Skip to content

Discerning Data

  • About Us
  • Additional Resources
  • Contact Us

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

  • Privacy
  • Cybersecurity
  • Data Strategy
  • Disruptionware

OFAC Issues Sanctions Compliance Guidance for Virtual Currencies

Share

In October, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published new guidance for the virtual currency industry focusing on compliance with the financial industry’s obligations related to U.S. economic sanctions.

OFAC administers and enforces economic sanctions against targeted and/or sanctioned foreign countries, geographic regions, entities, and individuals to further U.S. foreign policy and national security goals.

As noted in the new guidance, virtual currencies now playing an increasingly prominent role in the global economy. The growing relevance of virtual currency, both as an investment and as a payment method, brings greater exposure to sanctions risks. Specifically, there is an increased risk that a sanctioned entity or an entity in a jurisdiction subject to sanctions might use virtual currency as an alternative to fiat currency in an effort to avoid U.S. sanctions. As such, the OFAC guidance specifically targets technology companies, virtual currency exchanges, virtual currency administrators, virtual miners, digital currency wallet providers, and users.

Once a U.S. person or entity determines that they hold virtual currency that is required to be blocked pursuant to OFAC’s regulations, the U.S. person must deny all parties access to that virtual currency, ensure that they comply with OFAC regulations related to the holding and reporting of blocked assets, and implement controls that align with a risk-based approach.

OFAC publishes lists of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country specific. Any virtual currency owned by an individual or entity on one of those prohibited lists must be blocked, held, and reported.

OFAC further outlined this process in a second, new FAQ. As an example, a U.S. virtual currency company that maintains multiple virtual currency wallets realized that a blocked person has an interest in those virtual currency wallets. The U.S. company may choose to block each virtual currency wallet or opt to consolidate and then block wallets that contain blocked virtual currency.

According to OFAC, each of these solutions is consistent with OFAC requirements for holding blocked property, so long as there are controls that will allow the virtual currency to be unblocked and returned to its owner only pursuant to an OFAC authorization or when the legal prohibition requiring the blocking of the virtual currency ceases to apply.

Individuals and companies are not obligated to convert the blocked virtual currency into traditional fiat currency and are not required to hold such blocked property in an interest-bearing account. Blocked virtual currency must be reported to OFAC within 10 business days, and thereafter on an annual basis, so long as the virtual currency remains blocked.

Revised Framework for Compliance Commitments

The new OFAC guidance also provided additional resources for U.S. based virtual currency providers as they develop monitoring and risk-based sanctions compliance programs. OFAC notes that a good compliance program includes, at a minimum, the following: (1) management commitment; (2) risk assessments; (3) internal controls; (4) testing and auditing; and (5) training.

Management Commitment

OFAC notes that senior management’s commitment to, and support of, an organization’s risk-based sanctions compliance program is one of the most important factors in determining its success.

Risk Assessments

Risk assessments should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.

This process will help the organization identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited entities. For example, an organization may conduct an assessment its customers, supply chain, and intermediaries. It may also review the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems.

Finally, the organization should review the geographic locations of its customers, supply chain, and intermediaries.

Internal Controls

An effective compliance program, OFAC notes, should include internal controls, policies, and procedures which will identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by sanctions.

Testing and Auditing

OFAC recommends that U.S. based entities assess the effectiveness of their current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective audit will ensure that an organization can identify program weaknesses and deficiencies.

Training

U.S.-based entities should consider implementing a training program and provide training to all appropriate employees and personnel on a periodic basis. The training program generally should accomplish the following: (i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.

Virtual currencies are becoming more common, so companies should be aware of their risks and the requirements that come along with them. For additional assistance, please contact a member of Faegre Drinker’s privacy and cybersecurity team.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Peter Baldwin

Peter Baldwin draws on his experience as a former federal prosecutor to counsel clients facing government investigations and cybersecurity issues. View Peter's full bio on the Faegre Drinker website.

About the Author: Jason G. Weiss

Jason G. Weiss leverages a past career as a cybersecurity and computer forensics Supervisory Special Agent with more than 22 years of decorated service at the FBI to guide clients through the complex and high-stakes issues associated with cybersecurity incident preparedness and response and compliance. View Jason's full bio on the Faegre Drinker website.

About the Author: Grayson Harbour

Grayson Harbour is an associate in the firm's Labor & Employment practice group. Read Grayson's full bio on the Faegre Drinker website.

Receive Email Alerts to New Articles

SUBSCRIBE

December 13, 2021
Written by: Peter Baldwin, Jason G. Weiss and Grayson Harbour
Category: Cybersecurity, Financial Services
Tags: cryptocurrency, OFAC, virtual currency

Post navigation

Previous Previous post: Faegre Drinker on Law and Technology Podcast: A Primer on Cryptocurrency
Next Next post: FTC Staff Report on ISP Privacy Practices Paves the Way for an FTC Privacy Rulemaking in the New Year

Search the Blog

Sign Up for Email Alerts

PODCASTS

Faegre Drinker on Law and Technology

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

  • About Us
  • Additional Resources
  • Contact Us
We use cookies to improve your experience with our website. By browsing our site, you are agreeing to the use of cookies. For more information about how we use cookies, please review our privacy policy and cookie policy. OK
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT