On March 19, 2018, the Treasury Department's Office of Foreign Assets Control (OFAC) published five frequently asked questions and responses (FAQs) relating to digital currency and sanctions compliance.1 The FAQs are the latest in a series of signals by the Treasury Department demonstrating its interest in monitoring digital currencies and other emerging payment systems to protect the US financial system from illicit actors, and they highlight the overlap between digital currency and US sanctions laws. US persons engaging in digital currency transactions—whether as a user, administrator, exchanger, technology company or other payment processor—should carefully review the OFAC guidance and tailor their OFAC compliance programs and operations as appropriate.
Among other guidance, the five FAQs contemplate adding "digital currency addresses associated with blocked persons" to OFAC's List of Specially Designated Nationals (SDN List) to ensure that those digital wallet addresses may be included in any relevant OFAC screening (see FAQ 561); they make clear that OFAC's reporting requirements apply to "[p]arties who identify digital currency identifiers or wallets that they believe are owned by, or otherwise associated with, an SDN and hold such property" (see FAQ 562); and they warn that "persons [such as technology companies; administrators, exchangers, and users of digital currencies; and other payment processors] that provide financial, material, or technological support for or to a designated person may be designated by OFAC under the relevant sanctions authority" (see FAQ 560).
The FAQs clarify that compliance obligations imposed on US persons are the same regardless of whether a transaction is denominated in digital currency or "fiat" (i.e., real money) currency. Accordingly, the FAQs instruct industry participants to develop and maintain a risk-based compliance program tailored to the particularized risks posed by digital currencies. In discussing strategies OFAC may employ to combat malicious actors abusing digital currencies, the FAQs state that "OFAC may include as identifiers on the SDN List specific digital currency addresses associated with blocked persons," which may consist of unique alphanumeric identifiers of up to 256 characters. In advance of such designations, US persons dealing in digital currency should consider how their interdiction software will incorporate these new data points and take steps necessary to ensure the software is effective.
In addition, we note that adding digital currency addresses to the SDN List may present a new challenge to any person or company that is the target of a "ransomware" attack. In a ransomware attack, a hacker launches a denial-of-service attack on a company's website or installs malicious software on a company's systems that blocks access to data, making IT systems unusable. Such hackers demand that victims send bitcoin or other digital currencies to a designated wallet as a ransom payment.
Many of these ransomware attacks are suspected to be perpetrated by persons and entities that are at least connected with blocked persons. If a hacker's wallet address is identified on the SDN List, victims of ransomware attacks may be placed in a situation where there is not a clear solution. As the government's approach toward digital currency and cybersecurity continues to change, additional guidance from OFAC may be appropriate to deal with these complex issues. In the interim, companies can reduce their exposure to this potential quandary by ensuring that software is patched and cyber security systems are up-to-date.
The publication of the FAQs closely follows remarks provided by Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker before the Securities Industry and Financial Markets Association Money Laundering & Financial Crimes Conference on February 13, 2018, where she detailed several digital currency-related schemes and emphasized that the Treasury Department is closely tracking technological innovations involving digital currency and aggressively targeting rogue actors attempting to use it for illicit purposes. Under Secretary Mandelker also pointed to digital currency-related efforts undertaken by other enforcement authorities, including the Financial Crimes Enforcement Network, the Securities and Exchange Commission, and the Commodity Futures Trading Commission.
The five digital currency-related FAQs are reproduced below.
559. For purposes of OFAC sanctions programs, what do the terms "virtual currency," "digital currency," "digital currency wallet," and "digital currency address" mean?
Virtual currency is a digital representation of value that functions as (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value; is neither issued nor guaranteed by any jurisdiction; and does not have legal tender status in any jurisdiction.
Digital currency includes sovereign cryptocurrency, virtual currency (non-fiat), and a digital representation of fiat currency.
A digital currency wallet is a software application (or other mechanism) that provides a means for holding, storing, and transferring digital currency. A wallet holds the user's digital currency addresses, which allow the user to receive digital currency, and private keys, which allow the user to transfer digital currency. The wallet also maintains the user's digital currency balance. A wallet provider is a person (individual or entity) that provides the software to create and manage wallets, which users can download. A hosted wallet provider is a business that creates and stores a digital currency wallet on behalf of a customer. Most hosted wallets also offer exchange and payments services to facilitate participation in a digital currency system by users.
A digital currency address is an alphanumeric identifier that represents a potential destination for a digital currency transfer. A digital currency address is associated with a digital currency wallet. [03-19-18]
560. Are my OFAC compliance obligations the same, regardless of whether a transaction is denominated in digital currency or traditional fiat currency?
Yes, the obligations are the same. US persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they block the property and interests in property of persons named on OFAC's SDN List or any entity owned in the aggregate, directly or indirectly, 50 percent or more by one or more blocked persons, and that they do not engage in trade or other transactions with such persons.
As a general matter, US persons and persons otherwise subject to OFAC jurisdiction, including firms that facilitate or engage in online commerce or process transactions using digital currency, are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions. Prohibited transactions include transactions that evade or avoid, have the purpose of evading or avoiding, cause a violation of, or attempt to violate prohibitions imposed by OFAC under various sanctions authorities. Additionally, persons that provide financial, material, or technological support for or to a designated person may be designated by OFAC under the relevant sanctions authority.
Persons including technology companies; administrators, exchangers, and users of digital currencies; and other payment processors should develop a tailored, risk-based compliance program, which generally should include sanctions list screening and other appropriate measures. An adequate compliance solution will depend on a variety of factors, including the type of business involved. There is no single compliance program or solution suitable for every circumstance. [03-19-18]
561. How will OFAC use its existing authorities to sanction those who use digital currencies for illicit purposes?
The United States' whole-of-government strategies to combat global threats such as terrorism, transnational organized crime, malicious cyber activity, narcotics trafficking, weapons of mass destruction (WMD) proliferation, and human rights abuses include targeting an array of activities, including the use of digital currencies or other emerging payment systems to conduct proscribed financial transactions and evade US sanctions. The strategies draw from a broad range of tools and authorities to respond to the growing and evolving threat posed by malicious actors using new payment mechanisms. OFAC will use sanctions in the fight against criminal and other malicious actors abusing digital currencies and emerging payment systems as a complement to existing tools, including diplomatic outreach and law enforcement authorities. To strengthen our efforts to combat the illicit use of digital currency transactions under our existing authorities, OFAC may include as identifiers on the SDN List specific digital currency addresses associated with blocked persons. [03-19-18]
562. How will OFAC identify digital currency-related information on the SDN List?
OFAC may add digital currency addresses to the SDN List to alert the public of specific digital currency identifiers associated with a blocked person. OFAC's digital currency address listings are not likely to be exhaustive. Parties who identify digital currency identifiers or wallets that they believe are owned by, or otherwise associated with, an SDN and hold such property should take the necessary steps to block the relevant digital currency and file a report with OFAC that includes information about the wallet's or address's ownership, and any other relevant details. [03-19-18]
563. What is the structure of a digital currency address on OFAC's SDN List?
The digital currency address field on the SDN List provides the unique alphanumeric identifiers (up to 256 characters) for digital currency addresses and identifies the digital currency to which the address corresponds (e.g., Bitcoin (BTC), Ether (ETH), Litecoin (LTC), Neo (NEO), Dash (DASH), Ripple (XRP), Iota (MIOTA), Monero (XMR), and Petro (PTR)). [03-19-18].
* * *
Digital currency is quickly becoming a prevalent feature of the global financial system. OFAC's recent guidance illustrates the need to ensure that transactions involving those currencies comply with existing US laws, including US sanctions laws. Entities interested in assistance with implementing measures to comply with the digital currency-related FAQs are encouraged to contact any of the authors listed below or your Arnold & Porter contact. The Firm's financial services team would be pleased to assist with any questions you may have about digital currency, US sanctions compliance, or anti-money laundering compliance more broadly.
1. See OFAC Resource Center, OFAC FAQs: Sanctions Compliance, Questions on Virtual Currency, FAQs 559-63, https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_compliance.aspx#other_fi
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.