The U.S. Treasury Department on Thursday announced the following:
BitPay, Inc. (“BitPay”), a private company based in Atlanta, Georgia, that offers a payment processing solution for merchants to accept digital currency as payment for goods and services, has agreed to remit $507,375 to settle its potential civil liability for 2,102 apparent violations of multiple sanctions programs. BitPay allowed persons who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform even though BitPay had location information, including Internet Protocol (IP) addresses and other location data, about those persons prior to effecting the transactions. BitPay’s sanctions compliance program deficiencies enabled persons in these sanctioned jurisdictions to engage in approximately $129,000 worth of digital currency-related transactions with BitPay’s merchant customers. The settlement amount reflects OFAC’s determination that BitPay’s apparent violations were not voluntarily self-disclosed and were non-egregious.
This action emphasizes that OFAC obligations apply to all U.S. persons, including those involved in providing digital currency services. As part of a risk-based approach, OFAC encourages companies that provide digital currency services to implement sanctions compliance controls commensurate with their risk profile.
Description of the Conduct Leading to the Apparent Violations
Between approximately June 10, 2013 and September 16, 2018, BitPay processed 2,102 transactions on behalf of individuals who, based on IP addresses and information available in invoices, were located in sanctioned jurisdictions (the “Apparent Violations”). The Apparent Violations related to BitPay’s payment processing service, which enables merchants to accept digital currency as payment for goods and services. Specifically, BitPay received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency, and then relayed that currency to its merchants.
While BitPay screened its direct customers—the merchants— against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and conducted due diligence on them to ensure they were not located in sanctioned jurisdictions, BitPay failed to screen location data that it obtained about its merchants’ buyers. Specifically, BitPay at times would receive information about those merchants’ buyers at the time of the transaction, including a buyer’s name, address, email address, and phone number. Beginning in November 2017, BitPay also obtained buyers’ IP addresses. However, BitPay’s transaction review process failed to analyze fully this identification and location data. As a result, buyers who, based on those information indicators, were located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria were able to make purchases from merchants in the United States and elsewhere using digital currency on BitPay’s platform.
This conduct resulted in Apparent Violations of Executive Order 13685 of December 19, 2014, “Blocking Property of Certain Persons and Prohibiting Certain Transactions with Respect to the Crimea Region of Ukraine”; the Cuban Assets Control Regulations, 31 C.F.R. §515.201; the North Korea Sanctions Regulations, 31 C.F.R. §510.206; the Iranian Transactions and Sanctions Regulations, 31 C.F.R. §560.204; the Sudanese Sanctions Regulations, 31 C.F.R. §538.205 (SSR)1; and the Syrian Sanctions Regulations, 31 C.F.R. §542.207.
Penalty Calculation and General Factors Analysis
The statutory maximum civil monetary penalty applicable in this matter is$619,689,816. OFAC determined that BitPay did not voluntarily self-disclose the Apparent Violations and the Apparent Violations constitute a non-egregious case. Accordingly, under OFAC’s Economic Sanctions Enforcement Guidelines (“Enforcement Guidelines”), the base civil monetary penalty amount applicable in this matter is $2,255,000. The settlement amount of $507,375 reflects OFAC’s consideration of the General Factors under the Enforcement Guidelines.
OFAC determined the following to be aggravating factors:
(1)BitPay failed to exercise due caution or care for its sanctions compliance obligations when it allowed persons in sanctioned jurisdictions to transact with BitPay’s merchants using digital currency for approximately five years, even though BitPay had sufficient information to screen those customers; and
(2)BitPay conveyed a total of $128,582.61 in economic benefit to individuals in several jurisdictions subject to OFAC sanctions, thereby harming the integrity of those sanctions programs.
OFAC determined the following to be mitigating factors:
(1)BitPay had implemented certain sanctions compliance controls as early as2013, including conducting due diligence and sanctions screening on its merchant customers, and formalized its sanctions compliance program in 2014;
(2)BitPay made clear in its training to all employees, including senior management, that BitPay prohibited merchant sign-ups from Cuba, Iran, Syria, Sudan, North Korea, and Crimea, as well as trade with sanctioned individuals and entities;
(3)BitPay is a small business that has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the earliest Apparent Violation;
(4)BitPay cooperated with OFAC’s investigation into these Apparent Violations;and
(5)BitPay has represented that it has terminated the conduct that led to the Apparent Violations and undertook the following measures intended to minimize the risk of recurrence of similar conduct in the future:
• Blocking IP addresses that appear to originate in Cuba, Iran, North Korea, and Syria from connecting to the BitPay website or from viewing any instructions on how to make payment;
• Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
• Launching “BitPay ID,” a new customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice equal to or above $3,000. As part of BitPay ID, the merchant’s customer must provide an email address, proof of identification/photo ID, and a selfie photo.
(6) As part of its agreement with OFAC, BitPay has undertaken to continue its implementation of these and other compliance commitments.
This action highlights that companies involved in providing digital currency services—like all financial service providers—should understand the sanctions risks associated with providing digital currency services and should take steps necessary to mitigate those risks. Companies that facilitate or engage in online commerce or process transactions using digital currency are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions.
To mitigate such risks, administrators, exchangers, and other companies involved in using digital currencies should develop a tailored, risk-based sanctions compliance program. OFAC’s Framework for OFAC Compliance Commitments notes that each risk-based sanctions compliance program will vary depending on a variety of factors, including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations, but should be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. Within that framework, this enforcement action emphasizes the importance of screening all available information, including IP addresses and other location data of customers and counterparties, to mitigate sanctions risks in connection with digital currency services.
Additional guidance from OFAC related to the provision of digital currency services can be found here: https://home.treasury.gov/policy-issues/financial-sanctions/faqs/topic/1626.
OFAC Enforcement and Compliance Resources
On May 2, 2019, OFAC published A Framework for OFAC Compliance Commitments in order to provide organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States or U.S. persons, or that use U.S.-origin goods or services, with OFAC’s perspective on the essential components of a sanctions compliance program. The Framework also outlines how OFAC may incorporate these components into its evaluation of apparent violations and resolution of investigations resulting in settlements. The Framework includes an appendix that offers a brief analysis of some of the root causes of apparent violations of U.S. economic and trade sanctions programs OFAC has identified during its investigative process.
Information concerning the civil penalties process is discussed in OFAC regulations governing the various sanctions programs and in 31 C.F.R. Part 501. On November 9, 2009, OFAC published Appendix A to Part 501, the Economic Sanctions Enforcement Guidelines. See 74 Fed. Reg. 57,593 (Nov. 9, 2009). The Economic Sanctions Enforcement Guidelines, as well as recent final civil penalties and enforcement information, can be found on OFAC’s website at http://www.treasury.gov/ofac/enforcement.
For more information regarding OFAC regulations, please visit: http://www.treasury.gov/ofac.
1 Effective October 12, 2017, pursuant to Executive Order 13761 (as amended by Executive Order 13804), U.S. persons are no longer prohibited from engaging in transactions that were previously prohibited solely under the SSR. Consistent with the revocation of these sanctions, OFAC removed the SSR from the Code of Federal Regulations on June 29, 2018. However, the revocation of these sanctions does not affect past, present, or future OFAC enforcement investigations or actions related to any apparent violations of the SSR arising from activities that occurred prior to October 12, 2017.