BitPay’s $507K OFAC Sanctions Violations Settlement

The Treasury Department’s Office of Foreign Asset Control continues to focus enforcement activities on digital currency companies. This focus is likely to increase given recent comments by Janet Yellen, the head of the Treasury department, criticizing digital currencies and the utility of this rapidly growing new technology. Last year, OFAC announced an enforcement action against BitGo, a digital wallet asset management service.

In OFAC’s latest enforcement action, BitPay, Inc. (BitPay), a private company based in Atlanta, Georgia which provides payment processing for merchants to accept digital currency as payment for goods and services, agreed to pay $507,375 to settle violations of various OFAC sanctions programs.

The Violations

BitPay engaged in 2,102 violations of sanctions programs in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan and Syria. In particular, BitPay processed transactions for customers with merchants in the United States and elsewhere using digital currency on BitPay’s platform, even though BitPay had location information, including IP addresses and other location data about those persons prior to completing the transactions.

As a result, BitPay processed transactions totaling approximately $129,000 in digital currency with BitPay merchant customers. Specifically, BitPay received digital currency payments from its merchant customers on behalf of the merchants’ buyers who were located in sanctioned jurisdictions, BitPay converted the digital currency to fiat currency and then BitPay relayed that currency to its merchants.

Between approximately June 10, 2013 and September 16, 2018, BitPay processed 2,102 transactions on behalf of individuals who, based on IP addresses and information available in invoices, were located in sanctioned jurisdictions. BitPay screened its merchant customers against OFAC’s SDN List and conducted due diligence on them to ensure they were not located in sanctioned jurisdictions. However, BitPay failed to screen location data that it obtained about its merchants’ buyers to confirm the location and screen the customers against OFAC’s SDN List.

Specifically, BitPay at times received information about merchants’ buyers, including a buyer’s name, address, email address and phone number. Starting in November 2017, BitPay also obtained buyers’ IP addresses. BitPay’s transaction review process failed to review and analyze buyer identification and location data. As a result, buyers who were located in Crimea, Cuba, North Korea, Iran, Sudan and Syria were able to make purchases from merchants in the United States and elsewhere using digital currency on BitPay’s platform.

BitPay did not voluntarily disclose the sanctions violations. OFAC determined that the violations were not egregious. OFAC determined that BitPay failed to exercise due caution or care for its sanctions compliance obligations when it allowed persons in sanctioned jurisdictions to transact with BitPay’s merchants using digital currency for approximately five years, even though BitPay had sufficient information to screen those customers.

Remediation

BitPay implemented sanctions compliance controls in 2013 for conducting due diligence and sanctions screening on its merchant customers but failed to extend its controls to merchants’ buyers. Notwithstanding this omission, BitPay employees were trained that BitPay was subject to sanctions prohibitions involving Cuba, Iran, Syria, Sudan, North Korea and Crimea, as well as sanctioned individuals and entities.

To remediate the violations, BitPay has blocked IP addresses that originate in Cuba, Iran, North Korea and Syria from connecting to the BitPay website or from viewing any instructions on how to make payment. In addition, BitPay checks physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain and has implemented “BitPay ID,” a new customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice equal to or above $3,000. As part of BitPay ID, the merchant’s customer must provide an email address, proof of identification/photo ID and a selfie photo.

OFAC’s enforcement action underscores the importance of sanctions compliance for digital currency companies and the implementation of risk-based sanctions compliance controls commensurate with their risk profile. As stated by OFAC,

“Companies that facilitate or engage in online commerce or process transactions using digital currency are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property or engaging in prohibited trade or investment-related transactions.”

This article was republished with permission from Michael Volkov’s blog, Corruption, Crime & Compliance.