Cryptocurrency Payments and OFAC Sanctions
The use of cryptocurrencies like Bitcoin and Ethereum for payments and transactions has exploded in popularity in recent years. However, this has also raised complex regulatory and compliance issues when it comes to economic sanctions enforced by the U.S. government.
In particular, the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury has highlighted risks associated with cryptocurrencies being used to evade U.S. sanctions. OFAC administers and enforces economic sanctions programs against targeted foreign countries, regimes, terrorists, international narcotics traffickers, and more. So what happens when you want to accept cryptocurrency payments, but also need to comply with OFAC regulations?
OFAC Sanctions Overview
OFAC enforces a variety of different sanctions programs that restrict financial transactions and trade with certain countries, entities, and individuals. For example, there are comprehensive sanctions against Iran, North Korea, Syria, and Cuba. There are also sanctions targeting terrorists, drug kingpins, and human rights abusers.
U.S. persons and companies, including cryptocurrency exchanges, are generally prohibited from dealing with any blocked persons or countries on the OFAC Specially Designated Nationals (SDN) list. Otherwise, they risk significant civil and criminal penalties. According to OFAC, U.S. persons are responsible for ensuring they do not engage in unauthorized transactions, “such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions.”
In May 2022, OFAC sanctioned the cryptocurrency mixer Blender.io for facilitating transactions involving illicit proceeds from the largest known theft of cryptocurrency connected to the Lazarus Group, a North Korean state-sponsored hacking group. This marked the first-ever OFAC sanctions designation of a virtual currency mixer.
As OFAC Director Andrea Gacki explained, “Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are committed to ensuring that OFAC sanctions apply to any illicit activity, regardless of whether it involves fiat currency or virtual currency.”
Sanctions Compliance for Cryptocurrency Companies
OFAC has made clear that companies dealing with cryptocurrency, including exchanges, administrators, wallet providers, and other services, have sanctions compliance obligations. This includes:
- Implementing a risk-based sanctions compliance program
- Screening customers and transactions against OFAC’s SDN list
- Blocking prohibited transactions and funds
- Reporting blocked property to OFAC
In September 2021, OFAC published detailed compliance guidance for the virtual currency industry. The guidance emphasizes the importance of sanctions screening for transactions. Companies should screen wallet addresses, transaction information, customer information, and other relevant data against the SDN list.
OFAC also recommends cryptocurrency companies use blockchain analytics tools to identify high-risk activity associated with OFAC-sanctioned addresses and wallets. This can help detect potential sanctions evasion or other illicit behavior through cryptocurrency payments.
Challenges of Cryptocurrency Sanctions Screening
While OFAC sanctions screening is standard practice for traditional financial transactions, it can be more difficult and complex in the cryptocurrency space. Here are some of the key challenges involved:
- Pseudonymous transactions – Cryptocurrency wallets and addresses do not always reveal the real identity of the user. This can make identifying prohibited parties more difficult.
- Data privacy – The transparency of public blockchains has to be balanced against data privacy regulations in certain jurisdictions.
- False positives – As with traditional financial transactions, similarities in wallet addresses or transaction details can produce false positives when screening.
- Real-time screening – Unlike wire transfers or other financial messages, cryptocurrency transactions are executed rapidly, so sanctions screening needs to happen in real time.
Despite these challenges, OFAC expects cryptocurrency companies to have effective compliance procedures in place. This means leveraging the best available technology and analytics tools to screen transactions and meet regulatory obligations.
Penalties for Sanctions Violations
Given OFAC’s heightened interest in cryptocurrency, the penalties for sanctions violations in this space can be severe. In 2021, OFAC entered into a settlement agreement with BitPay, a cryptocurrency payment services provider. BitPay was accused of processing cryptocurrency ransomware payments involving sanctioned parties.
While BitPay did not voluntarily self-disclose the apparent violations, OFAC determined the company had maintained a sanctions compliance program. Under the settlement, BitPay agreed to pay over $500,000 as part of a non-prosecution agreement. This demonstrated OFAC’s willingness to work with companies that cooperate and take corrective measures.
However, sanctions violations that involve willful or reckless conduct, attempts to conceal misconduct, or significant harm to U.S. sanctions program objectives could incur much steeper penalties. BitPay was fortunate to avoid criminal prosecution in this case.
Real-World Examples of Cryptocurrency Sanctions Issues
To understand the sanctions risks around cryptocurrency payments, it helps to look at real-world examples of how cryptocurrencies have been used to evade OFAC restrictions:
- Iran – In 2018, an Iranian ransomware scheme known as “SamSam” collected over $6 million in Bitcoin from U.S. victims. The two Iranian individuals behind the attacks were sanctioned by OFAC for facilitating ransomware transactions to Iranian cyber actors.
- Russia – During Russia’s 2022 invasion of Ukraine, OFAC warned that crypto assets may be used to avoid the impact of Russian sanctions. While the scale of cryptocurrency use to evade sanctions is unclear, Russia does have a high cryptocurrency ownership rate.
- North Korea – North Korean hacking groups have carried out numerous cryptocurrency thefts and ransomware attacks. A 2020 OFAC advisory highlighted the sanctions risk exposure for facilitating ransomware payments to North Korea.
As these examples show, OFAC is highly concerned about the use of cryptocurrency to bypass sanctions and enable illicit activity by barred regimes and criminal groups. The sanctions risks are real, even if unintentional.
Mitigating Cryptocurrency Sanctions Risks
Given the severe penalties for violating OFAC sanctions, cryptocurrency exchanges, wallet providers, and other services should take care to mitigate their sanctions risk exposure. Here are a few best practices to consider:
- Implement a customized sanctions compliance program based on OFAC guidance and industry best practices.
- Screen customers and transactions against OFAC’s SDN list using appropriate technology solutions.
- Conduct Know Your Customer (KYC) identity verification of users to understand the source of funds.
- Monitor transactions for suspicious activity patterns that could indicate sanctions evasion or other illicit conduct.
- Investigate high-risk transactions and wallets using blockchain analytics tools and consult sanctions experts as needed before processing payments.
- Train employees to spot red flags that could link cryptocurrency payments to OFAC-prohibited locations, parties, or transactions.
With the right precautions, cryptocurrency companies can identify and mitigate the risk of sanctions violations. However, sanctions regulations are complex and enforcement is increasing. Working closely with OFAC regulations counsel is essential to build an effective sanctions compliance program tailored to your business.
The Future of Cryptocurrency Sanctions
OFAC will likely continue enhancing its focus on cryptocurrencies as adoption grows globally. We can expect further enforcement actions, updated compliance guidance, and sanctions designations targeting more virtual currency entities linked to prohibited regimes, terrorists, and criminal networks.
At the same time, OFAC faces pressure from the cryptocurrency industry to refine its approach. Legitimate cryptocurrency companies argue that overly strict prohibitions on transactions with any sanctions nexus could stifle innovation. They want OFAC to take a more nuanced view.
Regardless, cryptocurrency exchanges and payment platforms should continue building out their sanctions compliance programs. With the right controls in place, they can reduce sanctions risk exposure while still leveraging cryptocurrencies to enable faster, cheaper global payment solutions.
Looking ahead, here are some key areas to watch with cryptocurrency sanctions compliance:
Integration of Sanctions Screening Into Wallets and Exchanges
To make sanctions screening seamless, many companies are looking to integrate checks directly into cryptocurrency wallets, exchange platforms, and payment interfaces. For example, Elliptic offers sanctions screening APIs that can plug into existing cryptocurrency transaction flows to detect sanctions risks in real time. Integration tools like this can reduce false positives and minimize friction for users.
Use of Zero-Knowledge Proofs
Zero-knowledge proofs are a type of cryptographic protocol that allows one party to prove to another that they have certain information without revealing the information itself. This preserves privacy and anonymity of transactions. As the OFAC guidance notes, zero-knowledge proof technology could potentially be used to screen transactions and wallets for sanctions nexus while maintaining user privacy.
Travel Rule Information Sharing
The Travel Rule requires cryptocurrency transmitters to share identity information between institutions during transactions above certain thresholds. Effective information sharing under the Travel Rule could aid in sanctions screening while allowing transactions to proceed efficiently.
List Screening Technology Improvements
Sanctions list screening is complex, as OFAC lists include thousands of addresses and wallet identifiers associated with prohibited entities and individuals. Advanced matching algorithms, machine learning, and heuristics can help improve list screening accuracy for cryptocurrency transactions.
Compliance Cooperation With OFAC
OFAC has shown willingness to work collaboratively with cryptocurrency companies that engage proactively and take risk mitigation measures. Fostering open communication and information exchange with OFAC can help the industry adapt to evolving sanctions regulations.
Overall, integrating sanctions controls into cryptocurrency transactions remains challenging. But with the right technology and collaboration between industry and regulators, it is possible to enable compliant cryptocurrency payments even under complex sanctions regimes.