Late last month, the Department of the Treasury announced that the Office of Foreign Assets Control (OFAC) had entered into a settlement with BitGo, Inc., a Silicon Valley company that offers "non-custodial secure digital wallet management services" for blockchain currencies, over its failure to prevent users in countries subject to US sanctions from using its services. Treasury stated that BitGo's culpability stemmed from its "[failure] to implement controls", such as IP-address blocking, designed to prevent such access.
Treasury's announcement highlights that at the time of the violations, BitGo did record its users' IP addresses but did not use them to filter out users located in sanctioned countries and territories. Until April 2018, users needed only a username and password to use BitGo's services. After April 2018, BitGo required users to self-identify their location, but did not verify those attestations against anything, even though it was already holding the IP-address data that would have contradicted them, collected for unrelated purposes. In OFAC's terms, BitGo therefore had "reason to know" of the violations.
Despite BitGo's knowledge of users' locations, users in the sanctioned jurisdictions of Crimea, Cuba, Iran, Sudan, and Syria were able to create and use digital currency wallets and engage in digital currency transactions on BitGo's platform, in violation of the applicable sanctions programs, including Executive Order 13685 (Crimea). Between March 2015 and December 2019, BitGo processed 183 digital currency transactions, totaling $9,127.79, for individuals whose IP addresses indicated that they were in sanctioned jurisdictions.
To settle the claims, BitGo agreed to pay $98,830, more than ten times the total value of the underlying transactions. Given the number of transactions, OFAC could potentially have fined BitGo significantly more. Still, the settlement is unusual: OFAC settlements rarely exceed the total value of the underlying transactions.
A Shot Across the Bow
BitGo's case may be a harbinger of OFAC enforcement actions to come. Treasury noted that BitGo is a relatively small company that had not received a penalty notice or a finding of violation from OFAC in the preceding five years. But it focused on the fact that BitGo clearly had the means to recognize that users were accessing the service from sanctioned jurisdictions, and indeed was already collecting the data needed to screen for sanctions violations.
All app developers building products for the global market that permit in-app purchases or intra-app transactions, or any other activity that might bring them within US sanctions law (including the provision of any services from US-based web servers), should pay attention. Treasury's message is clear: if developers subject to US sanctions law are collecting geolocation data from their users for any reason, they should use it for sanctions compliance as well.
What is not clear is whether this means that app developers must collect geolocation data specifically for sanctions compliance purposes. Depending on the services provided, doing so may nonetheless make sense. In particular, if a US-based service provider is facilitating financial transactions, it may be prudent to collect geolocation data, because the US government is likely to keep pursuing services that could let sanctioned persons bypass the global banking system, which has become highly sensitive to the US sanctions regime.
Comply Now or Comply Later
BitGo's settlement amount was reduced by "mitigating factors" under OFAC's Enforcement Guidelines. In particular, BitGo (1) cooperated with OFAC's investigation into the apparent violations, and (2) made "significant" investments in remedial compliance measures, including hiring a chief compliance officer and implementing a robust OFAC policy incorporating several technical controls: IP-address blocking for sanctioned jurisdictions, periodic batch screening of existing accounts, recordkeeping procedures, and regular reviews of the screening configuration criteria.
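The three technical controls named in that list (blocking at the point of access, cross-checking a self-attested location against the IP-derived one, and periodically re-screening accounts that were onboarded before the controls existed) are small enough to show in code. The following is an added illustration written for this article, not BitGo's or OFAC's code. It assumes a longest-prefix IP-to-region table; the table here is constructed from RFC 5737 documentation ranges that carry no real geography and stands in for a GeoIP database. The blocked set uses ISO 3166-1 codes for the four countries named in the settlement plus the ISO 3166-2 subdivision code for Crimea (UA-43), because a country-level lookup alone reports Crimea as Ukraine and would miss it.

```python
"""Sanctions geo-screening gate: block at access, cross-check attestation, batch re-screen.

Added example for this article; not code from BitGo or OFAC.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Jurisdictions listed in the settlement, as of the period it covers.
# Country-level codes plus the subdivision code for Crimea, which a
# country-only lookup (UA) would not catch.
BLOCKED_REGIONS = frozenset({"CU", "IR", "SD", "SY", "UA-43"})

# Constructed stand-in for a GeoIP database: (network, region tag).
# RFC 5737 documentation prefixes; the geography assigned here is invented.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "CU"),
    (ipaddress.ip_network("198.51.100.0/25"), "UA-43"),   # Crimea sub-range
    (ipaddress.ip_network("198.51.100.128/25"), "UA"),    # rest of Ukraine
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]


def geolocate(ip: str) -> Optional[str]:
    """Longest-prefix match of `ip` against GEO_TABLE; None if no range matches."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for net, region in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else None


@dataclass
class Decision:
    allow: bool
    reason: str


def screen(ip: str, attested_country: Optional[str] = None) -> Decision:
    """Access-time check: IP-derived region, then the user's own attestation.

    Fails closed: an IP that geolocates nowhere is held for manual review
    rather than allowed through.
    """
    region = geolocate(ip)
    attested = attested_country.upper() if attested_country else None
    if region is None:
        return Decision(False, "unknown location: hold for manual review")
    if region in BLOCKED_REGIONS:
        return Decision(False, f"IP geolocates to blocked jurisdiction {region}")
    if attested in BLOCKED_REGIONS:
        return Decision(False, f"self-attested location {attested} is blocked")
    # Country part of the region tag (UA-43 -> UA) must agree with the attestation;
    # a mismatch is exactly the signal that was being collected but ignored.
    if attested and attested != region.split("-")[0]:
        return Decision(False, f"attested {attested} but IP geolocates to {region}: review")
    return Decision(True, f"allowed ({region})")


def batch_screen(users: List[Tuple[str, str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Periodic re-screen of existing accounts: (user_id, last_ip, attested_country).

    Returns (user_id, reason) for every account that would not pass `screen` today.
    """
    flagged = []
    for user_id, ip, attested in users:
        decision = screen(ip, attested)
        if not decision.allow:
            flagged.append((user_id, decision.reason))
    return flagged


if __name__ == "__main__":
    # Constructed account records for the batch run.
    accounts = [
        ("u1", "203.0.113.7", "US"),      # consistent, allowed
        ("u2", "192.0.2.10", "US"),       # attests US, IP says CU
        ("u3", "198.51.100.5", "UA"),     # attests UA, IP is in the Crimea sub-range
        ("u4", "198.51.100.200", "UA"),   # consistent, allowed
        ("u5", "8.8.8.8", None),          # not in the table: held for review
    ]
    for user_id, reason in batch_screen(accounts):
        print(f"{user_id}: {reason}")
```

Two caveats a practitioner would attach. IP geolocation is approximate and trivially defeated by VPNs and proxies, so this gate is a control that demonstrates the "reason to know" data is being acted on, not proof of a user's location; the attestation-versus-IP mismatch branch is where most of the useful signal lives. And the batch function only earns its keep if the inputs (last-seen IP, attestation, and the decision) are retained, which is the recordkeeping item in the same list of remedial measures.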
US app developers cannot rely on the companies that distribute their apps (e.g., app stores and phone manufacturers) to ensure compliance with the laws and policies that govern them. To avoid large settlements and the reputational harm that follows an enforcement action, developers should prioritize comprehensive compliance programs covering US and foreign sanctions, export controls, privacy, and other regulatory requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.