The department proposed new customer verification rules, released a statement on stablecoins and fined a company for sanctions violations
By Samuel Rubenfeld
Thursday, December 31, 2020
The U.S. Treasury Department ended the year taking a number of actions aimed at preventing financial crime through digital currencies, including by imposing a fine on a technology company that allowed users in sanctioned jurisdictions to make transactions due to deficiencies in its compliance procedures.
BitGo Inc., a digital asset security and cryptocurrency firm based in Palo Alto, California, failed to prevent users in Crimea, Cuba, Iran, Syria and Sudan from using its services despite having a record of their locations, according to a notice posted Wednesday by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). Between March 2015 and December 2019, BitGo processed 183 digital currency transactions worth about USD 9,130 on their behalf, the OFAC notice said. At the time, the company tracked IP addresses for security purposes but didn’t use the information for sanctions compliance, according to OFAC.
“This action highlights that companies involved in providing digital currency services—like all financial service providers—should understand the sanctions risks associated with providing digital currency services and should take steps necessary to mitigate those risks,” OFAC said.
BitGo, which didn’t self-disclose the sanctions violations, agreed to pay USD 98,830 to resolve the matter, OFAC said, deeming the case as non-egregious. The company didn’t have a public response posted to its website as of Thursday.
Users in the sanctioned jurisdictions signed up for the company’s “hot wallet” secure digital wallet management service, and they were able to create and use digital currency wallets on BitGo’s online platform to conduct their transactions, OFAC said. A hot wallet allows a user to send and receive cryptocurrencies without a dedicated bank or wallet to secure its tokens; BitGo offers the use of both hot and cold wallets, as well as a variety of other digital services, according to its website.
Prior to April 2018, BitGo allowed users to open accounts using only a name and email address; the company then amended its practices, requiring new account holders to verify their location. After learning of the sanctions violations, the company implemented an OFAC sanctions compliance program and undertook a series of remedial measures, including IP address blocking and email-related restrictions for sanctioned jurisdictions, according to OFAC’s notice.
OFAC in May 2019 published a framework to help organizations with sanctions compliance.
BitGo now screens all accounts, including hot wallet accounts, against the U.S. sanctions lists, including cryptocurrency wallet addresses identified by OFAC as blocked property, the notice said. The company also retroactively batch screened all of its users and documents all of its sanctions compliance efforts under its new sanctions compliance program, according to OFAC.
“Companies that facilitate or engage in online commerce or process transactions using digital currency are responsible for ensuring that they do not engage in transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions,” OFAC said in the notice.
OFAC in September identified dozens of cryptocurrency addresses as part of its sanctions designations of members of a Russian troll farm and Russian men accused of engaging in a phishing operation. In late 2018, OFAC began identifying addresses, the alphanumeric identifiers linked to online wallets, as the blocked property of a sanctioned party.
Earlier this month, the Treasury, as part of a working group on financial markets, issued a statement about its initial assessment of regulatory and supervisory considerations for digital payments systems using stablecoins, a cryptocurrency tied to an outside asset such as the U.S. dollar or gold. Stablecoin arrangements must comply with applicable U.S. requirements and meet applicable anti-money laundering and counter-terrorist financing (AML/CFT) regulations before bringing the product to market, according to the statement.
Also in December, the Financial Crimes Enforcement Network (FinCEN), another office of the Treasury, requested comments on proposed regulations for transactions involving convertible virtual currencies (CVC) or digital assets with legal tender status (LTDA).
Determining the true amount of illicit activity conducted in cryptocurrency is challenging, but in 2019 alone FinCEN received about USD 119 billion in suspicious activity reporting (SAR) associated with CVC activity taking place in the U.S., according to the proposal. That amount would equate to nearly 12 percent of total CVC market activity being relevant to a possible violation of law or regulation, the proposal said, citing industry estimates.
Under the proposed rule, banks and money services businesses (MSBs) would be required to apply existing reporting requirements to CVC and LTDA transactions exceeding USD 10,000 in value. Financial institutions would also have to verify the identity of customers conducting transactions of more than USD 3,000 in value through wallets not hosted by a financial institution, or hosted by a financial institution in a jurisdiction promulgated on a new FinCEN list.
The new list, called the Foreign Jurisdictions List, would initially comprise jurisdictions already designated by FinCEN as places of primary money laundering concern, but in the future could be expanded to places with poor cryptocurrency regulation, according to the proposed rule.
Illicit finance risks are “enhanced” if a user can engage with the CVC through unhosted wallets or through wallets hosted by a foreign financial institution not subject to effective AML regulation, the proposal said. Malign actors may seek to exploit the potential gaps in recordkeeping and reporting, FinCEN said.
The deadline to submit a response to the proposal is Monday, Jan. 4, 2021.
“This rule addresses substantial national security concerns in the CVC market, and aims to close the gaps that malign actors seek to exploit in the recordkeeping and reporting regime,” said Secretary Steven T. Mnuchin. “The rule, which applies to financial institutions and is consistent with existing requirements, is intended to protect national security, assist law enforcement, and increase transparency while minimizing impact on responsible innovation.”
Latest on Kharon