Sanctioned actors may try evade the reach of U.S. and allied sanctions measures by hiding behind non-sanctioned and third-country entities, FinCEN warns. They may obscure their identity by, for example, using shell companies to conduct wire transfers or transact with accounts to send or receive funds from a sanctioned institution, among other listed red flags. Further, with the proliferation of cryptocurrency, sanctioned actors may attempt to use convertible virtual currency (CVC) and anonymizing tools to protect their assets. By their very nature, virtual currencies may exist separate from any regulated financial system and the use of privacy coins and other measures can anonymize transaction participants in some cases. The FinCEN alert is the latest reminder that anti-money laundering, countering the financing of terrorism, counter proliferation (AML/CFT/CP), and sanctions compliance obligations apply equally to cryptocurrency as they do to fiat currency.

In addition to more traditional red flags of potential sanctions evasion, FinCEN highlighted the following red flags of identify suspicious cryptocurrency activities:

• Transactions initiated with IP addresses from non-trusted sources (i.e. VPNs), locations in Russia, Belarus, embargoed regions, or other FATF-identified jurisdictions with known AML/CFT/CP deficiencies.
• Transactions connected with crypto wallets listed on OFAC’s Specially Designated Nationals List (SDN List).
• Transactions with crypto exchangers or foreign-located money services business in high-risk jurisdictions with AML/CFT/CP deficiencies.

Should a transaction raise red flags of potential sanctions evasion, financial institutions are required to report the associated activity and should conduct appropriate due diligence in accordance with the Bank Secrecy Act, USA PATRIOT Act, and other authorities. FinCEN also encourages financial institutions to use the information sharing authorities under Section 314(b) of the USA PATRIOT Act.

Financial institutions should carefully review FinCEN’s alert and ensure that appropriate compliance controls are in place to detect, remediate, and report potential sanctions evasion.

The Guidance provides additional insight into OFAC’s expectations with respect to identifying sanctioned parties online, which is helpful for any company that provides services to customers over the internet, even if not directly dealing with virtual currencies.

Level setting

As with fiat currency, OFAC’s Guidance confirms that participants in the virtual currency space must “block” virtual currency by denying all parties access to the asset and report the blocked property to OFAC within 10 business days. However, there is no requirement to convert the virtual currency into fiat currency or to hold the virtual currency in an interest-bearing account, unlike other blocked funds.

Best Practices for the Virtual Currency Industry

Management Commitment – Many members of the fast-growing virtual currency industry may be slow to develop and implement sanctions compliance programs, which can risk exposure to sanctions violations. OFAC counsels early managerial commitment to the development and implementation of compliance programs. Building these processes in early can prevent costly violations later on.

Risk Assessment – The Guidance recommends that companies conduct routine risk assessments to identify potential sanctions issues before providing services or products to customers. The risk assessment should be tailored to what and where products or services are offered, account for customers, reflect the company’s supply chain, and also evaluate counterparty and partner risk, including whether those parties have adequate compliance procedures. The results of that assessment should feed into the development of an effective sanctions compliance policy. Outside advisors can help craft risk assessments that highlight key risks for virtual currency companies.

Internal Controls – The Guidance document contains a number of recommendations related to internal controls and processes that should be considered in designing a sanctions compliance program for virtual currencies and digital payments. As noted above, many of these recommendations apply to any company that provides digital services over the internet and reflect lessons learned from recent enforcement actions targeting online commerce. These tools include:

• Geolocation and IP Address Blocking – As in several recent enforcement actions (including those involving Payoneer, BitGo, and Amazon), the Guidance makes clear that OFAC expects companies to consider IP address geolocation data to identify customers that may be in or ordinarily reside in sanctioned jurisdictions and to adopt blocking controls that deny access to IP addresses associated with sanctioned jurisdictions. OFAC notes that analytics tools can play an important role in identifying the likely location of customers by addressing IP address geolocation misattribution caused by the use of anonymization services like Virtual Private Networks (VPNs). Other information, such as an address from a customer or counterparty, an email address top-level domain (e.g., [email protected] or [email protected]), or transactional details, like an invoice, can also be relevant for a company’s sanctions controls, even if that information was initially obtained for a non-compliance purpose.
• Know Your Customer (KYC) Procedures – Conducting due diligence at onboarding, during periodic reviews, and when processing transactions helps to reduce potential sanctions-related risks. For individuals, this means screening customers’ names, dates of birth, physical and email addresses, nationality, IP addresses associated with transactions and logins, bank information, and government-issued or other documentation against sanctions lists (like the SDN List) and for any “red flags.” For entities, this can also include type of business, ownership information, physical and email address, and where the entity does business. A keyword list of sanctioned jurisdiction cities and regions can also be an important part of a KYC screening.
• Transaction Monitoring and Investigation – OFAC’s Guidance endorses the use of software to monitor and investigate transactions involving sanctioned individuals and entities or persons located in sanctioned jurisdictions based on identifying information associated with transaction data. As of 2018, OFAC began to include virtual currency addresses in the “ID #” field for persons listed on the SDN List. Companies should calibrate software to identify and block transactions associated with those virtual currency addresses, in addition to those otherwise associated with SDNs or persons located in sanctioned jurisdictions.
• Implementing Remedial Measures – Should a virtual currency company identify an apparent sanctions violation, that company should take immediate and effective remedial actions, which OFAC may consider as a mitigating factor in a potential enforcement action.
• Monitoring Transactions and Users for “Red Flags” – OFAC’s Guidance notes that there are several “red flags” that may indicate a transaction’s or user’s connection to sanctions, including providing inaccurate or incomplete KYC information at onboarding; attempting to access a virtual currency exchange from an IP address or VPN connected to a sanctioned jurisdiction; failing or refusing to provide updated KYC information or to provide requested additional transaction information; and, attempting to transact with a virtual currency address associated with a blocked person or a sanctioned jurisdiction.

• Ensuring sanctions and KYC screening tools effectively flag transactions and customers related to SDNs or sanctioned jurisdictions;
• Confirming IP address software properly prevents sanctioned jurisdiction access; and
• Reviewing procedures for investigating and, if applicable, blocking and reporting to OFAC flagged transactions identified through the screening process.

Final Considerations

Last year Venezuelan President Nicolas Maduro declared that Venezuela would issue a digital currency to help the Venezuelan government and Petroleos de Venezuela, S.A. (PdVSA), the state-owned oil company, avoid U.S. sanctions. New guidance released by OFAC today confirms that the Venezuelan “petro” and “petro gold” currencies are subject to the new restrictions.

According to OFAC, two Cartier boutiques in the United States sold jewelry to a customer who directed Cartier to ship the items to an address in Hong Kong. It turns out that the jewelry was destined to a blacklisted Specially Designated National (SDN) that was listed pursuant to OFAC’s narcotics trafficking sanctions regulations. OFAC pointed out that the name of the entity receiving the goods and the ship to address were exact matches to the entry on OFAC’s SDN List. If the company had checked the SDN List, it would have quickly determined that the transaction was impermissible under U.S. sanctions laws.

OFAC used the case to specifically call on retailers who ship goods overseas to adopt sanctions compliance programs. Luxury brands like Cartier may be at particular risk for sanctions violations —OFAC pointed out that an aggravating factor in the case was that Richemont operates in an industry (the luxury goods market) that has a high risk of illicit money laundering activity.

Contact our export and sanctions team if you have questions about your company’s sanctions risk profile.

Lesson One: Don’t launder money for North Korean SDNs engaged in proliferation schemes. If you want to know more about how North Korea attempts to launder funds, check out this detailed and fascinating report on the topic.

Lesson Two: If you conduct a transaction in U.S. dollars, even if all other aspects of the transaction occur outside of the United States, the U.S. government will likely claim jurisdiction over the transaction.

In the Mingzheng case, the U.S. government asserted jurisdiction because the Chinese companies used U.S. dollars, which triggered indirect dollar clearing transactions in the United States:

Although North Korean financial facilitators engage in U.S. dollar transactions overseas, funds are still cleared through a U.S. correspondent bank account, thereby triggering the U.S. economic sanctions. . . These U.S. dollar payments, which cleared through U.S. correspondent banking accounts, violated U.S. law, because Mingzheng was surreptitiously making them on behalf of FTB, whose designation [as an SDN] precluded such transactions.

In other words, the U.S. government is claiming that the Chinese companies caused U.S. banks to conduct dollar clearing transactions for the ultimate benefit of a blacklisted SDN, an activity that is prohibited under U.S. law. Most international trade transactions denominated in U.S. dollars will generate this type of activity in the United States, potentially triggering U.S. jurisdiction over the underlying transactions.

Conducting transactions denominated in U.S. dollars is only one way that non-U.S. companies can become subject to U.S. sanctions laws. Non-U.S. companies can also get in trouble if they conduct a transaction with an SDN or embargoed territory (currently the Crimea region of Ukraine, Cuba, Iran, North Korea, and Syria) that involves U.S. companies, products, or persons. The classic example here is of a non-U.S. company ordering products from the United States in order to resell them to an SDN or embargoed territory. A similar and common issue arises when a non-U.S. company has employees who are U.S. citizens. Such employees must be fully recused from any business related to SDNs or embargoed territories. ‘Secondary’ sanctions are another way that non-U.S. companies can become subject to U.S. sanctions, but that’s a complex story for another blog post.

The takeaway: If you conduct a transaction that is or may become subject to U.S. law, you need to ensure that all aspects of the transaction complies with U.S. sanctions rules. A basic and important due diligence step is to screen all such transactions against the U.S. SDN List and identify any transactions that might involve sanctioned countries or territories.