OFAC and FinCEN Publish Virtual Currency Industry and Ransomware Guidance

On October 15, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an industry-specific brochure entitled, “Sanctions Compliance Guidance for the Virtual Currency Industry” (the “OFAC Guidance”). According to a press release, the OFAC Guidance “outlines sanctions compliance best practices tailored to the unique risks posed in this dynamic space, while new data from the Financial Crimes Enforcement Network . . . shows the increasing threat ransomware posed to the U.S. financial sector, businesses, and the public during the first half of 2021.” We previously discussed the sanctions risks related to ransomware payments on October 12, 2021, September 23, 2021, and October 7, 2020.

In sum, the growing prevalence of virtual currency as a payment method brings greater exposure to sanctions risks, including the risk that a sanctioned person or a person in a sanctioned jurisdiction might be involved in such transactions. The OFAC Guidance provides an overview of applicable OFAC sanctions requirements and provides examples of compliance best practices for companies in this industry. Both U.S. and non-U.S. companies should consider incorporating OFAC’s recommendations outlined in the OFAC guidance to mitigate the risk of violating U.S. sanctions.

Ransomware Trends According to a Report Published by FinCEN

 The Financial Crimes Enforcement Network (“FinCEN”) published a report on the same day, entitled Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021 (the “FinCEN Report”). The Anti-Money Laundering Act of 2020 (“AMLA”) mandates that FinCEN publish threat pattern and trend information derived from financial institutions’ Suspicious Activity Reports (“SARs”). The FinCEN Report is the first report issued pursuant to the AMLA that focuses on pattern and trend information pertaining to ransomware. The FinCEN Report further establishes that ransomware is a significant threat to the U.S. financial sector, businesses, and the public.

The notable conclusions discussed in the FinCEN Report are summarized below:

• Average Monthly Suspicious Amount of Ransomware Transactions: According to data generated from ransomware-related SARs, the mean average total monthly suspicious amount of ransomware transactions was $66.4 million and the median average was $45 million. FinCEN identified bitcoin (“BTC”) as the most common ransomware-related payment method in reported transactions.
• Top Ransomware Variants: Ransomware actors develop their own versions of ransomware, known as “variants,” and these versions are given new names based on a change to software or to denote a particular threat actor behind the malware. FinCEN identified 68 ransomware variants reported in SAR data for transactions during the review period. The most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.
• Insights from Blockchain Analysis: FinCEN identified and analyzed 177 unique convertible virtual currency (“CVC”) wallet addresses used for ransomware-related payments associated with the 10 most commonly reported ransomware variants in SARs during the review period. Based on blockchain analysis of identifiable transactions with the 177 CVC wallet addresses, FinCEN identified approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments.
• FinCEN Identified Ransomware Money Laundering Typologies: FinCEN identified several money laundering typologies common among ransomware variants in 2021 including threat actors increasingly requesting payments in Anonymity-enhanced Cryptocurrencies (“AECs”) and avoiding reusing wallet addresses, “chain hopping” and cashing out at centralized exchanges, and using mixing services and decentralized exchanges to convert proceeds.

Best Practices for Sanctions Compliance Policies for Companies in the Virtual Currency Industry

The OFAC Guidance cautions that OFAC sanctions have increasingly targeted individuals and entities that have used virtual currency in connection with malign activity, including ransomware payments, and strongly encourages a risk-based approach to sanctions compliance because there is no single compliance program or solution suitable to every circumstance or business. According the OFAC Guidance, below are the components of an effective sanctions compliance policy for a company in the virtual currency industry.

• Management Commitment: Senior management of companies in the virtual currency industry may consider taking the following steps to demonstrate their support for sanctions compliance: (i) review and endorse sanctions compliance policies and procedures; (ii) ensure adequate resources support the compliance function; (iii) delegate sufficient autonomy and authority to the compliance unit; and (iv) appoint a dedicated sanctions compliance officer with the requisite technical expertise.
• Risk Assessment: Although there is no “one-size-fits-all” risk assessment, the exercise should generally include a complete review of the company to assess its touchpoints to foreign jurisdictions or persons. This process allows the company to identify potential areas in which it may, directly or indirectly, engage with OFAC sanctioned persons, countries, or regions.
• Internal Controls: In the virtual currency industry, the internal controls a company implements will depend on, among other things, the products and services the company offers, where the company operates, the locations of its users, and what sanctions-specific risks the company identifies during its risk assessment process. Internal controls often involve the use of industry-specific tools, which are described in further detail below.
• Testing and Auditing: Companies that incorporate a comprehensive, independent, and objective testing or audit function within their sanctions compliance program are equipped to ensure that they are aware of how their programs are performing and what aspects need to be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment.
• Training: OFAC training should be provided to all appropriate employees, including compliance, management, and customer service personnel, and should be conducted on a periodic basis, and, at a minimum, annually. Effective OFAC training for the virtual currency industry should account for frequent changes and updates to sanctions programs, as well as new and emerging technologies in the virtual currency industry.

Industry-Specific Tools for Internal Controls

With respect to internal controls, the OFAC Guidance recommended several industry-specific tools for companies in the virtual currency industry. These tools include, but are not limited to, the following.

• Geolocation Tools: Virtual currency companies with strong sanctions compliance programs should be able to use geolocation tools to identify and prevent IP addresses that originate in sanctioned jurisdictions from accessing a company’s website and services for activity that is prohibited by OFAC’s regulations, and not authorized or exempt.
• Know Your Customer (“KYC”) Procedures: Virtual currency companies should obtain information about customers during onboarding and throughout the lifecycle of the customer relationship and use such information to conduct due diligence sufficient to mitigate potential sanctions-related risk. Higher-risk customers may warrant additional due diligence.
• Transaction Monitoring and Investigation Software: Transaction monitoring and investigation software can be used to identify transactions involving virtual currency addresses or other identifying information (e.g., originator, beneficiary, originating and beneficiary exchanges, and underlying transactional data) associated with sanctioned individuals and entities listed on sanctions lists, or located in sanctioned jurisdictions.
• Implementing Remedial Measures: Upon learning of a weakness in a company’s sanctions compliance internal controls, virtual currency companies should take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
• Sanctions Screening: Virtual currency companies should consider implementing screening-related best practices into their sanctions compliance programs, including but not limited to, the following: (i) screening customer information against OFAC-administered sanctions lists; (ii) screening transactions to identify addresses, including physical, digital wallet, and IP addresses, and other relevant information with potential links to sanctioned persons or jurisdictions; and (iii) utilizing screening tools’ fuzzy logic capabilities to account for common name variations and misspellings.
• Risk Indicators or Red Flags: In addition to screening transaction and other KYC identifying information, virtual currency companies should also consider monitoring transactions and users for risk indicators or “red flags” that may indicate a sanctions nexus.

OFAC Frequently Asked Questions

On the same day, OFAC updated two related Frequently Asked Questions (“FAQs”). Each FAQ is described below.

FAQ 559 provides a definition for the following terms: digital currency, digital currency wallet, digital currency address, and virtual currency, for the purpose of OFAC’s sanctions programs. In particular, OFAC defines “virtual currency” as “a digital representation of value that functions as (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value; and is neither issued nor guaranteed by any jurisdiction.”

FAQ 646 clarifies how to “block” a digital currency. According to FAQ 646, once a U.S. person determines that they hold virtual currency that is required to be blocked pursuant to OFAC’s regulations, the U.S. person must deny all parties access to that virtual currency, ensure that they comply with OFAC regulations related to the holding and reporting of blocked assets, and implement controls that align with a risk-based approach.

Finally, OFAC also cites the following existing FAQs for more information: FAQ 560, FAQ 561, FAQ 562, FAQ 563, FAQ 594, FAQ 547, FAQ 564, FAQ 565, and FAQ 566.

We will continue to monitor developments in this area, and encourage you to subscribe to be kept informed of latest developments. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.