Sanctions compliance programs have never been more critical, especially in the cryptocurrency industry. Recent enforcement actions by the Office of Foreign Assets Control (OFAC) – including its first-ever sanctioning of a crypto exchange – highlight the increased regulatory scrutiny that crypto firms are under. And in March 2022, President Biden signed an executive order calling for a “whole-of-government approach” to addressing the risks and benefits of digital assets.
The Executive Order came at a critical time, as Russia’s invasion of Ukraine prompted numerous sanctions from nations around the world. Regulators have zeroed in on the potential role of cryptocurrency in evading Russian sanctions. In a joint statement, the Group of Seven (G7) leaders said:
“We commit to taking measures to better detect and interdict any illicit activity, and we will impose costs on illicit Russian actors using digital assets to enhance and transfer their wealth, consistent with our national processes.”
What Are Sanctions and What Is Sanctions Compliance?
Sanctions can be defined as “punitive and deterrent actions taken by one government or multilateral body (such as the U.N.) against another country, entity or individual.” The figure below identifies the different categories of sanctions:
In the United States, trade and economic sanctions programs are administered and enforced by OFAC, an agency in the U.S. Treasury Department. OFAC has been very active in its enforcement actions, including against virtual currency companies. In 2021, OFAC collected more than $21 million in penalties.
Why Is Sanctions Compliance Important for Crypto Companies?
Digital asset platforms should follow sanctions guidelines as part of their overall compliance programs. Doing so mitigates the risks of fines or other enforcement actions.
Effective sanctions compliance requires careful planning, execution, and ongoing improvements. Fortunately, cryptocurrency businesses are technology and financial innovators who can apply their technical ingenuity to streamline sanctions compliance in the United States and other jurisdictions. Indeed, they can set the standard for sanctions compliance for other financial institutions to follow.
5 Factors for a Risk-Based Approach to an OFAC Sanctions Compliance Program
OFAC has published “A Framework for OFAC Compliance Commitments,” which details the five essential components for an effective sanctions compliance program. These include:
1. Management Commitment
As with most initiatives, support from senior management is crucial to successful sanctions compliance. Executive commitment helps ensure sufficient resources and priority are dedicated to building a sanctions compliance program that works.
In its “Sanctions Compliance Guidance for the Virtual Currency Industry,” OFAC identifies four steps crypto executives can take to show their commitment to sanctions compliance:
- Review and endorse sanctions compliance policies and procedures.
- Ensure adequate resources — including human capital, expertise, information technology, and other resources — support the compliance function.
- Delegate sufficient autonomy and authority to the compliance unit.
- Appoint a dedicated sanctions compliance officer who has the essential technical expertise.
OFAC notes that many crypto firms delay sanctions compliance until after they’ve been operational for years – exposing them to sanctions risks. It’s recommended that virtual asset service providers (VASPs) evaluate potential sanctions risks early on, such as during the beta testing stage of operations.
2. Risk Assessment
A risk assessment evaluates a company’s touchpoints to foreign jurisdictions or persons. This process helps identify potential areas in which a company may be engaging with OFAC-sanctioned persons, countries, or regions.
Again, OFAC recommends that virtual currency companies act early: they should evaluate their exposure to OFAC sanctions and work to minimize their risks – even before opening their doors. The risk assessment process should be tailored to a company’s:
- Customer or client base
- Products and services
- Supply chain
- Geographic locations
3. Internal Controls
The results of the risk assessment determine the specific policies and procedures a company should adopt. These include internal controls that enable due diligence and identify red flags – indicators of illicit activity or compliance breakdowns. For the virtual currency industry, OFAC specifically states that internal controls depend on:
- The company’s products and services
- Where the company operates
- The locations of its users
- The sanctions risks identified during the risk assessment
As sanctions against Russia, Belarus, separatist regions of Ukraine and other jurisdictions intensify, it’s vital for crypto companies to follow OFAC’s best practices for strengthening their internal controls.
One best practice is to adopt geolocation tools and IP address blocking controls, including tools that screen IP addresses against known VPN IP addresses. VPN detection should be a cornerstone of sanctions compliance – since the conflict with Ukraine began on Feb. 24, 2022, VPN demand in Russia has peaked at 2,692% above the daily average of the preceding week (see figure below).
Chart showing daily VPN demand increases in Russia compared with the daily average between Feb. 17-23, 2022. Source: Top10VPN.com
4. Testing and Auditing
Testing the effectiveness of an OFAC compliance program helps ensure it’s working as it should – and helps identify what needs improving or adjusting based on changing sanctions risks. Again, OFAC identifies best practices for digital asset companies:
- Sanctions list screening: Ensure that screening against the Specially Designated Nationals and Blocked Persons (SDN) List and other sanctions lists works and effectively flags transactions that need further review.
- Keyword screening: Make sure screening tools correctly flag geographic keywords as part of Know Your Customer (KYC) or other transaction screening.
- IP blocking: Ensure IP address software prevents users from sanctioned jurisdictions from accessing a company’s products and services. Geofencing software can help here.
- Investigation and reporting: Review procedures for investigating transactions that have a potential sanctions nexus as well as procedures for reporting to OFAC.
5. Training
The scope of a company’s sanctions-specific training depends on its size, sophistication, and risk profile. Employees in compliance, management, and customer service should all receive periodic training – at least annually.
An effective training program will:
- Provide job-specific knowledge based on each employee’s needs.
- Communicate each employee’s sanctions compliance responsibilities.
- Hold employees accountable for meeting training requirements.
Sanctions Compliance Is About Location, Location, Location
Geopolitical conflict has escalated the amount and complexity of sanctions; however, common themes run through these sanctions, one of which is location. This means that a critical element of sanctions compliance is the ability to block users and transactions from sanctioned jurisdictions – including the list of OFAC-sanctioned countries.
In 2021, OFAC fined BitPay, a platform that allows merchants to process digital currencies, over US$500,000 for accepting transactions from persons in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria – even though BitPay had gathered IP addresses and other location data from these customers.
To effectively block sanctioned individuals and transactions, a cryptocurrency business needs to know its customers’ true location – are they where they say they are? To do this, many financial institutions, including crypto exchanges and wallets, rely on IP addresses to verify location.
But, as OFAC’s virtual currency guidance so vividly highlights, IP addresses are one of the easiest location data points to manipulate. In only three months, for example, GeoComply detected 1,760 attempted transactions from Russia with IP addresses manipulated to appear as though users were located in the United States (see figure below).
To mitigate sanctions risks and stop bad actors from exploiting the U.S. financial system, digital asset companies need precision geolocation tools that:
- Identify a user’s true location using device-based geolocation.
- Block transactions from all sanctioned regions while still serving legitimate users.
- Detect location spoofing via VPNs, proxies, fake GPS apps and other anonymizers.
That’s where GeoComply can help.
Conclusion: Manage Sanctions Risks with Compliance-grade Geolocation
GeoComply’s software uses device-based geolocation data signals from multiple sources – such as GPS and Wi-Fi triangulation – to pinpoint a user’s true location within meters. These data signals are verified for authenticity by detecting the use of location spoofing tools, such as VPNs, to manipulate an IP address.
The software also combines real-time and historical geolocation data to help detect and flag patterns of location fraud. Models are constantly updated with the use of machine learning and human intelligence.
This is the same compliance-grade geolocation used in the highly regulated U.S. iGaming and sports betting industry, with its strict, state-specific requirements. GeoComply’s software ensures betting remains within the permitted jurisdiction – even close to the border (see figure below).
This precise location is essential to compliance, especially in a country like Ukraine with its complex sanctions requirements. Crypto companies and other financial institutions can block transactions originating from the Ukrainian separatist regions, while still serving legitimate customers in nearby jurisdictions.
As sanctions against Russia and other jurisdictions increase, OFAC’s virtual currency guidance for building an effective sanctions compliance program becomes even more important. OFAC’s best practices – such as a more advanced geolocation strategy – will help ensure all financial institutions are able to uphold sanctions and AML laws, reduce the risk of enforcement actions, and protect the customers they serve.