10/18/2021 | News release | Distributed by Public on 10/19/2021 11:54
On October 15, 2021, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) released guidance on sanctions compliance for the digital currency industry, the agency's most detailed guidance to date on its expectations for participants in this rapidly growing industry.
OFAC's guidance arrives amidst increasing scrutiny of the industry by various federal regulators and just weeks after the agency issued an advisory on ransomware payments and took the unprecedented enforcement action of placing a cryptocurrency exchange, SUEX OTC, on OFAC's Specially Designated Nationals (SDN) list. The Department of the Treasury's press release highlights that the guidance is a continuation of the Biden administration's "whole-of-government" effort to combat ransomware. Given the technological and operational differences between digital currency companies and traditional financial institutions, the specificity and detail OFAC included in its guidance provides useful insight for participants in this evolving ecosystem.
In this update, we briefly summarize OFAC's guidance, highlighting practical implications for both digital currency companies and customers. OFAC's guidance defines the digital currency industry to include not just exchangers and administrators, but also wallet providers and, notably, technology companies and miners.
U.S. Economic Sanctions and Digital Currencies
The guidance begins with an instructive primer on the U.S. economic sanctions framework, including how it relates to digital currencies. OFAC provides (1) a distinction between virtual and digital currencies, (2) an overview of how to "block" digital currencies, and (3) an explanation of OFAC's strict liability regime.
Digital Currencies v. Virtual Currencies. OFAC defines virtual currencies as a subset of assets within the larger category of digital currencies. OFAC's guidance and newly updated FAQs, however, use the terms interchangeably. Thus, OFAC's compliance expectations appear to be largely the same regardless of whether digital currency industry participants are dealing with digital currencies or virtual currencies (as OFAC defines them).
Digital Currency "Blocking." OFAC regulations require that U.S. persons deny all parties access to digital currency that is required to be blocked. While OFAC requires that blocked fiat currency be placed into an interest-bearing account, OFAC clarifies in this guidance that companies have no obligation to convert blocked digital currency into a fiat currency and place the resulting fiat into an interest-bearing account.
Strict Liability. OFAC explains that sanctions violations are strict liability offenses, i.e., a U.S. person violates U.S. sanctions by engaging in a prohibited transaction, even if inadvertently. While this may seem intimidating, in practice OFAC has considerable discretion in determining the appropriate action to take in response to apparent U.S. sanctions violations. A key factor in its enforcement decisions will be whether the U.S. person has followed this guidance and OFAC's previously published "Framework for OFAC Compliance Commitments" (Framework) on which the guidance builds.
OFAC May 2019 Framework for OFAC Compliance Commitments
In May 2019, OFAC published its first guidance addressing essential steps for implementing an effective Sanctions Compliance Program (SCP). The OFAC 2019 guidance may be found here and our May 2019 update regarding the Framework may be found here. In its 2019 guidance, OFAC stated that each SCP should incorporate at least five essential components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
In its current guidance, OFAC expands on these five pillars by specifying best practices for implementing an SCP for the digital currency industry. OFAC's suggestions, which ultimately tie back to a risk-based approach towards sanctions compliance, are notable for their specificity.
Management Commitment. As with traditional financial services companies, it is the responsibility of senior management to "ensure sanctions compliance efforts receive adequate resources and are fully integrated into the company's daily operations." OFAC flags this as important because of the perception that participants in the digital currency industry have often delayed implementation of an SCP.
Risk Assessment. Similar to its discussion of management commitment, OFAC's expectations for risk assessments are not markedly different for the digital currency industry than for other industries or markets. OFAC recommends that companies conduct a complete review of their potential exposure to transactions or parties subject to U.S. economic sanctions and try to minimize any such risk, through identification and screening of customers and by implementing enhanced safeguards for high-risk customers and/or counterparties.
For the digital currency industry, the key will be to tailor the risk assessment process to each company's particular business model and customer base. This may prove challenging in light of fundamental aspects of the digital currency ecosystem, most notably that it is not always possible to have full transparency into the counterparties of a transaction. For this reason, among others, OFAC notes that the digital currency industry poses higher-than-standard risks for potential sanctions evasion. In approaching risk assessment and the design of appropriate SCPs, participants in the digital currency industry must account for this perception and recognize the likely high standards the agency will have for their SCPs. In particular, notwithstanding the lack of further guidance on the non-transparent counterparties issue, OFAC will expect companies to implement an SCP that addresses the issue in the context of their operations.
Internal Controls. An effective risk assessment requires that a company implement well-designed and effective internal controls to conduct due diligence and monitor customers, business partners, and transactions. OFAC emphasizes in this guidance that internal controls should be risk-based and tailored to a company's activities.[1] In particular, the agency explains that industry participants should take the following actions:
Testing and Audits. OFAC requires companies to properly test and audit the effectiveness of their SCP. A company may not realize that its screening and other critical compliance systems are not functioning properly until it is too late. Participants in the digital currency industry should build into their SCPs a regular auditing and testing schedule to analyze the effectiveness of their SCPs in practice.
Training. OFAC notes that training should be provided to all appropriate employees on a periodic basis and, at a minimum, annually. As with all aspects of OFAC's requirements, the training should be tailored to reflect the employee's activities and the company's business structure and risk profile. OFAC recommends that trainings account for the frequent changes to sanctions programs and to the new technologies employed in the digital currency space.
Takeaways and Unresolved Issues
The most significant takeaways from the guidance are
While the guidance provides more clarity for the digital currency industry, unaddressed issues nevertheless remain, which include the following:
Please contact experienced economic sanctions counsel with questions about this guidance and how it might apply to your business.
Endnote
[1] In designing and deploying sanctions compliance controls, companies also need to properly document their efforts. For example, industry participants should be prepared to present diligence files reflecting their reasonable reliance on service provider partners responsible for IP address screening. Companies should also periodically test their data collection procedures to account for avoidable human error. OFAC notes, for example, that a company should ensure that it accounts for name variations and misspellings of names and locations to the best of the company's ability. The process and procedures involved in such efforts should be properly documented.
© 2021 Perkins Coie LLP