Virtual currencies have enjoyed a massive spike in popularity in recent years, but this boost in usage has also brought with it the potential for abuse.
To prevent the exploitation of virtual currencies, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has recently enacted sanctions on illegal payments and unauthorized activities.
These recent developments emphasize the need for cryptocurrency compliance. Organizations and individuals must ensure that they do not engage in sanctioned financial transactions and activities when working with virtual currencies.
What Are Cryptocurrencies?
Cryptocurrency is a form of digital money based on blockchain technology. Much like traditional money, you can spend and invest it. The major difference here is that no centralized authority controls or manages the money. Instead, the task of verifying transactions is distributed across a digital blockchain that is made up of all connected users.
The blockchain acts as the ledger that records transactions. Every user with a blockchain has an up-to-date copy of general financial activity. To fight against fraud, users can contribute to transaction validation either through “Proof of work” or “Proof of stake.”
The former allows computers known as “miners” to verify groups of transactions known as blocks before adding them to the blockchain ledger. The latter technique involves pledging a certain amount of cryptocurrency in order to verify a certain number of transactions.
You might have heard of Bitcoin, but there are many cryptocurrencies available, each with unique features, advantages, drawbacks, and adoption rates.
Legal Action Against Suex
The first OFAC cryptocurrency sanction levied against a virtual currency platform was implemented recently against the Russian SUEX OTC, S.R.O. This cryptocurrency exchange was discovered to be a money laundering scheme for ransomware attackers.
A ransomware attack involves shutting down the victim’s network and demanding a ransom in order to unlock access. Even choosing to pay the ransom as a victim can put you at risk of sanctions, as your decision may fund future cybercriminal activities.
According to the Treasury, about 40% of the transactions in SUEX were illegal. The exchange and any others tied to the illicit activity will be barred from trading with U.S. entities in the future.
OFAC considers these cyberattacks a threat to national security, and this incident has not been the first. The SolarWinds incident occurred on U.S. soil with a major technology firm, and the Colonial Pipeline hack resulted in service disruptions for fuel delivery in various parts of the East Coast.
Being the target of an OFAC sanction has severe implications for your ability to do business within the United States, so it’s important to keep track of cryptocurrency regulations and find ways to keep your compliance level up.
OFAC’s Suggestions
OFAC has published Sanctions Compliance Guidance for virtual currency companies in response to growing concerns of illegal activities across cryptocurrency exchanges. This document specifies various responsibilities and ways to remain compliant, such as reporting and recordkeeping practices as well as licensing procedures for exercising exceptions to OFAC sanctions. It also details five best practices for OFAC compliance:
- Commitment from management to contribute to a healthy sanctions compliance program. Proper controls and resources must be diverted to compliance efforts within your company.
- Risk assessment for identifying vulnerabilities regularly. Businesses often do a complete review of all its touchpoints with third-parties to check for potential noncompliance incidents.
- Internal controls must be ready to address, report, escalate, and record these risks if they come up. Having the due diligence to protect yourself, your customers, and your business partners is part of the job.
- Auditing enables you to check on the effectiveness of your compliance efforts. This way, you can make continual improvements and recalibrations as the threat landscape changes over time.
- Training matters because your compliance program is only as strong as the awareness of your staff. Job-specific knowledge should be given to the employees on a regular basis to make sure everybody is on the same page.
In addition to these steps, remember to stay up-to-date on recent news in the fields of cryptocurrency and cybersecurity.
What We Can Learn From It
Do not make the assumption that the U.S. government may be going after cryptocurrencies in general. In fact, the Treasury does note that many cryptocurrency exchanges operate in legal activities and that it is possible to sanction illicit actors without punishing the rest of the genuine users.
The SUEX sanction should serve as a warning that the U.S. Treasury is serious about cracking down on illicit activities involving cryptocurrency exchanges. Virtual currency providers may have to check their own compliance levels and find ways to dig out malicious actors within their platforms.
To do so, these companies should look to implementing cybersecurity practices, including but not limited to:
- Data backups
- Plans for incident response
- Antivirus software
- Authentication tools
- Cybersecurity training
- Denied party screening and third party risk management
Even if you are the victim of sanctions in the future, OFAC will consider your cybersecurity precautions and your efforts to be transparent about the incident when deciding on your penalties.
For companies unsure about their current readiness to handle the rapid pace of changes to the compliance landscape, there are several options. Solutions provided by leading vendors, such as Descartes Visual Compliance, can help organizations rapidly deploy full-fledged compliance solutions, including denied and restricted party screening, sanctioned ownership screening to account for regulations such as the OFAC 50 percent rule, and export documentation and licensing management.
Compliance is an ongoing process, and the most important thing an organization can do to remain on the straight and narrow is to be aware of the ongoing changes in the compliance world as they occur, and to adapt to the changes in a timely manner.