In the wake of Russia’s invasion of Ukraine, sanctions have come to the forefront of economic trade with many nations adding individuals and entities to their sanctions lists in the last month.
In light of the severity of enforcement actions against those that do not comply, Coinfirm’s Regulatory Affairs team here gives an overview of what sanctions are, the main regulatory bodies to be aware of, the issues that blockchain technology raises for them, and more.
Sanctions represent a wide range of political and economic restrictions, implemented against countries, entities or individuals with the aim of maintaining or restoring local and international peace and security by influencing the behaviour of a particular country’s governments, individuals or groups.
For example, various countries have imposed sanctions against Russia following the annexation of Crimea (2014) and most recently (2022) in the aftermath of the unprovoked invasion of Ukraine, in an effort to discourage Russia’s continuation of the attack.
A regime or programme is the system in which sanctions are applied in a given scenario.
For example, OFAC’s ‘Iran sanctions’ programme lists sanctions against Iran. On the other hand, there are 3 OFAC sanctions programmes applying to Russia: the ‘Russia Harmful Foreign Activities’, ‘Ukraine/Russia Related Sanctions’ and ‘Magnitsky Sanctions’ programmes.
The basis of sanctions creation is the assurance of economic and political security of a jurisdiction, and/or international security when all diplomatic attempts at resolving a conflict have failed.
This goal is secured by imposing restrictions against certain countries, entities or individuals considered to pose a certain degree of risk to political and economic stability.
Sanctions are essentially the largest firepower a country has against another country short of military force.
Countries: sanctions are imposed against an entire jurisdiction, restricting, among others, all direct or indirect imports/exports, trade brokering, financing or facilitating in respect of most goods, technologies and services. Engaging in these activities with either an individual or legal entity from a sanctioned country is prohibited, unless special authorisation is granted by the sanctions regulator for specific transactions. Examples of countries sanctioned by OFAC are Cuba, North Korea, Iran and Syria.
Legal entities and groups: companies from targeted countries and other entities (such as terrorist groups) are subject to asset freezes or other targeted restrictions.
Industries, vessels and aircraft: restrictions can be linked to those related to a specific sanctioned jurisdiction.
Individuals: particular individuals or groups of individuals (such as drug traffickers, weapon proliferators and corrupt leaders) can be targeted by various measures such as financial restrictions and/or travel bans.
On a macro level, there are sanctions agreed upon by multiple nations against the same target, which we call multilateral, and those imposed by a single country, called unilateral.
On a micro level, both the multilateral and unilateral ones apply the following restrictions:
Comprehensive sanctions – sanctions of the widest range. Typically this term is used in the context of OFAC (US) comprehensive sanctions that are directed at entire countries or regions and restrict specific interactions with their general population, entities and government.
Note that this term may have a slightly different scope in the case of EU or UN sanctions. In the EU comprehensive sanctions refer to those targeting governments.
Sectoral Sanctions – prohibit specific business dealings with sanctioned subjects within a specific sector, such as financial or energy-related transactions. E.g. financial sectoral sanctions would (among others) prohibit providing financing or issuing debt for a sanctioned entity (type applied by the UK and the USA).
Targeted or Selective Sanctions – directed at specific individuals, companies and organizations (type applied by most sanction issuers: UN, EU, UK and USA).
Secondary Sanctions – sanctions penalizing entities breaching sanctions, e.g. a company with high-volume, frequent dealings with Iran can be sanctioned (type applied by the USA).
Regardless of the type of sanction, it is a criminal offence to breach a sanction without an appropriate licence or authorisation from the appropriate sanction regime. Penalties range from fines of up to millions of dollars, depending on the offence, to prison sentences for the liable parties involved if the breach is considered to have taken place willfully.
The main sanction regimes in the world are those of the European Union (EU), the United Nations (UN) and the US’ Office of Foreign Assets Control (OFAC).
Sanctions are introduced by legislative means (such as Acts/Executive Orders and regulations depending on the jurisdiction) and administered and enforced by sanctions bodies respective to each jurisdiction (such as OFAC in the US or OFSI in the UK).
There is no single international regulatory body that introduces and enforces sanctions.
The UN Security Council and the EU introduce multilateral sanctions. As they have no authority to enforce them, this responsibility falls onto the Member States. Currently, there are 193 UN Member States and 27 in the EU.
Each country has its own sanctions bodies that introduce unilateral sanctions and administer and enforce them. In the UK, the HM Treasury implements and enforces financial sanctions, through its Office of Financial Sanctions Implementation (OFSI). In the US, the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury administers and enforces economic and trade sanctions.
Sanctions are created by a variety of international, regional and state bodies as follows:
Each country must abide by the sanctions regulations imposed by the regulatory body they fall under:
All financial institutions within UN Member States must comply with UN Sanctions, thus it’s expected of them to perform UN sanctions searches as part of their AML/CFT compliance programme, as dictated by regulations developed and implemented by domestic authorities in view of UN’s lack of direct legislative power to enforce its sanctions within Member States.
EU Sanctions are binding on Member State nationals inside or outside the territory of the EU, on any legal person or entity incorporated or constituted under the law of a Member State, as well as on branches of EU companies in third countries.
UK Sanctions apply to all individuals and legal entities who are within or undertake activities within the UK’s territory, as well as all UK nationals and legal entities established under UK law, including their branches, irrespective of where their activities take place.
US Sanctions apply to all US citizens and permanent residents (irrespective of their origin) on or outside US territory, as well as to legal entities established under US law and their branches, irrespective of where they conduct business.
OFAC’s Cuba, Iran, and North Korea sanctions programmes extend sanctions prohibitions to certain foreign entities owned or controlled by U.S. persons or U.S. financial institutions. Additionally, any transaction that causes a violation — including a transaction by a non-U.S. person that causes a U.S. person to violate sanctions — is also prohibited.
All international, regional and state bodies that issue sanctions will have lists of sanctioned countries, entities and individuals these are imposed upon.
Sanctions related to countries can be found on regulators’ websites:
Lists of sanctioned entities and individuals are called Sanctions Lists of Designated Persons, Consolidated Lists, or simply Sanctions Lists:
Regulators may keep a separate list for sectoral sanctions:
The level of due diligence that obliged entities must apply to ensure no dealings with sanctioned parties are allowed would depend on:
The sanctions checks would entail, at minimum, the following to identify DIRECT sanctions risk for regulated companies:
Note the following:
– All sanctions lists are available online for free. There are many paid sanctions screening software solutions on the market. The usual benefit of the paid ones is their fuzzy matching logic (the system can find a match even with spelling mistakes or spelling variations) and the fact that many >50% owners are included. In contrast, screening against a free list may be compromised by spelling variations. Also, the free lists will not include many of the >50% owners that paid solutions add based on research into companies’ ownership.
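The gap between exact and fuzzy list matching described in the note above, as an added example that is not part of the original article or of any vendor's software. The list entries, customer names, helper functions and the 0.85 threshold are all constructed for illustration, and the similarity measure is Python's standard-library `difflib`.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictitious list entries. Real lists are published by the
# regulators and carry more fields (date of birth, programme, aliases).
SANCTIONS_LIST = [
    {"id": "EX-001", "names": ["Aleksandr Examplov", "Alexander Examplov"]},
    {"id": "EX-002", "names": ["Orbita Example Trading LLC"]},
]


def normalize(name: str) -> str:
    """Fold case, accents, punctuation and word order into one canonical form."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(sorted(cleaned.split()))


def exact_screen(name: str) -> list[str]:
    """Naive lookup: hits only when the string equals a listed name exactly."""
    return [e["id"] for e in SANCTIONS_LIST if name in e["names"]]


def fuzzy_screen(name: str, threshold: float = 0.85) -> list[tuple[str, str, float]]:
    """Return (entry id, listed name, score) for every entry whose best
    name or alias similarity reaches the threshold, best match first."""
    query = normalize(name)
    hits = []
    for entry in SANCTIONS_LIST:
        best_name, best_score = max(
            ((n, SequenceMatcher(None, query, normalize(n)).ratio())
             for n in entry["names"]),
            key=lambda pair: pair[1],
        )
        if best_score >= threshold:
            hits.append((entry["id"], best_name, round(best_score, 3)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    # Constructed customer names: one exact, three variants, one unrelated.
    customers = [
        "Aleksandr Examplov",
        "Examplov, Alexandr",
        "Aleksánder Exemplov",
        "EXAMPLE ORBITA TRADING LLC",
        "Maria Sampleton",
    ]
    for customer in customers:
        print(customer, exact_screen(customer), fuzzy_screen(customer))
```

Fuzzy hits are candidates for analyst review, not confirmed matches; lowering the threshold catches more spelling variants at the cost of more false positives.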
Depending on the company’s business profile, regulated status and risk appetite, it may also consider the introduction of *mitigating measures for INDIRECT sanctions risks. Some examples of such measures are:
*Please note these are only illustrative examples and the list is not exhaustive.
Sanction checks should not constitute a one-off exercise done only at the time of the customer onboarding. Relevant sanctions checks should be repeated throughout the duration of the customer relationship to identify any changes to the customer profile that may change sanctions risk assessment. For regulated businesses, this is an integral part of meeting the obligations of ongoing monitoring of customers.
Moreover, sanctions lists are updated on an ongoing basis and therefore ongoing monitoring for sanction lists additions is required to ensure that if your customer is added to the sanction list, this new sanction risk is identified immediately.
Each obliged entity must abide by the reporting obligation regulations imposed by the regulatory body they fall under:
In the EU, economic operators are required to freeze funds and report any sanctions breach immediately after they become aware of the situation, to the competent authorities of the Member State where they are resident or located, and to transmit the information, directly or through the relevant Member States, to the Commission.
Financial entities who become aware of a legal person or entity being owned or controlled by a sanctioned person or entity must inform the competent authority of the relevant Member State and the Commission either directly or through the Member State.
Member States may apply additional reporting requirements under AML regulations.
Information on how to directly report sanctions violations to the Commission can be found here.
In the UK, reporting obligations fall on ‘relevant firms’ (i.e. mostly regulated firms) and individuals working for them.
Reporting must be done to OFSI ‘as soon as practicable’ when there is knowledge or reasonable cause to suspect that a person is designated or has committed an offense under the regulations.
More details on reporting obligations under UK law can be found by accessing this link.
In the US, any transactions that indicate a sanctions breach, or an attempt at one, must be blocked and placed into an interest-bearing account on the company’s books from which only OFAC-authorized debits may be made.
The blocking also must be reported to OFAC within 10 business days.
Independent jurisdictions may have different sanctions reporting obligations as stated in their local regulations.
Apart from sanctions-related reporting obligations, regulated businesses must consider other applicable reporting requirements for sanctions-related cases.
You identified an indirect de minimis (i.e. very small) sanction risk on your customer – a shareholder owning 2% of your customer entity is sanctioned. Through your risk analysis at the time of onboarding, you concluded that the shareholder has no control of the company and got comfortable with the risk. However, later ongoing monitoring reveals that the customer ownership structure got more complex and opaque. Based on the facts collected, you formulate a suspicion that the company is being used by the 2% shareholder to evade sanctions. This suspicion must be reported as a SAR to the relevant authority – even though you may not be in breach of sanctions, you need to report the suspicion of potential sanction evasion.
The 50 percent rule covers scenarios where an entity is owned in excess of 50%, directly or indirectly, by a person subject to an asset freeze: financial sanctions will apply to the entity as well, and it shall be considered blocked.
This rule is imposed by the US’ OFAC, the UK and EU.
Regulated entities in the crypto space (VASPs and traditional FIs with exposure to crypto) are required under AML laws to perform KYC verification and other forms of Due Diligence (DD) on their crypto users. As part of this verification process, sanctions checks apply as well, and the process remains the same as that employed by the fiat/traditional financial industry.
Although non-regulated entities would not have the same AML/CDD obligations, some sanctions programmes also apply to them (i.e. they impose obligations on any person within a given country, regulated or non-regulated). Moreover, the sanctions body with the biggest enforcement effectiveness (OFAC) applies a so-called ‘strict liability’. What that means in practice is that a person/entity obliged to comply with sanctions can be made liable for a sanction breach even if they had absolutely no knowledge of being in the breach.
On top of the above, there are reputational considerations. While sanction fines may be settled with money, the damaged reputation of your business may take years to rebuild.
Some sanctions-related obligations may pose more difficulties in the crypto industry. OFAC’s sanctions regulations require restricting access to virtual assets and blocking the assets when a client is discovered to be a designated person.
However, as one of the inherent characteristics of blockchain technology is the swiftness of transactions, with the impossibility of stopping them once initiated, crypto businesses may need to consider alternative sanction mitigating measures on top of the ‘traditional’ ones applied in fiat finance.
An example is automatic blocking of transactions in decentralised finance (DeFi) through an API call to a sanctions oracle (e.g. Coinfirm’s AML Oracle) embedded in a DeFi smart contract.
What are the differences between sanction obligations in fiat/traditional finance and crypto?
The short answer is none, bar some minor detail differences*. In the recent climate of unprecedented sanctions imposed on Russia and the threat of sanctions evasions using crypto, there has been a set of guidance papers and reminders issued by the regulators and sanction bodies emphasising that sanction programmes apply to crypto in the same way as they do to traditional finance.
Some examples of such statements:
*E.g. under OFAC programmes, changes from sanctions regulations in the fiat industry involve:
The nascent character of the crypto assets industry, the developing regulatory framework and some characteristics of crypto assets technology may lead to an increase in sanctions non-compliance.
In order to properly address and mitigate these risks, the first step is the awareness and understanding of their nature. Recently, with the increased focus on sanctions in crypto, there have been a few papers published pointing out what these vulnerable areas are:
The President of the United States, in the Executive Order issued March 9, 2022, on Ensuring Responsible Development of Digital Assets, recognised the benefits of adopting digital assets and modernising the public payment systems, and has also addressed certain risks that come with it, such as “digital assets [being] used as a tool to circumvent United States and foreign financial sanctions regimes and other tools and authorities”, especially in view of VASPs’ hardships in adopting parts of the imposed measures.
In this respect, the President adds that “the new and unique uses and functions that digital assets can facilitate may create additional economic and financial risks requiring an evolution to a regulatory approach that adequately addresses those risks.”
Regulators have not overlooked this aspect and have started to take a deep dive into how to better assist financial system players in the crypto sphere, to implement proper mitigating procedures while avoiding disruption of business.
Some root causes identified by OFAC for sanctions compliance violations, which VASPs need to be mindful of, are:
The full list, as part of the Framework for OFAC Compliance document, can be found here.
Other factors, in addition to OFAC’s findings, that aid the circumvention of sanctions are:
OFAC’s Sanctions Compliance Best Practices for the Virtual Currency Industry mentions that:
“All companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions that may have exposure to virtual currencies or their service providers, are encouraged to develop, implement, and routinely update, a tailored, risk-based sanctions compliance program. Such compliance programs generally should include sanctions list and geographic screening and other appropriate measures as determined by the company’s unique risk profile.”
In order to address sanctions risks, a VASP must first identify them. An effective sanctions compliance programme is the first step in the right direction as this entails:
Further, to mitigate risks, VASPs should implement internal controls based on:
Remedial measures for identifying weaknesses in internal controls and implementing new ones to prevent future violations can include, among others:
Due to the nature of transactions performed on blockchains, internal controls would require:
Examples of information from Know Your Customer (KYC) that may support sanctions controls:
Individuals: legal name, date of birth, nationality, ID, physical and email address, IP addresses associated with transactions and logins, banking information.
Legal Entities: line of business, trade and legal name, physical and email address, ownership information, jurisdictions where the entity does business, IP addresses associated with transactions and logins, banking information, any other relevant official documents.
Software can be used for: screening, conducting investigations, transaction monitoring, geolocation tracking and IP address blocking, among others.
VASPs are at liberty to develop their own in-house software, or make use of third-party ones.
Blockchain Transaction Monitoring and Investigation software can:
In 2018 OFAC began including on the SDN List certain known virtual currency addresses related to listed persons and entities.
Some blockchain analytics tools (e.g. Coinfirm’s) can identify unlisted addresses that appear to be controlled by the same person controlling a listed address, thus allowing for increased sanctions controls.
A non-exhaustive list of red flags for spotting suspicious activity potentially related to sanctions circumvention, as indicated by FinCEN, OFAC and the Financial Conduct Authority (FCA):
In addition, “red flags” indicative of money laundering or other illicit activity may also be indicative of potential sanctions evasion.
Links to non-exhaustive lists of red flags:
At the moment of publication of this content (March 2022), the only sanctions enforcement actions and sanctions designation in the crypto space have been taken by OFAC. Considering the current sanctions-focused climate, it is reasonable to expect that the number of crypto-related designations and enforcement actions will significantly increase.
As of March 2022, OFAC has so far:
The US Department of Treasury issued on September 21, 2021, an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.
It emphasizes the implications for financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response of facilitating ransomware payments to cyber actors on behalf of victims, such as encouraging future ransomware payment demands and violating OFAC regulations.
The potential sanctions risk associated with making and facilitating ransomware payments is that illicit gains stemming from ransomware may help individuals/entities with a sanctions nexus to profit and advance their illicit aims.
The message that this OFAC paper is sending to the crypto industry is: if you handle ransomware payments or proceeds, you may be in breach of sanctions, given that a number of ransomware parties are subject to sanctions. Considering OFAC’s strict liability, a sanctions breach occurs even if you are not aware of the breach.
Context: Violations of Multiple Sanctions Programmes Related to Digital Currency Transactions
Between 2015 and 2019, BitGo knowingly allowed users located in sanctioned jurisdictions to access its services, as it had visibility over the Internet Protocol (IP) address data associated with devices used to log in to the platform.
The users logged in from the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria.
BitGo failed to implement controls designed to prevent such users from accessing its services.
Resolution: OFAC determined that BitGo did not voluntarily self-disclose the Apparent Violations and that the Apparent Violations constitute a non-egregious case; the statutory maximum civil monetary penalty applicable in this matter is over $53 million.
Case source: Treasury Press Release
Context: SUEX OTC, S.R.O. (SUEX), a virtual currency exchange, facilitated financial transactions for ransomware actors for their own illicit gain.
The company facilitated transactions involving illicit proceeds from at least eight ransomware variants, totalling over 40% of its known transaction history, leading to its designation by OFAC.
Resolution: The company was designated on September 21, 2021, and all property and interests in property of the designated target that is subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.
Case source: Treasury Press Release
Context: designation of Chatex, a virtual currency exchange, and its associated support network, for facilitating financial transactions for ransomware actors.
Analysis of Chatex’s known transactions indicated that over half are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware.
Chatex has direct ties with SUEX OTC, S.R.O. (Suex), using Suex’s function as a ‘nested’ exchange to conduct transactions.
Resolution: Chatex was designated on November 8, 2021, for providing material support to Suex and the threat posed by criminal ransomware actors.
Case source: Treasury Press Release
Context: IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd provided material support and assistance to Chatex, a designated entity.
These three companies set up infrastructure for Chatex, enabling its operations.
Case source: Treasury Press Release
Regulators take non-compliance with sanctions stipulations extremely seriously.
Coinfirm was founded with the mission to make the blockchain economy a safer space and to prove the technology promises an improvement to the traditional financial system. And the open-source nature of blockchain means that it is generally easier – and cheaper – to ascertain illicit fund flows.
So don’t delay.