In October, the Office of Foreign Assets Control (OFAC) published more targeted guidance for digital asset companies related to compliance with sanctions and best practices for mitigating risks. OFAC’s virtual currency guidance is directed at the entire industry, including “technology companies, exchangers, administrators, miners, wallet providers, and users.” It aims to “help the virtual currency industry prevent exploitation by sanctioned persons and other illicit actors,” according to the press release issued with the guidance. Essentially, the guidance emphasizes that anyone subject to U.S. sanctions laws and regulations must continue to abide by them when engaging with virtual currencies.
The guidance provides several best practices that entities involved in virtual currency activities should follow to remain in compliance and to mitigate penalties in instances of compliance failures. These practices will be familiar to anyone with experience in sanctions compliance and in the best practices that apply to other industries. That said, the document notes that compliance solutions should reflect a risk-based approach and should be tailored to the type of product or business involved, its size and level of sophistication, its clients and counterparties, and the locations it serves. OFAC also expects companies to implement these practices early in the company’s existence, before any products and services are released. While there is no single compliance program to suit all scenarios, implementing OFAC’s best practices, as follows, can prevent sanctions violations and serve as a mitigating factor should any violations occur.
Management should commit to enforcing a culture of compliance throughout the organization from the company’s earliest days. OFAC recommends specific actions that management can take to set an appropriate tone from the top, including reviewing and endorsing compliance procedures, allocating adequate resources to compliance, delegating autonomy and authority to the compliance department, and appointing an experienced sanctions compliance officer.
Regular and ongoing risk assessments should be conducted to identify risks associated with sanctions compliance. Activities and relationships associated with foreign jurisdictions or foreign persons should be assessed for their potential to expose a company to sanctioned persons or places.
A virtual currency company’s risk assessment process should be tailored to the types of products and services offered and the locations in which such products and services are offered. Appropriately customized risk assessments should reflect a company’s customer or client base, products, services, supply chain, counterparties, transactions, and geographic locations, and may also include evaluating whether counterparties and partners have adequate compliance procedures.
Internal controls should be able to “identify, interdict, escalate, report (as appropriate), and maintain records for” prohibited activities. Useful internal controls include sanctions screening, geolocation tools, know your customer (“KYC”) procedures, and transaction monitoring and investigation to identify virtual currency addresses and other data associated with sanctioned individuals, entities, or jurisdictions. OFAC includes virtual currency addresses as identifying information for designated persons, so these should be used in screening as well. While OFAC does not require the virtual currency industry to use any particular in-house or third-party software, OFAC states that such software can be a helpful tool for an effective sanctions compliance program.
Testing and Auditing
Testing and auditing procedures can include ensuring that screening and IP blocking are working effectively. Companies that incorporate a comprehensive, independent, and objective testing or audit function within their sanctions compliance program are equipped to ensure that they are aware of how their programs are performing and what aspects need to be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment.
The size and sophistication of a company may determine whether it conducts internal and external audits of its sanctions compliance program. Some best practices for testing and audit procedures in sanctions compliance programs for the virtual currency industry include sanctions list screening, keyword screening, IP blocking, investigation and reporting.
Companies should conduct training for relevant employees at least annually. The best practices for the virtual currency industry are not new, nor are they unique to the industry. However, the recent guidance from OFAC indicates that the industry will be a particular focus for enforcement. Companies in the industry should implement these measures as soon as possible if they have not already. The scope of a company’s training will be informed by its size, sophistication, and risk profile. OFAC training should be provided to all appropriate employees, including compliance, management, and customer service personnel, and should be conducted periodically and, at a minimum, annually. A well-developed OFAC training program will provide job-specific knowledge based on need, communicate the sanctions compliance responsibilities for each employee, and hold employees accountable for meeting training requirements through the use of assessments.
Where a sanctions violation has occurred, OFAC can consider the remedial measures a company has taken as a mitigating factor in a penalty determination. Remedial measures can include adding and/or strengthening the tools listed above to fill gaps and repair weaknesses in the compliance program.
OFAC is placing much greater scrutiny on the virtual currency industry. Industry members should be mindful of implementing and maintaining robust compliance measures early and often.
Roger Morris serves Compliance Alliance as Associate General Counsel. He brings a combination of unique experiences to C/A that he uses to provide guidance on a wide variety of regulatory and compliance issues. Contact him at Bankers Alliance, (833) 683-0701 or firstname.lastname@example.org.