BitPay Inc. Enforcement Action Highlights Sanctions Compliance Risks for Virtual Currency Service Providers

On February 18, 2021, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) entered into a settlement of $507,375 with BitPay Inc. for violations of multiple U.S. sanctions programs. According to the settlement, BitPay allowed its platform to be used by persons in Cuba, North Korea, Iran, Sudan, Syria and the Crimea region to transact with merchants in the United States. The latest settlement is noteworthy for the involvement of a digital currency service provider and its discussion of OFAC’s expectations regarding compliance for companies in this growing financial and commercial sector.

BitPay is a blockchain payment technology company based in Atlanta, Ga., and serves as a platform enabling merchants and individual customers in the United States and around the world to transact in Bitcoin and accept payments in the virtual currency for goods and services. Among other services, BitPay receives digital currency payments on behalf of its merchant customers from those merchants’ buyers, it converts the digital currency to fiat currency, and then relays that currency to its merchants. BitPay reportedly had compliance processes in place, including screening its direct merchant customers, against OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List) and conducting certain due diligence to ensure they were not located in sanctioned jurisdictions.

OFAC, however, determined that BitPay did not adequately screen for the buyers transacting with the merchants, even though BitPay had location information such as Internet Protocol (IP) addresses and other location data indicating buyer locations prior to effecting the transactions. Between 2013 and 2018, several of the buyers who were located in sanctioned jurisdictions such as Cuba, North Korea, Iran, Sudan, Syria and Crimea used the platform to engage in transactions with U.S. and non-U.S. merchants in digital currency. In all, BitPay processed 2,102 transactions on behalf of persons from sanctioned jurisdictions worth approximately $129,000. BitPay had not made a voluntarily disclosure and the apparent violations exposed BitPay to a maximum civil penalty of over US$619 million.

As part of the settlement, and in consideration of certain mitigating factors, OFAC agreed to a lower fine of $507,375. BitPay undertook a number of compliance measures to minimize the risk of similar conduct occurring in the future, including:

• Blocking IP addresses that appear to originate in Cuba, Iran, North Korea, and Syria from connecting to the BitPay website or from viewing any instructions on how to make payment;
• Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
• Launching “BitPay ID,” a new customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice equal to or above $3,000. As part of BitPay ID, the merchant’s customer must provide an email address, proof of identification/photo ID, and a selfie photo.

This settlement highlights OFAC’s expectation that digital services providers must take compliance steps necessary to mitigate the risk of sanctions violations, similar to other financial service providers. While privacy and some level of anonymity may draw certain users of virtual currency, the payment processors, wallets and other companies in the ecosystem can be regulated financial institutions under U.S. law and have customer due diligence (CDD), know your customer (KYC) and other anti-money laundering obligations. For U.S. sanctions purposes, OFAC’s settlement with BitPay reinforces the expectation that compliance also include SDN and denied party screening as well as assessment of IP address and geolocation. OFAC focused on the information BitPay had access to for individual end users acting through BitPay’s direct merchant customers, and the enhanced compliance measures adopted by BitPay as part of the settlement helped to ensure its access to better CDD/KYC information for indirect users as well as direct customers.

Digital currency service providers, like more traditional financial institutions and technology-driven fintech companies, will be expected by regulators to develop a tailored, risk-based compliance program with sanctions compliance as a key consideration. In the BitPay settlement announcement, OFAC reaffirms that AML and sanctions compliance in the virtual currency and digital asset space will remain an area of U.S. government focus and evolving guidance.