The new frontier in sanctions – OFAC and Bitcoin
This post was written by Urszula McCormack, Leonie Tear and Jack Nelson
The United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) has, for the first time, listed two Bitcoin addresses (“Addresses”) as identifiers on its Specially Designated and Blocked Persons (“SDN”) list. The Addresses are associated with two Iran-based individuals, Ali Khorashadizadeh (“AK”) and Mohammad Ghorbaniyan (“MG”).
As a result of this action, there are three key implications:
- Mandatory blocking – First, all property and interests in the property of AK and MG that are in the possession or control of US persons, in the US or transit the US must be blocked.
- Prohibited dealing – Second, persons subject to OFAC jurisdiction[i] are prohibited from dealing with AK or MG or any entity owned by them.
- Reporting – Finally, relevant persons must also make reports. All blocking must be reported to OFAC Compliance within 10 working days and suspicious transaction reports may also be required, depending on the circumstances, to relevant regulators.
In practice this means that affected entities (namely, businesses that deal in, custodise, accept for payment, or otherwise have a nexus with, digital assets) must take steps to identify transactions and assets that must be blocked and investigate any connections to the Addresses. According to OFAC, the Addresses have interacted with over 40 digital asset exchanges, including US-based entities that will all be impacted by this action.
Even if you are not technically subject to OFAC’s jurisdiction, it’s vital to remember that the allegations involve cybercrime, extortion and the proceeds of crime – creating blocking, no dealing and reporting requirements in numerous jurisdictions. As a result, the Addresses provide evidence that no business should ignore.
Importantly, the OFAC list is not static. More addresses are likely to be added in the near future, which means that it is essential to have a systemic approach to analytics and sanctions compliance.
This post explores this new frontier in the sanctions space. But first …
Key facts and practical points
What did AK and MG do?
OFAC alleges that AK and MG laundered Bitcoin ransom payments that had been obtained from “SamSam” ransomware attacks. SamSam ransomware was used in attacks on the networks of corporations, hospitals, universities and government agencies in the US, the UK and Canada. Once infected by SamSam, the cyber criminals would take control of the victims’ servers and demand a ransom in Bitcoin to relinquish control.
AK and MG are alleged to have helped launder the extortion proceeds by exchanging the Bitcoin into fiat (rial) through the Addresses, and depositing the rial back into the financial system. They have been sanctioned under Executive Order 13694 of 1 April 2015 that permits the blocking of persons engaging in signigicant malicious cyber-enabled activities.
What does OFAC hope to achieve?
Historically, the SDN list has named individuals, entities, vessels and aircraft owned or controlled by, or acting on behalf of targeted countries or due to non-country specific programs relating to serious crime (eg drug trafficking, human rights abuses, cyberattacks etc).
We have previously written about the latest US sanctions against Iran and the increasing regulation of digital exchanges. OFAC has stated that as Iran becomes more and more isolated from the reimposed sanctions against it, it will become desperate for access to US dollars. Ransomware attacks, many known to originate from Iran, demand digital asset payments, largely because of their anonymous nature and the holders then look at ways to exchange it for other digital assets, goods, service or, ideally, fiat. In light of this, digital currency exchanges, peer-to-peer exchangers and other digital asset service providers will need robust controls in place to protect their networks against illicit use.
OFAC has warned that it will:
“aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives”.
With the rise of the digital economy, and increasingly better analytics and expertise at the intelligence and regulatory levels, it is inevitable that more and more digital asset addresses will start to appear on the SDN list. Persons that engage in transactions with an SDN (or the linked digital asset addresses) could become the target of secondary sanctions – regardless of whether the transaction is denominated in digital assets or traditional fiat currency.
In its published statement regarding the action, OFAC highlight that during the two years of Donald Trump’s administration, OFAC has sanctioned more than 900 individuals, entities, aircraft and vessels relating to Iran:
“the highest-ever level of US economic pressure targeting the Iranian regime”.
It is clear that the US government intends to continue to put pressure on Iran and regulate the digital asset community.
How do I implement this…. practically?
Simple in theory …
Adding digital asset addresses as identifiers sounds simple enough – until you think about the practical questions of compliance:
- How do you block digital assets?
For this one, we have a head-start. To assist with the “how?” aspect of blocking digital assets, OFAC have issued new FAQs. New FAQ 646 states that entities can block each digital wallet associated with a tainted digital asset address or it can use its own wallet to consolidate wallets that contain the blocked digital assets, similar to an omnibus account.
- When will a digital asset transaction, or digital wallet, be deemed to be “connected” to a tainted address?
OFAC has not indicated what would constitute a safe degree of separation. Rather, any interaction with a tainted address may be capable of equally tainting that address.
We suggest this at least includes the Address being the originator or beneficiary address in any payment of Bitcoin, for the purposes of payment, trading, custody or otherwise.
- Can I use OFAC’s online search function to search the list for tainted digital asset address?
No. Unfortunately not, the addresses are indicators only – listed within the individual SDN profile. Screening will need to be conducted against a downloaded sanctions list or, more likely, by a third-party provider.
The problem is, traditional sanctions screening may not lend itself to identifying digital assets that should be blocked. Many digital asset businesses may have come into contact with the Addresses, this does not necessarily mean that the owners of those digital wallets are “associated” with the individuals the sanctions intend to target.
- How do you stop a Bitcoin transfer from a tainted address to your, or your business’, address?
The Bitcoin network is a push system – it is not possible to refuse a Bitcoin transfer. So, in theory at least, a “bad actor” could send Bitcoin to a “good actor”; the good actor cannot refuse the Bitcoin, and suddenly they are now the not-so-good-actor and the controller of a tainted Bitcoin address.
Simply returning the Bitcoin is also generally not an option – blocking is important. This is essential, but it also carries potential risk contractually if you do not have the right contractual rights in place.
- What about obscured digital asset transfers?
Pay to End Point (“P2EP”) and digital asset mixers allow people to structure transactions in a way that obscures to or from whom the Bitcoin is going. There is no doubt that sophisticated Iranian (and other) hackers might well understand how to do this and have access to the service providers that allow them to do so. Indeed, in this respect the Addresses represent the “low hanging fruit” of digital asset enforcement – and arguably a lack of technical sophistication on the part of AK and MG. OFAC estimates that over 7,000 transactions in Bitcoin, worth millions of US dollars, have been processed through the Addresses.
… challenging in practice
The upshot of the above is that digital asset service providers may find that they have transacted, in some way, with tainted addresses and/or be struggling to identify linked addresses or wallets. Without further guidance and thought, it is difficult to see what adding digital asset addresses to the SDN list will really achieve.
Analytics may solve some of these problems. For example, analytics services can often identify digital assets that have gone through a mixer. But would all addresses that have used the same mixer be tainted by the presence of a bad address among them? It could be tempting to suggest that anyone using a mixer is trying to hide something so the assets becoming tainted is justified. However, it seems to be a dangerous assumption to suggest that all digital assets that have been through a mixer are the proceeds of crime, intended to fund terrorism or evade sanctions – mixers, like many other products and services, are not only used for criminal purposes.
Arguably, the OFAC action could be viewed as premature without further guidance. Indeed, as can be seen here and here, people have been sending Bitcoin to the two Addresses, presumably to mock OFAC (not recommended!).
However, targeting digital assets with sanctions (and increased regulation) is no doubt a sign of things to come. Digital asset businesses should be thinking carefully now about how they build and implement effective financial crime controls, including sanctions screening tools and effective analytics. Perhaps this outcome was foreseen by OFAC – regulate first, and allow the fintech community to create the solutions that will allow compliance. Either way, the new frontier in sanctions compliance is here: and having a game plan is key.
The practical upshot is that you must:
- understand whether OFAC lists apply to your business, directly or indirectly;
- have a risk-based policy to deal with sanctions and digital asset addresses that deals with monitoring, blocking, dealing restrictions and reporting;
- consider engaging a third party digital asset analytics provider, unless you are confident you can do this in-house;
- integrate screening into your practical procedures – this can sometimes be as a swift as a few seconds; and
- provide adequate guidance and training to your financial crime, compliance, front-line and management teams.
Contact us if you need assistance.
[i] This is a complex area of US regulation and is highly dependent on the applicable sanction regime, sector and corporate ownership. It is essential to obtain legal advice regarding if / when US sanctions apply to you and / or your organisation. Even where not strictly applicable, a number of regulators in other jurisdictions tend to expect their regulated institutions to have reference to OFAC designations, and many also do so in practice given group-level policies and procedures.
Information in this article is based on public information, sanctions laws are complex and we strongly recommend seeking appropriate professional advice in relation to compliance. Note that the authors are only qualified to practice in the laws of Hong Kong, Australia and England & Wales.