In October, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published new guidance for the virtual currency industry focusing on compliance with the financial industry’s obligations related to U.S. economic sanctions.
OFAC administers and enforces economic sanctions against targeted and/or sanctioned foreign countries, geographic regions, entities, and individuals to further U.S. foreign policy and national security goals.
As noted in the new guidance, virtual currencies now playing an increasingly prominent role in the global economy. The growing relevance of virtual currency, both as an investment and as a payment method, brings greater exposure to sanctions risks. Specifically, there is an increased risk that a sanctioned entity or an entity in a jurisdiction subject to sanctions might use virtual currency as an alternative to fiat currency in an effort to avoid U.S. sanctions. As such, the OFAC guidance specifically targets technology companies, virtual currency exchanges, virtual currency administrators, virtual miners, digital currency wallet providers, and users.
Once a U.S. person or entity determines that they hold virtual currency that is required to be blocked pursuant to OFAC’s regulations, the U.S. person must deny all parties access to that virtual currency, ensure that they comply with OFAC regulations related to the holding and reporting of blocked assets, and implement controls that align with a risk-based approach.
OFAC publishes lists of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country specific. Any virtual currency owned by an individual or entity on one of those prohibited lists must be blocked, held, and reported.
OFAC further outlined this process in a second, new FAQ. As an example, a U.S. virtual currency company that maintains multiple virtual currency wallets realized that a blocked person has an interest in those virtual currency wallets. The U.S. company may choose to block each virtual currency wallet or opt to consolidate and then block wallets that contain blocked virtual currency.
According to OFAC, each of these solutions is consistent with OFAC requirements for holding blocked property, so long as there are controls that will allow the virtual currency to be unblocked and returned to its owner only pursuant to an OFAC authorization or when the legal prohibition requiring the blocking of the virtual currency ceases to apply.
Individuals and companies are not obligated to convert the blocked virtual currency into traditional fiat currency and are not required to hold such blocked property in an interest-bearing account. Blocked virtual currency must be reported to OFAC within 10 business days, and thereafter on an annual basis, so long as the virtual currency remains blocked.
Revised Framework for Compliance Commitments
The new OFAC guidance also provided additional resources for U.S. based virtual currency providers as they develop monitoring and risk-based sanctions compliance programs. OFAC notes that a good compliance program includes, at a minimum, the following: (1) management commitment; (2) risk assessments; (3) internal controls; (4) testing and auditing; and (5) training.
OFAC notes that senior management’s commitment to, and support of, an organization’s risk-based sanctions compliance program is one of the most important factors in determining its success.
Risk assessments should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.
This process will help the organization identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited entities. For example, an organization may conduct an assessment its customers, supply chain, and intermediaries. It may also review the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems.
Finally, the organization should review the geographic locations of its customers, supply chain, and intermediaries.
An effective compliance program, OFAC notes, should include internal controls, policies, and procedures which will identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by sanctions.
Testing and Auditing
OFAC recommends that U.S. based entities assess the effectiveness of their current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective audit will ensure that an organization can identify program weaknesses and deficiencies.
U.S.-based entities should consider implementing a training program and provide training to all appropriate employees and personnel on a periodic basis. The training program generally should accomplish the following: (i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.
Virtual currencies are becoming more common, so companies should be aware of their risks and the requirements that come along with them. For additional assistance, please contact a member of Faegre Drinker’s privacy and cybersecurity team.