OFAC reported two new enforcement actions in the week between Christmas and New Year’s.  The two new enforcement actions are interesting examples of sanctions enforcement, one of which involved the first against a digital currency company.

BitGo Settlement

BitGo, Inc. a technology platform that provides digital asset wallet management, agreed to pay $98,830 to settle 183 apparent violations of multiple sanctions programs, including the Crimea region of Ukraine, Cuba, Iran, Sudan and Syria.  BitGo failed to prevent customers located in these prohibited countries from using its secure digital wallet management service.

Between March 2015 and December 2019, BitGo processed 183 digital currency tranmsactions, totaling $9,127.79, on behalf of individuals, who, based on their IP addresses, were located in prohibited countries.

As outlined by OFAC, BitGo had “reason to know” that these customers were located in sanctioned jurisdictions based on the IP addresses associated with the devices to log in to the BitGo platform. BitGo failed to implement any sanctions controls to prevent these customers from accessing its services.

BitGo used the IP address data to track its customers for security purposes but failed to use this information to ensure sanctions compliance.  Prior to April 2018, BitGo allowed individual users of its secure wallet management services to open an account by providing a name and an email address.  BitGo later amended this requirement to included verification of the customer’s country in which they were located. BitGo relied on a customer’s representation and took no steps to verify the customer’s actual location.

BitGo did not voluntarily disclose the conduct to OFAC.  It is likely that the conduct was reported by financial institutions involved in processing some of these transactions for BitGo.

After learning of the violations, BitGo implemented implemented remedial measures.  BitGo hired a Chief Compliance Officer and implemented a sanctions compliance policy. Including an IP address blocking protocol, as well as email restrictions for sanctioned jurisdictions.

National Commerce Bank Settlement

National Commerce Bank, a bank located in Jeddah, Saudi Arabia, agreed to pay $653,347 to settle 13 violations of Sudan and Syria-related sanctions programs.

Between November 2011 and August 2014, National Commerce Bank processed 13 United States dollars transactions totaling $5,918,560 that were transited through the U.S. financial system in violation of the then-applicable Sudan sanctions and Syria sanctions program.  The Sudan sanctions program was lifted on October 12, 2017.  The prohibited Sudanese and Syria parties were not customers of the National Commerce Bank.

National Commerce Bank voluntarily disclosed the eight violations of the Syria sanctions to OFAC, but did not voluntarily disclose the five violations of the Sudan sanctions program.  National Commerce Bank cooperated with OFAC’s investigation and conducted an extensive review of bank transactions.

National Commerce Bank also enhanced its compliance program by replacing its Board of Directors and senior executives and by implementing new sanctions screening software and new training procedures for bank personnel.  In addition, National Commerce Bank improved transparency of payment and non-payment messages to comply with Basel requirements and FATF recommendations that prohibit omission, deletion or alteration of information in payment messages or orders.