Beau Barnes and Jake Chervinsky of Kobre & Kim LLP are defense lawyers who specialize in litigation and investigations involving digital assets. This article is not intended to provide legal advice.
In the last year, the attention of the cryptocurrency industry has focused on the Securities and Exchange Commission's decisions on how to apply US securities laws. But the last two months have seen important developments on a new regulatory front: the application of US sanctions laws by the Treasury Department's Office of Foreign Assets Control (OFAC).
Last week, OFAC sanctioned two Iranian individuals for cyberattacks against US networks. For the first time, OFAC has targeted both the perpetrators and their associated bitcoin addresses.
OFAC is sending a clear message to the industry: comply with the sanctions laws or pay the price.
Crypto industry, meet OFAC
Economic sanctions stem from US government policy decisions that certain countries, governments, individuals or companies should not be allowed to deal with "US persons." The "US persons" category is expansive: it includes US citizens and permanent residents anywhere in the world, non-US citizens in the United States and entities constituted under US law (as well as their foreign branches).
OFAC has broad authority to impose sanctions based on perceived threats to US national security. OFAC typically imposes "primary sanctions" by prohibiting US persons from entering into transactions directly or indirectly with a sanctioned party, as well as "secondary sanctions" based on transactions of a non-US person with other sanctioned parties.
Some sanctions are almost absolute, such as those that prohibit almost all transactions with countries such as Iran, while other sanctions are more limited, such as those that prohibit certain transactions with Venezuela related to certain debt transactions. Sanctions violations are punishable as civil or criminal offenses and may result in heavy fines.
OFAC compliance and enforcement
Unlike many regulatory agencies, OFAC does not impose formal compliance obligations. Instead, it administers a "strict liability" regime: even unintentional sanctions violations are punishable by law, regardless of the time or resources that a company devotes to compliance. That said, those who have a strong compliance program will have a better chance of convincing OFAC to take a lenient approach to potential violations.
To help companies develop their sanctions compliance programs, OFAC publishes a series of policy statements, frequently asked questions, brochures, advice and press releases. OFAC also offers compliance suggestions for stakeholders in specific areas.
For example, OFAC advises companies involved in online commerce to "develop a tailor-made, risk-based compliance program" including the use of sanctions list screening software. Likewise, OFAC recommends that money transmitters block IP addresses from sanctioned jurisdictions, collect detailed customer identification information, and record a "payment purpose" for each transaction.
To fill the gaps left by its public statements, OFAC also engages in "guidance by enforcement", detailing the specific violations and the mitigating and aggravating factors it considered in determining an appropriate fine.
In 2015, for example, OFAC announced a settlement with PayPal over roughly $44,000 in transactions that violated various sanctions programs. The settlement described numerous compliance failures, including PayPal's failure to screen account holders against the sanctions list. It required PayPal to pay over $7 million and underscored for payment processors and money transmitters the importance of compliance, even for relatively low-value transactions.
OFAC on crypto
While other US federal agencies have commented on the rise of cryptocurrencies for years, OFAC long remained silent despite requests from crypto stakeholders for clarity on US sanctions laws. This year, OFAC started weighing in.
In March, OFAC responded to the Venezuelan government's launch of its cryptocurrency, Petro, by banning US persons from transacting in that asset. OFAC also issued a series of frequently asked questions stating that US sanctions compliance obligations are the same "regardless of whether a transaction is denominated in a digital currency or a traditional fiat currency" and that it may add cryptocurrency addresses to the sanctions list in the future.
In October, in light of the US government's decision to withdraw from the Iranian nuclear deal and to impose certain sanctions against Iran, the Treasury Department issued an advisory warning of the Iranian government's efforts to finance illegal activities abroad. The advisory described the Iranian regime's practice of circumventing financial restrictions through transactions in precious metals, abuse of exchange houses, counterfeiting of currency and transactions in "virtual currencies".
In warning about the risks of cryptocurrencies, the advisory recommended specific compliance steps for crypto companies, including "reviewing blockchain registries for activities that could originate or cease in Iran", using software to "monitor open blockchains" and screening customers against the sanctions list.
Last week's designation of two Iranians who ran ransomware attacks on US companies was the first OFAC action directly related to cryptocurrency. In a press release, OFAC trumpeted the designation, noting that it had for the first time identified these individuals' bitcoin addresses "to assist compliance and digital currency communities in identifying transactions and funds that must be blocked and investigate any connection to these addresses."
OFAC also issued additional frequently asked questions about the obligations of crypto companies to block sanctioned persons, and Undersecretary of the Treasury Sigal Mandelker said the Department "will aggressively pursue Iran and other rogue regimes attempting to exploit the digital currencies".
Get ready for more
The recent actions of OFAC illustrate the US government's renewed focus on stopping authoritarian regimes (Venezuela, Iran, North Korea and others) from using cryptocurrencies to circumvent US sanctions. The crypto industry is now in the midst of numerous intense geopolitical conflicts.
So, what should a crypto company do?
First, take compliance seriously. As OFAC noted, all compliance obligations are the same regardless of whether a transaction is denominated in a digital or fiat currency.
Second, understand the risks. Because OFAC does not require specific compliance efforts, companies are not obliged to screen customers against a list of sanctions or to restrict user access in certain environments. But companies should know that they ignore these risks at their own peril.
Third, expect enforcement. OFAC, like many government agencies, provides guidance in part by publicizing its enforcement actions. It will come as no surprise if OFAC begins to bring enforcement actions in 2019 against those who make cryptocurrency transactions without complying with US sanctions.