New OFAC Guidance for the Cryptocurrency Industry Highlights Increased Regulatory Focus

On October 15, 2021, the Treasury Department’s Office of Foreign Assets Control (“OFAC”) published tailored guidance for the cryptocurrency industry that highlights sanctions compliance requirements and provides industry-specific advice regarding OFAC’s compliance expectations (the “Guidance”).[1]  OFAC simultaneously issued two new frequently asked questions (“FAQs”) relevant to the cryptocurrency industry.  A few days later, on October 19, 2021, Deputy Secretary of the Treasury Wally Adeyemo requested additional funding to combat national security threats, including those arising from the cryptocurrency markets,[2] during his testimony before the Senate Committee on Banking, Housing, and Urban Affairs.[3]   These actions, together with several recent U.S. government enforcement actions, signal increased U.S. government efforts to address the sanctions risks posed by the emerging virtual currency sector.

The key takeaways are as follows:

• The Guidance signals the Treasury Department’s efforts to engage with and provide greater regulatory clarity to the cryptocurrency industry, and makes clear that sanctions compliance obligations “apply equally to transactions involving virtual currency and those involving fiat currency.”[4] The Guidance, which is based largely on OFAC’s 2019 Framework for OFAC Compliance Commitments (the “Framework”),[5]  provides an overview of OFAC sanctions, examples of sanctions-related best practices for actors in the cryptocurrency space, and advice on how such actors can mitigate sanctions risks.[6]  The Guidance is organized around the five pillars of an effective compliance program laid out in the Framework:  management commitment, risk assessment, internal controls, testing/auditing, and training.  OFAC notes that the Guidance is intended for the whole of the virtual currency industry, including technology companies, exchangers, administrators, miners, and wallet providers, and encourages all such actors to develop, implement, and routinely update tailored, risk-based sanctions compliance programs that generally “include sanctions list and geographic screening and other appropriate measures as determined by the company’s unique risk profile.”[7] 

The Guidance notes that the internal controls a company in the virtual currency industry will implement will depend on, in part, the company’s product and service offerings, where it operates, and its sanctions-specific risks.  Appropriate internal controls will likely include screening, investigation, and transaction monitoring, including geolocation tools and know your customer (“KYC”) procedures.   The Guidance also provides particular examples of “risk indicators or red flags” that actors in the cryptocurrency space should consider when monitoring and screening transactions and customers. [8]  Three of the risk indicators deal with how customers respond to requests for information when asked; specifically, whether the customer provides inaccurate or incomplete information when attempting to open the account and whether the customer refuses to comply with or is non-responsive to requests for updated KYC information or transaction information.[9]  In addition, OFAC flags certain behavior that is related to blocked persons or sanctioned jurisdictions, including attempts to transact with an address associated with a blocked person or sanctioned jurisdiction, or attempts to use an IP address or a VPN associated with a sanctioned jurisdiction.[10]  OFAC’s focus on geolocation tools and IP blocking is consistent with both its two recent enforcement actions in the cryptocurrency space as well as other recent OFAC enforcement actions against relatively sophisticated companies where OFAC faulted a failure to screen or monitor IP addresses or flag IP addresses from sanctioned jurisdictions.[11]  Finally, OFAC recommends that actors in the virtual currency space be mindful  of “red flags” that are generally indicative of money laundering or other illicit financial activity because such red flags may also be indicative of potential sanctions evasion.[12] 

• New OFAC FAQs define industry terms and explain how to block digital currency. OFAC’s new FAQs define the terms “digital currency,” “digital currency wallets,” “digital currency addresses,” and “virtual currency” (FAQ 559) and clarify how U.S. persons can meet their obligations to block virtual currency under OFAC’s regulations (FAQ 646).  Specifically, virtual currency companies that maintain multiple wallets  in which a blocked person has an interest may choose to block each virtual currency wallet or opt to consolidate wallets that contain blocked virtual currency (similar to an omnibus account).  Further, OFAC clarified that there is no obligation to convert blocked virtual currency into fiat currency (e.g., U.S. dollars), and that blocked virtual currency is not required to be held in an interest-bearing account.
• The Treasury Department and other U.S. government agencies are focused on enforcement in the cryptocurrency space. OFAC and the Financial Crime Enforcement Network (“FinCEN”) have recently announced enforcement actions against actors in the cryptocurrency space, including FinCEN’s August 2021 assessment  of civil penalties—in parallel with an action by the Commodity Futures Trading Commission—against crypto exchange BitMEX for operating as a futures commission merchant,[13] and OFAC in September 2021 made its first designation of a cryptocurrency exchange, SUEX OTC, S.R.O. (“SUEX”), for SUEX’s role in facilitating financial transactions for ransomware actors.[14]  During the same period, OFAC and FinCEN have also published reports related to ransomware, which both highlight the use of cryptocurrency in ransomware attacks.[15]  In the past year OFAC has also entered into two settlements with companies operating in the cryptocurrency industry, both related to those companies’ dealings with parties in sanctioned jurisdictions and failure to monitor and block IP addresses from sanctioned jurisdictions.[16] 

Further, on October 6, 2021, the Department of Justice (“DOJ”) announced the creation of a new National Cryptocurrency Enforcement Team, which will focus on “complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors” and to enhance DOJ’s “capacity to dismantle the financial entities that enable criminal actors to flourish — and quite frankly to profit — from abusing cryptocurrency platforms.”[17]

• OFAC’s latest guidance—along with the recent enforcement actions and the Senate testimony by Deputy Secretary Adeyemo—suggest that OFAC will continue to be aggressive about enforcing sanctions compliance in the cryptocurrency space. Like other agencies in the federal government,[18] the Treasury Department appears to be increasing its focus on the cryptocurrency space.  During his October 19 Senate testimony, Deputy Secretary Adeyemo stated that the additional funding requested by OFAC would assist the Treasury Department in addressing sanctions evasion, including evasion related to the growth of the cryptocurrency markets and more generally technological changes.^[19]  He further stated that the Treasury Department is planning to coordinate with non-U.S. allies to adopt anti-money laundering rules for crypto exchanges and extend existing protections to the cryptocurrency industry.^[20] 

These recent developments suggest that OFAC and the U.S. Government more generally will continue to focus on enforcing sanctions compliance laws relating to cryptocurrency, even while the regulatory landscape relating to these assets is developing.  Any company involved in the cryptocurrency industry should review the Guidance and take risk-based steps to assess and enhance its sanctions compliance program.  We will continue to monitor these developments.

                                                                                                                     *       *       *

[1]        OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (Oct. 15, 2021), https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.

[2]        Mengqi Sun & Ian Talley, Treasury Seeks More Money for Illicit-Finance Oversight, Including Crypto and Cybercrime, WSJ (Oct. 19, 2021), https://www.wsj.com/articles/treasury-seeks-more-money-for-illicit-finance-oversight-including-crypto-and-cybercrime-11634692030.

[3]        Video of the “International Policy Update: The Treasury Department’s Sanctions Policy Review and Other Issues” hearing before the U.S. Senate Committee on Banking, Housing, and Urban Affairs, available at  https://www.banking.senate.gov/hearings/international-policy-update-the-treasury-departments-sanctions-policy-review-and-other-issues

[4]        Guidance at 1.

[5]        OFAC, A Framework for OFAC Compliance Commitments (May 2, 2019), https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf. 

[6]        Treasury Continues Campaign to Combat Ransomware As Part of Whole-of-Government Effort, U.S. Dep’t of Treasury (Oct. 15, 2021), https://home.treasury.gov/news/press-releases/jy0410.

[7]        Guidance at 10.

[8]        Id. at 17.

[9]        Id.

[10]       Id.

[11]       See, e.g., OFAC, Enforcement Release for December 30, 2020 (Dec. 30, 2020), https://home.treasury.gov/system/files/126/20201230_bitgo.pdf; OFAC, Enforcement Release for February 18, 2021 (Feb. 18, 2021), https://home.treasury.gov/system/files/126/20201230_bitgo.pdf; OFAC, Enforcement Release for April 2, 2021 (Apr. 29, 2021), https://home.treasury.gov/system/files/126/20210429_sap.pdf.

[12]       Treasury Continues Campaign to Combat Ransomware As Part of Whole-of-Government Effort, U.S. Dep’t of Treasury (Oct. 15, 2021), https://home.treasury.gov/news/press-releases/jy0410.

[13]       Paul, Weiss, CFTC and FinCEN Impose $100 Million Penalty on BitMEX (Aug. 20, 2021), https://www.paulweiss.com/practices/litigation/economic-sanctions-aml/publications/cftc-and-fincen-impose-100-million-penalty-on-bitmex?id=40790.

[14]       Treasury Takes Robust Actions to Counter Ransomware, U.S. Dep’t of Treasury (Sept. 21, 2021), https://home.treasury.gov/news/press-releases/jy0364.

[15]       Id.; see also Treasury Continues Campaign to Combat Ransomware As Part of Whole-of-Government Effort, supra note 6.

[16]       OFAC, Enforcement Release for December 30, 2020 (Dec. 30, 2020), https://home.treasury.gov/system/files/126/20201230_bitgo.pdf; OFAC, Enforcement Release for February 18, 2021 (Feb. 18, 2021), https://home.treasury.gov/system/files/126/20201230_bitgo.pdf. 

[17]       Department of Justice, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-national-cryptocurrency-enforcement-team. 

[18]       See, e.g., Paul, Weiss, Chair Gensler Reaffirms Focus on Crypto Enforcement; SEC Brings Actions Against a DeFi Lender and a Crypto Exchange for Offering Unregistered Securities (Aug. 11, 2021), https://www.paulweiss.com/practices/litigation/financial-institutions/publications/chair-gensler-reaffirms-focus-on-crypto-enforcement-sec-brings-actions-against-a-defi-lender-and-a-crypto-exchange-for-offering-unregistered-securities?id=40732.

[19]       Sun & Talley, supra note 2.

[20]       Id.