On February 18, 2021, BitPay, Inc. (“BitPay”), a private company based in Atlanta, Georgia, entered into a $507,375.00 settlement with the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) for 2,102 apparent violations of multiple sanctions programs related to digital currency transaction.
BitPay allowed people located in regions under U.S. sanctions including, the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria, to transact with merchants in the United States and other countries using digital currency on BitPay’s platform.
This action emphasizes that OFAC obligations apply to all U.S. persons, including those involved in providing digital currency services. In its enforcement release OFAC encouraged companies that provide digital currency services to implement appropriate sanctions compliance controls.
The apparent violations by BitPay happened over the course of five years, between June 10, 2013 and September 16, 2018. The violations were the result of BitPay’s receipt of digital currency payments from its merchant customers, and their buyers who were located in sanctioned jurisdictions. BitPay screened its direct customers against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), but failed to screen the merchants’ buyers, even though it had received their identifying information and location data.
The enforcement release notes two aggravating factors and six mitigating factors, which helped reduce the penalty from $2,255,000.00 to $507,375.00. The aggravating factors included BitPay’s failure to exercise due caution or care for its sanctions compliance obligations even though it had enough information to do the screening, and that BitPay harmed the integrity of the sanctions program by conveying economic benefit to individuals in jurisdictions under sanctions.
The mitigating factors included:
- BitPay had a formal sanctions compliance program in places;
- BitPay provided appropriate training to its employees regarding its sanctions policy;
- BitPay is a small business that did not have any penalties or violations in the last five years;
- BitPay cooperated with OFAC’s investigation;
- BitPay has ended the violations and has implemented procedures to minimize future violations;
- BitPay undertook to continue to implement it compliance commitments.
To mitigate risks of noncompliance with sanctions companies should develop a tailored, risk-based sanctions compliance program. Each company’s risk-based sanctions compliance program will vary depending on the company’s size and sophistication, products and services, customers and counterparties, and geographic locations. However, there are at least five essential components of compliance that all companies need to incorporate and consider: management commitment; risk assessment; internal controls; testing and auditing; and training.
Based on this enforcement action companies must act diligently in screening all available information, including IP addresses and other location data of customers and counterparties, to mitigate sanctions violations risks.
This enforcement action should be a cautionary tale for companies involved in providing digital currency services. Companies that process transactions using digital currency are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions. Companies should understand the sanctions risks associated with providing digital currency services and should take steps necessary to mitigate those risks.
If you have questions regarding compliance, please contact us at firstname.lastname@example.org.