For the first time, bitcoin addresses have been added to an Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list
On Wednesday, November 28, the US Treasury added two bitcoin addresses to the OFAC SDN list. For those not familiar, a bitcoin address is similar to a bank account number in that it identifies where to send or receive bitcoins (i.e. money), and it is generally unique to one individual or entity. However, bank account numbers have never been on the SDN list, so this is a new occurrence that requires new tactics from financial institutions (FIs) and FinTechs that deal with virtual currencies and/or with users that deal with virtual currencies.
This is the first time the US or any government has added specific bitcoin addresses to the list of sanctioned individuals, and it will likely not be the last. Moreover, OFAC's framework allows them to add not just bitcoin addresses, but addresses for other virtual currencies such as ethereum, Bitcoin Cash, and others. As with any entry on the OFAC list, from the moment the list was amended, no US institution, and no international institution that checks against OFAC, can do business with individuals or businesses associated with either address. This is significant because, by the time the addresses were added to the list, these bitcoin addresses had received over 7,000 transactions — worth millions of dollars — from 40 FIs, including some in the US.
Listed below is an overview of why this was expected, what the actual changes were, how to comply, and why it’s so important.
1. This action was not a surprise — FinCEN had already updated their FAQ to include more information about virtual currencies and explicitly stated they were considering this exact action in May of this year. The point was to broadcast to FIs that this was coming and to prepare.
Moreover, FinCEN has been concerned about virtual currencies for over five years. In March 2013 they released their first explicit guidance on their administration, exchange, and usage of virtual currencies.
2. Changes to OFAC entries. This is not new regulation targeting bitcoin; OFAC has been publishing lists of sanctioned individuals for decades, and this is simply additional information on an existing list, literally one more line in an existing five-line paragraph:
The value of compliance is multifold:
a) Preventing a sanctioned government from funding its operations. These addresses are sanctioned because they were utilized by the Iranian government to collect money from ransomware to fund their operations — this is not what your institution wants to support.
b) Ensuring the integrity of your financial institution and ensuring that it isn’t used for money laundering. Your team works very hard to prevent money laundering; virtual currency is a new technology, and you don’t want all of your hard work undone.
c) Risk mitigation. By having a multitiered policy in place that prevents sanctioned bitcoin addresses from using your institution, you can ensure compliance with state and federal examiners, as well as FinCEN. This is critical, as the fines associated with sanctions violations are severe.
d) “As a result of today’s action, persons…could be subject to secondary sanctions. Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency.” With this comment, FinCEN has put banks and payment processors on notice that they’re responsible for companies they support, even if the FIs themselves are not directly involved with the bitcoin transaction.
4. When onboarding customers, FIs, if they are to avoid any reputational risk, must ensure those customers are not connected to sanctioned addresses, just as they must ensure a customer's name does not match a name on a sanctions list. This will require new tools to understand not just these sanctioned addresses, but also the addresses where they move funds. For instance, if an individual moves money from bitcoin address #1 to sanctioned bitcoin address #2, and then another transfer occurs from sanctioned address #2 to address #3, which isn’t sanctioned, both transactions need to be blocked, even though only address #2 appears on the sanctions list.
5. Compliance will be challenging, especially for Exchanges/Money Service Businesses, Payment Processors, and Banks that will need to screen all incoming and outgoing transfers for these addresses, and users connected to these addresses. This will impact existing policies and procedures for know your customer (KYC), transaction monitoring, and sanction screening. In addition, it will require an update to how many FIs do business.
a) Every state or Federal exam will likely include a test for this, with severe findings if a transaction with a sanctioned address isn’t flagged and prevented.
b) Financial institutions must go beyond blacklisting addresses. Bitcoin transactions often cannot be blocked, so FIs need their platform to hold them, preventing bitcoin from being sent to the institution and then immediately withdrawn. OFAC explicitly states, “you must ensure that access to that digital currency is denied to the blocked person.”
c) Decentralized exchanges (DEXs) will put crypto wallets and centralized exchanges at severe risk. DEXs decentralize all components of an exchange, meaning no central authority could forcefully impose regulations. If a customer sends bitcoin from their wallet or exchange to a DEX, which doesn’t do KYC or blacklisting of sanctioned addresses, and the customer interacts with sanctioned addresses and then brings currency back to a wallet or exchange, that’s a large potential risk.
The answer is a three-step solution: Virtual Currency Risk Assessment (VCRA). This is applicable for every financial institution that deals with bitcoin, either directly or secondarily.
1) Blacklist the sanctioned addresses:
A blacklist prevents customers from sending or receiving from sanctioned addresses.
2) Use a blockchain explorer to track transactions:
If a sanctioned bitcoin address moves bitcoin to a non-sanctioned address and then from that non-sanctioned address to your FI, wouldn’t you need to know that? A blockchain explorer tool like the one IdentityMind provides tracks bitcoins from when they were mined through today, and knows every time they were moved and whether they’ve been associated with dark markets, ransomware, criminal enterprise, etc.
3) Be able to relate bitcoin addresses to names:
While you can track bitcoin addresses with a blockchain explorer, you don’t know the individuals behind those addresses. IdentityMind’s electronic DNA (eDNA) creates a digital identity for each customer it sees and shares this data across all our clients. This identity contains name, address, email, phone, and also every payment instrument a customer has been associated with, including virtual currency addresses. IdentityMind also works with over 35 virtual currency exchanges and 225 ICOs from all around the world. What this means is that we already have millions of customers and, via eDNA, their virtual currency addresses in our platform. Listed below are two examples of why this is critical:
- An individual, Alice, sends funds to a sanctioned address via her digital currency wallet. This information is permanently associated with Alice in her eDNA. If Alice ever attempts to onboard or transact with your FI, you’ll be alerted that she engaged with a sanctioned address, even if she never tells you her wallet information or bitcoin address.
- An individual, Bob, receives funds from a sanctioned virtual currency address. This information is permanently associated with Bob in his eDNA. If Bob ever attempts to onboard or transact with your FI, you’ll be alerted that he engaged with a sanctioned address, even though he never tells you his wallet information or bitcoin address.
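Steps 1 and 2 above, together with the address #1 / #2 / #3 case from point 4, can be sketched as a blacklist check followed by a hop-limited walk back through the addresses that funded a sender. This is an added example, not IdentityMind's code: the address labels are constructed placeholders, the address-level graph simplifies how bitcoin actually records transfers, and the block/hold/allow policy and the three-hop limit are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data: placeholder labels, not real bitcoin addresses.
SANCTIONED = {"ADDR_2_SANCTIONED"}
TRANSFERS = [  # (sender, receiver), oldest first
    ("ADDR_1", "ADDR_2_SANCTIONED"),
    ("ADDR_2_SANCTIONED", "ADDR_3"),
    ("ADDR_3", "ADDR_4"),
    ("ADDR_4", "FI_DEPOSIT"),
    ("ADDR_9", "FI_DEPOSIT_CLEAN"),
]

def direct_hit(sender, receiver, sanctioned=SANCTIONED):
    """Step 1: blacklist check on both sides of a single transfer."""
    return sender in sanctioned or receiver in sanctioned

def upstream_path(address, transfers, sanctioned=SANCTIONED, max_hops=3):
    """Step 2: walk backwards from `address` through the senders that funded it.

    Returns the shortest chain [sanctioned, ..., address] within max_hops,
    or None if no sanctioned address funds it within that distance.
    """
    funders = defaultdict(set)
    for sender, receiver in transfers:
        funders[receiver].add(sender)
    queue = deque([[address]])
    seen = {address}
    while queue:
        path = queue.popleft()
        if path[0] in sanctioned:
            return path
        if len(path) - 1 >= max_hops:
            continue  # hop budget spent on this branch
        for sender in sorted(funders[path[0]]):
            if sender not in seen:
                seen.add(sender)
                queue.append([sender] + path)
    return None

def screen_deposit(sender, receiver, transfers):
    """Assumed policy: block direct hits, hold indirect exposure for review."""
    if direct_hit(sender, receiver):
        return "block"
    if upstream_path(sender, transfers) is not None:
        return "hold"
    return "allow"
```

The hop limit is the tuning knob: set too low, funds routed through a few intermediate addresses pass as clean; set too high, most deposits end up held for review.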
By combining these three steps, IdentityMind provides the winningest solution and the closest equivalent of beneficial ownership to a bitcoin address there is, enabling FIs to be confident they or their clients are not associated with sanctioned individuals. To ensure the safety and security of your financial platform, be sure to confirm whether or not your FI can deliver all three solutions.
Your FI is an important part of the financial ecosystem, and must do all it can to prevent nefarious activity. IdentityMind helps you fight and win against bad actors who would otherwise fund sanctioned operations. Through eDNA and Weave, our sanctions screening solutions, the IdentityMind platform is able to detect bad actors with illegal designs, allowing you to stop malicious activity before it takes root. VCRA (Virtual Currency Risk Assessment) by IdentityMind provides FIs with the assurance that they are not compromised, and therefore not vulnerable to money laundering attempts. This keeps you and your customers safe while maintaining the integrity of your good reputation and compliance with regulators. That means you’re stopping the bad guys and doing the right thing while also avoiding fines or findings by state or federal examiners.
What’s more, IdentityMind stays ahead of new mandates and regulations, offering you an AML solution and fraud prevention platform with the fastest integration time in the RegTech market.