Everything You Need to Know About OFAC’s New Sanctions Guidance for Cryptocurrency Businesses

On October 15, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released Sanctions Compliance Guidance for the Virtual Currency Industry. This guidance follows the recent designation of Russia-based cryptocurrency over-the-counter (OTC) broker Suex, as well as an updated Advisory on ransomware payments, which we wrote about in our blog.

The newly released brochure reiterates OFAC’s previous guidance and outlines best practices in one comprehensive document. Specifically, OFAC’s guidance covers:

  • Sanctions-related compliance requirements for cryptocurrency businesses
  • Consequences for non-compliance and examples of how timely reporting can mitigate those consequences
  • Best practices for building a risk-based compliance program

Below, we’ll outline the key points from OFAC’s latest guidance and show you how Chainalysis can help cryptocurrency businesses meet their compliance obligations.

Sanctions-related compliance requirements for cryptocurrency businesses

All cryptocurrency businesses doing business in the U.S. are required to comply with OFAC sanctions. If they don’t, they risk civil penalties from OFAC, which are imposed under a strict liability legal standard, meaning businesses can be held liable for sanctions violations even if they had no knowledge the violation was occurring. In other words, ignorance is no excuse — cryptocurrency businesses offering services to U.S. persons are expected to implement technology and processes to prevent transactions involving sanctioned individuals or entities, and to quickly file SARs on those attempted transactions.

More specifically, here’s a summary of cryptocurrency businesses’ compliance requirements around sanctions:

  • Cryptocurrency businesses must block sanctioned individuals or entities from signing up for or using their services and act when their own users attempt to transact with those individuals or entities.
  • Cryptocurrency businesses then need to file SARs reporting those attempted transactions to OFAC within ten business days, and then again in an annual report of all suspicious transactions.
  • That doesn’t just mean monitoring for and reporting transactions from the specific addresses OFAC has identified on the SDN list. Cryptocurrency businesses also need to go another degree out and screen for transactions involving addresses with significant previous exposure to sanctioned addresses, as these may also require them to take action or file SARs.

Failure to comply with the rules outlined above can result in civil and criminal penalties for cryptocurrency businesses. You can read more about OFAC’s penalty amounts for different kinds of violations here. Enforcement actions can include requesting additional information from involved parties, issuing a “No Action” letter, imposing a civil monetary penalty, reaching a settlement, or even referring the matter to law enforcement for criminal investigation.

OFAC also emphasizes throughout the document that a cryptocurrency business’s level of cooperation with OFAC and its prior efforts to build a strong compliance program can be considered mitigating factors when the agency determines penalties for violations. For instance, if a cryptocurrency business voluntarily discloses that it believes it may have violated sanctions-related regulations, OFAC may opt to impose a lesser penalty. The same goes for cryptocurrency businesses that can demonstrate they’ve followed OFAC’s best practices for compliance, such as instituting KYC and transaction monitoring processes.

OFAC’s best practices for sanctions compliance in cryptocurrency and how Chainalysis can help

OFAC’s guidance offers a five-pronged framework for cryptocurrency businesses to build a successful sanctions compliance program, with different best practices split up across each of the five categories. Below, we’ll summarize those best practices and explain how blockchain analysis tools like Chainalysis can help cryptocurrency businesses implement them successfully.

Management commitment

OFAC’s guidance emphasizes the importance of buy-in from senior management in setting up an effective sanctions compliance program. That means executives need to ensure adequate resources — including both human capital and technology — for compliance, as well as taking on a direct role in reviewing and enforcing compliance policies. This not only ensures that compliance teams have what they need to operate effectively, but also fosters a culture of compliance commitment throughout the entire organization.

Investing in blockchain analysis solutions like Chainalysis is one of the best ways to demonstrate management commitment to sanctions compliance, as these tools are essential for transaction monitoring and risk assessment. As we’ll explore next, Chainalysis offers training programs that show cryptocurrency businesses how to use blockchain analysis to meet their compliance obligations. As a secondary benefit, these programs can also demonstrate management’s commitment to following OFAC regulations.

Risk assessment

From the moment they go into business, cryptocurrency businesses need to take stock of their potential sanctions risk, which will vary based on the specific services they plan to offer and jurisdictions in which they’ll operate. By completing such a risk assessment early in the company’s life cycle — say, before beta testing is complete — cryptocurrency businesses can get a strong sanctions compliance program in place before achieving high user growth, and avoid sanctions violations that may otherwise occur.

Chainalysis’ customer success team is happy to help early-stage cryptocurrency businesses manage these risk assessments alongside their teams on the optimal timeline. We’ve partnered with thousands of cryptocurrency businesses of all types, from centralized exchanges to merchant services providers to DeFi protocol operators, and can use that wealth of experience to help compliance teams identify sanctions risks before they turn into potential violations.

Internal controls

Internal controls are the most heavily emphasized area of OFAC’s five-pronged sanctions compliance framework, and primarily deal with the ways cryptocurrency businesses can identify and act on suspicious transactions when they occur. Cryptocurrency businesses need to continually assess their potential exposure to sanctioned individuals and entities, as well as to cryptocurrency users in countries with significant sanctions, such as Iran, Venezuela, and North Korea. With regard to individuals and entities, compliance teams must implement robust KYC procedures to identify all individuals who register to use their service, ensure they’re not on any of OFAC’s sanctions lists, and assess them for exposure or connection to individuals or entities that are on those lists. When it comes to assessing users’ connections to specific countries that are heavily sanctioned, OFAC recommends screening users’ IP addresses upon registration to check if they’re located in any of those countries, as well as comparing IP addresses to lists of known IPs connected to VPN services that obfuscate users’ true locations.

However, this process doesn’t end when KYC checks are complete. Cryptocurrency businesses must continuously monitor users’ transactions for exposure to addresses belonging to sanctioned entities or located in sanctioned countries, as well as to addresses that, while not themselves directly connected to sanctions, have transacted with those that are. Chainalysis KYT gives compliance teams automatic alerts of suspicious activity undertaken by existing users, with customizable transaction thresholds, all based on our best-in-class cryptocurrency address dataset. Chainalysis has labeled all addresses included on OFAC’s sanctions lists, as well as those associated with individuals and cryptocurrency businesses in heavily sanctioned countries. If a user transacts with any of those addresses, Chainalysis notifies compliance teams automatically so that they can take immediate action and report the transactions to OFAC within the required ten-day window, all at no extra charge.

Testing and auditing

Once a sanctions compliance program has been implemented, cryptocurrency compliance teams must audit its performance on a recurring basis to ensure that it’s effective. One important element of this is to review old transactions for sanctions risk. Chainalysis tools can do this automatically: they trigger automatic alerts for all transactions that have interacted with addresses included on sanctions lists and for risky transactions above specified transaction amount thresholds, and they ensure that any potentially risky transactions that occurred before implementation of transaction monitoring software have been accounted for. Chainalysis makes this process easy by allowing cryptocurrency businesses to review any and all on-chain transactions that have ever taken place for possible exposure to addresses associated with sanctions risk as flagged in our proprietary dataset.

In addition, OFAC’s guidance lists four other best practices for the auditing of a sanctions compliance program:

  • Sanctions list screening. Cryptocurrency businesses must ensure that transactions are being screened for exposure to addresses included on OFAC’s sanctions lists. Chainalysis helps compliance teams expedite this process by providing automatic alerts any time a user transacts with an OFAC-flagged address. In addition, Chainalysis makes it easy to see if any users have transacted with addresses that themselves have exposure to OFAC-flagged addresses, which OFAC’s new guidance says may also require action and reporting from compliance teams.
  • Keyword screening. Cryptocurrency businesses can implement software to screen users’ KYC information for keywords suggestive of sanctions risk, such as the names of countries and regions facing heavy sanctions.
  • IP blocking. IP blocking software can automatically block users with IP addresses associated with heavily sanctioned countries from accessing your site, as well as users whose IP addresses have been flagged as belonging to VPNs.
  • Investigation and reporting. Cryptocurrency businesses should audit transactions previously identified as carrying sanctions risk to confirm they were rejected if possible and reported to OFAC within the necessary ten-day window.

All of these best practices ensure that sanctions compliance programs are as effective as possible after their implementation.

Training

Finally, OFAC recommends that cryptocurrency businesses implement sanctions-specific training for their compliance teams and all other relevant personnel. Continuous training is essential for employees to know their roles and responsibilities in preventing sanctions violations, and for ensuring compliance teams are always aware of the latest additions to OFAC’s sanctions lists and evolving best practices.

Chainalysis offers several cryptocurrency training courses for both teams and individuals that cover all areas of successful cryptocurrency compliance and investigations, including those related to sanctions. While some courses are specific to Chainalysis tools, others are more general and can equip your compliance team to implement a successful sanctions program regardless of whether you use our products.

Article credit: https://blog.chainalysis.com/reports/ofac-guidance-sanctions-cryptocurrency-october-2021