RegTrail Insights: OFAC Fines Digital Asset Platform $7.6 million for Sanctions Violations

What Is It About

The Office of Foreign Assets Control (OFAC) fined a digital asset trading platform for sanctions violations arising from allowing customers based in sanctioned jurisdictions to transact on its platform.

Why It's Important

For firms operating in the digital assets space, this enforcement action provides insights into OFAC's expectations for compliance programmes related to this asset class, referencing the OFAC Sanctions Compliance Framework.

Key Takeaways

Compliance programmes should be predicated on and incorporate at least five essential components of compliance – benchmarking your organization against these components is strongly recommended.

Introduction

OFAC fines Poloniex $7.6 million for sanctions violations – lessons in Sanctions Compliance Programs

OFAC announced a settlement with Poloniex, a digital assets trading platform, for sanctions violations arising from allowing customers apparently located in sanctioned jurisdictions to engage in online digital asset-related transactions consisting of trades, deposits, and withdrawals.

The enforcement decision provides insights into the violations and the mitigating factors that Poloniex provided to reduce the overall settlement amount. In addition, OFAC provides guidance for Sanctions Compliance Programs (SCP), specifically for the Virtual Currency industry as well as wider OFAC sanctions compliance programmes more generally.

Overall Sanctions Compliance Considerations – applicability to energy and commodity firms. OFAC reminds readers of the SCP resources it previously published, specifically noting its ‘Framework for OFAC Compliance Commitments’, which provides organizations with OFAC’s perspective on the essential components of a sanctions compliance programme.

Root Causes of OFAC Sanctions Compliance Programme Breakdowns or Deficiencies. OFAC provides a non-exhaustive list of general themes based on previous public enforcement actions where it identified deficiencies or weaknesses within an organisation's SCP as follows:

  • Lack of a Formal OFAC SCP;
  • Misinterpreting, or Failing to Understand the Applicability of, OFAC’s Regulations;
  • Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates);
  • Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries;
  • Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries;
  • Sanctions Screening Software or Filter Faults;
  • Improper Due Diligence on Customers/Clients (e.g., Ownership, Business Dealings, etc.);
  • De-Centralized Compliance Functions and Inconsistent Application of an SCP;
  • Utilizing Non-Standard Payment or Commercial Practices; and
  • Individual Liability.

For those firms who are operating in the Digital Assets space, we recommend reading the enforcement decision in its entirety for further insights into OFAC's expectations for compliance programmes related to Digital Assets.

As many energy and commodity firms operate under OFAC’s sanction regime, the OFAC Sanctions Compliance Framework is a helpful guide in understanding OFAC’s expectations of an effective Sanctions Compliance Programme (SCP).

We review the OFAC Sanctions Compliance Framework below and where appropriate, we recommend benchmarking with your existing sanctions compliance programme.

For those who are active in the digital assets space, we provide additional summary analysis of the enforcement decision below.

Compliance Considerations

OFAC’s ‘A Framework for OFAC Compliance Commitments’ which was published in May 2019 provides organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States or U.S. persons, or that use goods or services exported from the United States, with OFAC’s perspective on the essential components of a sanctions compliance programme.

The Framework also outlines how OFAC may incorporate these components into its evaluation of apparent violations and resolution of investigations resulting in settlements. The Framework includes an appendix that offers a brief analysis of some of the root causes of apparent violations of U.S. economic and trade sanctions programmes OFAC has identified during its investigative process.

OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance programme (SCP).

Each programme should be predicated on and incorporate at least five essential components of compliance:

  1. Management commitment;
  2. Risk assessment;
  3. Internal controls;
  4. Testing and auditing; and
  5. Training

[1] Management Commitment

OFAC notes that management commitment is a critical factor in determining the success of an SCP. Effective management support includes the provision of (i) adequate resources to the compliance unit(s) and (ii) support for compliance personnel’s authority within an organization.

Management Commitment Checklist. The following is a summary list of actions senior management should perform within an SCP.

  • Senior management has reviewed and approved the organization’s SCP.
  • Senior management ensures that its compliance unit(s) is/are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls the organization’s OFAC risk.
  • Senior management ensures the existence of direct reporting lines between the SCP function and senior management, including routine and periodic meetings between these two elements of the organization.
  • Senior management has taken, and will continue to take, steps to ensure that the organization’s compliance unit(s) receive adequate resources—including in the form of human capital, expertise, information technology, and other resources, as appropriate—that are relative to the organization’s breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
  • Senior management promotes a “culture of compliance” throughout the organization.
  • Senior management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC, or malfunctions, deficiencies, or failures by the organization and its personnel to comply with the SCP’s policies and procedures, and implements necessary measures to reduce the occurrence of apparent violations in the future.

[2] Risk Assessment

OFAC recommends that organizations take a risk-based approach when designing or updating an SCP. One of the central tenets of this approach is for organizations to conduct a routine, and if appropriate, ongoing “risk assessment” for the purposes of identifying potential OFAC issues they are likely to encounter. The results of a risk assessment are integral in informing the SCP’s policies, procedures, internal controls, and training in order to mitigate such risks.

The exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world. This process allows the organization to identify potential areas in which it may, directly or indirectly, engage with OFAC prohibited persons, parties, countries, or regions.

For example, an organization’s SCP may conduct an assessment of the following:

  1. Customers, supply chain, intermediaries, and counterparties;
  2. The products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and
  3. The geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties.

Conducting a Sanctions Risk Assessment checklist. The purpose of a risk assessment is to identify inherent risks in order to inform risk-based decisions and controls. Below is a list of risk assessment actions recommended by OFAC.

  • The organization conducts, or will conduct, an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for the potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization.
  • As appropriate, the risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business.
  • Existing information used within a risk assessment includes (i) On-boarding and (ii) Mergers and Acquisitions (M&A).
  • The organization has developed a methodology to identify, analyze, and address the particular risks it identifies.
  • The risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.

[3] Internal Controls

An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC.

Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective SCP should be capable of adjusting rapidly to changes published by OFAC. These include the following:

  1. Updates to OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (“SSI List”), and other sanctions-related lists;
  2. New, amended, or updated sanctions programmes or prohibitions imposed on targeted foreign countries, governments, regions, or persons, through the enactment of new legislation, the issuance of new Executive orders, regulations, or published OFAC guidance or other OFAC actions; and
  3. The issuance of general licenses.

Internal Controls Checklist. Effective OFAC compliance programmes generally include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that is prohibited by the sanctions programmes administered by OFAC. Below is a list of internal control actions recommended by OFAC.

  • The organization has designed and implemented written policies and procedures outlining the SCP. These policies and procedures are relevant to the organization, capture the organization’s day-to-day operations and procedures, are easy to follow, and are designed to prevent employees from engaging in misconduct.
  • The organization has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable the organization to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC.
  • To the extent information technology solutions factor into the organization’s internal controls, the organization has selected and calibrated the solutions in a manner that is appropriate to address the organization’s risk profile and compliance needs, and the organization routinely tests the solutions to ensure effectiveness.
  • The organization enforces the policies and procedures it implements as part of its OFAC compliance internal controls through internal and/or external audits.
  • The organization ensures that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programmes administered by OFAC.
  • The organization ensures that, upon learning of a weakness in its internal controls pertaining to OFAC compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
  • The organization has clearly communicated the SCP’s policies and procedures to all relevant staff, including personnel within the SCP programme, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing SCP responsibilities on behalf of the organization.
  • The organization has appointed personnel for integrating the SCP’s policies and procedures into the daily operations of the company or corporation.

[4] Testing and Auditing

Audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within an SCP ensures that an organization identifies programme weaknesses and deficiencies, and it is the organization’s responsibility to enhance its programme, including all programme-related software, systems, and other technology, to remediate any identified compliance gaps.

Testing and Auditing checklist. A comprehensive, independent, and objective testing or audit function within an SCP ensures that entities are aware of where and how their programmes are performing and should be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment, as appropriate. Below is a list of testing and auditing actions recommended by OFAC.

  • The organization commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, resources, and authority within the organization.
  • The organization commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its SCP and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls.
  • The organization ensures that, upon learning of a confirmed negative testing result or audit finding pertaining to its SCP, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

[5] Training

An effective training programme is an integral component of a successful SCP. The training programme should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following:

  1. Provide job-specific knowledge based on need;
  2. Communicate the sanctions compliance responsibilities for each employee; and
  3. Hold employees accountable for sanctions compliance training through assessments.

Training checklist. An adequate training programme, tailored to an entity’s risk profile and all appropriate employees and stakeholders, is critical to the success of an SCP. Below is a list of training actions recommended by OFAC.

  • The organization commits to ensuring that its OFAC-related training programme provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support the organization’s OFAC compliance efforts.
  • The organization commits to provide OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
  • The organization commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile.
  • The organization commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, it will take immediate and effective action to provide training to or other corrective action with respect to relevant personnel.
  • The organization’s training programme includes easily accessible resources and materials that are available to all applicable personnel.

Analysis of Enforcement Decision – Virtual Currency Platform sanction violations.

Aggravating factors leading to the fine. OFAC determined the following to be aggravating factors against Poloniex:

  1. Poloniex failed to exercise due caution or care for its sanctions compliance obligations when it operated with no sanctions compliance programme for more than a year (January 2014 to May 2015) after beginning to offer digital asset services worldwide.
  2. Even when it implemented a sanctions compliance programme, Poloniex did not apply it consistently across sanctioned jurisdictions nor to pre-existing accounts; and
  3. Poloniex had reason to know that the users involved in the apparent violations were located in sanctioned jurisdictions based on those users’ physical address data and IP address data.

Mitigating factors reducing overall fine. OFAC acknowledged mitigating factors which supported a lower overall fine.

Specifically, Poloniex was acquired by Circle, another digital asset platform. Circle implemented its own compliance measures for the Poloniex Trading Platform, which further improved Poloniex’s sanctions compliance programme. Those measures, in addition to other subsequent remedial measures, included:

  • Freezing users’ accounts until KYC verification was completed;
  • Implementing an automated review and verification tool for identity documents;
  • Implementing a protocol that prevented users from activating an account if the profile information matched a sanctioned country;
  • Implementing geolocation restrictions with respect to Syria, Iran, Cuba, Sudan, and North Korea;
  • Closing any accounts that listed “Crimea” in the profile information, and identification and blocking of IP ranges associated with certain internet service providers operating in Crimea;
  • Creating a “Crimea IP blacklist” and “Crimean city/region keywords list” against which all account information was screened; and
  • Enhancing its training programme and hiring additional experienced compliance personnel.

Sanctions Compliance Considerations – Virtual Currency Industry. OFAC notes that the fine is a reminder of the responsibilities bestowed on online digital asset companies – like all financial service providers – to ensure that they do not engage in transactions prohibited by OFAC sanctions, such as providing services to persons in comprehensively sanctioned jurisdictions. To mitigate such risks, online digital asset companies should develop a tailored, risk-based sanctions compliance programme.

OFAC’s Sanctions Compliance for the Virtual Currency Industry explains that it strongly encourages a risk-based approach to sanctions compliance predicated on and incorporating five essential components of compliance:

  1. Evaluating sanctions-related risks in their lines of business;
  2. Building a risk-based sanctions compliance programme;
  3. Protecting their business from sanctions violations and intentional misuse of virtual currencies by malicious actors; and
  4. Understanding OFAC’s recordkeeping, reporting, licensing, and enforcement processes.

 
