January 6, 2021
What Happened: OFAC settled with BitGo, Inc. for $98,830, resolving 183 apparent violations of multiple US sanctions programs for processing digital currency transactions on behalf of individuals located in sanctioned jurisdictions.
The Bottom Line: Companies providing digital currency services should be aware of sanctions risks and should implement compliance procedures sufficient to ensure that they do not deal with blocked persons or otherwise engage in transactions prohibited by sanctions. This action also cautions financial institutions subject to US jurisdiction of the sanctions risks associated with interacting with digital or crypto currency providers.
The Full Story: Amid the rise of digital currency services, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) published a cautionary tale on December 30, 2020, discussing a recent settlement with BitGo, Inc. (BitGo), a California-based technology company that facilitates digital currency transactions and provides non-custodial digital wallet management services. BitGo settled for $98,830 after the company faced, at a maximum, a $53 million civil penalty for 183 apparent violations of multiple US sanctions programs.
From approximately March 10, 2015 to December 11, 2019, BitGo processed 183 digital currency transactions on behalf of users located in sanctioned jurisdictions, including Cuba, Crimea, Iran, Sudan, and Syria. OFAC noted that at the time of the apparent violations, BitGo tracked its users’ Internet Protocol (IP) addresses for security and login purposes, but did not use the IP address information to screen users for sanctions compliance purposes. As a result, users in sanctioned jurisdictions were able to create and use digital currency wallets and other BitGo services, even though BitGo had the ability to identify that those users’ IP addresses were originating from sanctioned jurisdictions.
To calculate the final settlement amount, OFAC listed two aggravating factors against BitGo. First, the company failed to exercise due caution or care by not preventing persons located in sanctioned jurisdictions from opening accounts and sending digital currencies using its platform. OFAC emphasized that the company’s lack of appropriate, risk-based sanctions compliance controls resulted in this failure. Second, BitGo could have discovered the users’ location in sanctioned jurisdictions using users’ IP addresses, but the company failed to do so.
On the other hand, OFAC credited three mitigating factors in favor of BitGo. First, BitGo is a relatively small company that has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the first apparent violation. Second, though the company did not voluntarily self-disclose, it cooperated with OFAC’s investigation. Most importantly, the company has invested in significant remedial measures to minimize the risk of recurrence. These measures include hiring a Chief Compliance Officer and implementing a new OFAC Policy. The company will routinely review the OFAC Policy and update it as appropriate. The company will also require its employees to attend training programs and certify that they have reviewed and understood BitGo’s OFAC Policy.
The enforcement information favorably highlights several features of the company’s new OFAC Policy. The policy includes a detailed overview of OFAC and relevant sanctions laws. It appoints a compliance officer tasked with implementing and providing guidance and interpretation on matters involving US sanctions laws. The company is also implementing IP address blocking and e-mail restrictions for sanctioned jurisdictions. BitGo will also screen all of its users’ accounts against OFAC’s Specially Designated Nationals and Blocked Persons List, particularly against blocked cryptocurrency wallet addresses identified by OFAC.
Overall, OFAC’s recent action cautions persons subject to US jurisdiction of the sanctions risks associated with the provision of digital currency services. It demonstrates the need for companies to maintain tailored, risk-based sanctions compliance procedures and internal controls. The enforcement action emphasizes that OFAC expects companies to be familiar with and implement the five essential components of compliance outlined in OFAC’s A Framework for OFAC Compliance Commitments: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. Companies engaged in digital currency services should exercise caution to prevent persons located in sanctioned jurisdictions from using their services.
This action also cautions financial institutions subject to US jurisdiction of the sanctions risks associated with interacting with digital or crypto currency providers. It demonstrates the need for financial institutions to exercise caution to ensure that they do not engage in dealings involving blocked persons or property, or prohibited trade or investment-related transactions. Though there is no single compliance program or solution suitable for every circumstance, financial institutions should maintain a tailored, risk-based compliance program that includes sanctions list screening and other appropriate measures that prevent them from engaging in transactions before determining whether those transactions would be in violation of OFAC regulations.
Hunton Andrews Kurth LLP will continue to closely monitor related developments on this issue and the broader US sanctions regime. Please contact us if you have any questions or you would like further information on sanctions risks and sanctions compliance programs.