So, BitPay, which “offers a payment processing solution for merchants to accept digital currency as payment for goods and services”, settled 2,102 apparent violations of multiple programs that were considered non-egregious, but not voluntarily self-disclosed. The total value of the transactions involved was only $128,582.61 (and the actual revenue to BitPay was a tiny fraction of that).
What BitPay did
Between approximately June 10, 2013 and September 16, 2018, BitPay processed 2,102 transactions on behalf of individuals who, based on IP addresses and information available in invoices, were located in sanctioned jurisdictions (the “Apparent Violations”). The Apparent Violations related to BitPay’s payment processing service, which enables merchants to accept digital currency as payment for goods and services. Specifically, BitPay received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency, and then relayed that currency to its merchants.
While BitPay screened its direct customers—the merchants— against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and conducted due diligence on them to ensure they were not located in sanctioned jurisdictions, BitPay failed to screen location data that it obtained about its merchants’ buyers. Specifically, BitPay at times would receive information about those merchants’ buyers at the time of the transaction, including a buyer’s name, address, email address, and phone number. Beginning in November 2017, BitPay also obtained buyers’ IP addresses. However, BitPay’s transaction review process failed to analyze fully this identification and location data. As a result, buyers who, based on those information indicators, were located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria were able to make purchases from merchants in the United States and elsewhere using digital currency on BitPay’s platform.
General Factors – Aggravating and MitigatingNote: the base penalty here is $2,255,000.
OFAC determined the following to be aggravating factors:
(1) BitPay failed to exercise due caution or care for its sanctions compliance obligations when it allowed persons in sanctioned jurisdictions to transact with BitPay’s merchants using digital currency for approximately five years, even though BitPay had sufficient information to screen those customers; and
(2) BitPay conveyed a total of $128,582.61 in economic benefit to individuals in several jurisdictions subject to OFAC sanctions, thereby harming the integrity of those sanctions programs.
OFAC determined the following to be mitigating factors:
(1) BitPay had implemented certain sanctions compliance controls as early as 2013, including conducting due diligence and sanctions screening on its merchant customers, and formalized its sanctions compliance program in 2014;
(2) BitPay made clear in its training to all employees, including senior management, that BitPay prohibited merchant sign-ups from Cuba, Iran, Syria, Sudan, North Korea, and Crimea, as well as trade with sanctioned individuals and entities;
(3) BitPay is a small business that has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the earliest Apparent Violation;
(4) BitPay cooperated with OFAC’s investigation into these Apparent Violations; and
(5) BitPay has represented that it has terminated the conduct that led to the Apparent Violations and undertook the following measures intended to minimize the risk of recurrence of similar conduct in the future:
• Blocking IP addresses that appear to originate in Cuba, Iran, North Korea, and Syria from connecting to the BitPay website or from viewing any instructions on how to make payment;
• Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
• Launching “BitPay ID,” a new customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice equal to or above $3,000. As part of BitPay ID, the merchant’s customer must provide an email address, proof of identification/photo ID, and a selfie photo.
(6) As part of its agreement with OFAC, BitPay has undertaken to continue its implementation of these and other compliance commitments.
The Lesson to be Learned
This action highlights that companies involved in providing digital currency services—like all financial service providers—should understand the sanctions risks associated with providing digital currency services and should take steps necessary to mitigate those risks. Companies that facilitate or engage in online commerce or process transactions using digital currency are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions.
To mitigate such risks, administrators, exchangers, and other companies involved in using digital currencies should develop a tailored, risk-based sanctions compliance program. OFAC’s Framework for OFAC Compliance Commitments notes that each risk-based sanctions compliance program will vary depending on a variety of factors, including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations, but should be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. Within that framework, this enforcement action emphasizes the importance of screening all available information, including IP addresses and other location data of customers and counterparties, to mitigate sanctions risks in connection with digital currency services.It’s a hefty fine given that it was multiple times the actual transaction value, much less the revenue. Consider that the average transaction, according to OFAC’s accounting, was about $60 – and that the firm had a deficient compliance program, not a non-existent one. And when you look at the other factors – small company, cooperation and remediation, no recent enforcement actions, and no clear willfulness – it seems harsh on its face.
Something tells me that the reason why this was so large compared to the actual transferred value is deterrence value – which , you notice, is never mentioned explicitly in an enforcement action. I wonder if the payment processor had been a traditional one, and not one that specialized in virtual currency, whether the fine would have been as large.