U.S. sanctions enforcement in the virtual currency space – USD 1 billion and counting… | Allen & Overy LLP
Beginning in 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has increasingly focused its enforcement activity on entities operating in the virtual currency space, illustrating a trend that shows no signs of slowing.
For much of the past decade, the virtual currency marketplace has operated under conditions more reminiscent of the “Wild West” than a clearly regulated financial market. Participants have experienced the booms and busts of expansive growth and innovation while the exact classification, and related regulation, of such products has lagged behind.
However, these markets have recently come under increased scrutiny by those at the helm of traditional financial regulation and enforcement – such as OFAC, the Commodity Futures Trading Commission (CFTC), the Financial Crimes Enforcement Network (FinCEN), and the Department of Justice (DOJ) – which have begun wielding their authority to reign in virtual currency markets through enforcement action. For example, as of the date hereof, six of OFAC’s previous 21 announced enforcement action settlements have involved entities believed to have been engaging in or facilitating transactions involving virtual currency and/or wallets. These enforcement actions have resulted in approximately USD 1.02 billion in civil monetary penalties, including a nearly USD 970 million settlement with Binance Holdings, Ltd. (Binance).
In this alert, we examine the OFAC enforcement landscape for entities engaged in the virtual currency marketplace. We also discuss the common pitfalls of virtual currency firms demonstrated by this enforcement activity and considerations for similarly situated businesses seeking to mitigate their risk of engaging in prohibited conduct and facing potential enforcement liability.
Binance
On November 21, 2023, OFAC announced a USD 968,618,825 settlement with Binance, a Cayman Islands company and the world’s largest virtual currency exchange. The settlement agreement between OFAC and Binance (the Binance Settlement Agreement) resolved Binance’s potential civil liability for apparent violations of multiple sanctions programs between 2017 and 2022, and was part of coordinated resolutions with FinCEN, CFTC, and DOJ. As part of these resolutions, Binance agreed to pay over USD 4 billion in fines to the U.S. government.
According to the Binance Settlement Agreement, between August 2017 and October 2022, Binance matched and executed trades on its online exchange platform between U.S. person1 users and users targeted by U.S. sanctions.2
Under the Binance Settlement Agreement, Binance agreed, among other things, to pay a civil monetary penalty, and to take a number of remedial actions, including committing to promote a culture of compliance, undertaking risk assessments and audits of its internal controls, revising and updating its compliance program, cooperating with OFAC investigations, retaining an independent monitor to assess compliance, and providing senior-level annual certification of compliance.
The Binance Settlement Agreement also provides that OFAC may seek to impose an additional penalty on Binance (up to the statutory maximum) if OFAC determines a material breach of, or misrepresentation in, the agreement has occurred, including breaches arising from Binance’s failure to perform any of the compliance commitments described above.
The larger enforcement picture
OFAC’s enforcement against Binance is just one of many recent OFAC enforcement actions against entities primarily engaged in facilitating virtual currency transactions. Since October 2022, OFAC has publicly settled potential civil liability with six such firms; for context, OFAC has announced 21 settlements total during that same period.
The timing, nature, scope, and ultimate settlement amounts, based on a calculated potential civil monetary penalty (CMP), for these settled actions varies from case-to-case. Notable data points include:
- the number of apparent violations covered by each action ranges from 152 to 1,667,153;
- these apparent violations occurred (across enforcement actions) between 2014 and 2022; and
- the related settlements comprise a settlement amount range of USD 72,230 to USD 968,618,825.
However, the most prominent violative conduct across these enforcement actions was the provision of some form of digital asset trading and/or wallet storage services and failure to exercise “due caution or care” for sanctions compliance obligations by failing to implement adequate (or any) sanctions compliance programs and counterparty screening practices. OFAC enforcement is typically based on, among other things, a determination that an alleged violator: (i) engaged in the direct or indirect exportation or other supply of goods and services from the United States, or by U.S. persons, to sanctioned jurisdictions; and/or (ii) caused U.S. persons to engage, directly or indirectly, in transactions with users in sanctioned jurisdictions or with blocked persons.
Common mitigating factors across these enforcement actions included:
- the absence of prior penalty notices or “Findings of Violation” from OFAC in the preceding five years;
- cooperation with OFAC’s investigation of the apparent violations; and
- the voluntary implementation of mitigating measures (e.g., enhancement of compliance practices) in response to discovery of the apparent violations.
OFAC also considered the apparent violations’ purportedly small transaction values and/or limited proportionality with respect to overall transaction activity on the relevant platform to be mitigating factors for Bittrex, Inc. (Bittrex), Poloniex, LLC (Poloniex), and CoinList Markets LLC (CoinList).
An illustrative table with high-level statistics for these actions is provided below.3
Assessing and mitigating potential enforcement risk
The key takeaway from OFAC’s enforcement activity in the virtual currency space is that businesses facilitating transactions involving these novel assets must develop, implement, and enforce robust policies and procedures to ensure compliance with applicable U.S. sanctions laws. Indeed, as set out in OFAC’s guidance on Sanctions Compliance for the Virtual Currency Industry, it is essential for financial institutions of any kind, including those in the virtual currency space, to develop and implement effective, risk-based compliance programs backed by adequate resources and a strong commitment from senior management. These compliance controls should include:
- robust KYC protocols;
- transaction monitoring;
- sanctions screening (including geolocation screening);
- algorithmic configurations; and
- other controls as appropriate.
The Deputy Secretary of the U.S. Department of the Treasury further echoed these points in remarks given in late 2023, stating that “[w]e have built a regulatory framework that traditional financial firms not only adhere to, but help us to implement. These firms have invested in tools, personnel, and processes that help us identify and capture criminals, terrorists, and others that seek to move money illegally… We need those in the digital asset industry to do the same.”4
However, OFAC’s recent enforcement actions demonstrate that mere development of compliance systems and protocols will not be sufficient to shield firms facilitating virtual currency-related transactions from potential civil (and even criminal) liability under U.S. sanctions. For example, OFAC determined that Kraken’s application of geolocation controls only at the time of onboarding (and not with respect to subsequent transactional activity) – despite having reason to know that certain transactions appeared to have been conducted from Iran – constituted an aggravating factor when calculating the appropriate settlement amount. Furthermore, OFAC considered Poloniex’s failure to apply its compliance program (once implemented) consistently across pre-existing accounts to be an aggravating factor for the penalty calculation. These determinations indicate that virtual currency firms not only must implement risk-based controls, but also must dedicate appropriate resources to assess both latent compliance deficiencies and identify and implement appropriate best practices to ensure compliance with such laws on an ongoing basis. Deputy Secretary Adeyemo’s remarks emphasized that failure to take meaningful action could have grave consequences for virtual currency actors, stating “[Treasury’s] actions over the last year send a clear message: [Treasury] will not hesitate to bring to bear tools across government to protect our national security.”
Nevertheless, as evidenced by OFAC’s acknowledgment of relevant mitigating factors in determining the appropriate settlement amounts in these actions, firms with historic or forward-looking compliance deficiencies were generally able to mitigate their potential liability by: (i) taking swift and appropriate action to identify and remediate non-compliance and deficiencies in existing compliance programs; and (ii) cooperating fully with OFAC during the course of an investigation (whether the investigation is initiated by OFAC or arises from a voluntary self-disclosure).
In addition, OFAC’s settlement with Binance, a non-U.S. person, illustrates that U.S. sanctions enforcement risk extends to non-U.S. financial institutions, money services businesses, and virtual currency exchanges that conduct business in the United States or provide services to U.S. persons. Without instituting the proper controls to ensure compliance with U.S. sanctions and other U.S. laws, non-U.S. firms conducting business in the United States or with U.S. persons expose themselves to significant monetary penalties and potential criminal liability.
For more information regarding compliance with U.S. sanctions, establishing appropriate compliance policies and procedures, or reviewing historical transactions and mitigating potential enforcement risk, please contact the authors (related people) or your usual contact within our Global Sanctions Group.
Footnotes
1. For these purposes, “U.S. persons” include: (i) U.S. citizens and permanent residents; (ii) entities organized under the laws of the United States and their non-U.S. branches; and (iii) any individuals or entities located in the United States.
2. Users targeted by U.S. sanctions include individuals or entities located in comprehensively sanctioned jurisdictions (which, as of the date hereof, comprise Cuba, Iran, North Korea, Syria, the Crimea region of Ukraine, and the so-called Donetsk People’s Republic and Luhansk People’s Republic regions of Ukraine) and blocked persons (i.e., persons identified on OFAC’s Specially Designated Nationals and Blocked Persons List or owned 50% or more by one or more blocked persons).
3. The figures in this table have been obtained from enforcement web notices published by OFAC for each individual action.
4. Remarks by Deputy Secretary of the Treasury Wally Adeyemo at the 2023 Blockchain Association’s Policy Summit, Nov. 29, 2023, available at https://home.treasury.gov/news/press-releases/jy1934#:~:text=We%20have%20built%20a%20regulatory,seek%20to%20move%20money%20illegally.