This blog post was originally posted on December 5, 2018, and updated extensively on 3/27/2019.
US Exchanges Banned from Interacting with Specific Bitcoin Addresses
The US Government has been monitoring cryptocurrencies for several years. In March 2013, FinCEN’s guidance explicitly called out crypto exchanges where individuals buy and sell cryptocurrencies, and required that they be regulated as Money Service Businesses (MSBs). 2015 saw the first enforcement action against a crypto exchange. In early 2018, FinCEN hinted at the addition of cryptocurrency addresses to the Office of Foreign Assets Control (OFAC) list, effectively putting financial institutions (FIs) on notice and giving them a chance to prepare for this new type of identifier. In late 2018, for the first time, OFAC added two bitcoin addresses to the OFAC SDN list; these addresses were attributed to Iranian nationals and had been used to receive ransomware payments. FinCEN not only added these two individuals to the SDN list, it also provided its rationale, including that they had:
- Processed over 7,000 transactions
- Interacted with over 40 exchangers — including some US based exchangers
- Sent approximately 6,000 bitcoin, worth millions of US dollars
- Funds derived from SamSam ransomware
What OFAC Does
The U.S. Treasury controls the Office of Foreign Assets Control (OFAC) lists of sanctioned individuals and entities. However, OFAC also sanctions entire countries such as Iran, Syria, North Korea, and Cuba. In these instances, US companies and individuals are prohibited from conducting business with individuals and entities located in these countries. One such prohibition is on providing financial services to Iranian citizens. The reasons for these sanctions can be to prevent criminals from receiving profits from their illicit activities, or in the case of countries, to serve as a deterrent to, or punishment for, outwardly hostile or domestically oppressive policies.
Companies avoid working with sanctioned individuals and citizens of sanctioned countries through robust screening of every new customer and every transaction. It is critical to ensure no sanctioned individual or entity can create an account, conduct a transaction, or even log in to a company’s platform. Screening is the start of an OFAC compliance program, but customer due diligence, and sanctions-centric customer due diligence in particular, is another critical component. It’s imperative that FIs understand the nature and purpose of the relationship with their customer, understand their customers’ source of funds, and perform transactional due diligence in order to truly do their part in preventing sanctioned individuals from receiving funds.
Why This is Interesting
The OFAC list has only a few email addresses as part of their list attributes, so adding bitcoin addresses is a great leap forward. This is the first time that OFAC has publicly attributed two cryptocurrency addresses to designated individuals, and it will not be the last. OFAC will likely add bitcoin and other virtual currencies to the SDN list in the future. Most importantly, this means that OFAC can track bitcoin transactions. In the announcement, OFAC mentioned the designated sanctioned bitcoin addresses, volume of transactions, amounts, and that they had used US exchangers. For OFAC to have this type of detailed information means they are using blockchain explorer technology to track cryptocurrency. Previous consensus had been that the government was years behind in terms of tech literacy — given a bitcoin address belonging to a sanctioned individual, few would have expected that the government would be able to trace its owner. However, the government is now announcing that it can track transactions, and expects FIs to do so as well.
What This Means for the Industry
When FinCEN published the two Iranian addresses, it was providing a warning and helping cryptocurrency companies protect themselves and identify other potentially linked addresses. Secondary sanctions apply to nearly all Iran-related specially designated nationals, and the punishment for dealing with them is severe, including both civil monetary penalties and criminal charges. OFAC’s program is a strict liability one, which means that you can incur a civil monetary penalty even if you claim that you didn’t know that the individual was sanctioned. The civil penalty is very serious and fines can become ruinous to a business — the maximum fine is $250,000 or twice the value of the transaction, whichever is higher. The fines are also assessed on a “per transaction” basis, which means 10 prohibited transactions result in 10 separate fines. You can clearly see how these fines can add up very, very quickly and become a major financial and reputational burden on businesses and FIs alike.
PayPal had 486 violations and received a dramatically reduced fine of $7.7 million because they self-reported.
What This Means for Banks
Banks are still the on-and-off ramp for the international financial system, and as such, they are the most closely regulated. Therefore, they must apply the same due diligence measures and apply OFAC mandates to their cryptocurrency clients.
- Banks that work with cryptocurrency companies need their exchange clients to follow their customer due diligence measures, such as:
  - Ascertaining the true identity of the customer
  - Ascertaining the beneficial owner(s) of the account
  - Understanding the nature and purpose of the account
- Banks that don’t work with cryptocurrency companies:
  - The majority of banks have a policy of not working with MSBs, including cryptocurrency exchanges. However, there are still significant risks posed by customers.
  - Customers may have funds in the bank from peer-to-peer services, which match buyers and sellers to facilitate exchange — imagine eBay or Uber, but for purchasing cryptocurrency. Those selling cryptocurrency through such services are operating as unlicensed money transmitters and could be charged under US criminal statutes with operating as unlicensed MSBs, as they have engaged in the transfer of funds without registering with FinCEN and without obtaining a license from the states in which they’re operating.
What This Means for Exchanges/Wallets
There is a sizable risk that OFAC will see a digital wallet as equal to a bank account, as it has similar functionality — the ability to receive and send payments — and therefore will require the same compliance requirements. Specifically, they’ll expect the bank working with the firm hosting the wallet to apply the same due diligence requirements that they would to any correspondent banking relationship.
If a US exchanger who is also providing a web wallet has a customer who executed a payment to one of these Iranian individuals through that web wallet, the US exchangers involved could face some enforcement exposure. Certainly, a bank that allowed one of its customers to initiate a transaction for the benefit of a citizen in Iran would be in violation. That bank could be exposed to a civil monetary penalty, even if it did not know the beneficiary was Iranian.
- The problems this brings for cryptocurrency service providers are not unique. They’re the same problems we’ve been hearing about from traditional Money Service Businesses for the last two decades.
You Will Violate Sanctions
99.999% of companies and FIs don’t want to support terrorism or work with sanctioned entities. However, they do, and often it’s not on purpose. It’s because the sanctioned entities found a way to use these companies for their own ends and the company didn’t realize it. This is how, unbeknownst to you, your FI could be working with sanctioned entities:
- People will make mistakes and get ransomware on their computer
  - An individual paying off a sanctioned hacker to get family pictures back is not a very attractive enforcement target for OFAC because the individual is a victim of a crime. However, the financial institution that enabled the victim to make such a payment is an attractive enforcement target for OFAC because that financial institution:
    - Facilitated a crime
    - Is held to the highest expectations, because financial institutions have affirmative obligations to understand their regulatory obligations under the Bank Secrecy Act (BSA).
So, it doesn’t matter whether a bank works with cryptocurrencies, exchanges, or wallet providers; if it’s used to violate sanctions, it will be a target.
- It is fair to assume that FIs are going to unintentionally work with sanctioned entities and individuals, because they do not know the end user or beneficial owner behind the transaction. It just happens, and the FI won’t realize it until after the fact. How will you know, though? Do you have any plans or tools in place to help you? Or will OFAC have to tell you? OFAC looks at a number of factors in determining whether to assess a civil monetary penalty and how much of a civil monetary penalty it should assess. The rationale includes:
  - What had the financial institution or business done to minimize the risk of executing a prohibited transaction?
  - What was the compliance program? Was there an acceptable set of policies and procedures in place?
  - Was there screening in place?
  - Was the sanctions compliance function adequately resourced based on the risk profile of the institution?
  - Was there a policy of periodically conducting lookbacks to ensure nothing was missed?
A Four-Part Solution
IdentityMind has been helping banks, crypto exchanges, and wallet companies with AML compliance, including Know Your Customer (KYC), Transaction Monitoring, and Sanctions Screening since 2013. Here are the four steps that we’d recommend to stay on the right side of these sanctions changes:
1. Prevention of direct transactions. You need the ability to stop a client from either sending directly to or receiving directly from a specified bitcoin address. This means a real-time blacklist which automatically prevents clients from being able to transact at all. Anything other than real-time isn’t sufficient; for example, flagging and filing a Suspicious Activity Report (SAR) after the transaction has occurred is prohibited by OFAC.
2. Flag indirect transactions. Some of you may have heard of Blockchain explorers, such as Ciphertrace; how they work is clever. Cryptocurrencies like bitcoin or Ethereum use a public ledger, which means you can see a transaction from when the bitcoin was originally mined and everywhere it’s gone since. Companies like Ciphertrace not only track a transaction as it goes through the ecosystem, but also track the addresses it’s been associated with and see if those addresses are either good or bad, based on factors like whether the exchanges associated with those addresses are licensed and in good legal standing.
Such information lets you know whether your customer has received bitcoin from a sanctioned address. That is vital information. You must also know if a customer has sent bitcoin to an intermediary address, which thereafter sent that bitcoin to a sanctioned address.
3. Digital Identity. Blockchain explorers are great in knowing different addresses and their reputation. What they don’t tell you is the person who actually controls that address. Is it a sanctioned individual? A Politically Exposed Person (PEP)?
A Digital Identity tracks every wallet or address used by an individual and attaches that data to that individual. Therefore, if someone has ever sent funds to a sanctioned address and then comes to your FI, we can alert you to the risk they represent using Virtual Currency Risk Assessment (VCRA).
Digital Identities can be used to track the risk of digital wallets. It’s very easy to send bitcoin from such a wallet to a sanctioned address; wallet providers do not prohibit or preclude their users from sending transactions. So, if an individual sends or receives cryptocurrency from a sanctioned address, and then goes to your FI to create an account, would you like to know that? Absolutely. A digital identity allows you to know what they’ve done in the past and the risk they represent to the institution.
4. Lookbacks. It’s not just about going forward, it’s also about looking backwards. Obviously, all your users have passed onboarding/KYC and their transactions were issued. However, are you sure they are not a sanctioned entity? By proactively conducting a lookback, you can feel certain you’ve done everything you can to prevent sanctioned individuals and entities from using your FI.
No financial institution wants to be working with or aiding sanctioned individuals, no AML team wants to work as hard as they do only to fail because of new challenges presented by virtual currencies, and no financial institution wants to be associated with Iranian ransomware that’s used to steal money from hospitals. However, it is difficult to know the risk of virtual currency, virtual currency companies, or customers who use virtual currency. IdentityMind’s four-part solution can help ensure your FI is not used by sanctioned individuals or entities, and is not exposed to enforcement actions.
Have questions? We can help. Please review the information on our Virtual Currency Risk Assessment (VCRA) Solutions page.
VCRA Sanctions FAQ
Question #1: Are there tools that are able to screen for sanctioned addresses before you accept the address?
Answer #1: Yes, IdentityMind can screen for sanctioned addresses before you accept transactions.
Question #2: Are there databases that are developed for verified “good” or non-sanctioned addresses?
Answer #2: Blockchain explorer tools like IdentityMind’s have a database of good addresses, including addresses associated with licensed exchanges, miners, and other known good users who have a clean history.
Question #3: What does an OFAC compliance program need to have to be successful?
Answer #3: There are several components that OFAC has designated as part of a successful compliance program. They are as follows:
- Screening the names of all potential customers against sanctions lists
- Screening the bitcoin addresses of all potential customers against sanctions lists
- Screening the bitcoin addresses connected to all potential customers
- Comprehensive risk assessments
- Internal Controls
Question #4: Is OFAC only interested in direct exposure to sanctioned wallet addresses, or will indirect exposure matter as well? To what extent, e.g., how many degrees of separation away are funds still tainted?
Answer #4: OFAC has not said explicitly how many degrees, but we believe interest will be three or four hops.
Question #5: Is it required to block a coin that is “tainted” through the use of a blockchain explorer as you described?
Answer #5: It’s required by OFAC to block a coin that’s connected to a sanctioned address. If it cannot be blocked, it must be held in custody and you must call OFAC for further instruction.
Question #6: Will the Blockchain assist with determining if an address is a sanctioned address? How can we vet addresses before accepting the transaction?
Answer #6: Yes, a blockchain explorer would assist in determining if an address is sanctioned, or connected to a sanctioned address. This service can be used to vet addresses before accepting a transaction.
Question #7: How about for peer-to-peer transfers?
Answer #7: Peer-to-Peer (P2P) exchanges that don’t touch or hold the currency could argue that they can’t control this. However, if sanctioned bitcoin flowed through their platform, it is doubtful that OFAC would accept this argument. Moreover, the reputational risk would be extremely large, as every bank and FI would struggle to continue working with them.
Question #8: If a bitcoin transaction is going to an address one or two degrees separated from one of the sanctioned addresses, does an FI legally have to prevent that transaction, and if they let it go, are they subject to penalties?
Answer #8: This is a common question, and most FIs would refuse to do that transaction. They wouldn’t do any further investigation, as one or two hops away from a sanctioned individual or entity would be outside of that FI’s risk appetite, and that would be the end of it.
At the very least, the FI would want to hold that transaction and conduct an investigation, keeping in mind that the key thing to determine would be the source of funds. Specifically, was the source of funds the actual sanctioned individual or entity?
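The following is an added illustration, not IdentityMind's code or any product's logic, of the screening described in the four-part solution and in Answers #4 and #8: a real-time check that blocks direct transfers to or from a listed address (step 1), a hop-limited backward trace through the transaction graph that holds funds whose source is within a configurable number of hops of a listed address (step 2, and the three-or-four-hop question in Answer #4), and a lookback that re-screens stored history when the list grows (step 4). It assumes a simplified address-to-address ledger rather than bitcoin's UTXO model, and all addresses and transaction ids are constructed placeholders.

```python
from collections import deque

# Constructed sample data: placeholder labels, not real bitcoin addresses.
SANCTIONED = {"SDN_ADDR_1", "SDN_ADDR_2"}

# Constructed ledger of (txid, sender, receiver, amount_btc); simplified
# address-to-address transfers rather than UTXO inputs/outputs.
LEDGER = [
    ("tx1", "SDN_ADDR_1", "mixer_A", 50.0),
    ("tx2", "mixer_A", "intermediary_B", 30.0),
    ("tx3", "intermediary_B", "cust_alice", 5.0),
    ("tx4", "miner_X", "cust_bob", 12.5),
    ("tx5", "cust_bob", "SDN_ADDR_2", 0.1),
]


def build_graph(ledger):
    """Map each address to the set of addresses that have paid into it."""
    inputs = {}
    for _, sender, receiver, _ in ledger:
        inputs.setdefault(receiver, set()).add(sender)
    return inputs


def hops_to_sanctioned(address, inputs, sanctioned, max_hops=4):
    """Breadth-first search backwards through senders. Returns the fewest
    hops from `address` to a sanctioned address, or None if there is no
    sanctioned source within `max_hops`."""
    if address in sanctioned:
        return 0
    seen = {address}
    frontier = deque([(address, 0)])
    while frontier:
        addr, depth = frontier.popleft()
        if depth == max_hops:  # do not look further back than the limit
            continue
        for src in inputs.get(addr, ()):
            if src in sanctioned:
                return depth + 1
            if src not in seen:
                seen.add(src)
                frontier.append((src, depth + 1))
    return None


def screen(tx, inputs, sanctioned, max_hops=4):
    """Real-time decision for one transaction: 'block' on direct contact
    with a listed address (step 1), 'hold' for investigation when the
    sender's funds trace back to one within max_hops (step 2), else 'allow'."""
    _, sender, receiver, _ = tx
    if sender in sanctioned or receiver in sanctioned:
        return "block"
    return "hold" if hops_to_sanctioned(sender, inputs, sanctioned, max_hops) is not None else "allow"


def lookback(ledger, sanctioned, max_hops=4):
    """Re-screen stored history against the current list (step 4)."""
    inputs = build_graph(ledger)
    return {tx[0]: screen(tx, inputs, sanctioned, max_hops) for tx in ledger}
```

Running `lookback(LEDGER, {"SDN_ADDR_1"})` before SDN_ADDR_2 is listed allows tx5; re-running it with the full SANCTIONED set is what catches that transaction after the list is updated.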
For more information on VCRA from IdentityMind, please click here.