The Treasury Department has slapped a $507,375 fine against a bitcoin payments processor for sanctions compliance failures that allowed transactions with parties in Cuba, North Korea, Iran, and elsewhere — only the second such enforcement action ever taken over digital currency transactions, but probably not the last.
The firm in question is BitPay, headquartered in Atlanta and one of the early players in bitcoin transaction processing (founded in 2011). According to a settlement order from the Office of Foreign Assets Control, BitPay handled more than 2,100 transactions in the mid-2010s for individuals who resided in six countries under U.S. economic sanctions.
BitPay works as a middleman in bitcoin transactions, where merchants hire the company to accept digital payments from individuals on the merchants’ behalf. Then BitPay converts those digital currencies into real currencies, and relays that money back to the merchants.
So what was the compliance failure? According to OFAC, BitPay processed transactions from individuals who, based on their IP addresses and information available on invoices, were living in those sanctioned countries.
More specifically, BitPay did screen its own customers (the merchants) against OFAC’s list of Specially Designated Nationals and Blocked Persons, and conducted due diligence to assure that those merchants weren’t located in sanctioned jurisdictions. But BitPay did not screen location data it obtained about those merchants’ customers.
For example, at times BitPay would receive information about those merchants’ buyers including name, address, email address, and phone number. Beginning in November 2017, BitPay also obtained buyers’ IP addresses. “However,” OFAC tartly noted, “BitPay’s transaction review process failed to analyze fully this identification and location data.”
OFAC says the problematic transactions happened from June 2013 to September 2018, and conveyed about $128,000 of economic benefit to those persons living in sanctioned jurisdictions.
On Factors and Penalties
The statutory maximum civil penalty in a case like this would be $619.7 million. (At the rate bitcoin is appreciating, you could probably grab one now and pay off that penalty in about a week.) Because BitPay’s apparent violations qualify as a non-egregious case, OFAC guidelines suggest a base penalty of only $2.25 million.
So how did we get from $2.25 million all the way down to $507,375? As always with OFAC enforcement actions, a mix of aggravating and mitigating factors enter the picture.
On the aggravating side, BitPay “failed to exercise due caution or care for its sanctions compliance obligations” because it had enough information at hand to screen those customers, but failed to do so for five years. Moreover, BitPay didn’t voluntarily disclose the apparent violations and did convey more than $128,000 in benefits to the customers.
On the mitigating side, however, BitPay did implement a sanctions screening program for its merchant customers as early as 2013, and had formalized that program by 2014. Its training materials also made clear that BitPay did not allow merchant sign-ups from Cuba, North Korea, Iran, Sudan, Syria, and Crimea (the countries at issue here), or any trade with sanctioned persons or businesses generally. BitPay also had a clean record prior to this incident, and did cooperate in OFAC’s investigation once regulators knocked on the company’s door.
Moreover, BitPay also implemented enhanced screening processes to prevent future violations. Its new measures include:
- Blocking IP addresses that appear to originate in Cuba, Iran, North Korea, and Syria, so nobody from those places can connect to BitPay at all;
- Adopting new policies to check the physical and email addresses of merchants’ buyers when that information is provided by the merchant; and
- Launching a mandatory “BitPay ID” program for people who want to pay a BitPay invoice of $3,000 or more, where the customer must provide an email address, proof of identification, and a selfie photo.
The overhaul seems to have been led by Jeremie Beaudry, who joined BitPay as chief compliance officer at the end of 2018. He stayed for eight months, “managed the largest AML/ATF/OFAC overhaul in BitPay’s eight-year history,” according to his LinkedIn profile, and then decamped to the Celsius Network, a cryptocurrency startup in New York. (BitPay’s head of legal and compliance these days is Eden Doniger.)
Anyway, with all those factors whirled together in the OFAC penalty calculator, the agency landed on a final penalty of $507,375.
Sanctions Compliance for Bitcoin
OFAC also took the opportunity in its settlement order to remind digital currency players that, as much as they might dream of a transactional utopia free from the confines of financial regulation, sanctions compliance rules still apply to you too:
Companies involved in providing digital currency services — like all financial service providers — should understand the sanctions risks associated with providing digital currency services and should take steps necessary to mitigate those risks. Companies that facilitate or engage in online commerce or process transactions using digital currency are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions.
Take that, Fed haters!
OFAC also has some FAQ guidance about digital currencies and sanctions risk, although to my thinking all you need to know is asked and answered in the second FAQ:
Q: Are my OFAC compliance obligations the same, regardless of whether a transaction is denominated in digital currency or traditional fiat currency?
A: Yes, the obligations are the same…
Compliance officers for firms dabbling in digital currencies would probably be better served acquainting themselves with OFAC’s guidance for effective sanctions compliance programs, issued in 2019. Even large and sophisticated firms can trip over themselves building an effective sanctions compliance program, so I shudder to think of how young, fast-growing digital startups might handle the issue.