On February 18, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with BitPay, Inc. (BitPay), a payment processor for merchants accepting digital currency as payment for goods and services, for 2,102 apparent violations of multiple sanctions programs between 2013 and 2018. The settlement highlights that financial service providers facilitating digital currency transactions must not only establish sanctions compliance programs to screen their own customers but also must monitor third-party non-customer transaction information.
Apparent Sanctions Violations and Penalty
As part of its sanctions compliance program, BitPay screened its merchant customers against the OFAC List of Specially Designated Nationals and Blocked Persons (SDN List) and conducted due diligence to confirm that they were not located in sanctioned jurisdictions. However, BitPay did not screen its customers’ customers at the time of the transaction. As a result, BitPay enabled persons—its customers’ customers—located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria to engage in approximately $129,000 of digital currency-related transactions. OFAC took the view that BitPay should have screened transaction data, such as Internet Protocol (IP) addresses, email domains, and invoices received in connection with the transactions, to determine whether persons ordering from its customers were sanctioned persons.
OFAC determined that BitPay did not voluntarily self-disclose the apparent violations and that they were non-egregious. BitPay had implemented sanctions compliance controls for its merchant customers during the relevant period, trained employees (including senior management) on its sanctions policies, had not recently received any OFAC actions, cooperated with OFAC’s investigation, and implemented enhanced sanctions compliance measures to prevent future similar conduct. BitPay represented that it now (1) geoblocks IP addresses appearing to be from sanctioned countries; (2) checks merchants’ buyer addresses and email addresses when provided by merchants; and (3) launched BitPay ID, a mandatory customer identification tool for merchants’ customers with BitPay invoices of at least $3,000 that requires the buyer’s email address, proof of ID, and a “selfie” photo.
There are a few lessons to be learned from the settlement:
- OFAC appears to expect that digital currency service providers screen not just IP addresses (which is a common theme in prior OFAC enforcement actions), but also available invoice information. Digital currency service providers should identify the types of location-based data they have access to with respect to their customers’ counterparties in addition to IP addresses and then evaluate how to systematically incorporate such information into transaction monitoring and sanctions screening programs.
- OFAC, like the U.S. Department of the Treasury Financial Crimes Enforcement Network (FinCEN) and federal banking regulators, expects digital currency service providers (and other financial institutions) to perform transaction monitoring on the counterparties and customers of their customers—and not just on their own customers.
- That the apparent violations were deemed not to be voluntarily self-disclosed reflects the fact that OFAC (like FinCEN, other regulators, and law enforcement) has taken an active role in monitoring digital currency transactions and service providers, which we have seen in a number of public and non-public enforcement actions. We expect ongoing scrutiny of the industry, and service providers should implement risk-based sanctions compliance programs in order to both prevent sanctions violations and to receive credit from OFAC for those programs when sanctions violations are identified. This is particularly important given the nature of digital currency transactions; it is not feasible in all circumstances to prevent transactions with sanctioned persons or addresses, and so the quality of compliance efforts will as a practical matter be crucial in mitigating enforcement risks.
 Enforcement Release, U.S. Dep’t of the Treasury, “OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions” (Feb. 28, 2021), https://home.treasury.gov/system/files/126/20210218_bp.pdf.
 See, e.g., Enforcement Release, U.S. Dep’t of the Treasury, “OFAC Enters Into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions” (Dec. 30, 2020), https://home.treasury.gov/system/files/126/20201230_bitgo.pdf. Unlike the OFAC settlement with BitGo, Inc., which involved the failure to screen the IP addresses of direct customers, the BitPay settlement involves the failure to screen IP addresses and invoice information with respect to the counterparties and customers of BitPay’s direct customers.
 We are aware of instances, and there have been examples in publicly reported enforcement actions, where regulators have viewed looking through a customer’s account to its customers (in the context of transaction monitoring) as required under the Bank Secrecy Act (BSA) and its implementing regulations. See, e.g., FinCEN Assessment of Civil Money Penalty, First Bank of Delaware, November 19, 2012 (“With respect to [a money services business (MSB)] customer, the Bank lacked adequate policies and procedures to ensure compliance with the BSA and to conduct sufficient monitoring for suspicious transactions. The Bank relied on the [MSB] customer to perform BSA/AML functions related to this product, but in doing so failed to collect adequate information from its [MSB] customer on the foreign clients.”); FinCEN Assessment of Civil Money Penalty, North Dade Community Development Federal Credit Union, November 25, 2014 (“North Dade failed to have an effective suspicious activity monitoring system for its customers, particularly [its MSB customer’s] MSB customers. North Dade relied completely on [its MSB customer] to monitor its MSBs’ transactions.”).
 We are aware of regulatory interest in, and inquiry into, digital currency transactions and service providers. This is also reflected in public statements from regulators, as well as FinCEN’s notices of proposed rulemaking with respect to “unhosted wallets” and the “travel rule.”
 For information regarding OFAC scrutiny of ransomware attacks and related payments in digital currency, please see our earlier blog post available at https://www.clearycyberwatch.com/2020/09/ransomware-and-sanctions-compliance-considerations-for-responses-to-attacks/.