OFAC targets the crypto craze

As the whole world is seemingly swept-up in the “crypto craze,” the Treasury Department’s Office of Foreign Assets Control (OFAC) just issued a stark warning to those companies whose businesses involve digital currency.  This comes less than a year after slapping Amazon for similar violations.

In a recent press release, OFAC announced that is has reached a $500,000 settlement with BitPay – a digital currency processing company located in Atlanta, Georgia.  BitPay was charged with 2,102 alleged violations of U.S. sanctions.

Just like all financial institutions and all U.S. persons, cryptocurrency firms must take steps to ensure they comply with U.S. sanctions programs.  BitPay is a private company whose mission is to pioneer “blockchain payment technology to transform how businesses and people send, receive, and store money around the world.”  The firm’s products include the BitPay App and the BitPay Card, which allow individuals to easily pay for goods and services with cryptocurrencies such as Bitcoin.  For businesses, BitPay offers ways to accept crypto payments via their websites or emails, and to send Bitcoin payments “to anyone, anywhere.”

How BitPay got into trouble with OFAC

According to its press release, OFAC alleged that – between 2013 to 2018 – BitPay processed 2,102 transactions for individuals located in sanctioned countries.  OFAC determined these locations based on IP addresses, invoice data and other means.  The countries involved included Cuba, North Korea, Iran, Sudan, Syria and the Crimea region of Ukraine.

What’s interesting about these violations is that they did not involve BitPay’s direct customers (merchants), but rather the merchants’ buyers who were located in sanctioned countries.  BitPay enabled these merchants to receive payments by accepting cryptocurrency on their behalf, converting it to fiat currency, and then transferring this currency to their merchant customers.

Apparently, BitPay had already established a screening process to screen its merchant customers against OFAC’s Specially Designated Nationals (SDN) List.  However, the company failed to establish processes for screening and appropriate due diligence for its merchants’ buyers who were also party to the transactions.  This gap in its processes allegedly caused BitPay to fail to analyze information it received about the buyers’ identification and location.  In some cases, BitPay had obtained details about these buyers (such as name, address, and IP location), but they failed to analyze this information or include it in their review process.  This oversight eventually led to the apparent violations.

How much do we owe?  The importance of mitigating vs. aggravating factors

When a company like BitPay gets into trouble, there are a variety of factors that can help (or hurt) in determining the final penalty.  Thankfully, BitPay was able to demonstrate that it had taken some steps to comply with OFAC regulations.  These “mitigating factors” included:

• Implementing a sanctions compliance program
• Providing compliance training to all employees, including senior management
• Cooperating with OFAC during the investigation
• Not having a violation in the five years preceding the first apparent violation
• Taking actions to stop the prohibited transactions and implementing controls to ensure they do not happen again

While these are good and positive steps to ensure sanctions compliance, there were also “aggravating factors” that OFAC considered to determine the penalty.  Avoiding these common mistakes can save companies time and money in the long run.  For BitPay, the aggravating factors included:

• The length of time when violations occurred without any steps to correct them (five years)
• BitPay did not voluntarily self-disclose the apparent violations.
• The transactions involved amounted to more than $128,000 of economic benefit to individuals located in sanctioned jurisdictions.

It’s interesting to note that the maximum monetary penalty BitPay could have received in this case was $2,255,000.  However, because of these factors above, OFAC settled for a final monetary penalty amount of $507,375 – less than 25% of the maximum.  (If you ever need financial justification to develop and implement a sanctions compliance program for your company, this is it!)

Compliance in the Age of Crypto

Most people seem to agree that cryptocurrency is here to stay.  In a world of online transactions, “contactless payment” and digital wallets, money is flowing around the world perhaps faster and easier than it ever has before.  This case highlights the fact that cryptocurrency firms – like all other financial institutions – must adhere to U.S. sanctions programs even as they race to meet the demands of the digital age.

In 2019, OFAC released a comprehensive guide to creating a compliance program.  Although the regulations may seem daunting and burdensome, failure to comply can lead to enormous penalties for any organization.  Any company involved in foreign transactions would do well to learn from this case – and take steps to develop/implement its own compliance program.

If you need help understanding OFAC compliance for your business, please schedule a no-charge consultation with one of our team members today.

Image by Michael Wuensch from Pixabay.