Virtual Currency Platforms and Ransomware Attacks: OFAC Advisories Highlight Increasing Overlap of Sanctions and Cybersecurity Risks Associated with Virtual Currency Platforms and Ransomware Attacks (Part II of II)

by John Barker, Ronald Lee, Soo-Mi Rhee, Tal Machnes, and Christine Choi 

This is Part II of a two-part post. For Part I, which outlines two OFAC advisory opinions on US sanctions risks associated with cyber-related activities, including virtual currency platforms, click here.

Focus on Virtual Currency Platforms

OFAC’s increased focus on cybersecurity, generally, has also put a spotlight on the sanctions risks specific to the virtual currency industry. Indeed, concurrent with the release of its September 2021 Updated Advisory, OFAC added SUEX OTC, S.R.O. (SUEX), a Russian virtual currency exchange, to the SDN List for facilitating financial transactions for ransomware actors—the first such designation of a virtual currency exchange. According to Treasury, over 40% of SUEX’s known transactions were associated with illicit actors, and the exchange facilitated transactions involving at least eight ransomware variants. In designating SUEX, Treasury observed that the virtual currency sector plays a “critical role” in sanctions compliance.[1]

October 15, 2021 Guidance on Sanctions Compliance for the Virtual Currency Industry

Less than a month after OFAC issued its Updated Ransomware Advisory and added SUEX to the SDN List, the role of virtual currency platforms in potential US sanctions violations was front and center again. On October 15, 2021, OFAC issued Sanctions Compliance Guidance for the Virtual Currency Industry (Virtual Currency Guidance), calling upon the virtual currency industry to help ensure that their platforms are not used as a vehicle to violate or evade US sanctions laws. OFAC’s Virtual Currency Guidance also reminded those in the industry that they themselves are responsible for ensuring they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, including: (1) dealings with blocked persons or property, or (2) engaging in prohibited trade- or investment related transactions. For example, OFAC emphasized, if a US person determines that they are in possession of virtual currency that is blocked pursuant to OFAC regulations, the person must deny all parties access to that virtual currency, comply with OFAC regulations related to the holding and reporting of blocked assets, and implement controls to isolate the blocked property going forward.

Similar to OFAC’s September 21 Updated Advisory, the Virtual Currency Guidance not only reiterated US sanctions prohibitions for the virtual currency industry but also highlighted best practices and compliance measures—in order to “help members of the virtual currency industry navigate and comply with OFAC sanctions” and “in keeping with OFAC’s commitment to engage with the virtual currency industry to promote an understanding of, and compliance with, sanctions requirements.”[2] The five areas that OFAC views as “best practices” for sanctions compliance in this industry are as follows:

  • Management Commitment. The company’s senior management has a demonstrated commitment to sanctions compliance, generally; and to a sanctions compliance program, specifically. OFAC’s Virtual Currency Guidance indicates that management may make such a showing by, for instance: (1) reviewing and endorsing compliance policies and procedures; (2) ensuring adequate resources for compliance functions; (3) delegating sufficient authority to any compliance unit; and (4) appointing a dedicated sanctions compliance officer.[3]
  • Risk Assessment. The company administers routine risk assessments to identify potential sanctions issues it is likely to encounter. According to OFAC, risk assessments allow companies to identify potential areas in which it may, directly or indirectly, engage with OFAC-sanctioned persons, countries, or regions—for instance, by taking a complete inventory of the entity’s “touchpoints to foreign jurisdictions or persons.” Such assessments are also “integral to developing effective sanctions compliance policies, procedures, internal controls, and training in order to mitigate exposure to sanctions risks.” As for the virtual currency industry, specifically, OFAC’s guidance states that risk assessments “should reflect a company’s customer or client base, products, services, supply chain, counterparties, transactions, and geographic locations, and may also include evaluating whether counterparties and partners have adequate compliance procedures.”[4]
  • Internal Controls. The company’s sanctions compliance program includes controls to identify, interdict, and report transactions or activities prohibited by OFAC-administered sanctions, including due diligence on customers, business partners, and transactions.[5] As part of such a program, the guidance sets forth additional best practices, including:
    • Geolocation tools and IP address controls to block IP addresses that originate in sanctioned jurisdictions.
    • Know Your Customer (KYC) procedures, including gathering names, IP addresses, and other identifying customer information.
    • Transaction monitoring and investigation software to identify transactions involving virtual currency addresses or other information associated with sanctioned individuals, entities, and jurisdictions.
    • Implementing remedial measures to address weaknesses in internal controls, including IP address blocking; screening KYC information; updating end-user agreements to include sanctions information; conducting retroactive batch screening; implementing training; and hiring compliance staff.
    • Sanctions screening, including screening customer information against OFAC-administered lists.
  • Testing and Auditing. The company subjects its sanctions compliance program to ongoing testing and auditing to ensure that it works as expected and planned. Basic testing and auditing functions include: ensuring any screening and blocking measures are functioning properly; procedures for investigating transactions identified through the screening process as having a sanctions nexus; and procedures for blocked property or rejected transaction reporting to OFAC.[6]
  • Training. The company provides periodic (at a minimum, annual) OFAC training to all appropriate personnel, including compliance, management, and customer service personnel, where the scope of such training is “informed by the size, sophistication, and risk profile of the company.”[7] In the Virtual Currency Guidance, OFAC makes clear that “training for the virtual currency industry should account for frequent changes and updates to sanctions programs, as well as new and emerging technologies in the virtual currency space.” Finally, OFAC expects that, as part of a company’s sanctions compliance program as a whole, companies will “hold employees accountable for meeting training requirements through the use of assessments.”
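The internal controls OFAC lists above (IP geolocation blocking, KYC screening against OFAC-administered lists, screening of counterparty virtual currency addresses, and retroactive batch screening) can be combined into one transaction-screening routine. The following is an added illustration, not code from the post or from any OFAC publication; every list entry, country code, IP address, and geolocation mapping in it is constructed sample data, and the transaction and result types are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for OFAC-administered lists and a
# geolocation service. None of these values are real SDN entries.
SDN_NAMES = {"example sanctioned trading ltd"}
SDN_ADDRESSES = {"bc1qexamplesanctionedaddress0000000000000000"}
SANCTIONED_COUNTRIES = {"CU", "SY"}            # placeholder jurisdiction codes
IP_GEO = {"203.0.113.5": "CU", "198.51.100.9": "US"}  # constructed IP -> country


@dataclass
class Transaction:
    tx_id: str
    customer_name: str        # KYC name on file
    login_ip: str             # IP observed at login
    counterparty_address: str # virtual currency address on the other side
    amount: float


@dataclass
class ScreeningResult:
    tx_id: str
    action: str               # "allow" or "block"
    reasons: list = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Case- and whitespace-insensitive form used for list matching."""
    return " ".join(name.lower().split())


def screen(tx: Transaction, geo=IP_GEO) -> ScreeningResult:
    """Apply the three controls to one transaction; any hit blocks it."""
    reasons = []
    country = geo.get(tx.login_ip, "UNKNOWN")
    if country in SANCTIONED_COUNTRIES:
        reasons.append(f"login IP geolocates to sanctioned jurisdiction {country}")
    if normalize_name(tx.customer_name) in SDN_NAMES:
        reasons.append("KYC name matches SDN list")
    if tx.counterparty_address in SDN_ADDRESSES:
        reasons.append("counterparty address matches SDN list")
    action = "block" if reasons else "allow"
    return ScreeningResult(tx.tx_id, action, reasons)


def batch_screen(history: list) -> list:
    """Retroactive batch screening: re-run controls over past transactions
    after a list update and return only the ones that now hit."""
    return [r for r in (screen(tx) for tx in history) if r.action == "block"]
```

A blocked result is the trigger for the steps the post describes: deny access to the property, isolate it, and report it to OFAC.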

As in the Updated Ransomware Advisory that OFAC released last month, the Guidance notes that, in considering whether to pursue a potential enforcement action against a virtual currency platform, OFAC will consider as mitigating factors the company’s implementation of a risk-based OFAC compliance program; remedial measures taken in response to an apparent violation; and whether the company voluntarily self-discloses the issue to OFAC.[8]

Several recent enforcement actions illustrate OFAC’s consideration of such factors. For example, on December 30, 2020, OFAC announced a settlement with BitGo, Inc.—a US company that offers digital asset custody, trading, and financing services internationally—for processing virtual currency transactions on behalf of individuals who appeared to be located in sanctioned jurisdictions.[9] Though BitGo tracked its users’ IP addresses when users logged in for security purposes, BitGo failed to prevent use of its service by individuals whom it had reason to know were located in sanctioned regions, such as Cuba and Syria. Given the number of transactions that OFAC identified as apparent violations, BitGo could have been subject to a civil penalty as high as $53,051,675.[10] Yet OFAC agreed to settle the claims for $98,830, noting that the following mitigating factors, among others, were present: BitGo cooperated with OFAC’s investigation and invested in significant remedial measures in response (including hiring a compliance officer and implementing IP address blocking and SDN List screening). Likewise, a February 2021 settlement with BitPay, Inc.—a US virtual currency payment service provider that had processed virtual currency transactions between the company’s customers and persons in sanctioned jurisdictions—involved similar aggravating and mitigating factors.

In short, OFAC’s Virtual Currency Guidance is yet another example of the US government’s ongoing efforts to incentivize cooperation with US law enforcement (including by virtual currency exchanges) in the face of a cyberattack, as well as to encourage companies to preemptively analyze whether their systems are adequately protected against cyberattacks—including the risk that any cyberattack (such as a ransomware attack) may cause a company to implicate US sanctions laws.

OFAC’s September and October 2021 advisories provide a number of key takeaways for all companies dealing with cryptocurrency and other cybersecurity issues, including the corresponding potential sanctions risks. Most importantly, they highlight OFAC’s heightened focus on cybersecurity issues as a general matter, and put financial institutions, virtual currency platforms, and other companies on notice of OFAC’s expectations for how the private sector should deal with these issues. Companies should strongly consider heeding OFAC’s calls to implement preemptive compliance measures (such as data backup, incident response plans, screening and blocking protocols, and company training) and/or to cooperate with US law enforcement in the face of an attack—the best ways to mitigate today’s increasing number of cybersecurity-related landmines.

[1] OFAC Press Release, Treasury Takes Robust Actions to Counter Ransomware: Targets First Virtual Currency Exchange for Laundering Cyber Ransoms (Sept. 21, 2021).

[2] OFAC Press Release, Publication of Sanctions Compliance Guidance for the Virtual Currency Industry and Updated Frequently Asked Questions (Oct. 15, 2021).

[3] See OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (Oct. 2021).

[4] Id. at 12.

[5] See id. at 13-17.

[6] Id. at 18.

[7] Id. at 19.

[8] Id. at 5-6, 9, 12, 14, 16.

[9] See also Arnold & Porter Enforcement Edge Blog, Bits Too Far: Digital Wallet Company Settles OFAC Sanctions Violations (Jan. 15, 2021).

[10] See OFAC Enforcement Release, OFAC Enters Into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Dec. 30, 2020), at 2.

John Barker, Ronald Lee, and Soo-Mi Rhee are partners, Tal Machnes is a senior associate, and Christine Choi is an associate, at Arnold & Porter. Law clerk Maya Kouassi also contributed to this post. She is not admitted to the practice of law.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.