4D Talks Crypto Compliance: Tornado Cash in the Post-Sanctions Era
Zonff Partners
Guest columnist
2022-10-18 11:00
Four perspectives on the compliance issues of the current encryption market.

Original Title: "Crypto Compliance: Tornado Cash in the Post-Sanctions Era|ZONFF Research"

Author: Sullivan, Investment Director, Zonff Partners

On August 8, 2022, the U.S. Department of the Treasury added Tornado Cash addresses on Ethereum to the Specially Designated Nationals (SDN) list maintained by the Office of Foreign Assets Control (OFAC). A few days later, Alexey Pertsev, a developer of Tornado Cash, was arrested and imprisoned in the Netherlands. This was the first time in history that an on-chain smart contract was directly sanctioned by OFAC, and the decision was widely discussed. In the wake of the incident, many crypto companies, especially DeFi companies and their employees, began to worry about their own safety and the compliance of their business.

This article briefly discusses the compliance issues facing the current crypto market from four perspectives: the crypto regulatory framework, the Tornado Cash sanctions incident, OFAC itself, and compliance guidance and practice for crypto enterprises.

Crypto Regulatory Framework

1.1 Overview of crypto regulation in various countries

USA

Singapore

Crypto exchanges and trading are legal in Singapore, a country that has taken a friendlier stance on the issue than some of its regional neighbors. Although cryptocurrencies are not considered legal tender, the Singaporean tax authorities treat Bitcoin as a “commodity” and therefore impose Goods and Services Tax (Singapore’s version of Value Added Tax). In 2017, the Monetary Authority of Singapore (MAS) clarified that while it was not in its position to regulate cryptocurrencies, it would regulate the issuance of tokens if those tokens were classified as “securities.”

China

The People's Bank of China (PBOC) banned financial institutions from handling bitcoin transactions in 2013 and further banned ICOs and domestic cryptocurrency exchanges in 2017. To justify the ban, the PBOC defined ICO financing (through illegal sales and circulation of tokens) as unapproved public financing, which is illegal under Chinese law.

European Union

Cryptocurrencies are widely considered legal across the European Union, but regulations for cryptocurrency transactions vary from member state to member state. Cryptocurrency taxes vary from country to country, with many member states levying a capital gains tax of 0-50% on profits derived from cryptocurrencies. In 2015, the Court of Justice of the European Union ruled that exchanges of traditional currencies for cryptocurrencies should be exempt from VAT.

In January 2020, the European Union's Fifth Anti-Money Laundering Directive (5AMLD) incorporated cryptocurrency-fiat currency exchanges into EU anti-money laundering legislation, requiring exchanges to perform KYC/CDD on customers and meet standard reporting requirements. In December 2020, 6AMLD came into force: the directive makes cryptocurrency compliance more stringent by adding cybercrime to the list of predicate offenses for money laundering.

Cryptocurrency exchanges are currently not regulated at the regional level. In some member states, exchanges must register with their respective regulators, such as the German Federal Financial Supervisory Authority (BaFin), the French Financial Markets Authority (AMF), or the Italian Ministry of Finance. Authorizations and licenses granted by these regulators are mutually recognized, allowing exchanges to operate under the EU-wide regime.

Latin America

In Latin America, countries have different regulatory attitudes towards cryptocurrencies. Countries with stricter regulations include Bolivia, which has a blanket ban on cryptocurrencies and exchanges, and Ecuador, which has banned all cryptocurrencies except the government-issued SDE token. In contrast, in Mexico, Argentina, Brazil, Venezuela, and Chile, retail stores and merchants generally accept cryptocurrencies as a form of payment.

Cryptocurrencies are generally considered assets in Latin America for tax purposes. They are generally subject to capital gains tax throughout the region, while transactions in Brazil, Argentina and Chile are also subject to income tax in some cases.

In September 2021, El Salvador became the first country in Latin America to adopt bitcoin as legal tender, launching a government digital wallet app and allowing consumers to use the cryptocurrency (as well as pay in U.S. dollars) for all transactions. The government of El Salvador has since announced plans to build a "bitcoin city," despite the move sparking domestic and international criticism.

1.2 The Troika of U.S. Crypto Regulation

Regulatory policies differ across countries and regions, and each country's regulators have geographically limited jurisdiction. Because U.S. regulators' jurisdiction reaches the widest range of crypto users worldwide, their enforcement has far greater influence on crypto companies and individuals than that of other countries. U.S. crypto regulatory policy therefore deserves particular attention from crypto companies and practitioners everywhere.

In the United States, cryptocurrencies have been a focus of both federal and state governments. At the federal level, most of the attention has come from administrative agencies, including the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the U.S. Department of the Treasury. The three can be described as the troika of U.S. crypto regulation.

Within this "troika", the SEC and CFTC mainly determine the attributes of an asset (is it a commodity or a security?) and supervise the tokens they consider to be securities or commodities accordingly. The Treasury's remit is more diverse: the IRS mainly examines whether crypto transactions are taxable, FinCEN mainly focuses on money laundering and terrorist financing in the United States, and OFAC is mainly responsible for implementing financial sanctions against blacklisted overseas institutions or individuals. All three need to track on-chain transaction data over long periods, analyze it, and enforce precisely on that basis.

1.2.1 US Securities and Exchange Commission (SEC)

The SEC usually has regulatory power over the issuance or resale of any tokens or other digital assets that constitute securities, and it mainly regulates ICOs and the attributes of tokens. In 2021, SEC Chairman Gary Gensler stated in a speech that the SEC is studying various areas of crypto. At present, there are at least seven topics the SEC is paying close attention to: custody, stablecoins, trading platforms, lending platforms, ICOs, decentralized finance (DeFi), and ETFs (not limited to Bitcoin).

Under U.S. securities law, if a digital asset is determined to be a security, the issuer must register the security with the SEC or satisfy an exemption from the registration requirements. On the whole, the SEC is the most active of the various agencies, and it is also the one with the most existing enforcement cases. The core of its supervision is the keyword "securities". Whether a blockchain token is a security, and therefore subject to SEC supervision, still has to be judged case by case according to the principle of substance over form. Judging from the current situation, however, most assets other than BTC and ETH will hardly escape the definition of a security, and newly issued assets in particular will face the SEC's full-process, all-round regulatory requirements.

1.2.2 Commodity Futures Trading Commission (CFTC)

The U.S. Commodity Futures Trading Commission is one of the financial regulatory agencies in the United States. The CFTC is an independent agency of the U.S. government responsible for regulating the markets for commodity futures, options, and financial futures and options. In short, if a digital asset has not yet been defined as a security, the trading of its derivatives is mainly regulated by the CFTC. This is also the area where the CFTC and the SEC currently, and for the foreseeable future, have the most debate over regulatory authority, and it will to some extent determine which of them dominates subsequent supervision.

1.2.3 US Department of the Treasury

a. Internal Revenue Service (IRS)

In March 2014, the IRS announced that Bitcoin and other cryptocurrencies would be taxed as "property" rather than as currency.

For individuals filing federal income tax returns, gains or losses from the sale of cryptocurrencies held as "capital assets" (i.e., for investment purposes) should be reported on (i) Schedule D of IRS Form 1040 and (ii) IRS Form 8949 (Sales and Other Dispositions of Capital Assets). Any realized gains on cryptocurrency held by an individual as a capital asset for more than one year are subject to capital gains tax; any realized gains on cryptocurrency held as a capital asset for one year or less are subject to ordinary income tax.

b. Financial Crimes Enforcement Network (FinCEN)

The Financial Crimes Enforcement Network (FinCEN) is a government agency of the U.S. Department of the Treasury that operates both domestically and internationally, working with three main constituencies: law enforcement, regulators, and the financial services industry.

Key points of concern include:

(1) Prevent and punish money laundering and related financial crimes;

(2) track suspicious persons and activities by studying mandatory disclosure information of financial institutions;

On the whole, FinCEN is currently mainly involved in the field of exchanges. Anyone opening an exchange business in the United States, or a similar crypto treasury business, needs to pay close attention to this agency's regulatory guidelines. The anti-money laundering provisions of the "Bank Secrecy Act" ("BSA") are the most important part, especially where cross-border transfers of funds are concerned, including exchanges between stablecoins, between different cryptocurrencies, and between stablecoins and fiat currencies. In addition, because of their permissionless, decentralized nature, DeFi products that focus on exchanging assets, lending, and creating synthetic assets will also become a top priority of supervision in the foreseeable future.

c. Office of Foreign Assets Control (OFAC)

OFAC, the Office of Foreign Assets Control of the U.S. Department of the Treasury, has the mission of administering and enforcing all economic and trade sanctions based on U.S. national security and foreign policy, including financial sanctions against terrorism, transnational drug and narcotics trafficking, and the proliferation of weapons of mass destruction. OFAC is authorized by special legislation to control and freeze all foreign assets in the United States. It is also responsible for cooperating closely with the United States' European allies on foreign economic and trade sanctions. Its main jurisdiction lies in transnational crime and terrorism, and it is the protagonist of the Tornado Cash sanctions incident.

OFAC pays attention to illegal financial activities that affect the national security of the United States, and all protocols, networks, and applications that can potentially be used by criminals in these criminal fields will receive its long-term attention. OFAC's Sanctions List SDN (U.S. Specially Designated Nationals List) is a very strong regulatory tool, and the consequences of being sanctioned are very serious. For many DeFi products, the regulatory guidance issued by OFAC should be the first compliance document that needs to be studied and followed.

US Issues First Sanctions Against Smart Contracts - Tornado Cash

On August 8, 2022, the official website of OFAC of the U.S. Department of the Treasury showed that Ethereum addresses belonging to or related to the Tornado Cash protocol had been placed on the SDN List for sanctions. With this action, the smart contracts themselves were directly sanctioned by OFAC.


Image credit: US DEPARTMENT OF THE TREASURY

2.1 The reason why Tornado Cash was sanctioned by OFAC

According to the reasons for the sanctions disclosed on the official website of the U.S. Department of the Treasury, Tornado Cash has been used to launder more than $7 billion worth of cryptocurrencies since its creation in 2019. These include the theft of more than $455 million by the Lazarus Group, a state-backed hacking group in the Democratic People’s Republic of Korea (DPRK), which was sanctioned by the United States in 2019, the largest known cryptocurrency heist to date. Tornado Cash was subsequently used to launder over $96 million in malicious cyber actor funds from the Harmony Bridge Heist on June 24, 2022, and at least $7.8 million from the Nomad Heist on August 2, 2022.

OFAC stated in the disclosure on its official website that Tornado Cash (Tornado) is a cryptocurrency mixer running on the Ethereum blockchain that indiscriminately facilitates anonymous transactions by obfuscating their origin, destination, and counterparties, without requiring identification of the source of funds. Tornado takes various transactions and mixes them together before transmitting them to their respective recipients. While the purported purpose is to increase privacy, mixers like Tornado are often used by illicit actors to launder money, especially funds stolen in major heists. Tornado was sanctioned by OFAC for allegedly providing substantial assistance to illicit cyber activities that could pose a significant threat to the national security, economic health, or financial stability of the United States.

2.2 Impact on Tornado Cash

So far, Tornado has been affected mainly in two parts:

  • Some Ethereum and USDC addresses and USDC assets that interact with Tornado Cash are included in SDN

  • Tornado Cash's Github code base and front-end official website have restricted access

Under OFAC sanctions, the property of a subject on the SDN list that is located in the United States is frozen, and no U.S. person (including U.S. citizens, U.S. green card holders, institutions or legal persons registered and established under U.S. law, and people located in the U.S.) is allowed to transact with them. This also means that the SDN subject will not be able to clear or trade in U.S. dollars. In other words, "U.S. persons" are forbidden from having any dealings with them; otherwise, in addition to fines, they may even be held criminally liable.

For the Ethereum and USDC addresses included in the SDN, according to the OFAC sanctions, the USDC issuer Circle officially blacklisted the Ethereum addresses on the U.S. Treasury Department’s sanctions list after the sanctions were issued. Uniswap blocked 253 crypto addresses related to stolen funds or sanctions, and lending protocol Aave similarly blocked numerous addresses that had interacted with Tornado Cash for transfers. (The sanctioned address SDN List Cyber-related Designation disclosed on the official website of the U.S. Department of the Treasury: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20220808)

As for Tornado itself, this sanction has resulted in restricted access to Tornado Cash: users are unable to log on to the Tornado Cash official website, and third-party node operators like Infura and Alchemy have also stopped supporting Tornado Cash related services. In addition, users of MetaMask, the most widely used Ethereum wallet, are now prevented from interacting with Tornado Cash (because MetaMask relies on Infura to interact with Ethereum; a user who still wanted to reach Tornado Cash would have to manually change MetaMask's node configuration away from Infura). This severely limits the number of Tornado Cash users.

The sanctions against Tornado Cash have affected a large number of users' access to the protocol, collaborative development of code, and some protocol functions, such as the Distributed Relayer Network. It will make it more difficult for ordinary users to participate in these activities. However, since Tornado Cash is a decentralized application deployed on Ethereum (a blockchain that cannot be tampered with), the application itself will continue to run unaffected on the network, with little or no way to stop it.

2.3 The Procedural Compliance Controversy of the Tornado Cash Sanction itself

Because of the decentralized nature of Tornado Cash, the sanctioned cryptocurrency wallets listed by OFAC do not point to any entity, legal person, or natural person behind them that can be sanctioned: the "wallets" are Ethereum smart contracts, they are not controlled by people, and coins are mixed automatically according to the code. There is no evidence that the natural or legal person who deployed Tornado Cash still controls the program. In Tornado Cash's design, users who mix coins can come from anywhere, and there is no central review team or mechanism to identify these customers; this is not necessarily a deliberate evasion, but simply the system and algorithm matching and processing automatically in a decentralized way. In this situation, some lawyers question whether OFAC can place an autonomous protocol on the SDN list at all, and whether doing so is unconstitutional.

If the sanctioned Tornado Cash were an entity and it believed OFAC's sanctions were unfair, it could defend itself through legal means and file a lawsuit in federal court. Since only entities can file lawsuits, and only entities can petition to be removed from the SDN list, is it unfair to sanction something that has no center? At the same time, sanctioning the relevant wallets cannot change the automatic behavior of the algorithm, so does the sanction defeat OFAC's original purpose, which is to prompt an organization or individual to change its behavior?

Coin Center, a cryptocurrency think tank, argues that OFAC's sanction of Tornado Cash exceeds the agency's authority: the sanction is not imposed on an "entity" and cannot effectively change behavior; it falls outside the scope of the blocking of "property" provided for by IEEPA (the "International Emergency Economic Powers Act"); and it does not satisfy the procedural due process requirements of the U.S. Constitution. On this view, OFAC's action is beyond its own administrative power.

After the Dutch government detained Tornado Cash developer Alexey Pertsev, a rally of more than 50 people marched in Amsterdam on August 20 to protest the detention and demand his release. At present, lawyers who have doubts about OFAC's sanctions are organizing to contact OFAC and trying to advance protests and lawsuits at the legal level.

Office of Foreign Assets Control (OFAC) Overview

3.1 Origin of OFAC

The Office of Foreign Assets Control (OFAC) was established in 1950 as an agency under the U.S. Department of the Treasury. It mainly imposes economic or trade sanctions on foreign persons and organizations that act against U.S. interests. It wields great power despite a relatively low public profile; its sanctions are highly effective, and being placed on an OFAC list often has a profound impact on the sanctioned target.

The creation of OFAC originated from a bill passed by Congress in 1977, the "International Emergency Economic Powers Act" (IEEPA). IEEPA gives the President (the executive branch) the power to declare a national emergency and thereby prevent persons and organizations under U.S. jurisdiction from engaging in any activities involving foreign powers that harm U.S. interests. IEEPA gives OFAC the power to block property, and "property" is at its core. After 9/11, in order to better combat terrorist organizations financially, then President Bush pushed Congress to pass another bill, the "USA PATRIOT Act", which essentially expanded the executive powers established by IEEPA and greatly enlarged OFAC's power. The act allows OFAC to block property during the "pendency of an investigation" without having to offer an explanation or provide corroborating evidence.

OFAC's mission is to administer and enforce all economic and trade sanctions based on U.S. national security and foreign policy, including financial sanctions against terrorism, transnational drug and narcotics trafficking, and the proliferation of weapons of mass destruction. OFAC remains the most important U.S. government department for economic and trade sanctions against specific countries, regions, and individuals. In recent years, with the deepening of the worldwide anti-corruption and anti-money laundering campaign, OFAC's policies and directives have become operating principles that cannot be ignored by the world's financial industry, especially by U.S. financial institutions and those closely tied to the U.S. financial industry.

3.2 OFAC Main Penalty Types

Before OFAC began to wave the big stick of sanctions at the cryptocurrency and blockchain industries, OFAC's traditional sanctions generally targeted individuals and organizations tied to sovereign states that ideologically challenged the United States. In October 2021, OFAC issued a compliance guide for cryptocurrencies (Sanctions Compliance Guidance for the Virtual Currency Industry), which reiterated OFAC's sanctions types, which fall into four categories:

i) Extensive commercial sanctions and blockades, currently mainly targeting Iran, North Korea, Cuba, Syria, and Crimea;

ii) sanctions against a government or regime;

iii) List system (currently, many sanctions in the cryptocurrency industry use the list system, including this Tornado Cash sanctions);

iv) Industry-based sanctions, targeting a specific industry in certain foreign countries.

3.3 Main Reasons for Penalties by OFAC

According to the "A Framework for OFAC Compliance Commitments" issued by the U.S. Department of the Treasury, there are five reasons why encryption companies should pay attention to the penalties imposed by OFAC:

A. Lack of a formal OFAC Sanctions Compliance Program (SCP)

OFAC does not require companies to have a formal Sanctions Compliance Program (SCP), but it encourages organizations subject to U.S. jurisdiction, especially those engaged in international trade or that have any customers or counterparties located outside the United States, to adopt a formal SCP. As can be seen from the numerous civil fines OFAC has already finalized, the absence of an SCP is one of the leading causes of the sanctions violations identified during OFAC's investigations. In addition, OFAC often treats this factor as an aggravating factor when making enforcement determinations.

B. Transactions with Sanctioned Non-U.S. Persons (Including Through Foreign Subsidiaries or Affiliates)

Organizations subject to U.S. jurisdiction, particularly those with foreign operations and subsidiaries outside the U.S., have violated OFAC regulations by shifting business opportunities to foreign subsidiaries that then conduct transactions or activities with countries, territories, or persons subject to OFAC sanctions.

C. Sanctions Screening Software Not Updated or Filter Faulty

Many organizations screen their customers, supply chains, intermediaries, counterparties, business and financial documents, and transactions to identify and avoid transactions with territories and parties sanctioned by OFAC. Occasionally, organizations fail to update their sanctions screening software to incorporate updated sanctions-listed entities into their organization's internal SDN list or SSI list.

D. Improper due diligence on customers

One of the fundamental components of an effective OFAC risk assessment and SCP is conducting due diligence on an organization's customers, supply chain, intermediaries, and counterparties. Various OFAC enforcement actions have arisen from organizations' inadequate or incomplete due diligence on their customers, including their controlling entities, geographic locations, related parties, and the transactions themselves, as well as from their lack of knowledge and awareness of OFAC sanctions.

E. Personal responsibility

In some cases, individual employees, particularly those in supervisory, managerial, or executive-level positions, have been the primary contributors to violations of regulations administered by OFAC. Specifically, in some of these cases, employees of foreign entities also worked to conceal their activities from others within the corporate organization, including compliance officers, as well as from regulators or law enforcement. In such cases, OFAC will consider using its enforcement powers to target not only the violating entity but also the individuals.

3.4 Impact of OFAC Penalties

Failure to comply with OFAC sanctions requirements could result in significant damage to the integrity and effectiveness of the U.S. sanctions program and its related policy objectives. As a result, civil and criminal penalties for violations can be severe and vary by sanctions program.

Compliance Strategies for Crypto Enterprises

Since the birth of BTC, crime in the Crypto industry has been concentrated in the financial field, especially DeFi, which has developed rapidly in recent years. Compared with other types of crime, crimes in the economic and financial fields often involve a wide range of people and huge sums of money (for example, the amounts involved in the Tornado Cash sanctions run to hundreds of millions), so they are also the main regulatory focus of agencies in various countries.

Compared with DeFi, the market demand for Crypto compliance in other fields is relatively small, or relatively mature standardized processes already exist. Take IP infringement of blue-chip NFTs such as BAYC or Clonex: even if the infringer uses the IP image for a profit-making business without permission, the IP holder, after spending time and money, usually only gets the other party to remove the image, and high compensation is difficult to obtain. Because of the decentralized and global nature of NFTs, cross-border enforcement is also difficult. In practice, another area with real market demand for regulatory compliance is exchange licensing; this field already has a relatively mature standardized process, and there are many intermediaries in the market that serve it, so it is not discussed further here. This article therefore focuses on the DeFi field and discusses compliance strategies from the project side's perspective, in combination with regulatory penalties seen in practice.

4.1 First of all, DeFi projects can be divided into two levels in terms of compliance: (1) smart contracts themselves; (2) project companies that provide various front-end services.

The composition of a DeFi project, in addition to the smart contracts that are decentralized and automatically run, also requires some human support to facilitate users. For example, Uniswap not only realizes the attributes and functions of decentralized exchanges through smart contracts, but also requires Uniswap Labs to hire staff to run front-end websites or use Twitter for marketing. For Uniswap Labs, the compliance requirements it faces are also closer to an ordinary company.

A. The smart contract itself


Image credit: TRM Labs

B. Project companies that provide various front-end services

As a company that provides front-end services behind smart contracts, it will be more directly affected by sanctions. For example, after Tornado Cash was sanctioned, its own front-end website could not connect to the Metamask wallet for normal use, its Twitter account was also suspended from updating, and its Github code base was also restricted.

For the project company, as a legal entity that provides DeFi-related financial services, it should complete relevant requirements in accordance with local laws and regulations, such as application and registration for operating licenses or compliance requirements for Internet information services.

4.2 Internal compliance settings - Sanctions Compliance Program (SCP)

Regarding the understanding of the aforementioned two levels of DeFi compliance, as a project party, it is still possible to meet the regulatory compliance requirements through the internal arrangements of the project company. According to the "Sanctions Compliance Guidance for the Virtual Currency Industry" issued by OFAC of the U.S. Department of the Treasury in October 2021, DeFi project parties can arrange the following five parts in terms of internal compliance:

A. Management Commitment

Senior management's rigorous adherence to the company's sanctions compliance program is one of the most important factors in determining the program's success, and senior management support is critical to ensuring that sanctions compliance efforts are adequately resourced and fully integrated into the company's day-to-day operations. An appropriate tone from the top can also help legitimize the program, empower the company's sanctions compliance personnel, and foster a culture of compliance across the company.

The importance of management's strict adherence to a company's risk-based sanctions compliance program is as important in the cryptocurrency industry as it is in any other industry. In many cases, OFAC observed that members of the cryptocurrency industry did not begin to comply with OFAC sanctions policies and procedures until months or even years after they had begun operations. Delays in the development and implementation of sanctions compliance programs could expose cryptocurrency firms to various potential sanctions risks.

From a practical point of view, the senior management of the project party can consider the following steps to demonstrate their support for sanctions compliance:

  • Review and approve sanctions compliance policies and procedures

  • Ensure adequate resources (including human capital, expertise, information technology and other resources) to support the compliance function

  • Grant sufficient autonomy and power to the compliance department

  • Appoint at least one dedicated Sanctions Compliance Officer with the requisite technical expertise and knowledge of OFAC's regulations, processes, and operations, who understands complex financial and commercial activities, applies that understanding of OFAC within these programs, and is able to identify issues, risks, and prohibited activities related to OFAC

B. Risk Assessment

Sanctions risks, if ignored or mishandled, could result in violations of OFAC regulations and subsequent enforcement actions, harm U.S. foreign policy and national security interests, and negatively impact a company's reputation and business. OFAC recommends that companies in the cryptocurrency industry with sanctions compliance programs conduct routine and, where appropriate, ongoing risk assessments to avoid sanctions issues that the company may encounter.

While there is no "one size fits all" risk assessment, it should generally include a comprehensive review of the company to assess its potential exposure to OFAC-sanctioned individuals, countries, or regions. Through regular risk assessments, project parties can adjust internal compliance screening criteria in real time to meet the latest regulatory requirements.

Case: Diagnosing a relationship at risk

In 2021, OFAC entered into a settlement agreement with a U.S. cryptocurrency payment service provider for processing virtual currency transactions between the firm's customers and individuals located in sanctioned jurisdictions. While the company's sanctions compliance controls included screening its direct customers (B2B merchants in the U.S. and elsewhere) for potential sanctions ties, it failed to screen the sanctions information of the individuals who used its payment processing platform to buy from those merchants. Specifically, before a transaction is made, the company receives some buyer information, such as name, address, phone number, email address, and sometimes Internet Protocol (IP) address, which it could have screened. A comprehensive risk assessment, including understanding who is accessing a company's platform or service, can help a project determine the appropriate screening criteria for each of its products and services.

C. Internal Controls

An effective sanctions compliance program will include policies and procedures designed to address the risks identified in the company's risk assessment. These may include identifying, blocking, escalating, reporting (if applicable), and maintaining records of transactions or activities prohibited by sanctions imposed by OFAC. An effective sanctions compliance program will enable companies to conduct adequate due diligence on customers, business partners and transactions, and to identify “red flags”. Red flags indicate that illegal activity or compliance hurdles may be taking place, prompting companies to investigate and take appropriate action. Companies should implement policies and procedures and identify weaknesses (including through root cause analysis of any violations) and remediate them to prevent activities that may violate sanctions.

In the Crypto industry, the implementation of internal controls by a company will depend on the products and services offered by the company, the location of the company's operations, the location of users, and the specific sanctions risks identified by the company during the risk assessment process. While OFAC does not require the cryptocurrency industry to use any specific in-house or third-party software, these can be useful tools for an effective sanctions compliance program.

Case: double scrutiny

One sanctions risk faced by members of the cryptocurrency industry arises from the use of their products and services by users located in sanctioned jurisdictions. In 2020, a U.S. company that provides digital asset custody, trading, and financing services internationally entered into a settlement agreement with OFAC for processing cryptocurrency transactions for individuals located in sanctioned jurisdictions. Although the company tracked the IP addresses of its users when they logged in for security purposes, it did not use the IP address information it collected to screen for and prevent potential sanctions violations. As a result, while the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria were sanctioned jurisdictions at the time, the company failed to prohibit individuals from those regions from using its non-custodial secure digital wallet management service. Internal controls that screen the data already available and block activity involving IP addresses in sanctioned jurisdictions could have prevented these violations.

OFAC recommends that program companies employ the following options to strengthen internal controls as part of an effective sanctions compliance program:

a) Know Your Customer (KYC) Procedures

Know Your Customer (KYC) Procedures - Obtain information about clients early in the engagement and throughout the life of the client relationship and conduct adequate due diligence on this information to mitigate potential sanctions-related risks. This information can be used in the sanctions screening process to prevent non-compliance. For example, information gathering may include the following elements during the initial stages of engagement, periodic review and processing of customer transactions:

Individuals: legal name, date of birth, physical and email address, nationality, IP address in connection with transactions and logins, banking information, and government identification and residency documents.

Entities: Entity name (including business and legal name), line of business, ownership information, physical and email addresses, location information, IP addresses in connection with transactions and logins, information about how the entity conducts business, banking information and any relevant government document.

High-risk clients may require additional due diligence. For example, this could include examining customer transaction history for links to sanctioned jurisdictions or transactions to cryptocurrency addresses that have been associated with sanctioned actors. In addition, information collected under existing anti-money laundering (AML) obligations, where applicable, may also assist in assessing and mitigating sanctions risk.

b) Sanctions Screening

Sanctions screening is probably the most important component of Crypto's internal controls and may include geographic location, customer identification, transaction screening, and more. Crypto companies should consider implementing the following in their sanctions compliance program:

  • Screen customer information against sanctions lists administered by OFAC, including SDN lists

  • Screen transactions to identify addresses associated with sanctioned persons or jurisdictions, including physical, digital wallet and IP addresses, and other relevant information

  • Utilize the fuzzy logic capabilities of the screening tool to catch common name variants and misspellings, such as: misspellings or alternative spellings associated with sanctioned jurisdictions (e.g., “Yalta, Krimea”) for individuals on the OFAC Sanctions List; and changes in capitalization, spacing, or punctuation of names (for example, "Krayinvestbank" may appear on the SDN list, but "Krajinvestbank" or "Kray Invest Bank" may appear in the crypto company's transaction information)

  • Ongoing sanctions screening and risk-based re-screening to retrieve changed client information, updated OFAC sanctions lists, or changes in regulatory requirements
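The screening steps above (name normalization, fuzzy matching of name variants, a keyword list of sanctioned-jurisdiction place names, and wallet-address matching) as an added, self-contained Python example; it is not code from the article or from OFAC, the list entries are constructed samples rather than real SDN data, and the similarity threshold is an assumed tuning value:

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample list in the shape of SDN data (NOT the real OFAC list):
# names plus the digital currency addresses the guidance describes.
SAMPLE_SDN_NAMES = ["Krayinvestbank", "Example Sanctioned Trading LLC"]
SAMPLE_SDN_ADDRESSES = {"0x1111111111111111111111111111111111111111"}  # placeholder
# Constructed keyword list of sanctioned-jurisdiction place names, including
# the alternative spelling the text cites ("Krimea").
JURISDICTION_KEYWORDS = ["crimea", "krimea", "yalta", "sevastopol"]

def normalize(name):
    """Fold case, strip accents and drop spacing/punctuation so that
    'Kray Invest Bank', 'KRAY-INVEST-BANK' and 'Krayinvestbank' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())

def fuzzy_name_hits(candidate, threshold=0.85):
    """Return (listed_name, similarity) for each SDN entry whose normalized form is
    close to the candidate; catches transliteration variants like 'Krajinvestbank'."""
    norm = normalize(candidate)
    hits = []
    for listed in SAMPLE_SDN_NAMES:
        score = SequenceMatcher(None, norm, normalize(listed)).ratio()
        if score >= threshold:  # assumed threshold; tune against your own false-positive rate
            hits.append((listed, round(score, 3)))
    return hits

def jurisdiction_keyword_hits(free_text):
    """Keyword screen of free-text KYC address fields against sanctioned places."""
    norm = normalize(free_text)
    return [kw for kw in JURISDICTION_KEYWORDS if kw in norm]

def screen_customer(record):
    """Screen one KYC record; returns the reasons to hold it for review (empty = clear)."""
    reasons = []
    for listed, score in fuzzy_name_hits(record.get("name", "")):
        reasons.append(f"name matches SDN entry '{listed}' (similarity {score})")
    for kw in jurisdiction_keyword_hits(record.get("address", "")):
        reasons.append(f"address mentions sanctioned-jurisdiction keyword '{kw}'")
    if record.get("wallet", "").lower() in SAMPLE_SDN_ADDRESSES:
        reasons.append("wallet address is listed on SDN (ID# field)")
    return reasons

if __name__ == "__main__":
    print(screen_customer({"name": "Kray Invest Bank", "address": "12 Lenin St, Yalta, Krimea",
                           "wallet": "0x1111111111111111111111111111111111111111"}))
```

Re-running `screen_customer` over the whole customer base whenever the list changes is the "risk-based re-screening" step; a hit is a hold for human review, not an automatic block.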

c) Identify risk indicators or red flags

Risk indicators or red flags: In addition to KYC information identification and sanctions screening, Crypto companies should also consider monitoring transactions and users to detect risks, as well as "red flags" that may indicate sanctions. Examples of risk indicators might include the following individual or entity actions:

  • Providing inaccurate or incomplete customer identification or KYC information when attempting to open an account

  • Accessing cryptocurrency exchanges through IP addresses or VPNs associated with sanctioned jurisdictions

  • Failure to respond or refusal to provide updated customer identity or KYC information

  • Failure to respond to, or refusal to provide, additional transaction information requested by the crypto company

  • Attempting to transact with a cryptocurrency address associated with a sanctioned individual or jurisdiction

Additionally, where appropriate, “red flags” that indicate money laundering or other illicit financial activity may also indicate potential sanctions evasion.

d) Transaction monitoring and investigation

Transaction monitoring and investigation software can be used to identify cryptocurrency addresses listed on the SDN that are associated with sanctioned individuals and entities, or located in sanctioned jurisdictions. Such internal controls help to enable project companies to prevent the transfer of assets to addresses associated with sanctioned persons and to avoid violating U.S. sanctions. Those in the crypto industry can also use transaction monitoring and investigation tools to continuously review historical or other identifying information on such addresses to better understand their sanctions exposure and identify gaps in sanctions compliance programs.

In 2018, OFAC began using certain known cryptocurrency addresses as identifying information for persons listed on the SDN list. These cryptocurrency addresses can be searched using the "ID#" field in the OFAC Sanctions List Search Tool. As a compliance practice, companies operating in the cryptocurrency industry should use transaction monitoring and investigation software to match the cryptocurrency addresses they handle against the addresses and sanctioned persons on the SDN list. In addition, OFAC's inclusion of cryptocurrency addresses on the SDN List may help the industry identify additional cryptocurrency addresses that may be associated with sanctioned parties or otherwise pose a sanctions risk, even if those other addresses are not explicitly listed on the SDN List.
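The last sentence above is the basis of most transaction-monitoring tools: addresses that are not themselves listed but have received funds a few hops downstream of a listed address carry exposure. The following is an added Python example of that idea (hop-count exposure is a common industry heuristic, not an OFAC rule); the addresses and transfers are constructed sample data, not real SDN entries, and the maximum hop depth is an assumed policy setting:

```python
from collections import defaultdict, deque

# Constructed sample data (not real addresses, not real SDN entries).
SDN_ADDRESSES = {"addr_sanctioned_1"}
# Constructed transfer log: (tx_id, from_address, to_address, amount)
TRANSFERS = [
    ("tx1", "addr_sanctioned_1", "addr_b", 5.0),
    ("tx2", "addr_b", "addr_c", 4.0),
    ("tx3", "addr_d", "addr_e", 1.0),
    ("tx4", "addr_c", "addr_customer", 2.0),
]

def forward_graph(transfers):
    """Adjacency view in the direction funds move: sender -> set of receivers."""
    graph = defaultdict(set)
    for _, src, dst, _ in transfers:
        graph[src].add(dst)
    return graph

def taint_distances(transfers, sdn=SDN_ADDRESSES, max_hops=3):
    """Breadth-first search from every listed address along the flow of funds.
    Returns {address: hops}: 0 means listed directly, k means the address
    received funds k transfers downstream of a listed address (k <= max_hops)."""
    graph = forward_graph(transfers)
    dist = {addr: 0 for addr in sdn}
    queue = deque(sdn)
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue  # assumed policy depth; deeper exposure is not traced
        for nxt in graph.get(cur, ()):
            if nxt not in dist:  # first visit is the shortest path
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def screen_incoming(tx, transfers=TRANSFERS, max_hops=3):
    """Decision for one incoming deposit based on its sender's exposure:
    ('block', 0) for a listed sender, ('review', k) for indirect exposure
    within max_hops, ('clear', None) otherwise."""
    _, sender, _, _ = tx
    dist = taint_distances(transfers, max_hops=max_hops)
    if sender not in dist:
        return ("clear", None)
    return ("block", 0) if dist[sender] == 0 else ("review", dist[sender])

if __name__ == "__main__":
    print(taint_distances(TRANSFERS))
    print(screen_incoming(("tx4", "addr_c", "addr_customer", 2.0)))
```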

e) Available remedies

In response to OFAC enforcement actions, the program company may take actions to correct the causes of its apparent violations, identify weaknesses in its internal controls, and implement new controls to prevent future violations.

Some of these remedies include:

  • Implement IP address blocking and email-related restrictions in sanctioned jurisdictions

  • Create a keyword list of sanctioned jurisdiction cities and regions for screening KYC information

  • Review and update end user agreements to include information required by U.S. sanctions

  • Retroactively screen all existing users in bulk

  • Implement OFAC-related training programs for all employees

  • Additional sanctions compliance training for those associated with compliance efforts

  • Hire additional compliance staff and a dedicated supervisor or sanctions compliance officer

D. Testing and Auditing

The best way to ensure a sanctions compliance program is working as intended is to test the effectiveness of the program. Companies that incorporate a comprehensive, independent and objective testing or audit function into their sanctions compliance program can gain insight into how well their program is performing and what needs to be updated, enhanced or recalibrated in response to changes in risk assessment or sanctions environment.

Depending on the size and maturity of a company, it may decide whether to conduct an internal or external audit of its sanctions compliance program. Some of the ways testing and auditing procedures in cryptocurrency industry sanctions compliance programs include:

  • Sanctions List Screening - Ensure that screening against the SDN list and other sanctions lists works efficiently and properly flags transactions for further review

  • Keyword Screening - Ensure that screening tools appropriately flag keywords relevant to KYC-related screening or other screening

  • IP Blocking - Ensure that IP address blocking software correctly prevents users in sanctioned jurisdictions from accessing the company's products and services

  • Investigations and Reporting - Review the procedures for investigating transactions identified during screening as having potential sanctions ties (e.g., transactions involving sanctioned persons or related to sanctioned jurisdictions), and the procedures for reporting blocked property or rejected transactions to OFAC

E. Compliance Training

Finally, the project company should develop training for its internal staff on the sanctions compliance program. The extent of corporate training will depend on the size, complexity, and risk profile of the firm, and OFAC training should be provided to all appropriate employees, including compliance, management, and customer service personnel, and should be conducted on a regular basis and at least annually. A well-established OFAC training program will provide job-specific knowledge as needed, communicate the sanctions compliance approach to each employee, and allow employees to meet training requirements through the use of an assessment system. In addition, OFAC training should be constantly updated and adjusted for the ever-changing and emerging technologies of the cryptocurrency industry.

Conclusion

As the crypto market continues to expand, a growing body of compliance requirements has become a topic that entrepreneurs in the crypto space cannot ignore. At the same time, many companies that traditionally focused on smart contract security audits, such as CertiK, have begun to launch compliance audit services. In the foreseeable future, both exchanges and DeFi companies will show considerable demand in the compliance market.

Reference article:

Encryption legal experts debate WEB3 regulation: compliance or decentralization?

How can we better deal with the threat of censorship after the US government sanctioned Tornado Cash?

4D Long Article: The History of Cryptocurrency Regulation in the United States: Onslaught of Virtual Currency Regulation and Friction

From the perspective of US regulation, why Tornado Cash will usher in sanctions and subsequent conjectures

Full text of U.S. Treasury Secretary Yellen's speech: View digital asset regulation with the status of the US dollar as the core

TRM Labs: How DeFi Platforms Are Responding to Tornado Cash Sanctions

Full Reading: Impact of U.S. Treasury Sanction on Tornado Cash

OFAC Announces Industry Impact Interpretation and Risk Compliance Plan of Sanctioning Tornado Cash

The sanction of Tornado will be a watershed in DeFi regulation

Tornado Cash Sanctioned, CertiK KYC Joins Privacy Battle

TRM Labs: A "detective company" that helps DeFi projects support sanctions

Interpretation of whether OFAC's sanction of Tornado Cash is reasonable and compliant from a legal perspective?

Senior Crypto Lawyer: After Tornado Cash is sanctioned, are new regulatory challenges coming?

Cryptocurrency Regulations Around The World

Appendix A to Part 501 Economics Sanction 

Preliminary understanding of the overall framework and existing regulatory situation in the United States—Leo

Junfa Comments | On Global Stablecoin Supervision

US Cryptocurrency Regulation: Policies, Regimes & More

How DeFi platforms are using data from TRM Labs to respond to Tornado Cash sanctions

U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash

Sanctions Compliance Guidance for the Virtual Currency Industry

A Framework for OFAC Compliance Commitments
