On February 18, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced the entry into a $507,375 settlement with BitPay, Inc. (“BitPay”), a bitcoin payment service provider headquartered in Atlanta, Georgia, for over two thousand apparent violations of multiple U.S. sanctions programs.1
According to OFAC, between approximately June 2013 and September 2018, BitPay processed 2,102 digital currency-related transactions (worth approximately $129,000) on behalf of individuals who, based on Internet Protocol (IP) addresses and information available in invoices, were located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, or Syria, jurisdictions all subject to comprehensive U.S. sanctions regimes. These apparent violations related to BitPay’s payment processing service, which enables its merchants to accept digital currency as payment for goods and services from its customers. Specifically, BitPay received digital currency payments on behalf of its merchant customers from those merchants’ buyers located in sanctioned jurisdictions, and then converted that digital currency to fiat currency for its merchants.
It appears that BitPay conducted due diligence on its own customers (i.e., the merchants) to ensure compliance with U.S. sanctions, including screening them against OFAC’s Specially Designated Nationals and Blocked Persons List (the “SDN List”). However, OFAC noted that BitPay failed to screen location data that it obtained about its merchants’ buyers, from whom it was receiving digital currency, even though it was at times in receipt of information about those merchants’ buyers that could have indicated a potential dealing with a sanctioned jurisdiction, including a buyer’s name, address, email address, phone number, and/or IP address. Thus, because BitPay’s transaction review process did not analyze fully this identification and location data, buyers who, based on those information indicators, were located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria were able to make purchases from U.S. and non-U.S. merchants using digital currency on BitPay’s payment service platform.
The statutory maximum civil monetary penalty that OFAC could have imposed against BitPay was $619,689,816. However, in settling the matter for $507,375, OFAC considered several mitigating factors, including BitPay’s commitment to employ the following measures to minimize the risk of similar conduct occurring again:
- Blocking IP addresses that appear to originate in sanctioned jurisdictions from connecting to the BitPay website or from viewing any instructions on how to make payment;
- Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
- Launching a new customer identification tool requiring merchants’ customers to provide an email address, proof of identification/photo ID, and a selfie photo to pay an invoice.
The BitPay settlement shows that OFAC expects that companies providing digital currency services understand the sanctions risks associated with their activities and take steps necessary to mitigate those risks. In other words, the OFAC compliance obligations for digital payment service providers, such as BitPay, are no different than those of any other financial service provider.
In its FAQs on Virtual Currency,2 OFAC states that firms that facilitate or engage in online commerce or process transactions using digital currency are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or other prohibited trade or investment-related transactions. This includes transactions that evade or avoid, have the purpose of evading or avoiding, cause a violation of, or attempt to violate prohibitions imposed by OFAC under various sanctions authorities.
As such, OFAC stresses that participants of digital currency transactions, including technology companies, administrators, exchangers, users, and other payment processors, should develop a tailored, risk-based compliance program that includes sanctions list screening and other appropriate measures. Although there is no one compliance program or solution suitable for every circumstance, OFAC notes that an adequate compliance solution should consider a variety of factors relative to the business involved, including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations.
Within this framework, the BitPay enforcement action highlights the importance of screening all available information, including IP addresses and other location data of customers and counterparties, to mitigate sanctions risks associated with the provision of digital currency services.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.