21st October 2021

OFAC Issues Key Compliance Guidance for Virtual Currency Industry

The US Office of Foreign Assets Control (OFAC) has launched a new set of guidelines for financial sector compliance teams: Sanctions Compliance Guidance for the Virtual Currency Industry.

The guidance follows a recent report by the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) on ransomware trends, and an announcement by the Biden administration that it plans to regulate companies that issue stablecoins.

While they do not impose any new regulatory obligations, the guidelines provide a useful set of benchmarks for firms to assess the adequacy of their sanctions screening programs.

The OFAC report outlines a framework of the five essential components of a risk-based sanctions program: management commitment, risk assessment, internal controls, testing and auditing, and training. 

Best practice guidance included in the document covers: transaction monitoring and testing, know your customer (KYC) procedures, remediating root causes of violations, geolocation tools, and risk indicators.

Knowing how to block a virtual currency that breaks OFAC regulations is a key process outlined in the guidelines. They explain that once access to a currency is halted and assets are held and reported according to OFAC regulations, there is no obligation to convert the blocked virtual currency into traditional fiat currency or hold it in an interest-bearing account. Blocked virtual currency must be reported to OFAC within 10 business days, and then annually as long as it remains blocked. 

Sanctions screening takeaways

The guide cites a case from March 2020 where OFAC sanctioned two Chinese nationals involved in a North Korean state-sponsored money-laundering scheme. They received around $100m in virtual currency stolen from cyber intrusions against two virtual currency exchanges and had layered the funds in complex transactions, which included purchasing over $1m in digital music gift cards.

Key takeaways from this case include: “A comprehensive risk assessment that includes understanding who is accessing a company’s platform or services may help members of the virtual currency industry identify the appropriate screening standards to set for each of its products and services.”

Red flags that a transaction involves a person located in a sanctioned jurisdiction may come from address information provided by a customer, information contained in email addresses, or invoice and other transactional information, among other sources. Reviews of these sources of information should be included in the sanctions screening process. 

OFAC suggests that screening-related best practices should include: 

  • Screening customer information against OFAC-administered sanctions lists when onboarding 
  • Screening transactions to identify addresses and other relevant information with potential links to sanctioned persons or jurisdictions 
  • Utilizing fuzzy logic capabilities to pick up alternative spellings and misspellings and variations on capitalization, spacing, or punctuation for names of persons listed on OFAC sanctions lists 
  • Ongoing sanctions screening and risk-based re-screening to cover updated customer information, updates to OFAC sanctions lists, or changes in regulatory requirements

Internal controls should identify, interdict, escalate, report (as appropriate), and maintain records for transactions or activities prohibited by OFAC-administered sanctions, enabling due diligence and helping identify ‘red flags’ of illicit activity or compliance breakdowns.

“Implementing internal controls to screen available data and block activity involving certain IP addresses can prevent sanctions violations,” the report states. 

The OFAC guidance notes that monitoring and investigation software can help identify transactions involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities. 

This can help prevent transfers to addresses associated with sanctioned persons and avoid violations of US sanctions. Transaction monitoring and investigation tools should also continually review historical information for such addresses or other identifying information, to better understand their exposure to sanctions risks and identify sanctions program deficiencies. 

Cryptocurrency enforcement

While the role of cryptocurrencies in sanctions evasion is still relatively small compared to fiat currencies, the OFAC guidance is an important resource for compliance teams dealing with an evolving virtual currency threat. 

In a sign of the Biden administration’s growing focus on virtual currencies, this month the Justice Department created a National Cryptocurrency Enforcement Team to tackle investigations and prosecutions of criminal misuses of cryptocurrency and recover illicit proceeds from these crimes. 
