On October 18, 2021, the U.S. Department of the Treasury (finally) released the results of its top-down review of the economic and financial sanctions that it administers and enforces. Of note, Treasury’s review found that while sanctions remain an essential and effective foreign policy tool, new challenges have arisen that affect the effectiveness of sanctions, including the risks from new payment systems and the growing use of digital assets.
Additionally, on October 15, 2021, the Treasury Department published several new items impacting the virtual currency industry. Notably, the Treasury Department’s Office of Foreign Assets Control (OFAC) published its first ever comprehensive Sanctions Compliance Guidance for the Virtual Currency Industry, which further clarifies OFAC’s sanctions compliance expectations for those in the virtual currency industry. OFAC also updated Frequently Asked Questions (FAQs) 559 and 646. Additionally, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) published the Financial Trend Analysis – Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021, which highlights ransomware patterns and trend information identified in Bank Secrecy Act (BSA) data.
We address these new initiatives in greater detail below.
Sanctions Compliance Guidance for the Crypto Industry
OFAC’s Virtual Currency Compliance Guidance is the first of its kind for the virtual currency industry and builds on prior OFAC guidance for compliance best practices, including OFAC’s Framework for Compliance Commitments (May 2019). OFAC’s new Virtual Currency Compliance Guidance provides an overview of OFAC sanctions, including who must comply, reporting requirements, and consequences for non-compliance.
The Guidance also provides an in-depth discussion of best sanctions compliance practices for those in the virtual currency industry. Notably, OFAC details the five essential components of a sanctions compliance program, much of which is sourced from OFAC’s Framework for Compliance Commitments. Those pillars include management commitment, training, risk assessment, testing or auditing, and internal controls. OFAC strongly encourages a risk-based approach to sanctions compliance, since there is no single compliance program or solution that is suitable for every entity – rather, each entity should assess the sanctions risks presented by its particular business.
For those in the virtual currency industry, OFAC advises that at the very minimum, sanctions compliance programs should include sanctions list and geographic screening, including the incorporation of geolocation tools (such as IP address blocking controls). For example, companies that onboard customers and process transactions should incorporate geolocation tools and IP address blocking controls to identify and prevent IP addresses that originate in sanctioned jurisdictions from accessing the services provided. OFAC also noted that analytic tools can identify IP misattribution, for example, by screening IP addresses against known virtual private network (VPN) IP addresses and identifying improbable logins.
Additionally, OFAC advised that transaction monitoring and investigation software can be used to identify transactions involving virtual currency addresses or other identifying information (e.g., originator, beneficiary, etc.) associated with sanctioned individuals and entities listed on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List). In 2018, OFAC for the first time began identifying virtual currency addresses on the SDN List. Accordingly, incorporating transaction monitoring can help mitigate the risk that sanctioned persons (or those located in sanctioned jurisdictions) access a particular virtual currency platform. OFAC also noted that, even if a virtual currency address is not explicitly included on the SDN List, industry participants should look out for associated addresses. Technology such as “clustering” can detect possible sanctions nexuses and could be an important sanctions risk mitigation tool for those operating in the virtual currency space.
Additionally, OFAC’s Guidance addressed customer and counterparty screening best practices, including the following:
- Screening customer information at onboarding against OFAC-administered sanctions lists, including the SDN List.
- Screening transactions to identify addresses, including physical, digital wallet, IP addresses, and other relevant information with potential links to sanctioned persons or jurisdictions.
- Utilizing screening tools’ “fuzzy logic” capabilities to account for common name variations and misspellings.
- Ongoing sanctions screening and risk-based re-screening to address updated customer information or changes in regulatory requirements.
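As an added illustration of the screening practices listed above (not code from OFAC’s guidance or from the authors), the following Python example combines a fuzzy name match, an IP check against blocked and known-VPN ranges, and an exact wallet-address match at onboarding. The list entries, network ranges (reserved documentation ranges used as stand-ins), wallet string, 0.85 threshold and function names are all constructed assumptions.

```python
import ipaddress
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: not real SDN entries and not real geolocation data.
LISTED_NAMES = ["Ivan Petrovich Sidorov", "Example Trading Company LLC"]
LISTED_WALLETS = {"1ExampleListedWalletAddr000000000"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]    # stand-in for a sanctioned jurisdiction
KNOWN_VPN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for a VPN exit list
NAME_THRESHOLD = 0.85  # assumed value; set it from the program's own risk assessment


def normalize_name(name):
    """Lower-case, strip accents and punctuation, and sort tokens so word order is ignored."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = "".join(c if c.isalnum() else " " for c in text.lower()).split()
    return " ".join(sorted(tokens))


def name_score(candidate, listed):
    """Similarity in [0, 1] between two names after normalization."""
    return SequenceMatcher(None, normalize_name(candidate), normalize_name(listed)).ratio()


def screen(name, ip, wallet):
    """Return a list of (check, detail) hits; an empty list means nothing matched."""
    hits = []
    best = max(LISTED_NAMES, key=lambda listed: name_score(name, listed))
    score = name_score(name, best)
    if score >= NAME_THRESHOLD:
        hits.append(("name", f"{best} ({score:.2f})"))
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        hits.append(("ip_jurisdiction", ip))
    if any(addr in net for net in KNOWN_VPN_NETWORKS):
        hits.append(("ip_vpn", ip))
    # Wallet addresses are compared exactly; many address formats are case-sensitive.
    if wallet.strip() in LISTED_WALLETS:
        hits.append(("wallet", wallet.strip()))
    return hits


if __name__ == "__main__":
    # Reordered and misspelled name, blocked-range IP, listed wallet: three hits.
    print(screen("Sidorov, Ivan Petrovitch", "203.0.113.7", "1ExampleListedWalletAddr000000000"))
```

A hit from any check is a reason to hold the onboarding or transaction for review; re-running `screen` whenever the lists or customer details change corresponds to the ongoing re-screening item.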
OFAC also addressed the importance of remediation following a sanctions violation or detecting a weakness in a company’s sanctions compliance controls, including root cause analyses. In particular, OFAC detailed the actions that companies in the virtual currency industry have taken to remediate the root causes of their apparent violations of OFAC sanctions, including implementing IP address blocking and email-related restrictions for sanctioned jurisdictions, creating keyword lists of a sanctioned jurisdiction’s cities and regions to be used for KYC screening, reviewing and updating end-user agreements to include U.S. sanctions representations and warranties, conducting retroactive batch screening, and implementing OFAC-related training and hiring additional sanctions compliance personnel.
Finally, OFAC identified numerous red flags (or risk indicators) that may indicate a sanctions nexus to a customer or particular transaction, including inaccurate or incomplete customer information provided during KYC or onboarding, attempts to access a virtual currency exchange from an IP address or VPN connected to a sanctioned jurisdiction, and refusing to provide updated customer information, among other indicators. OFAC also discussed the best methods for testing and/or auditing the effectiveness of a sanctions compliance program, as well as tips for sanctions training.
As noted above, OFAC also updated FAQs 559 and 646, reflecting refined best practices for blocking digital assets and an updated background overview of virtual currencies.
Ransomware Trends in Bank Secrecy Act (BSA) Data
FinCEN’s recent Financial Trend Analysis focused on ransomware pattern and trend information from Bank Secrecy Act data between January 2021 and June 2021. The Analysis was issued pursuant to Section 6206 of the Anti-Money Laundering Act of 2020 (AMLA), which requires FinCEN to publish threat pattern and trend information derived from financial institutions’ suspicious activity reports (SARs).
FinCEN’s Financial Trend Analysis found that ransomware is an increasing threat to the U.S. financial sector, businesses, and the public. Notably, the total number of SAR filings relating to ransomware payments has grown rapidly, with 635 SARs filed and 458 transactions reported between January 1, 2021 and June 30, 2021, which is an increase of 30 percent from the total of 487 SARs filed during the entirety of the 2020 calendar year.
Importantly, the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeded the total value reported for the entirety of 2020 ($416 million), thus demonstrating the increased focus on ransomware payments by regulated financial institutions (and also the likelihood that ransomware attacks have increased during that time period as well).
Treasury’s Sanctions Review
Treasury’s Review, which was published on October 18, 2021, reflected a broad assessment of the economic and financial sanctions that the Treasury Department administers and enforces. Of note, the Review found that while sanctions remain an essential and effective policy tool, they also face challenges, such as the growing use of new payment systems, digital assets, and the activities of cybercriminals. Additionally, Treasury found that sanctions can be more carefully crafted to limit the impact on legitimate humanitarian aid.
Treasury’s recommendations included a renewed focus on multilateral coordination; modernizing Treasury’s sanctions technology, workforce, and infrastructure (including to respond to the challenges posed by digital assets); adopting a structured policy framework that links sanctions to a clear policy objective; and ensuring that sanctions are easily understood, enforceable, and reversible.
In summary, Treasury’s recent announcements further reflect the changing regulatory environment for digital assets, including a renewed focus on sanctions evasion and ransomware. We expect regulators to continue that focus going forward, as regulatory scrutiny of the cryptocurrency and blockchain industries expands.