On February 18, 2021, the US Department of the Treasury’s Office of Foreign Assets control (OFAC) announced a $507,375 settlement with BitPay, Inc. (BitPay).  This civil settlement resolved apparent violations of multiple sanctions programs related to digital currency transactions, and is the second OFAC enforcement case brought against a business in the blockchain industry.  This case follows OFAC’s December 2020 civil enforcement action against another blockchain industry company, BitGo, Inc. (BitGo), for alleged violations of multiple US sanctions programs related to digital currency transactions.  See our prior blog post on the BitGo action here.

BitPay, based in Atlanta, Georgia, offers a payment processing solution for merchants to accept digital currency as payment for goods and services.  The apparent sanctions violations relate to digital currency transactions on the BitPay platform between individuals located in Cuba, North Korea, Iran, Sudan, Syria, and the Crimea region of Ukraine (annexed by Russia) and merchants in the United States and elsewhere.  OFAC acknowledged that BitPay screened its customers, the merchants, against US sanctions lists, but stated that BitPay had reason to know that purchasers dealing with the merchants were located in comprehensively sanctioned jurisdictions because the company had location information, including Internet Protocol (IP) address data, about those persons.  This case was not voluntarily disclosed, but OFAC found that the violations were not egregious.

According to OFAC, BitPay allowed persons in comprehensively sanctioned jurisdictions to conduct approximately $129,000 worth of digital currency transactions with BitPay’s merchant customers.  As described in OFAC’s enforcement release, between approximately June 10, 2013, and September 16, 2018, BitPay processed 2,102 transactions from individuals with IP addresses located in the sanctioned jurisdictions.  The transactions related to BitPay’s payment processing service.  BitPay allegedly received digital currency payments on behalf of its merchant customers from those merchants’ buyers, who were located in sanctioned jurisdictions.  BitPay then converted the digital currency into fiat, and then relayed that currency to its merchant customers.

BitPay collected certain pieces of information on the buyers including the buyers’ name, address, email address, and, starting in November 2017, the buyer’s IP addresses.  However, BitPay’s transaction review process did not appropriately analyze this location and identification information, resulting in persons located in the comprehensively sanctioned jurisdictions making purchases from US merchants.

OFAC has previously cited companies for violations based, at least in part, on a failure to implement IP geo-blocking in a number of non-blockchain contexts, including actions targeting Amazon, Toronto-Dominion Bank, and Standard Chartered Bank, and in the BitGo action noted above.

Pursuant to OFAC’s Enforcement Guidelines, OFAC identified two factors that it determined to be aggravating factors:

  • BitPay failed to exercise “due caution or care for its sanctions compliance obligations” by allowing persons in sanctioned jurisdictions to transact with BitPay’s merchants using digital currency for approximately five years, while BitPay allegedly had sufficient location information to screen those customers; and
  • BitPay conveyed $128,582.61 in economic benefit to individuals located in several sanctioned jurisdictions, thereby damaging the integrity of those sanctions programs.

However, OFAC also found a number of mitigating factors:

  • BitPay implemented certain sanctions compliance controls as early as 2013, including due diligence and sanctions screening efforts on its merchant customers, and formalized its sanctions compliance program in 2014;
  • BitPay provided employee training, including to senior management, that merchant sign-ups from Cuba, Iran, Syria, North Korea, and Crimea, as well as trade with sanctioned individuals and entities, were prohibited;
  • BitPay is a small business and had not received a penalty notice or Finding of Violation from OFAC in the previous five years from the date of the earliest apparent violation;
  • BitPay cooperated with OFAC’s investigation into the apparent violations and terminated the conduct that led to the violations; and
  • BitPay implemented a series of measures intended to minimize the risk of a recurrence of the conduct in question. The controls included blocking IP addresses that appear to originate in comprehensively sanctioned jurisdictions, checking physical and email addresses of merchants’ buyers to prevent completion of an invoice if BitPay identifies a sanctioned jurisdiction address or email domain associated with a sanctioned jurisdiction, and launching BitPay ID, a customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice of $3,000 or above.

The company could have faced a statutory maximum civil monetary penalty of $619,689,816, but the penalty was reduced to $507,375 in accordance with OFAC’s Enforcement Guidelines.

The enforcement release highlighted the importance of having an appropriate risk-based compliance program and emphasized that companies providing digital asset services should take steps to mitigate sanctions risks associated with such services.  The agency’s Framework for OFAC Compliance Commitments lays out factors it looks for when reviewing such programs.  With respect to sanctions screening, OFAC noted that this case “emphasizes the importance of screening all available information, including IP addresses and other location data of customers and counterparties, to mitigate sanctions risks in connection with digital currency services.”  Taken together, OFAC’s recent actions against BitGo and BitPay suggest the agency is placing increased focused on the blockchain industry and that companies that have not adopted and implemented a robust OFAC compliance program may be at risk in future enforcement actions.