OFAC Sanctions Guidance For Virtual Currency Companies: What You Need To Know


  • Spencer Schulten and Geoff Lash
  • Published: 22 October 2021


In October 2021, the Office of Foreign Assets Control (“OFAC”) published a guidance document outlining sanctions compliance obligations for virtual currency, including best practices.1 Although the document introduces few, if any, new points of view, its publication does signal OFAC’s intent to prioritize regulation of virtual assets and related BSA/AML and sanctions concerns.2

Of particular note are the following areas:

1. Management Commitment to a sanctions compliance program. OFAC highlighted that members of the virtual currency industry have implemented sanctions compliance programs, including written policies and procedures, weeks or months after beginning virtual activities, creating significant sanctions risks and related enforcement scenarios.3  OFAC believes it is never too early to integrate sanctions risks into daily operations involving virtual currencies, even during beta testing and prior to launching a new product.

2. Continued Importance of a well-calibrated sanctions risk assessment. OFAC recommends that virtual currency participants conduct a routine sanctions risk assessment to identify potential sanctions issues a company may encounter during its daily operations. A virtual currency company’s risk assessment process should be “tailored to the types of products and services offered and the locations in which such products and services are offered. Appropriately customized risk assessments should reflect a company’s customer or client base, products, services, supply chain, counterparties, transactions, and geographic locations, and may also include evaluating whether counterparties and partners have adequate compliance procedures,” and should be performed prior to providing products and services to customers.4

3. Enforcement Priorities. OFAC’s guidance document highlights several enforcement cases, with the common theme that virtual currency companies that have, but fail to make use of, information relevant to sanctions compliance, will be held accountable. In one instance, BitGo, Inc. (“BitGo”), a technology company based in Palo Alto, California, that implements security and scalability platforms for digital assets and offers non-custodial secure digital wallet management services, has agreed to remit $98,830 to settle its potential civil liability for 183 apparent violations of multiple sanctions programs (the “Apparent Violations”). As a result of deficiencies related to BitGo’s sanctions compliance procedures, BitGo failed to prevent persons apparently located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria from using its non-custodial secure digital wallet management service. BitGo had reason to know that these users were located in sanctioned jurisdictions based on Internet Protocol (IP) address data associated with devices used to log in to the BitGo platform. At the time of the transactions, however, BitGo failed to implement controls designed to prevent such users from accessing its services.5

In a second instance, a U.S. company that offers digital asset custody, trading, and financing services internationally entered into a settlement agreement with OFAC for processing virtual currency transactions on behalf of individuals who appeared to be located in sanctioned jurisdictions. Although the company tracked its users’ IP addresses when users logged in for security purposes, the company did not use the IP address information it collected to screen for and prevent potential sanctions violations. As a result, the company failed to prevent use of its non-custodial secure digital wallet management service by individuals with IP addresses located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria—all sanctioned jurisdictions at the time of settlement.6 

4. Transaction Monitoring and Investigation. OFAC also noted that companies operating in the virtual currency industry should employ tools sufficient to identify and block transactions associated with blocked persons, including transactions associated with those virtual currency addresses included on the SDN List. Additionally, OFAC’s inclusion of virtual currency addresses on the SDN List is not solely for screening purposes. OFAC stated that virtual currency addresses on the SDN List may assist the industry in identifying other virtual currency addresses that may be associated with blocked persons or otherwise pose sanctions risk, even if those other addresses are not explicitly listed on the SDN List. For example, “unlisted virtual currency addresses that share a wallet with a listed virtual currency address may pose sanctions risk because the sharing of a wallet may indicate an association with a blocked person.” Similarly, according to OFAC guidance, virtual currency companies may consider conducting a historic transaction review (i.e., a “lookback”) of activity after OFAC lists a virtual currency address on the SDN List to identify connections to the listed address.7

Virtual currency companies should take note of the above guidance, and begin to implement robust compliance processes sooner, rather than later. Such processes should include fulsome Know Your Customer (“KYC”) and related verification procedures. For individuals, this includes: legal name, date of birth, physical and email address, nationality, IP addresses associated with transactions and logins, bank information, and government identification and residency documents. For entities, this includes: entity name (including trade and legal name), line of business, ownership information, physical and email address, location information, IP addresses associated with transactions and logins, information about where the entity does business, bank information, and any relevant government document. Virtual currency companies should also incorporate processes for enhanced due diligence for any customer that presents heightened risk.  

Additionally, firms should incorporate geolocation tools and IP address blocking controls. According to OFAC, virtual currency companies with strong sanctions compliance programs should be able to use geolocation tools to identify and prevent IP addresses that originate in sanctioned jurisdictions from accessing a company’s website and services for activity that is prohibited by OFAC’s regulations (and not exempt/authorized).

For further information, please contact:  
• Spencer Schulten, Esq. | US Head of Financial Crimes Compliance | spencer.schulten@capco.com
• Geoff Lash | US Managed Services Lead – Financial Crimes Compliance | geoffrey.lash@capco.com


 1. “Sanctions Compliance Guide for the Virtual Currency Industry,” virtual_currency_guidance_brochure.pdf (treasury.gov).
 2. OFAC defines “virtual currency” as a “digital representation of value that functions as (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value; and is neither issued nor guaranteed by any jurisdiction.”
 3. See OFAC’s A Framework for OFAC Compliance Commitments, which provides further detail on the five essential components of a sanctions compliance program.
 4. See, “Sanctions Compliance Guide for the Virtual Currency Industry,” at pg. 12.
 5. See, 20201230_bitgo.pdf (treasury.gov).
 6. See, 20210218_bp.pdf (treasury.gov).
 7. See, “Sanctions Compliance Guide for the Virtual Currency Industry,” at pg. 15.