On Feb. 18, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with BitPay, Inc., an Atlanta-based payment processing company that enables merchants to accept digital currency, for more than 2,100 apparent violations of U.S. economic sanctions. The settlement serves as a timely reminder to all companies engaged in digital currency transactions – whether administrators, exchangers, or technology companies and other business that accept digital currency – of the importance of maintaining risk-based sanctions compliance controls.
According to the OFAC enforcement notice, BitPay maintained a sanctions compliance program focused on screening its direct customers, i.e., merchants who accept digital currency from buyers. BitPay screened merchants against OFAC’s List of Specially Designated Nationals and Blocked Persons (the SDN List) and conducted additional due diligence to ensure that the merchants were not located in sanctioned jurisdictions, such as North Korea and Iran. But according to OFAC, BitPay failed to screen the information it obtained about the merchants’ customers, including buyers’ self-identified physical and IP addresses – which in some cases indicated that buyers were located in sanctioned jurisdictions. OFAC states that by processing transactions in these cases, BitPay enabled individuals in sanctioned jurisdictions (i.e., Crimea, Cuba, North Korea, Iran, Sudan, and Syria) to engage in roughly $129,000 worth of digital currency transactions with BitPay’s merchant customers.
Although the amount of money involved comprises a small percentage of BitPay’s overall business, BitPay could have been liable for over $600 million in fines. In agreeing to resolve the matter for a relatively modest amount, OFAC considered, among other things, that BitPay had sanctions compliance controls in place throughout the relevant time, that it trained its employees on sanctions restrictions, that it cooperated with OFAC’s investigation, and that it had agreed to implement certain changes, including blocking IP addresses that appear to originate in sanctioned jurisdictions and requiring proof of buyer identification for transactions over $3,000. Nevertheless, had BitPay disclosed the violations voluntarily, OFAC may have further reduced the fine or foregone a fine entirely.
Given the significant attention being paid to the anti-money laundering (AML) obligations of digital currency providers and exchangers, OFAC’s settlement with BitPay serves as a reminder of the equal importance of sanctions compliance in the digital currency space. And unlike the Bank Secrecy Act, which imposes AML program requirements only on those businesses defined as “financial institutions” (a category that includes digital money transmitters like BitPay), U.S. sanctions laws apply to all U.S. persons. Accordingly, all companies involved in the digital currency space, including technology companies and other business that accept digital payments, would do well to review their sanctions compliance programs, including their treatment of IP address information.
Of course, a buyer’s IP address does not always accurately reflect a customer’s true location, for example, if an individual uses Tor and/or a virtual private network (VPN) to access the internet. Nonetheless, OFAC’s settlement with BitPay sends the message that companies should, at a minimum, understand what identification and location information is available to them and tailor their risk-based compliance protocols accordingly.