by Britt Mosman, David Mortlock, Elizabeth P. Gray, J. Christopher Giancarlo, and Samuel Hall
This is Part II of a three-part post. For Part I, providing an overview of sanctions compliance issues for the cryptocurrency industry, click here. Part III will discuss restricted transactions, blocking and rejecting crypto transactions, and compliance considerations.
Blocked Coins
Fortunately, there are some clear rules of the road. Certain cryptocurrencies have been blocked outright, and U.S. persons are prohibited from dealing in them or facilitating any dealings in them. In March 2018, President Trump issued Executive Order 13827 to prohibit U.S. persons from dealing in digital currencies that were issued by, for, or on behalf of the Government of Venezuela after January 9, 2018. The Order was a response to the Maduro regime’s launch of its own sovereign cryptocurrency, the “Petro,” in part to circumvent U.S. sanctions.
As a result of Executive Order 13827, no U.S. person may take part in any transaction that utilizes digital currencies put out by the Venezuelan government, such as “Petro” and “Petro Gold.”[1] This Order carries increased importance as recent reporting suggests that the Maduro regime aims to direct significant future transactions toward government-backed digital coins.[2]
Blocked Persons
Although broad restrictions on specific coins are fairly easy to avoid, others are far less so. The more difficult restrictions for compliance purposes center around blocked persons. As noted above, U.S. persons are prohibited from engaging in transactions involving the property and interests in property of blocked persons, regardless of whether the transactions are denominated in traditional fiat or digital currency. OFAC appears to be focusing its efforts to crack down on prohibited transactions using cryptocurrencies that involve so-called “Specially Designated Nationals and Blocked Persons” or “SDNs.” To that end, OFAC has taken a number of actions in which it has identified digital currency addresses associated with targeted SDNs and added the addresses to the OFAC-administered “SDN List,” thereby making that blockchain attribution public. This allows crypto sector participants to more easily screen for digital currency payments associated with SDNs and to conduct lookbacks on prior activity. OFAC will likely continue to add digital currency addresses to the SDN List, especially given the lack of traditional identifiers (such as names and dates of birth) in the digital currency context.
The scope of prohibited crypto transactions involving SDNs is extremely broad. Guidance from OFAC shows that blocking restrictions will extend to indirect benefits to, or involvement of, blocked entities in a transaction or dealing, including bans on “enter[ing] into contracts that are signed by” a blocked entity[3] and participating in negotiations with a blocked entity.[4] This illustrates how essentially any transactions—from simple transfers of digital coins to smart contracts—involving cryptocurrencies associated with an SDN, or with an entity 50% or more owned by an SDN,[5] and a U.S. person can result in a sanctions violation. What is more, even if a crypto address is not known to be associated with an SDN at the time of a transaction, transactions involving an address that is later linked to an SDN could be considered a violation, so long as the transaction occurred after the SDN was designated, given the strict liability nature of the OFAC sanctions regime (discussed above). Similarly, a digital asset in which a blocked person has an interest continues to be “blocked” property, regardless of the number of transfers away from a known blocked address. Transactions involving Mixers, Tumblers, and Chain Hopping, where the parties involved are obscured, are therefore at an increased risk.
Ransomware payments are a good example of how these sanctions-related implications present themselves in the market. Until recently, insurance providers have been generally willing to agree to reimburse ransomware payments, often in the form of cryptocurrencies, due to the enormous cost to rebuild systems and recover lost data following a ransomware attack. However, OFAC has designated several companies and actors associated with certain malware, including those associated with Cryptolocker, SamSam, WannaCry 2.0 and Dridex, which means that ransomware payments involving these persons (or any sanctioned jurisdiction) are prohibited.[6] As a result, many insurance companies have begun adding explicit exclusions to their cyber policies for ransomware payments to sanctioned actors or actors located in sanctioned jurisdictions. Given how many ransomware attacks carry “signatures” or other means to ascertain what actor is behind the attack, ransomware payments can carry significant risks under U.S. sanctions, especially when the victim knows the threat actor or does not take reasonable steps to ascertain who the threat actor is. OFAC guidance encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus.[7]
Sanctioned Regions
Relatedly, the United States also maintains country-wide embargoes on the exportation or importation of goods, services, or technology to various countries or areas, including the Crimea region of Ukraine, Cuba, North Korea, Iran, and Syria. Many of these countries, most notably North Korea, have large cryptocurrency holdings and are reportedly using digital currencies as a means of evading existing sanctions. As a result, any transaction associated with embargoed countries should be strictly avoided, unless authorized by OFAC.
The risks associated with embargoed countries are illustrated in OFAC’s February 18, 2021 settlement in the amount of approximately $500,000 with the Atlanta-based BitPay—a company that provides merchants the ability to accept digital currency as payment. As is detailed in OFAC’s enforcement release, OFAC determined that BitPay potentially violated its sanctions programs over 2,000 times, when it processed crypto transactions involving its merchants’ buyers, whose identification and location data (e.g., IP addresses, names, phone numbers, etc.) indicated they were located in sanctioned jurisdictions.[8] No more evidence was needed for OFAC to bring an enforcement action. OFAC determined that the apparent violations occurred because BitPay failed to screen the identification and location data of the ultimate customers (the buyers) of BitPay’s direct customers (the merchants).
However, OFAC gave mitigation credit to BitPay for implementing various measures to ensure against similar violations in the future, including:
- Blocking IP addresses that appear to originate in Cuba, Iran, North Korea, and Syria from connecting to the BitPay website or from viewing any instructions on how to make payment;
- Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
- Launching “BitPay ID,” a new customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice equal to or above $3,000. As part of BitPay ID, the merchant’s customer must provide an email address, proof of identification/photo ID, and a selfie photo.[9]
These geographic restrictions present unique issues for certain coins. For example, recent reporting suggests that North Korea has invested in state-sponsored mining of Monero—a coin that has proven more difficult to trace than Bitcoin—as a means of evading existing sanctions.[10] This raises a host of difficult questions for Monero users and has almost certainly drawn the attention of OFAC. For example, if the North Korean government is mining, technically it is also validating individual transactions where its miners win the given block. U.S. persons should therefore be aware of the sanctions-related risks when undertaking any transactions involving digital currency that is validated or mined in a sanctioned jurisdiction. In turn, we must ask: would OFAC consider it a sanctions violation for a U.S. person to engage in a transaction that is validated by a miner in North Korea or another sanctioned jurisdiction? This is certainly a possible, even plain, reading of existing sanctions regulations, but the implications of that position could be catastrophic for cryptocurrencies, as it is almost certain that there are miners in embargoed countries at any given time for any given decentralized currency. Cryptocurrency users would, in effect, be rolling the dice every time they completed a transaction, hoping that a restricted miner did not randomly win the block. Similarly, U.S. miners who validate transactions for persons located in sanctioned jurisdictions also risk violating U.S. sanctions. This highlights the complexity and potential pitfalls that cryptocurrencies raise under U.S. sanctions regulations, and underscores the need for further guidance from OFAC.
Footnotes
[1] OFAC FAQ No. 564.
[2] See, e.g., Felipe Erazo, “Venezuelan President Maduro Promises 2021 Will Be the Year to Boost Usage of Petro,” Bitcoin News (Jan. 15, 2021), available online here.
[3] See OFAC FAQ No. 400.
[4] See OFAC FAQ, Nos. 505 and 547; see also OFAC, “Revised Guidance on Entities Owned by Persons Whose Property and Interests in Property Are Blocked” (August 13, 2014), available online here (PDF: 76 KB) (stating that U.S. persons “may not procure goods, services, or technology from, or engage in transactions with, a blocked person directly or indirectly (including through a third-party intermediary)” (emphasis added)).
[5] See U.S. Treasury Department, Revised guidance on entities owned by persons whose property and interest are blocked, available online here.
[6] See, e.g., Treasury Department, Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses (Press Release) Nov. 28, 2018, available online here.
[7] OFAC, “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (Oct. 1, 2020), available online here (PDF: 76 KB).
[8] U.S. Department of the Treasury, Enforcement Release: OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions, Feb. 18, 2021, available online here (PDF: 223 KB).
[9] Id.
[10] “North Korea appears to have expanded its crypto-mining operation,” MIT Technology Review (Feb. 11, 2021), available online here.
Britt Mosman, David Mortlock, and Elizabeth P. Gray are partners, J. Christopher Giancarlo is senior counsel, and Samuel Hall is an associate, at Willkie Farr & Gallagher LLP.
Disclaimer
The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.