When the United States first began going after crypto companies for violating its economic sanctions rules, it didn’t exactly start with a bang.
In December, the Treasury Department’s Office of Foreign Assets Control (OFAC) announced a settlement with crypto wallet provider BitGo after the Palo Alto firm failed to prevent persons apparently located in the Crimea region, Iran, Sudan, Cuba and Syria “from using its non-custodial secure digital wallet management service.” The penalty for the “183 apparent violations” of U.S. sanctions? An underwhelming $98,830.
This was “the first published OFAC enforcement action against a business in the blockchain industry,” according to law firm Steptoe, though six weeks later, the OFAC reached a similar settlement with BitPay, a payment processing firm, for 2,102 “apparent violations of multiple sanctions programs,” in which BitPay reportedly allowed persons in the same countries as in the BitGo case — but with the addition of North Korea — “to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform even though BitPay had location information, including Internet Protocol addresses and other location data, about those persons prior to effecting the transactions.” BitPay agreed to pay $507,375 to resolve its potential civil liability.
But future violators may not be treated so leniently.
It’s worth mentioning that economic sanctions are typically applied “against countries and groups of individuals, such as terrorists and narcotics traffickers,” according to the United States Treasury, typically “using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.”
More enforcement actions are coming
“The crypto industry should absolutely expect more enforcement actions from OFAC, and it can expect that there will be much larger penalties as well,” David Carlisle, director of policy and regulatory affairs at Elliptic, tells Magazine. “OFAC’s first two enforcement actions in this space were fairly simple cases, where the underlying violations were not egregious, and the fines were small. But the next cases could be different,” he says, adding:
“There will undoubtedly be other cases out there that involve much more serious and egregious violations — and we can expect that OFAC will issue fines against crypto businesses that are much larger than those we’ve seen thus far.”
Expect more enforcement actions like those targeting BitPay and BitGo, Doug McCalmont, founder of BlocAlt Consulting LLC, tells Magazine, as well as “the expansion of targeted individuals, such as coders linked to the technology.”
Sanctions regimes have been applied extensively in recent years by the United States, as well as the European Union and United Nations, often targeting “rogue” nation-states, such as North Korea and Iran. One of the best-known early crypto cases involved Virgil Griffith, a former hacker, who was arrested in April 2019 after he spoke at a blockchain and cryptocurrency conference in North Korea, in violation of sanctions against that outcast nation, the U.S. charged.
“Sanctions violations are a real problem,” says David Jevans, CEO of CipherTrace, whose crypto forensics firm recently found that more than 72,000 unique Iranian IP addresses are linked to more than 4.5 million unique Bitcoin addresses, “suggesting that sanction violations are likely rampant and mostly undetected by virtual asset service providers,” he tells Magazine.
It’s not only U.S. authorities who are concerned about “bad actors” using the nascent blockchain technology to dodge economic sanctions. Agata Ferreira, assistant professor at the Warsaw University of Technology, tells Magazine that authorities in Europe “are becoming more active and more focused. The crypto space is under increasing scrutiny, and I do think this trend will remain and accelerate.”
Nor is OFAC’s recent crypto focus surprising, according to Robert A. Schwinger, partner in the commercial litigation group at Norton Rose Fulbright. The United States government has no choice but to rein in this new, cryptocurrency asset class because “not to do so would expose it to the risk that its sanctions regime could be rendered toothless by new financial technology. Players in the cryptocurrency space who ignore the restrictions imposed by U.S. international sanctions are being put on notice that they do so at their peril,” he wrote on Law.com.
Is DeFi problematic?
As crypto adoption grows, it seems only inevitable that its decentralized finance (DeFi) networks will push up against more nation-state prerogatives, including economic sanctions. But isn’t there something inherently problematic about cracking down on a decentralized exchange (DEX)? Does the exchange even have a headquarters address? Is anyone even home at home? And should it even answer to someone if it’s truly decentralized?
Enforcing regulations in a decentralized world presents certain challenges, Timothy Massad, former chairman of the U.S. Commodity Futures Trading Commission and now a senior fellow at Harvard University Kennedy School, tells Magazine, but U.S. regulators are “trying to figure it out.” Might the government eventually put more pressure on developers at DeFi firms, including decentralized exchanges? “Yes, they can build into the code some proper procedures… but it’s a lot easier to go after centralized intermediaries,” says Massad.
“I think we’ll see DeFi developers come under real pressure to ensure their platforms can’t be abused for sanctions evasion — for example, by enforcing address blacklisting,” says Carlisle, adding, “There’s a lot of talk lately about [traditional] financial institutions taking interest in DeFi, but it’s hard to imagine major institutions participating in DeFi unless they’re confident it can be compatible with sanctions requirements.”
DeFi projects are “decentralized, disintermediated and borderless — everything our legal and regulatory frameworks are not,” Ferreira informs Magazine. The latter are built around centralized, intermediated and jurisdiction-based architecture. “Therefore, this is a challenge and a learning curve for regulators, and not all proposed solutions will be optimal,” Ferreira adds.
The European Union is aware of the DeFi compliance challenge. Its recent Markets in Crypto-Assets (MiCA) regulatory proposal “will force DEXs to have legal entities in order to transact with EU citizens, effectively banning fully decentralized exchanges,” Jevans tells Magazine. He adds, “Many so-called DEXs have very centralized governance, venture capital investors and physical headquarters, causing the FATF to categorize them as VASPs.”
Meeting compliance demands for digital service firms like BitPay and BitGo will require some effort. “Trying to identify where a counterparty is located in a crypto transaction is inherently difficult due to the nature of the technology,” observes Carlisle, but crypto firms need to realize that anytime they undertake a transaction “and don’t make an effort to identify the source or destination of funds, they’re taking on a major risk of sanctions violations.”
Crypto mining, too, carries sanctions-compliance risks. “If you process transactions on behalf of participants in a mining pool that’s connected to a country like Iran, or pay a fee to an Iranian miner,” you could run afoul of OFAC, says Carlisle. There are sanctions risks, too, in handling ransomware payments “because some ransomware campaigns have involved cybercriminals in places like North Korea and Iran.”
Then, too, the growing use of privacy coins, like Monero and Dash, which hide users’ addresses and transaction amounts — unlike Bitcoin — makes the task more difficult, arguably.
Forensic blockchain firms, however, are looking into how to “improve sanctions compliance on the part of virtual asset service providers,” McCalmont comments. CipherTrace, for example, has developed the ability to track the anonymity enhanced currency (AEC) Monero, once thought to be “the gold standard of AECs.” He adds:
“These [forensic] firms will rise to the occasion and roll out capabilities that will ‘circumvent’ any compliance ‘speed bumps’ utilized by decentralized exchanges. It really is somewhat of a regulatory arms race.”
And the stakes appear to be rising.
“There’s overwhelming evidence at this stage that sanctioned countries are using crypto,” says Carlisle, concluding, “North Korea’s crypto-related cybercrime has raised at least hundreds of millions of dollars. Iran and Venezuela have looked to crypto mining as a method for sanctions evasion and to generate revenue.”
To stay ahead in the “regulatory arms race,” some crypto companies are now using tools such as blockchain analytics, recounts Carlisle, to identify whether a crypto wallet belongs to a sanctioned party, but even then, staying compliant can be tricky. “Not only do you need to screen addresses against the OFAC list, you should have systems that are calibrated to detect more subtle signs of sanctions risk, and your staff must be trained to handle situations that involve possible sanctions issues.”
OFAC, too, is operating on the principle of strict liability. “You can be held to account even if you were acting in good faith” with no wrong-doing intended, adds Carlisle. “The crypto industry will need to operate to very high standards of sanctions compliance to avoid run-ins with OFAC.”
Part of a larger, global regulatory trend
Recent sanctions activity is just part of a global crackdown that can be expected in the crypto sector, some say. In May, the U.S. Treasury Department announced stricter new rules for Bitcoin and other cryptocurrencies. Crypto transfers worth $10,000 or more will have to be reported to the Internal Revenue Service.
This Treasury Department action is likely to be “the first major step towards a global regulation” for cryptocurrencies, according to Nigel Green, CEO and founder of deVere Group, in a public statement. “This is inevitable as the market grows and matures.”
Nor should the crypto community fight it — they should embrace it, suggests Green. “Proportionate regulation should be championed,” he says, further explaining:
“It would help protect investors, shore-up the market, fight criminality, and reduce the potential possibility of disrupting global financial stability, not to mention offering a potential long-term economic boost to those countries that introduce it.”
In the absence of new crypto legislation and regulatory guidance, the players themselves — i.e., the crypto and blockchain industry — need to get their house in order, James Cooper, associate dean of experiential learning at California Western School of Law in San Diego, tells Magazine, adding, “We have an obligation to create self regulatory organizations. […] The industry has got to push out all the bad actors.”
If 95% percent of media stories and the public’s conversation about crypto focuses on ransomware or Iranian miners or criminal entities, “then something is wrong,” continues Cooper, because all the good things, like blockchain for food security or blockchain for vaccine tracing, get pushed out.
A Bretton Woods for crypto?
“We need our Bretton Woods moment,” opines Cooper, referring to the multi-governmental agreement that set the outlines of international finance after World War II. Something similar is needed for the crypto century.
Not all agree. “The Bretton Woods Agreement centralized monetary policy,” says Jevans, and it “is an approach that is unlikely to be accepted in the decentralized blockchain economy since different projects have wildly varying objectives and governance models.”
More promising in his view are the Financial Action Task Force’s recent updated compliance guidelines, which make clear “that decentralized exchanges as well as other DeFi platforms do bear responsibility for ensuring compliance with global sanctions as well as Anti-Money Laundering and Counter-Terrorism Financing laws. The solution is for these entities, now classified as VASPs by the FATF, to adopt solutions that enable them to achieve compliance without sacrificing decentralization and user privacy.”
Many have called for international collaboration for addressing these new technological developments, like crypto and blockchain, notes Ferreira, but “I am not sure how feasible it is. Authorities sometimes act when there is a trigger. Libra was such a trigger — and a wake up call — for authorities.” She adds, “Maybe we will see other events in the future that could mobilize authorities to more internationally coordinated action.”
Decentralization at odds with the law?
But isn’t there an inherent conflict, though, between economic sanctions — imposed by sovereign nations, or quasi governments like the U.N. — and decentralized finance?
One of the strengths of decentralized finance, according to proponents, after all, is that it’s a hedge against centralized government corruption, including authoritarianism. Might a blanket ban on Iranian users, for example, also shut out Iranian dissidents looking to transfer money outside the reach of the government? “Absolutely,” answers McCalmont:
“I, a ‘regular Joe guy,’ can create an account on a decentralized exchange within minutes and immediately transfer funds to North Korea, Syria, Iran — completely under the radar and with little effort — speaks volumes. If those dissidents have a will, there is without a doubt a way.”
All in all, what may be required here is a mean between two undesirable outcomes. A young, evolving sector like the crypto and blockchain industry will inevitably have “vacuums” that nefarious, non-state actors will seek to exploit “until the state comes in and kicks them out,” Cooper tells Magazine.
That’s to be expected. But the U.S. has gone through four years of anti-regulation rhetoric, at least at the national level, and now, under a new administration, a danger exists that it may seek to monopolize all digital assets — and snuff out innovation.
Doing nothing is bad, continues Cooper, but the U.S. government — or any other state — monopolizing digital assets, whether through a central bank digital currency or other means, is also undesirable. The challenge is “finding the sweet spot.”