
BitPay and sanctions: USA's OFAC applies penalty to crypto-services business

Nigel Morris-Cotterill

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) today announced a settlement with BitPay, Inc., a private company based in Atlanta, Georgia, that offers a payment processing solution for merchants to accept digital currency as payment for goods and services. BitPay agreed to remit USD507,375 to settle its potential civil liability for 2,102 apparent breaches of multiple sanctions requirements. We have edited the relevant media material and commented on it.

The case provides fascinating background as US PoTUS Biden undertakes a wide-ranging review of Trump-era regulations including sanctions. Much will turn on whether such sanctions are "revoked" or "repealed" or, even, just "cancelled." It also draws attention to "know your customer's customer."

BitPay allowed persons who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay's platform even though BitPay had location information, including Internet Protocol (IP) addresses and other location data, about those persons prior to effecting the transactions.

Deficiencies in BitPay’s sanctions compliance system enabled persons in those sanctioned jurisdictions to engage in approximately USD129,000 worth of digital currency-related transactions with BitPay’s merchant customers.

The settlement amount reflects OFAC’s determination that BitPay’s apparent breaches were not voluntarily self-disclosed and were non-egregious. This action emphasizes that OFAC obligations apply to all U.S. persons, including those involved in providing digital currency services.

As part of a risk-based approach, OFAC encourages companies that provide digital currency services to implement sanctions compliance controls commensurate with their risk profile.

Description of the Conduct Leading to the Apparent Breaches

Between approximately 10 June, 2013 and 16 September, 2018, BitPay processed 2,102 transactions on behalf of individuals who, based on IP addresses and information available in invoices, were located in sanctioned jurisdictions (the “Apparent Breaches”). The Apparent Breaches related to BitPay’s payment processing service, which enables merchants to accept digital currency as payment for goods and services.

Specifically, BitPay received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency and then relayed that currency to its merchants.

While BitPay screened its direct customers (the merchants) against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and conducted due diligence on them to ensure they were not located in sanctioned jurisdictions, BitPay failed to screen location data that it obtained about its merchants’ customers. Specifically, BitPay at times would receive information about those merchants’ customers at the time of the transaction, including a merchant's customer’s name, address, email address and phone number.

Beginning in November 2017, BitPay also obtained buyers’ IP addresses. However, BitPay’s transaction review process failed to analyse fully this identification and location data. As a result, buyers who, based on those information indicators, were located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria were able to make purchases from merchants in the United States and elsewhere using digital currency on BitPay’s platform.

This conduct resulted in Apparent Breaches of Executive Order 13685 of December 19, 2014, “Blocking Property of Certain Persons and Prohibiting Certain Transactions with Respect to the Crimea Region of Ukraine”; the Cuban Assets Control Regulations, 31 C.F.R. §515.201; the North Korea Sanctions Regulations, 31 C.F.R. §510.206; the Iranian Transactions and Sanctions Regulations, 31 C.F.R. §560.204; the Sudanese Sanctions Regulations, 31 C.F.R. §538.205 (SSR)¹; and the Syrian Sanctions Regulations, 31 C.F.R. §542.207.

Penalty Calculation and General Factors


The statutory maximum civil monetary penalty applicable in this matter is USD619,689,816. OFAC determined that BitPay did not voluntarily self-disclose the Apparent Breaches and that the Apparent Breaches constitute a non-egregious case. Accordingly, under OFAC’s Economic Sanctions Enforcement Guidelines (“Enforcement Guidelines”), the base civil monetary penalty amount applicable in this matter is USD2,255,000. The settlement amount of USD507,375 reflects OFAC’s consideration of the General Factors under the Enforcement Guidelines.

OFAC determined the following to be aggravating factors:
(1) BitPay failed to exercise due caution or care for its sanctions compliance obligations when it allowed persons in sanctioned jurisdictions to transact with BitPay’s merchants using digital currency for approximately five years, even though BitPay had sufficient information to screen those customers; and
(2) BitPay conveyed a total of USD128,582.61 in economic benefit to individuals in several jurisdictions subject to OFAC sanctions, thereby harming the integrity of those sanctions programs.

OFAC determined the following to be mitigating factors:
(1) BitPay had implemented certain sanctions compliance controls as early as 2013, including conducting due diligence and sanctions screening on its merchant customers, and formalised its sanctions compliance system in 2014;

(2) BitPay made clear in its training to all employees, including senior management, that BitPay prohibited merchant sign-ups from Cuba, Iran, Syria, Sudan, North Korea, and Crimea, as well as trade with sanctioned individuals and entities;

(3) BitPay is a small business that has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the earliest Apparent Violation;

(4) BitPay cooperated with OFAC’s investigation into these Apparent Violations; and

(5) BitPay has represented that it has terminated the conduct that led to the Apparent Violations and undertook the following measures intended to minimize the risk of recurrence of similar conduct in the future:

• Blocking IP addresses that appear to originate in Cuba, Iran, North Korea, and Syria from connecting to the BitPay website or from viewing any instructions on how to make payment;
• Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
• Launching “BitPay ID,” a new customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice equal to or above USD3,000.

As part of BitPay ID, the merchant’s customer must provide an email address, proof of identification/photo ID, and a selfie photo.

(6) As part of its agreement with OFAC, BitPay has undertaken to continue its implementation of these and other compliance commitments.

Compliance Considerations

This action highlights that companies involved in providing digital currency services—like all financial service providers—should understand the sanctions risks associated with providing digital currency services and should take steps necessary to mitigate those risks. Companies that facilitate or engage in online commerce or process transactions using digital currency are responsible for ensuring that they do not engage in unauthorised transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property or engaging in prohibited trade or investment-related transactions.

To mitigate such risks, administrators, exchangers, and other companies involved in using digital currencies should develop a tailored, risk-based sanctions compliance system.

OFAC’s Framework for OFAC Compliance Commitments notes that each risk-based sanctions compliance program will vary depending on a variety of factors, including the company’s size and sophistication, products and services, customers and counterparties and geographic locations but should be predicated on and incorporate at least five essential components of compliance:
(1) management commitment;
(2) risk assessment;
(3) internal controls;
(4) testing and auditing; and
(5) training.

Within that framework, this enforcement action emphasises the importance of screening all available information, including IP addresses and other location data of customers and counterparties, to mitigate sanctions risks in connection with digital currency services.

That's what they say, but it's not the whole story. There is a footnote that shows where things are going to get sticky as Biden unravels Trump's various positions.

Effective October 12, 2017, pursuant to Executive Order 13761 (as amended by Executive Order 13804), U.S. persons are no longer prohibited from engaging in transactions that were previously prohibited solely under the SSR. Consistent with the revocation of these sanctions, OFAC removed the SSR from the Code of Federal Regulations on June 29, 2018. However, the revocation of these sanctions does not affect past, present, or future OFAC enforcement investigations or actions related to any apparent violations of the SSR arising from activities that occurred prior to October 12, 2017.

There's an interesting legal point: if something is "revoked" it is cancelled "ab initio." That means it is like it never existed. So if the SSR were actually "revoked" there should be no legal basis for any action and, indeed, any action that has been taken under them should, itself, be undone.

The Department of the Treasury's assertion that it is entitled to take action in respect of things done under the SSR which, if they were revoked, never existed, is contrary to the most basic rule of legal interpretation.

Also, see "BitGo and sanctions: USA's OFAC applies penalty to crypto-services business"
