On February 18, 2021, BitPay, Inc. (“BitPay”), a major cryptocurrency payment processing platform, entered into a $507,000 settlement with the Office of Foreign Asset Control (“OFAC”), to settle allegations that it processed cryptocurrency payments which violated various US sanctions programs. Significantly, OFAC did not allege that BitPay knowingly violated sanctions laws or took steps to actively conceal violations. Rather, OFAC alleged that BitPay had inadequate due diligence and internal controls policies in place which failed to identify potential sanctions violations.
The settlement reflects a trend in OFAC enforcement of holding cryptocurrency companies accountable for failing to prevent sanctions violations by third parties using their services.
The BitPay settlement comes less than two months after OFAC announced a $98,000 settlement agreement with BitGo Inc., a cryptocurrency wallet management company, to resolve similar allegations. Other cryptocurrency companies have publicly reported an uptick in OFAC subpoenas. Coinbase Global Inc., a major cryptocurrency exchange, recently reported receiving multiple OFAC subpoenas in its 10-K annual report in connection with suspicious cryptocurrency transactions.
The BitPay action is consistent with prior OFAC guidance stating that the compliance obligations for transactions involving “traditional fiat currency” fully apply to “digital currencies” as well. OFAC used the BitPay settlement press release to reiterate this expectation that companies dealing in cryptocurrency take active measures to avoid facilitating transactions that violate sanctions:
This action highlights that companies involved in providing digital currency services—like all financial service providers—should understand the sanctions risks associated with providing digital currency services and should take steps necessary to mitigate those risks. Companies that facilitate or engage in online commerce or process transactions using digital currency are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions.
This action highlights the need for companies dealing in cryptocurrency to evaluate their sanctions risk and implement an effective sanctions compliance program. In the key takeaways section below, we discuss the basic steps that cryptocurrency companies should take to mitigate the risk of sanctions violations.
Overview of BitPay Settlement
BitPay’s Failure to Effectively Screen Buyer Data Constituted “Apparent Violations”
BitPay provides payment processing services to online merchants, who use BitPay’s service to make sales to buyers using cryptocurrency for payment. OFAC acknowledged that BitPay had implemented some sanctions compliance measures, and took steps to verify the identities of its direct clients (the merchants) who contracted with BitPay directly to use its services. BitPay collected identifying information from merchants, ran this data against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and conducted due diligence on verify they were not based in sanctioned locations.
The company’s apparent violations were the result of processing 2,102 transactions between 2013 and 2018 on behalf of individuals who appeared to be based in jurisdictions subject to comprehensive sanctions (including Crimea, Cuba, North Korea, Iran, Sudan, and Syria). The average value of these transactions was relatively small (around $60), but they totaled nearly $130,000 over five years.
The company failed to apply similar screening to buyers who entered into transactions with merchants using BitPay’s platform. BitPay recorded the IP addresses of buyers and received buyer identifying information on payment invoices that should have alerted BitPay to the buyers’ location (including the buyer’s name, address, email address, and phone number). BitPay failed to analyze this information for sanctions compliance purposes, however, and consequently failed to block transactions with individuals who appeared to be based in sanctioned countries.
Aggravating and Mitigating Factors
OFAC noted that the settlement amount of $507,000 was significantly below BitPay’s maximum potential liability. OFAC calculated the maximum civil monetary penalty at nearly $620 million and the base penalty amount under OFAC’s guidelines at $2.25 million. OFAC cited two aggravating factors and five mitigating factors in its decision to settle for $107,000.
Aggravating factors included the total value of the sanctions violations, and BitPay’s failure to screen customers for a five year period despite having access to location data. Although not specifically cited as an aggravating factor, OFAC’s determination that BitPay’s failed to voluntarily self-disclose the apparent violations was also referenced in the settlement press release.
Nevertheless, OFAC determined that the apparent violations constituted a “non-egregious case,” based on several mitigating factors:
- BitPay implemented a sanctions compliance program which included customer due diligence and screening merchant customers against sanctions lists.
- BitPay provided sanctions compliance training to its employees.
- BitPay is a “small business” with no prior sanctions violations.
- BitPay cooperated with OFAC’s investigation.
- BitPay implemented new compliance measures to prevent future violations (including automatically blocking IP addresses based in sanctioned countries, additional identity and location verification measures).
Although BitPay’s compliance measures did mitigate its violation, OFAC observed that the measures in place prior to the enforcement action were not comprehensive or sophisticated enough to prevent the violations or avoid a penalty.
OFAC Enforcement Reflects Increasing Regulatory Scrutiny of Cryptocurrency
Federal regulators and law enforcement officials have long viewed cryptocurrency with suspicion due to its anonymity and its ability to circumvent the strict monitoring and reporting requirements imposed on traditional financial institutions. Criminals began exploiting these features of cryptocurrency almost immediately after the introduction of Bitcoin in 2009. Prosecutors have brought criminal charges against the operators of offshore cryptocurrency exchanges that have allegedly actively concealed illegal transactions on their platforms (such as BTC-e and BitMEX).
In light of regulatory uncertainty over what rules apply to cryptocurrency, however, regulators have been more cautious in pursuing violations involving insufficient internal controls. OFAC’s approach to cryptocurrency has, until recently, been more narrowly aimed at the individuals directly involved in an illegal transaction rather than a third party cryptocurrency exchange’s failure to block such transactions. OFAC has also targeted companies for facilitating the trading of Venezuela’s state-sponsored cryptocurrency, the “Petro.”
This has changed in the last year, as Bitcoin and other cryptocurrencies have risen dramatically in value (Bitcoin recently surpassed $1 trillion in market capitalization), and cryptocurrency has become increasingly accepted by established, institutional investors. The current trend of escalating regulatory scrutiny of cryptocurrency began during the Trump Administration, and the Biden Administration appears to be continuing this approach. The newly appointed Treasury Secretary Janet Yellen has indicated in public comments that preventing illicit cryptocurrency transactions will be a major priority during her tenure. The Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) has proposed controversial rules that, if approved, would impose strict monitoring and reporting requirements on cryptocurrency transactions. Such changes would significantly limit the appeal of cryptocurrency by eliminating much of its anonymity and independence from governments and financial institutions.
In line with this wider effort, OFAC is likely to increasingly pursue enforcement actions against companies that fail to implement compliance measures for cryptocurrency transactions comparable to those required for traditional financial transactions. The BitPay settlement represents the latest stage in OFAC’s increasing focus on cryptocurrency sanctions violations.
In this environment, cryptocurrency companies will increasingly be expected to meet the heightened sanctions compliance standards similar to those required in traditional financial institutions and money transfers. Established financial institutions entering cryptocurrency (a process already underway due to market demand) may be well-positioned to leverage and adapt their existing regulatory compliance infrastructure to take on a larger role.
Any company that facilitates cryptocurrency transactions or accepts cryptocurrency payments should review OFAC’s guidance and industry best practices to develop an effective risk-based sanctions compliance program. In a previous post, we discussed the Framework for OFAC Compliance Commitments which details the basic elements all sanctions compliance programs should include. OFAC has also addressed several frequently asked questions regarding cryptocurrency specifically. At a minimum, companies should not enter into or facilitate any cryptocurrency transaction without first taking appropriate steps to verify the identity and location of all parties involved. If there is any indication that a transaction may have violated sanctions, OFAC may later treat it as an “apparent violation” absent evidence to the contrary. As the BitPay settlement demonstrates, OFAC considers it the company’s obligation to take reasonable steps to verify such information and the company’s burden to show that a violation did not occur.
Companies should also consider their reporting obligations to OFAC if they suspect that a cryptocurrency transaction violated sanctions. OFAC has extended the reporting requirements for financial transactions blocked due to sanctions to blocked cryptocurrency transactions. OFAC identified BitPay’s failure to voluntarily disclose apparent violations as an aggravating factor in determining BitPay’s penalty.
We will continue to monitor developments in this area. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.
 OFAC referred to these as “apparent violations” because the actual location and identity of these individuals was never confirmed.
 In September 2020, OFAC designated multiple anonymized “digital currency addresses” which had allegedly been used by Russia’s Internet Research Agency (“IRA”) to finance election interference operations in the US. OFAC has also designated digital currency addresses associated with North Korean and Iranian individuals.