OFAC Settles with Digital Currency Services Provider for Apparent Violations of Multiple Sanctions Programs

What Happened: OFAC settled with BitPay, Inc. for $507,375 to resolve 2,102 apparent violations of multiple US sanctions programs for allowing individuals located in sanctioned jurisdictions to use digital currency on its platform to transact with merchants in the United States and elsewhere.

The Bottom Line: This is the second OFAC enforcement action against a digital currency services provider published in a two-month period. Companies providing digital currency services, like all financial service providers, should be aware of sanctions risks associated with providing such services. This action emphasizes the importance of developing and implementing tailored, risk-based sanctions compliance procedures sufficient to ensure that companies do not deal with blocked persons or engage in transactions prohibited by US sanctions.

The Full Story: On February 18, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published an enforcement action discussing a recent settlement with BitPay, Inc. (“BitPay”), a company based in Atlanta, Georgia whose platform facilitates merchants’ acceptance of digital currency as payment for goods and services. That is, BitPay receives digital currency on behalf of its merchants, converts the digital currency to fiat currency, and then transmits that currency to its merchants. BitPay settled for $507,375 after the company faced, at a maximum, a $619,689,816 civil monetary penalty for 2,102 apparent violations of multiple US sanctions programs.

From approximately June 10, 2013 to September 16, 2018, BitPay processed 2,102 digital currency transactions on behalf of buyers located in sanctioned jurisdictions, including Cuba, Crimea, Iran, North Korea, Sudan, and Syria. OFAC noted that, at the time of the apparent violations, BitPay screened its direct customers, the merchants, and conducted due diligence to ensure they were not located in sanctioned jurisdictions. BitPay also obtained the location information, including Internet Protocol (“IP”) addresses, from its merchants’ buyers, but it failed to use that location information to screen the buyers for sanctions compliance purposes. As a result, individuals in sanctioned jurisdictions were able to make purchases from merchants in the United States and elsewhere.

To calculate the final settlement amount, OFAC listed two aggravating factors against BitPay. First, for approximately five years, the company failed to exercise due caution by not preventing buyers located in sanctioned jurisdictions from transacting with BitPay’s merchants using digital currency. OFAC emphasized that BitPay could have screened the location data it obtained about its merchants’ buyers to ensure they were not located in sanctioned jurisdictions, but the company failed to do so. Second, BitPay’s sanctions compliance deficiencies granted approximately $129,000 in economic benefit to individuals located in sanctioned jurisdictions, undermining the integrity of the sanctions programs.  

On the other hand, OFAC credited six mitigating factors in favor of BitPay. First, BitPay implemented sanctions compliance controls, such as conducting due diligence on merchant customers, as early as 2013. It also formalized its sanctions compliance program in 2014. Second, in its training for all employees, BitPay made clear that it prohibited merchants located in sanctioned jurisdictions from signing up for its services, as well as trade with sanctioned individuals. Third, BitPay is a relatively small company that has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the first apparent violation. Fourth, though the company did not voluntarily self-disclose, it cooperated with OFAC’s investigation. Fifth, the company has undertaken measures to minimize the risk of recurrence of the conduct that led to the apparent violations. These measures include: (i) blocking IP addresses that appear to originate in sanctioned jurisdictions; (ii) checking the physical and email addresses of merchants’ buyers to prevent completion of an invoice from the merchant if the individual is located in a sanctioned jurisdiction; and (iii) launching a new customer identification tool for buyers paying invoices of $3,000 or more. The new merchant customer identification tool requires customers to provide an email address, proof of identification, and a selfie photo. Lastly, as part of the settlement, the company has agreed to continue the implementation of these and other compliance commitments.

This is the second OFAC enforcement action to target a digital currency services provider in less than two months, demonstrating OFAC’s increased enforcement attention on digital currencies. As noted in our January 6, 2021 Client Alert, on December 30, 2020, OFAC announced its settlement with BitGo, Inc. (“BitGo”), a California-based technology company that facilitates digital currency transactions and provides non-custodial digital wallet management services. In that case, OFAC settled with BitGo for $98,830, resolving 183 apparent violations of multiple US sanctions programs for processing digital currency transactions on behalf of individuals located in sanctioned jurisdictions. As in the case of BitPay, OFAC noted that, at the time of the apparent violations, BitGo tracked its users’ IP addresses for security and login purposes, but did not use their IP addresses to screen users for sanctions compliance.

OFAC’s recent enforcement actions caution persons subject to US jurisdiction of the sanctions risks associated with the provision of digital currency services. They demonstrate the need for companies to maintain tailored, risk-based sanctions compliance procedures and internal controls to ensure that they do not engage in unauthorized transactions prohibited by US sanctions. Though there is no single compliance program or solution suitable for every circumstance, the enforcement actions emphasize that OFAC expects companies to implement at least five essential components of compliance outlined in OFAC’s A Framework for OFAC Compliance Commitments: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.

Administrators, exchangers, and other companies engaged in digital currency services should exercise caution to prevent persons located in sanctioned jurisdictions from using their services by, for example, screening all available information, to mitigate sanctions risks. Such companies can benefit from developing and maintaining a compliance-first culture with proper risk assessments, internal controls, testing and auditing, and employee training.

Hunton Andrews Kurth LLP will continue to closely monitor related developments on this issue and the broader US sanctions regime. Please contact us if you have any questions or if you would like further information on sanctions risks and sanctions compliance programs.