Takeaways from OFAC’s Sanctions Compliance Guidance for Virtual Assets and Cryptocurrency

Matt Stankiewicz, Partner at The Volkov Law Group, joins us for a post on sanctions compliance in the cryptocurrency industry. Matt can be contacted at MStankiewicz@volkovlaw.com.


In early October, OFAC released a guidance brochure on sanctions compliance, specifically tailored for the cryptocurrency and virtual assets industry.  For seasoned compliance veterans, it ends up reading like a refresher course for sanctions compliance.  While the guidance was created specifically for the virtual currency industry, it is not overly technical in that regard.  It can actually serve as a good introduction to sanctions compliance for newer professionals, regardless of industry, and does not require any kind of specialized knowledge of virtual assets. 

The guidance starts with a very foundational outline of sanctions regulations by describing what OFAC is. It then continues by outlining the different types of sanctions regulations – including broad embargoes, government or regime-specific sanctions, list-based sanctions, and sectoral sanctions – along with examples of each. When discussing the SDN List, the guidance provides several examples of the types of entities that it includes – individuals, organizations, companies, and even maritime vessels. Later on, OFAC notes that several wallet addresses are included on the SDN List as well. The point was made clear: just about anything can be designated, and it’s up to companies to know who they’re doing business with, whether customers, suppliers, vendors, or otherwise. The guidance continues by discussing what constitutes a “U.S. Person,” reporting and recordkeeping requirements, general and specific licenses, and consequences of noncompliance.


The guidance goes on to note that OFAC expects a “risk-based” approach for sanctions compliance. This means that there is no single one-size-fits-all approach to compliance, and what may apply to one company may not apply to another. Rather, OFAC highlights five essential components as the foundation of any effective sanctions compliance program. These five components include management commitment, risk assessment, internal controls, testing and auditing, and training. The guidance then dives a little deeper into each element. With regard to management commitment, OFAC does make an important observation. They note that too often they have seen virtual asset companies implement sanctions compliance programs months or even years after beginning operations. OFAC instead suggests that compliance should be embedded much earlier, even during the beta testing phases, in order to ensure effective compliance with sanctions regulations and to avoid potential future enforcement actions.

The internal controls will also vary based on the company’s risk assessment. For example, companies can utilize a variety of methods and tools to execute KYC during the onboarding phase. Does a company need to have selfies and biometrics to verify the identity of a user? It’s certainly not mandatory and could be wildly unnecessary depending on the business. And an invasive KYC process may not even be necessary if it’s buttressed with a strong transaction monitoring program once the user is onboarded. All that said, OFAC specifically recommends implementing geolocation tools to identify a user’s country of origin and restricting those from embargoed countries.


While the guidance provides a very good introductory lesson in sanctions compliance, it does stop short of providing in-depth technical guidance on how to best implement some of its suggestions or recommendations. A major struggle for the industry is just how these virtual asset projects fit within the current regulatory environment – whether sanctions or otherwise. While that may sound ridiculous to many on the outside, know that a lot of cryptocurrency projects are designed to be decentralized, without a large organization running them, but rather with a handful of developers who fix any bugs that may arise, though they are not actually in “control.” The protocol will continue to run and function on its own once it’s active. A prime example here is OFAC’s simplistic answer to the question of “how do you ‘block’ virtual currency?” OFAC simply notes that you “must deny all parties access to that virtual currency” if the assets belonging to a restricted party come into your possession. Sounds simple, but can be difficult, if not impossible, for many decentralized protocols. Unfortunately, OFAC does not provide any further substantive advice. So, again, while this guidance may do well to lay the foundation of sanctions compliance, it stops short of providing anything new for industry veterans.
