The Office of Foreign Assets Control ("OFAC") of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States1.
In the cryptocurrency/blockchain business and Web 3.0 ecosystem - understood as a “new” internet built, operated, and owned by a community of users -, this is not different. The regulatory agencies and governments expect the crypto firms and the operators in the Web 3.0 ecosystem to also comply with AML/CFT regulations2 and Sanctions regimes3, otherwise they will be subject to fines and other penalties.
In August 2022, OFAC sanctioned a cryptocurrency “mixer”4 – programmes used to increase the anonymity of crypto transactions – for its alleged use in money-laundering, and, on 11 October 2022, an agreement5 between OFAC and a crypto firm settled a fine of $24,280,829.20 due to violation of Sanctions Compliance.
Crypto firms need to ensure that the controls in place can appropriately identify and mitigate risks generated by the fast pace of the transactions and the elevated anonymity level in a global customer base, peculiar to its own business, while navigate the complex and intricate Sanctions regimes, altogether. Likewise, the community of users of Web 3.0 that advocates the benefits of a novel, more efficient and fair ways of coordinating activities across jurisdictions, need to focus on developing collective solutions to identify and inhibit bad actors from misusing the technology and enforcing penalties.
Whenever these controls are not sufficient, resulting in deficiencies, as observed in the latest OFAC’S enforcements, for instance, the crypto firm/Web 3.0 operator will be subject to a fine. Therefore, relevant to learn the valuable lessons presented by the enforcement actions on how to build a Sanctions Compliance Program and what regulators expect crypto firms to do to prevent Sanctions risk.
Along with the Compliance Program essentials predicated in the management commitment, risk assessment, internal controls, testing and auditing and training, the crypto firm is expected to6:
- have effective internal controls in place to proceed with complete screening on customers and transactions, also focusing on a nexus to sanctioned jurisdictions, in addition to formal demonstration of understanding of Sanctions regulations, through policies and procedures;
- have a tailored and risk-based Sanctions Compliance Program in place and additional independent audits of its Sanction’s Compliance functions;
- conduct additional Sanctions Compliance training for all relevant staff;
- ensure that its Sanctions Compliance service providers are aligned and compliant with the institution’s Sanctions Compliance risk; and
- timely implement remedial measures after becoming aware of a potential Sanctions issue.
At this stage, with more repertoire and guidance available about AML/CFT and Sanctions Compliance, enforcement actions with larger penalties shall be expected. Therefore, it is advisable that financial service providers, notably, crypto firms increase their attention to the importance of building effective AML/CFT and Sanctions Compliance Programs or improving the existent ones.
Summary
The article shares inputs on the importance of crypto firms being compliant with AML/CFT and Sanctions regulations, using a recent OFAC’s enforcement as starting point.
Special thanks to Ana Carolina Brönnimann and Dominique Jaussi for their valuable contribution to this article.