Go back to menu

OFAC Risk

Isn't virtual for digital currency payment processors

19 February 2021

On February 18, 2021, the US Department of the Treasury's Office of Foreign Assets Control ("OFAC") announced a settlement of apparent US sanctions violations by Atlanta, Georgia-based BitPay, Inc. ("BitPay") involving its provision of digital currency payment processing services to purchasers of goods and services located in Crimea, Cuba, Iran, North Korea, Sudan and Syria.

The case highlights the sanctions risks for US companies that provide services in connection with digital currency payments and indicates sanctions compliance controls that may be appropriate to mitigate such risks. BitPay did not voluntarily self-disclose the apparent violations, but OFAC determined that they were not egregious and therefore assessed a base penalty of $2,255,000. OFAC then reduced the final penalty to $507,375 based on a number of mitigating factors including BitPay's cooperation with OFAC, remedial measures and compliance enhancements.

During June 2013 to September 2018, BitPay processed 2,102 transactions on behalf of individuals located in OFAC-sanctioned jurisdictions who were purchasing goods or services from merchants using BitPay's digital currency payment processing services. BitPay received digital currency payments from the individuals located in sanctioned jurisdictions, converted the digital currency into fiat currency, and then relayed the payments to its merchant customers. OFAC determined that although BitPay screened its merchant customers against the OFAC Specially Designated Nationals (SDN) list and conducted due diligence to confirm that the merchants were not located in sanctioned jurisdictions, that it failed to screen data of the individual buyers that it received. Specifically, BitPay received information at the time of certain transactions that included the individual buyers' names, addresses, emails, and phone number that indicated the buyers were located in sanctioned jurisdictions. Further, from November 2017 onwards, BitPay obtained buyers' IP addresses. However, OFAC determined that BitPay's transaction review process failed to analyze this data for sanctions compliance purposes. OFAC found that BitPay "failed to exercise due caution or care for its sanctions compliance obligations when it allowed persons in sanctioned jurisdictions to transact with BitPay's merchants using digital currency for approximately five years, even though BitPay had sufficient information to screen those customers."

After learning of the OFAC violations, BitPay adopted remedial measures that included: (i) implementing mechanisms to block buyers with IP addresses in sanctioned jurisdictions from connecting to the BitPay website or viewing instructions on how to make a payment; (ii) conducting sanctions reviews of buyers' physical and email addresses when provided by merchants; and (iii) launching a mandatory identification tool for buyers wishing to make a digital currency payment equivalent to $3,000 or more, which requires buyers to provide an email address, proof of identification/photo ID, and a selfie photo.

Previous OFAC settlements also have identified that companies providing online services, including financial institutions providing online account services, should use IP blocking mechanisms and screening to mitigate sanctions risks.2 Companies providing digital currency services also should review OFAC's FAQs on virtual currency that among other things emphasize that "firms that facilitate or engage in online commerce or process transactions using digital currency, are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions."