Logo for print

OFAC Ransomware Update

Updates By: Seth D. DuCharme

On Friday, OFAC published a compliance guide aimed at the virtual currency industry, which promotes sanctions compliance amid the rise of ransomware attacks. Similar to OFAC’s recent advisory, this compliance guide is yet another initiative relating to the U.S. Treasury Department's ongoing efforts to combat ransomware and many other flourishing crypto-related crimes. The guide includes an introduction to sanctions compliance requirements and makes clear that the requirements apply to the virtual currency industry just as they apply to traditional financial institutions, carrying both civil and criminal penalties for violations. The OFAC guidance offers examples of compliance best practices for companies in this industry, including technology companies, exchange platforms, wallet providers, and miners, as well as more traditional financial institutions that may have exposure to cryptocurrencies. Some key recommendations by OFAC to remain complaint include:

  • Implementing a robust compliance program, including sanctions list and geographic screening, investigations, and transaction monitoring;
  • Establishing adequate internal controls to identify, interdict, escalate, and report transactions prohibited by OFAC-administered sanctions;
  • Ensuring senior management commitment to compliance efforts; and
  • Conducting routine risk assessment exercises to identify potential areas in which the company may, directly or indirectly, engage with OFAC sanctioned persons, countries, or regions.

OFAC warned that failure to take sanctions risks seriously could lead to enforcement actions, as it has in the past. For example, BitPay, a cryptocurrency payment processing platform, entered into a $507,000 settlement with OFAC in 2021. Significantly, OFAC did not allege that BitPay knowingly violated sanctions laws, rather, OFAC alleged that BitPay had inadequate internal control policies in place which failed to identify potential sanctions violations. OFAC’s enforcement action underscores the importance of implementing risk-based sanctions compliance controls commensurate with the risk profile of an organization.

The OFAC guidance is the latest in a series of moves by the Biden administration to combat ransomware attacks by making it more difficult for ransomware groups to profit from their crimes. Accordingly, there is increasing pressure on the virtual currency industry to take action against those exploiting their services. Sanctions risks are vulnerabilities that, if ignored or mishandled, can lead to subsequent enforcement actions, harm to U.S. national security interests, and negative impacts on a company’s reputation and business. Bracewell attorneys are available to help organizations navigate this challenging legal landscape and build strong and effective compliance programs.