February 24, 2021
On February 18, 2021, the U.S. Office of Foreign Assets Control (OFAC), an agency of the Treasury Department that administers and enforces U.S. economic and trade sanctions, issued an enforcement release of a settlement agreement with BitPay, Inc. (BitPay) for apparent violations relating to Bitpay’s payment processing solution that allows merchants to accept digital currency as payment for goods and services. OFAC found that BitPay allowed users apparently located in sanctioned countries and areas to transact with merchants in the United States and elsewhere using the BitPay platform, even though BitPay had Internet Protocol (IP) address data for those users. The users in sanctioned countries were not BitPay’s direct customers, but rather its customer’s customers (in this case the merchants’ customers).
The BitPay action follows an OFAC December 30, 2020 enforcement release of a settlement agreement with BitGo, Inc. (BitGo), also for apparent violations related to digital currency transactions. BitGo offers, among other services, non-custodial secure digital wallet management services, and OFAC found that BitGo failed to prevent users located in the Crimea region of Ukraine, Cuba, Iran, Sudan and Syria from using these services. OFAC determined that BitGo had reason to know the location of these users based on IP address data associated with the devices used to log into its platform.
This Alert discusses these developments.
BitGo, which was founded in 2013 and is headquartered in Palo Alto, California, is self-described as “the leader in digital asset financial services, providing institutional investors with liquidity, custody, and security solutions.” As OFAC explained in its enforcement release, the company agreed to remit $98,830 to settle potential civil liability related to 183 apparent violations of multiple sanctions programs. OFAC specifically claimed that between 2015 and 2019, deficiencies in BitGo’s sanctions compliance procedures led to BitGo’s failing to prevent individuals located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria from using BitGo’s non-custodial secure digital wallet management service despite having reason to know that these individuals were located in sanctioned jurisdictions. Reason to know was based on BitGo’s having IP address data associated with the devices that these individuals used to log in to the BitGo platform. According to OFAC, BitGo processed 183 digital currency transactions on behalf of these individuals, totaling $9,127.79.
According to the OFAC release, prior to April 2018, BitGo had allowed individual users of its digital wallet management services to open an account by providing only a name and email address. In April 2018, BitGo supplemented this practice by requiring new users to verify the country in which they were located, with BitGo generally relying on the user’s attestation regarding his or her location rather than performing additional verification or diligence on the user’s location. In January 2020, however, BitGo discovered the apparent violations of multiple sanctions compliance programs. It thereupon implemented a new OFAC Sanctions Compliance Policy and undertook significant remedial measures. This new policy included appointing a Chief Compliance Officer, blocking IP addresses for sanctioned jurisdictions, and keeping all financial records and documentation related to sanctions compliance efforts.
BitPay, which was founded in 2011 and is headquartered in Atlanta, Georgia, provides digital asset management and payment services that enable consumers “to turn digital assets into dollars for spending at tens of thousands of businesses.” As OFAC explained in its enforcement release, BitPay agreed to remit $507,375 to settle potential civil liability related to 2,102 apparent violations of multiple sanctions programs. OFAC specifically claimed that between 2013 and 2018, deficiencies in BitPay’s sanctions compliance procedures led to BitPay’s allowing individuals who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform despite BitPay having location data, including IP addresses, about those individuals prior to effecting the transactions.
BitPay allegedly “received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency, and then relayed that currency to its merchants.” According to OFAC, BitPay processed 2,102 such transactions totaling $128,582.61. Although BitPay had (i) screened its direct customers (i.e., its merchant customers) against OFAC’s List of Specially Designated Nationals and Blocked Persons and (ii) conducted due diligence on the merchants to ensure they were not located in sanctioned jurisdictions, BitPay failed to screen location data that it obtained about its merchants’ buyers—BitPay had begun receiving buyers’ IP address data in November 2017, and prior to that received information that included buyers’ addresses and phone numbers. BitPay had implemented sanctions compliance controls as early as 2013, including conducting due diligence and sanctions screening on its merchants, and formalized its sanctions compliance program in 2014. However, following its apparent violations, BitPay supplemented its program with the following:
The major takeaway from these two enforcement cases is that OFAC expects digital asset companies to use IP address data or other location data—even for their customers’ customers—to screen that location information as part of their OFAC compliance function. OFAC will undoubtedly be considering whether a company has screened such information in assessing whether to impose a penalty. More guidance on OFAC’s perspective on the essential components of a sanctions compliance program is available in A Framework for OFAC Compliance Commitments, which OFAC published in May 2019. In addition, we anticipate ongoing scrutiny by OFAC of digital asset companies, given that key Treasury Department policymakers continue to express concerns about digital assets being used to avoid economic sanctions and anti-money laundering compliance.
 OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Feb. 18, 2021), available at https://home.treasury.gov/system/files/126/20210218_bp.pdf.
 OFAC Enters Into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Dec. 30, 2020), available at https://home.treasury.gov/system/files/126/20201230_bitgo.pdf.
 See BitGo Announces $16 Billion in Assets Under Custody (December 21, 2020), available at https://www.bitgo.com/newsroom/press-releases/bitgo-announces-16-billion-in-assets-under-custody.
 See For a Limited Time BitPay and Simplex Partner to Offer Zero Fees on Crypto Purchases for All of Europe (EEA) (February 15, 2021), available at https://www.businesswire.com/news/home/20210215005244/en/For-a-Limited-Time-BitPay-and-Simplex-Partner-to-Offer-Zero-Fees-on-Crypto-Purchases-for-All-of-Europe-EEA.
 U.S. Treasury Department Holds Financial Sector Innovation Policy Roundtable (February 10, 2021), available at https://home.treasury.gov/news/press-releases/jy0023.
The following Gibson Dunn lawyers assisted in preparing this client update: Arthur Long, Judith Alison Lee, Jeffrey Steiner and Rama Douglas.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s Financial Institutions, Derivatives, or International Trade practice groups:
Financial Institutions and Derivatives Groups:
Matthew L. Biben – New York (+1 212-351-6300, firstname.lastname@example.org)
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, email@example.com)
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, firstname.lastname@example.org)
M. Kendall Day – Washington, D.C. (+1 202-955-8220, email@example.com)
Mylan L. Denerstein – New York (+1 212-351- 3850, firstname.lastname@example.org)
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, email@example.com)
Arthur S. Long – New York (+1 212-351-2426, firstname.lastname@example.org)
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, email@example.com)
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.