The U.S. government has recently been active with respect to regulating cryptocurrencies. For its part, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) recently released guidance—issued in the form of Frequently Asked Questions (FAQs)—explaining that transactions involving cryptocurrencies, also known as virtual or digital currencies, will be treated the same as other transactions—a position that multiple Treasury Department officials have signaled for several months.
Notably, OFAC’s guidance was announced contemporaneously with President Trump’s Executive Order prohibiting transactions related to virtual currencies issued by, for, or on behalf of the Venezuelan government. Venezuela issued the “petro” in February 2018, a cryptocurrency that U.S. officials said was created to evade U.S. sanctions against the country. Venezuela’s actions, and the U.S. response, show that the U.S. government is focused not just on sanctions violations involving traditional financial transactions, but also on the emerging use of digital currencies, including those issued by foreign governments.
OFAC Virtual Currency Guidance
Under OFAC’s newly issued FAQs, U.S. persons will have the same sanctions compliance obligations regardless of whether transactions involve “real” currencies or cryptocurrencies. OFAC will work with law enforcement to ensure that the use of “new payment mechanisms” will not create a blind spot for sanctions enforcement. Specifically:
FAQ 559 defines the key terms of “virtual currency” (an expansive definition), “digital currency”, “private keys”, “wallet”, “digital currency address”, “hosted wallet provider”, and “wallet provider”.
FAQ 560 explains that compliance obligations “are the same, regardless of whether a transaction is denominated in digital currency or traditional fiat currency,” meaning that companies and other persons are expected to develop “tailored risk-based compliance programs” that address the risks posed by virtual currencies.
FAQ 561 states that “OFAC may include as identifiers on the SDN List specific digital currency addresses associated with blocked persons.”
FAQ 562 states that “parties who identify digital currency identifiers or wallets that they believe are owned by, or otherwise associated with, an [Specially Designated Person (SDN)] and hold such property should take the necessary steps to block the relevant digital currency and file a report with OFAC.”
FAQ 563 explains the format that digital currency addresses will take on the SDN List.
Applicability of New OFAC Guidance
In general, U.S. sanctions laws apply broadly to individuals and entities that are considered “U.S. Persons.” U.S Persons generally include all U.S. citizens and permanent resident aliens, wherever located or resident; all entities organized under the laws of the United States (including their foreign branches); and all individuals physically located in the United States. U.S. sanctions also restrict transactions involving designated persons in other countries around the world, including individuals and entities identified on the List of Specially Designated Nationals (SDN List), and entities in which such persons hold an ownership interest of 50% or more.
Impact of OFAC’s New FAQs
In light of OFAC’s FAQs, sanctions violations involving cryptocurrencies are expected to result in enforcement actions that are similar to those imposed on persons that use “real” currencies. Nonetheless, cryptocurrencies present unique challenges to companies that seek to balance their market obligations with their obligations to comply with sanctions laws. Negotiating with hackers is one area that may cause particular problems for companies as the use of virtual currencies becomes more widespread.
A hacker who is able to infiltrate company systems may demand payment in the form of bitcoin or another virtual currency. For example, the hackers who launched a ransomware attack that shut down the City of Atlanta’s computer systems in mid-March demanded a bitcoin ransom of approximately US$51,000. If the hacker’s digital currency address or wallet is on the SDN List, a company’s attempt to recover its information by conducting a transaction with the wallet may constitute a sanctions violation. This dilemma may leave companies with an impossible choice between complying with U.S. sanctions laws and freeing themselves from a hack. Because OFAC has not yet enforced sanctions laws under such a scenario, it is unclear whether companies could assert duress as a defense after paying a virtual ransom.
In addition, compliance itself may become logistically impossible due to the nature of hacking threats. If companies are unable to properly screen a wallet because their systems have been compromised, they may face an even more difficult decision of whether to pay a ransom that might violate sanctions laws and expose them to civil and criminal liability. We expect more guidance to emerge in this field.
In the meantime, companies must remain vigilant about conducting rigorous diligence on their transactions and ensuring compliance with sanctions laws, including transactions involving digital currency addresses or wallets associated with persons on the SDN list.
For example, because FAQ 562 notes that OFAC’s digital currency address listings will not be exhaustive, companies must take steps to block addresses that they believe are associated with an SDN and file reports with OFAC about a digital currency address’ suspected SDN association. Companies must also ensure that their screening tools are able to screen unique alphanumeric identifiers that will now be listed on the SDN list. We expect that OFAC will clarify the scope of “associated” within FAQ 562, which will help determine how companies must adjust their compliance programs.o block addresses that they believe are associated with an SDN and file reports with OFAC about a digital currency address’ suspected SDN association. Companies must also ensure that their screening tools are able to screen unique alphanumeric identifiers that will now be listed on the SDN list. We expect that OFAC will clarify the scope of “associated” within FAQ 562, which will help determine how companies must adjust their compliance programs.