Nashville, Tenn. (April 9, 2024) - The Office of Foreign Assets Control (OFAC) on October 15 issued its Sanctions Compliance Guidance for Virtual Currency (the "Guidance"), which provides that sanctions compliance obligations apply to transactions utilizing virtual currencies just as they do for dealings involving traditional currencies.

OFAC Sanctions Requirements

OFAC sanctions restrict financial or trade-related activities with, or require the blocking of assets of, a specific country, government, region, or individual. OFAC maintains list-based sanctions that publicly document individuals and entities for whom asset blocking is required or for whom financial or trade-related activities are prohibited. The most common of these lists are the Specially Designated Nationals and Blocked Persons List ("SDN List") and the Consolidated Sanctions List.

Under the new guidance, once a U.S. person determines he or she is in possession of illicit virtual currency, certain steps must be taken. The holder of the currency must deny all parties access to the virtual currency, comply with OFAC's regulations on holding such a currency, and implement risk-based controls surrounding the currency. Such U.S. person must report the virtual currency to OFAC within 10 business days and annually thereafter for as long as the virtual currency is held by the U.S. person.

Virtual Currency Compliance Best Practices

Compliance with OFAC's Guidance depends on the type, size, sophistication, products and services offered, and geography of the business involved. Five elements constitute an effective virtual currency sanctions compliance program:

1) Management Commitment

For sanctions compliance, the Guidance recommends that senior management take the following actions:

  • Review and approve policies and procedures pertaining to sanctions;
  • Ensure resource allocation is sufficient in Human Resources, Information Technology, Legal and Compliance, and any other departments that support the sanctions compliance function;
  • Delegate sufficient authority to the legal and compliance department; and
  • Appoint a dedicated sanctions compliance officer with appropriate technical and professional expertise.

2) Risk Assessment

Annual risk assessments are the cornerstone of every compliance program. Such risk assessments should review, at a minimum, the following:

  • The company's customer or client base;
  • The company's products/services;
  • The company's supply chain;
  • The company's third-party transactions;
  • The company's geographic location and location of third-party vendors; and
  • Third-party risk assessments (e.g., do partners have adequate sanctions procedures and controls in place).

3) Internal Controls

An effective sanctions compliance program should include policies and procedures (i.e. internal controls) aimed at guarding against the risks identified in the risk assessment. These can include policies and procedures to identify, escalate, report, and maintain records for transactions or activities prohibited by OFAC sanctions. An effective compliance program should prioritize due diligence/risk assessments on customers, business partners, and transactions to identify "red flags." Policies and procedures must be enforced and weaknesses should be flagged for remediation to prevent activity that might violate OFAC sanctions.

4) Testing and Auditing

One of the best ways to ensure the effectiveness of a sanctions compliance program is to test it – either in a not-for-cause manner (preemptively) or a for-cause manner (in response to detected or suspected non-compliance). For sanctions-specific audits, the following four categories should take precedence:

  • Sanctions list screening (e.g. SDN List)
  • Keyword screening
  • IP address blacklists (automatic access restriction) / whitelists (automatic access approval) and ad hoc blocking
  • Investigation and reporting procedure

5) Training

OFAC sanctions training should be provided to all employees whose role involves sanctions compliance. This includes compliance staff, management, intake staff, and customer service personnel. Such training should be conducted, at a minimum, annually. Training should emphasize that virtual currency is subject to sanctions compliance.

Takeaway

Due to OFAC's continued oversight of compliance with sanctions laws and regulations by U.S. persons, entities, and individuals, sanctions compliance for both traditional and virtual currencies remains vital for business operations and transactions. Risk assessments, internal controls, training and education, commitment from management, and audits can ensure virtual currency sanctions compliance.
