Economic sanctions: challenges confronting the cryptocurrency industry

Back to International Commerce and Distribution Committee publications

Andrew Jacobson
Seward & Kissel LLP, New York
jacobsona@sewkis.com

 

The cryptocurrency industry has experienced extraordinary growth over the past decade, as the popularity and use of digital assets has expanded. While digital assets have numerous legitimate uses, criminal actors, including those in hostile jurisdictions, have often flocked to cryptocurrencies in an effort to conceal the unlawful nature of their transactions. Notably, United States regulators, including the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Department of Justice (DoJ), have taken steps to target the use of digital assets to evade sanctions and commit money laundering offenses.

The US’ economic sanctions programs are largely administered and enforced by OFAC, which has been delegated regulatory and enforcement authority via numerous statutes and presidential executive orders. The US currently maintains several dozen economic and trade sanctions programs, including with respect to Cuba, Iran, North Korea and Syria. The US also maintains sanctions programs that target corruption, terrorism and malicious cyber-related activities. This article will address the changing landscape of US sanctions over the past decade, with a particular focus on how US regulators have reacted to the growth of the cryptocurrency industry during that time period.

 

Sanctioned regimes and actors flock to cryptocurrencies

Sanctioned actors and those operating in sanctioned jurisdictions have flocked to cryptocurrencies over the past few years, as financial institutions and governments have cracked down on traditional money laundering and sanctions evasion schemes. Iran, for example, recently announced a national imperative to mine Bitcoin, licensing numerous cryptocurrency mining farms. There have also been numerous press reports regarding Iran’s efforts to employ digital assets, including Bitcoin, to undermine US economic and trade sanctions. North Korea has utilised cryptocurrencies as well, including in an effort to fund and promote cyberattacks, an example of which includes the Lazarus Group and its efforts to launder funds. Additionally, Venezuela’s government in 2018 attempted to establish its own national cryptocurrency, referred to as the Petro, in an effort to circumvent increasing US economic and trade sanctions.

Cryptocurrencies have also been the asset of choice for ransomware attackers. Ransomware is a form of malware that will often encrypt a victim’s data or computer systems, thereby blocking access to those systems. Ransomware attacks have increased in prevalence and scope worldwide, and as discussed below, cyber attackers have chosen cryptocurrencies (particularly Bitcoin) as their digital asset of choice.

Finally, criminal actors have sought to use privacy coins, or other external privacy mechanisms (such as mixers or tumblers) to disguise the nature of their transactions. Privacy coins are cryptocurrencies designed to provide users with a degree of anonymity in their transactions, compared to currencies such as Bitcoin and Ethereum, which operate on the public ledger. The use of privacy coins and external privacy mechanisms can make it difficult for financial institutions and law enforcement to trace source of funds and perform transaction due diligence.

OFAC and other US regulators respond

OFAC first announced in November 2018 that it would begin listing digital currency addresses affiliated with sanctioned actors to its Specially Designated Nationals and Blocked Persons List (SDN list). For the first time, OFAC publicly identified digital currency addresses that financial institutions were prohibited from transacting in, representing one of OFAC’s first forays into the cryptocurrency industry. Additionally, this was the first instance in which OFAC had taken action with respect to cryptocurrency under its cyber-related sanctions authorities, which are contained in Executive Order 13694, as amended by Executive Order 13757.

OFAC’s announcement that it would begin listing digital currency addresses was made in conjunction with additional actions taken regarding the SamSam ransomware schemes. Notably, OFAC sanctioned two Iran-based individuals who had assisted in exchanging Bitcoin ransom payments into Iran’s national fiat, rials, for Iranian cyber actors involved in the SamSam attacks. The DoJ also took action, indicting two separate Iranian nationals for authoring the SamSam ransomware malware and extorting victims for ransom payments in cryptocurrencies. The DoJ has taken additional actions with respect to unlawful cryptocurrency activities, including more recently in August 2020 against a terrorist financing campaign affiliated with ISIS and other terrorist groups. That action represented the DoJ’s largest-ever seizure of terrorist-affiliated cryptocurrency.

OFAC has continued to list digital currency addresses to its SDN list, and recently added privacy coins, including Zcash, Dash and a Monero payment ID. OFAC has also listed other digital currency addresses for coins that include Bitcoin, Ethereum, Litecoin and Bitcoin SV. 

 

Compliance expectations for the cryptocurrency industry

OFAC has made clear, including through public guidance, that those in the cryptocurrency industry have the same compliance obligations as those in traditional financial services, regardless of whether the transactions are denominated in digital or traditional fiat currency. In fact, while certain US securities and anti-money laundering laws apply to specific participants in an industry (eg, ‘financial institutions’ for the purposes of the Bank Secrecy Act), OFAC sanctions generally apply broadly to US persons and those subject to US jurisdiction (and in some instances, authorise prohibitions regarding the activities of non-US persons). Thus, individuals and companies that facilitate or otherwise process transactions utilising cryptocurrencies must ensure that they are not engaging in transactions that violate US sanctions. Since OFAC sanctions largely employ a ‘strict liability’ standard, knowledge or intent is not always necessary and inadvertent violations can be penalised. 

Given the challenges confronting the cryptocurrency industry, and OFAC’s strict liability standard, it is often recommended that companies and individuals embrace a ‘risk-based’ approach to compliance. OFAC’s Framework for Compliance Commitments, which was published in May 2019, provides guidance on OFAC’s expectations for deploying risk-based sanctions compliance programs. Specifically, OFAC recommends that companies assess the risks that their business activities pose, including with respect to companies’ size and sophistication, products and services, customers and counterparties and geographic locations. Under its Framework, OFAC recommends that sanctions compliance programs be structured with at least five essential components: 

  • management commitment and culture of compliance;
  • risk assessment, including ongoing and periodic assessments;
  • internal controls, including policies and procedures;
  • testing and auditing; and
  • training.

Implementing a sanctions compliance program to account for the risks posed by cryptocurrencies can be a challenge. Some of the greatest challenges involve screening counterparties and beneficiaries, tracing source of funds, and freezing digital assets that are subject to OFAC’s blocking requirements. OFAC has provided guidance on best practices for ‘blocking’ digital assets: for example, financial institutions may block each digital currency associated with a digital currency address that OFAC has identified as being affiliated with a sanctioned individual or entity, or the financial institution can use its own wallet to consolidate wallets that contain digital currencies subject to OFAC’s blocking requirements. Notably, blocking a digital currency can be particularly challenging when the transaction involves an ‘un-hosted’ wallet (eg, wallets in which the user controls the funds, as compared to ‘hosted’ wallets that are typically controlled by third parties such as exchanges). The challenge in blocking the assets of an un-hosted wallet is that the financial institution might not have sufficient access to the digital assets in order to freeze them. 

 

Conclusion

In short, the cryptocurrency industry is here to stay, and its growth will likely continue for the foreseeable future. Regulators, including those both inside and outside the US, have responded and will continue to evolve to the compliance challenges that arise. Expect the financial services industry to meet that challenge and continue to innovate going forward.

 

Back to International Commerce and Distribution Committee publications