Office of Foreign Assets Control (OFAC)
The purpose of this blog post is to give an overview of the Office of Foreign Assets Control (OFAC) as it relates to cryptocurrencies.
INTRODUCTION
Founded in 1950, OFAC is a financial intelligence and enforcement agency operating under the auspices of the U.S. Department of the Treasury, specifically the Office of Terrorism and Financial Intelligence. OFAC is tasked with administering and enforcing economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, drug traffickers and other threats deemed to pose a risk to the national security, foreign policy or economy of the U.S.
In terms of enforcement, OFAC may impose fines, freeze assets, bar parties from operating in the U.S. and refer investigations to the Department of Justice for criminal prosecution. In this vein, OFAC maintains the Specially Designated Nationals and Blocked Persons List (SDN List), which is a list of individuals, entities, and nations with whom it is illegal to transact.
As it relates to cryptocurrencies, OFAC has become increasingly involved in enforcement actions, alongside the SEC, CFTC and FinCEN. Most of the actions taken by OFAC involve applying existing enforcement frameworks (such as the SDN List) to the cryptocurrency industry.
Specially Designated Nationals and Blocked Persons List
As noted above, the SDN List is a comprehensive list of individuals, entities, geographic regions and nations with whom it is illegal to transact, as designated by OFAC. The prohibition also extends to entities that are directly or indirectly owned 50% or more by blocked individuals/entities.
Placement on the list has serious consequences. Namely, it is immediately illegal for all U.S. persons and businesses to transact with and engage in business with any blacklisted individuals/entities. Importantly, it does not matter if a U.S. individual or entity actually intends to violate this prohibition or is even aware of such a prohibition. In other words, unknowingly transacting with a blacklisted individual or entity creates a potential for significant civil fines and criminal penalties.
In late 2018, OFAC began designating certain individuals engaged in criminal activity using virtual currencies, along with their associated blockchain addresses. For example, see:
Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses (designating two Iranian individuals and their associated bitcoin addresses for laundering funds through SamSam ransomware-derived bitcoin).
Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity (designating ten individuals and two entities associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), and their associated bitcoin addresses).
Treasury Sanctions Corrupt Actors in Africa and Asia (designating a Chinese individual who launched and transacted in cryptocurrencies to further a network of criminal enterprises).
Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group (designating two North Korean individuals and their bitcoin addresses associated with the Lazarus Group that hacked multiple cryptocurrency exchanges).
OFAC has also designated a number of entities and cryptocurrency enterprises:
Treasury Takes Robust Actions to Counter Ransomware (designating virtual currency exchange SUEX OTC as a result of money laundering and running a number of ransomware schemes, with over 40% of SUEX's transaction history being associated with illicit actors).
Treasury Sanctions Russia-Based Hydra, World’s Largest Darknet Market, and Ransomware-Enabling Virtual Currency Exchange Garantex (designating the darknet market, Hydra, and 100 associated cryptocurrency addresses, and virtual currency exchange Garantex).
OFAC’s designation of virtual currency mixers/tumblers has garnered the most recent public attention.
These mixers/tumblers are blockchain protocols that are designed to allow anonymous cryptocurrency transactions by obfuscating the origin and destination of cryptocurrencies through the “mixing” of funds with other users. Such mixers/tumblers are popular among hackers and cyber thieves because they allow them to mix their illegally obtained cryptocurrencies with the cryptocurrencies of other, legitimate users, thereby making it harder to trace the ill-obtained cryptocurrencies back to the criminal.
As such, OFAC has started to sanction mixer/tumbler providers.
For instance, Blender.io (operating on the bitcoin blockchain) was the first mixer to be sanctioned in May 2022. U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats. OFAC found that Blender.io had assisted in the transfer of over $500 million worth of bitcoin since its creation in 2017 and played a role in helping North Korea’s Lazarus Group launder over $20.5 million in proceeds from the Axie Infinity hack.
Shortly thereafter, in August 2022, OFAC sanctioned the popular mixer Tornado Cash (operating on the Ethereum blockchain). U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash. OFAC determined that the mixer had been used to launder $7 billion worth of cryptocurrency since its creation in 2019 (including large amounts stolen by Lazarus Group). The move was criticized by some in the industry, who cited First Amendment concerns because the sanctions restricted Americans’ ability to use the tool for legitimate purposes and argued that it operated as a ban on a technology as opposed to a sanction on an individual/entity, particularly when it was reported that only 10.5% of the mixed cryptocurrency constituted stolen funds. See U.S. Treasury sanction of privacy tools places sweeping restrictions on all Americans; OFAC Sanctions Popular Ethereum Mixer Tornado Cash for Laundering Crypto Stolen by North Korea's Lazarus Group.
Accordingly, all U.S. individuals and businesses must be careful to avoid inadvertently transacting with the above sanctioned individuals, entities and protocols.
OFAC released a set of FAQs regarding the sanctions on Tornado Cash to help individuals better understand their obligations.
GUIDANCE
OFAC released a “Sanctions Compliance Guidance” brochure aimed at providing a general overview of OFAC compliance considerations and detailing specific efforts individuals/entities involved in the virtual currency industry should take, such as:
Geographic and SDN screening;
Reviewing and endorsing sanctions compliance policies and procedures;
Ensuring adequate resources, including human capital, expertise, IT and other resources supporting the compliance function;
Delegating sufficient autonomy and authority to the compliance unit;
Appointing a dedicated sanctions compliance officer with the requisite technical expertise;
Conducting routine risk assessments to identify potential sanctions issues;
Developing controls to identify, interdict, escalate, report (as appropriate), and maintain records for transactions or activities prohibited by OFAC-administered sanctions;
Incorporating geolocation tools, IP address blocking controls and transaction monitoring and investigation software; and
Developing Know-Your-Customer (KYC) procedures.
The brochure contains many additional details and examples for implementing a proper and effective OFAC compliance program.
OFAC also released guidance on potential sanctions risks for facilitating ransomware payments. The guidance advises against making ransomware payments in cryptocurrencies because there is no guarantee that such payments will result in companies/individuals regaining access to their data. However, if such payments must be made, the guidance advises the affected individual/entity to immediately contact OFAC and related agencies so as to mitigate any enforcement action OFAC might otherwise bring for transacting with a sanctioned person/entity.
ENFORCEMENT
As noted above, OFAC has enforcement authority to fine individuals/entities that violate its sanctions. So far, OFAC has used its enforcement authority twice.
First, OFAC fined BitGo, a technology company offering security and scalability platforms for digital assets and non-custodial secure digital wallet management services, $98,830 for failing to prevent users in sanctioned countries from using its hot wallet management service, despite BitGo’s possession of the IP addresses of said users that, in OFAC’s view, should have alerted BitGo to their location. OFAC Enters Into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions.
There were 183 violations and the transactions themselves were only valued at a little over $9,000. The penalty was mitigated due to BitGo’s cooperation with OFAC, the appointment of a chief compliance officer and a process to screen all accounts against the SDN List.
Second and similarly, OFAC fined BitPay, a company offering payment processing solutions for merchants to accept digital currency as payment for goods and services, $507,375 for allowing individuals located in sanctioned territories to transact with merchants in the United States even though BitPay had the individuals’ IP addresses and other location data.
However, in contrast with its earlier fine against BitGo, the $507,375 fine was nearly five times the sanctioned transaction amount of $129,000.
OFAC’s enforcement guidelines are located here and detail definitions, types of OFAC responses to various violations, factors affecting administrative action and the various civil penalties that could be imposed. 31 C.F.R. § 501 App'x A.
STATEMENTS
Sigal Mandelker, the undersecretary for Terrorism and Financial Intelligence (which oversees OFAC), gave remarks at a CoinDesk Consensus Conference in 2019. Remarks at CoinDesk Consensus Conference. Mandelker commented that the Treasury has noticed a huge amount of effort by sanctioned entities to use existing virtual currency channels to evade sanctions and to invent their own (e.g., national digital currencies on the part of Venezuela and Russia).
Mandelker also emphasized the need for virtual currency businesses to establish compliance protocols and that the four elements of a successful program are: (1) a tailored, risk-based program; (2) know-your-customer procedures; (3) preventing transactions with individuals/entities on the SDN List; and (4) clear communication to customers.
Wally Adeyemo, Deputy Secretary of the Treasury, gave remarks at a LINKS Conference in November 2021. Deputy Secretary of the Treasury, Remarks at LINKS Conference Presented by Chainalysis. Specifically, Adeyemo commented that the potential for ransomware and illegal activity in cryptocurrency was not a reason to “get rid of” cryptocurrencies, but rather to address the problem as a cybercrime and national security problem.
Adeyemo also noted that mixers (discussed above) and other darknet markets used to launder funds are “at the top of our list of concerns.” Adeyemo concluded by advising cryptocurrency service providers to include and ensure compliance at product launch and then to build it into the “fundamental architecture” of the company.
FAQs
OFAC has issued various FAQs over the years to help individuals better understand OFAC’s regulatory framework and accompanying sanctions. The FAQs are divided into certain categories and are linked below:
Cyber-Related Sanctions (including Tornado Cash FAQs)
Disclaimer: This blog and the content herein are available for informational and educational purposes only. The content herein is not a solicitation to provide legal services and is not legal or investment advice on any subject matter. Nothing in this blog shall create an attorney-client relationship. The legal information in this blog is provided “as is” without any representations or warranties, express or implied. The author makes no representations or warranties in relation to the legal information on this website. You must not rely on the information on this website as an alternative to legal advice from your attorney or investment advisor. Please see the disclaimer section for more information.