Beau Barnes and Jake Chervinsky of Kobre & Kim LLP are litigators and government enforcement defense attorneys who specialize in disputes and investigations related to digital assets. This article is not intended to provide legal advice.
âââ
For the past year, the cryptocurrency industryâs attention has focused on the Securities and Exchange Commissionâs deliberations over how to enforce U.S. securities laws. But the past two months have seen important developments on a new regulatory front: the application of U.S. sanctions laws by the Treasury Departmentâs Office of Foreign Assets Control (OFAC).
Last week, OFAC sanctioned two Iranian individuals for cyberattacks against U.S. networks. For the first time ever, OFAC targeted both the individuals who committed the offense and their associated bitcoin addresses.
OFAC is announcing a clear message to the industry: comply with sanctions laws or pay the price.
Economic sanctions result from U.S. government policy decisions that certain countries, governments, individuals, or companies shouldnât be allowed to transact with âU.S. persons.â The category of âU.S. personsâ is expansive: it includes U.S. citizens and permanent residents anywhere in the world, non-U.S. nationals within the United States, and entities incorporated under U.S. law (as well as their foreign branches).
OFAC has broad authority to impose sanctions based on perceived threats to U.S. national security. OFAC typically imposes âprimary sanctionsâ by prohibiting U.S. persons from directly or indirectly transacting with a sanctioned party, in addition to âsecondary sanctionsâ based on a non-U.S. personâs transactions with other sanctioned parties.
Some sanctions are nearly absolute, such as those prohibiting almost all transactions with countries like Iran, while other sanctions are nuanced, like those prohibiting certain transactions with Venezuela related to certain debt transactions. Sanctions violations are punishable as civil or criminal offenses and can result in steep fines.
Unlike many regulatory agencies, OFAC doesnât impose formal compliance obligations. Instead, it oversees a âstrict liabilityâ regime: even unintentional sanctions violations are punishable under the law, no matter the time or resources a company devotes to compliance. That said, those with a strong compliance program will have better odds of convincing OFAC to take a lenient approach toward potential violations.
To help companies build out their sanctions compliance programs, OFAC publishes a variety of policy statements, FAQs, brochures, advisories, and press releases. OFAC also offers compliance suggestions for stakeholders in specific industries.
For example, OFAC advises companies involved in online commerce to âdevelop a tailored, risk-based compliance programâ including the use of sanctions list screening software. Similarly, OFAC recommends that money transmitters block IP addresses from sanctioned jurisdictions, gather detailed customer identification information, and record a âpurpose of paymentâ for every transaction.
To fill the gaps left by its public statements, OFAC also engages in âguidance by enforcement,â detailing specific violations and the mitigating and aggravating factors that it considered in determining an appropriate fine.
In 2015, for example, OFAC announced a settlement with PayPal over approximately $44,000 in transactions that violated various sanctions programs. The settlement described numerous compliance missteps, including PayPalâs failure to screen accountholders against the sanctions list. It required PayPal to pay over $7 million and underscored to payment processors and money transmitters the importance of compliance â even for relatively low-value transactions.
While other U.S. federal agencies have been commenting on the rise of cryptocurrencies for years, OFAC long remained silent despite requests from crypto industry stakeholders for clarity on U.S. sanctions laws. This year, OFAC began to weigh in.
In March, OFAC responded to the Venezuelan governmentâs launch of its own cryptocurrencyâthe Petroâby prohibiting U.S. persons from engaging in transactions with that asset. OFAC also issued FAQs noting that U.S. personsâ sanctions obligations are the same âregardless of whether a transaction is denominated in a digital currency or traditional fiat currencyâ and flagging that it may add cryptocurrency addresses to the sanctions list in the future.
In October, in light of the U.S. governmentâs decision to withdraw from the Iran nuclear deal and re-impose certain sanctions against Iran, the Treasury Department issued an advisory warning businesses about Iranâs efforts to fund illicit activities abroad. The advisory described the Iranian regimeâs practice of circumventing financial restrictions by transacting in precious metals, misusing exchange houses, counterfeiting currency, and transacting in âvirtual currencies.â
In warning about the risks of cryptocurrencies, the advisory recommended specific compliance steps for crypto companies, including âreviewing blockchain ledgers for activity that may originate or terminate in Iran,â using software to âmonitor open blockchains,â and screening customers against the sanctions list.
Last weekâs designation of two Iranians who executed ransomware attacks on U.S. companies was OFACâs first action in direct relation to crypto. In a press release, OFAC trumpeted the designation, highlighting that it had identified those individualsâ bitcoin addresses âfor the first timeâ in order to âassist those in the compliance and digital currency communities in identifying transactions and funds that must be blocked and investigating any connections to these addresses.â
OFAC also released additional FAQs addressing crypto companiesâ obligations to block sanctioned persons and Treasury Under Secretary Sigal Mandelker said the Department âwill aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies.â
OFACâs recent actions illustrate the U.S. governmentâs renewed focus on stopping authoritarian regimesâVenezuela, Iran, North Korea, and othersâfrom using cryptocurrencies to evade U.S. sanctions. The crypto industry now finds itself caught in the middle of several intense geopolitical conflicts.
So, whatâs a crypto company to do?
First, take compliance seriously. As OFAC has noted, all the compliance obligations are the same regardless of whether a transaction involves digital or fiat currency.
Second, understand the risks. Because OFAC doesnât require specific compliance efforts, companies arenât obligated to screen customers against the sanctions list or restrict user access in certain environments. But, companies should know that they ignore these risks at their peril.
Third, expect enforcement. OFAC, like many government agencies, provides guidance in part by publicizing its enforcement actions. It will be no surprise when OFAC begins to bring enforcement actions in 2019 against those who transact in cryptocurrencies without respecting U.S. sanctions.
Iranian rial and U.S. dollar image via Shutterstock
