Cryptocurrency Developments: Office of Foreign Assets Control’s Recent Enforcement Cases Against Digital Asset Firms

February 24, 2021

Click for PDF

On February 18, 2021, the U.S. Office of Foreign Assets Control (OFAC), an agency of the Treasury Department that administers and enforces U.S. economic and trade sanctions, issued an enforcement release of a settlement agreement with BitPay, Inc. (BitPay) for apparent violations relating to Bitpay’s payment processing solution that allows merchants to accept digital currency as payment for goods and services.[1]  OFAC found that BitPay allowed users apparently located in sanctioned countries and areas to transact with merchants in the United States and elsewhere using the BitPay platform, even though BitPay had Internet Protocol (IP) address data for those users.  The users in sanctioned countries were not BitPay’s direct customers, but rather its customer’s customers (in this case the merchants’ customers).

The BitPay action follows an OFAC December 30, 2020 enforcement release of a settlement agreement with BitGo, Inc. (BitGo), also for apparent violations related to digital currency transactions.[2]  BitGo offers, among other services, non-custodial secure digital wallet management services, and OFAC found that BitGo failed to prevent users located in the Crimea region of Ukraine, Cuba, Iran, Sudan and Syria from using these services.  OFAC determined that BitGo had reason to know the location of these users based on IP address data associated with the devices used to log into its platform.

This Alert discusses these developments.

I. OFAC’s Enforcement Against BitGo

BitGo, which was founded in 2013 and is headquartered in Palo Alto, California, is self-described as “the leader in digital asset financial services, providing institutional investors with liquidity, custody, and security solutions.”[3]  As OFAC explained in its enforcement release, the company agreed to remit $98,830 to settle potential civil liability related to 183 apparent violations of multiple sanctions programs.  OFAC specifically claimed that between 2015 and 2019, deficiencies in BitGo’s sanctions compliance procedures led to BitGo’s failing to prevent individuals located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria from using BitGo’s non-custodial secure digital wallet management service despite having reason to know that these individuals were located in sanctioned jurisdictions.  Reason to know was based on BitGo’s having IP address data associated with the devices that these individuals used to log in to the BitGo platform.  According to OFAC, BitGo processed 183 digital currency transactions on behalf of these individuals, totaling $9,127.79.

According to the OFAC release, prior to April 2018, BitGo had allowed individual users of its digital wallet management services to open an account by providing only a name and email address.  In April 2018, BitGo supplemented this practice by requiring new users to verify the country in which they were located, with BitGo generally relying on the user’s attestation regarding his or her location rather than performing additional verification or diligence on the user’s location.  In January 2020, however, BitGo discovered the apparent violations of multiple sanctions compliance programs.  It thereupon implemented a new OFAC Sanctions Compliance Policy and undertook significant remedial measures.  This new policy included appointing a Chief Compliance Officer, blocking IP addresses for sanctioned jurisdictions, and keeping all financial records and documentation related to sanctions compliance efforts.

II. OFAC’s Enforcement Against BitPay

BitPay, which was founded in 2011 and is headquartered in Atlanta, Georgia, provides digital asset management and payment services that enable consumers “to turn digital assets into dollars for spending at tens of thousands of businesses.”[4]  As OFAC explained in its enforcement release, BitPay agreed to remit $507,375 to settle potential civil liability related to 2,102 apparent violations of multiple sanctions programs.  OFAC specifically claimed that between 2013 and 2018, deficiencies in BitPay’s sanctions compliance procedures led to BitPay’s allowing individuals who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform despite BitPay having location data, including IP addresses, about those individuals prior to effecting the transactions.

BitPay allegedly “received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency, and then relayed that currency to its merchants.”  According to OFAC, BitPay processed 2,102 such transactions totaling $128,582.61.  Although BitPay had (i) screened its direct customers (i.e., its merchant customers) against OFAC’s List of Specially Designated Nationals and Blocked Persons and (ii) conducted due diligence on the merchants to ensure they were not located in sanctioned jurisdictions, BitPay failed to screen location data that it obtained about its merchants’ buyers—BitPay had begun receiving buyers’ IP address data in November 2017, and prior to that received information that included buyers’ addresses and phone numbers.  BitPay had implemented sanctions compliance controls as early as 2013, including conducting due diligence and sanctions screening on its merchants, and formalized its sanctions compliance program in 2014.  However, following its apparent violations, BitPay supplemented its program with the following:

  • Blocking IP addresses that appear to originate in Cuba, Iran, North Korea, and Syria from connecting to the BitPay website or from viewing any instructions on how to make payment;
  • Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
  • Launching “BitPay ID,” a new customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice equal to or above $3,000. As part of BitPay ID, the merchant’s customer must provide an email address, proof of identification/photo ID, and a selfie photo.

III. Conclusion

The major takeaway from these two enforcement cases is that OFAC expects digital asset companies to use IP address data or other location data—even for their customers’ customers—to screen that location information as part of their OFAC compliance function.  OFAC will undoubtedly be considering whether a company has screened such information in assessing whether to impose a penalty.  More guidance on OFAC’s perspective on the essential components of a sanctions compliance program is available in A Framework for OFAC Compliance Commitments, which OFAC published in May 2019.  In addition, we anticipate ongoing scrutiny by OFAC of digital asset companies, given that key Treasury Department policymakers continue to express concerns about digital assets being used to avoid economic sanctions and anti-money laundering compliance.[5]


   [1]   OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Feb. 18, 2021), available at

   [2]   OFAC Enters Into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Dec. 30, 2020), available at

   [3]   See BitGo Announces $16 Billion in Assets Under Custody (December 21, 2020), available at

   [4]   See For a Limited Time BitPay and Simplex Partner to Offer Zero Fees on Crypto Purchases for All of Europe (EEA) (February 15, 2021), available at

   [5]   U.S. Treasury Department Holds Financial Sector Innovation Policy Roundtable (February 10, 2021), available at

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur Long, Judith Alison Lee, Jeffrey Steiner and Rama Douglas.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s Financial Institutions, Derivatives, or International Trade practice groups:

Financial Institutions and Derivatives Groups:
Matthew L. Biben – New York (+1 212-351-6300, [email protected])
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, [email protected])
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, [email protected])
M. Kendall Day – Washington, D.C. (+1 202-955-8220, [email protected])
Mylan L. Denerstein – New York (+1 212-351- 3850, [email protected])
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, [email protected])
Arthur S. Long – New York (+1 212-351-2426, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, [email protected])

International Trade Group:
Judith Alison Lee – Washington, D.C. (+1 202-887-3591, [email protected])
Adam M. Smith – Washington, D.C. (+1 202-887-3547, [email protected])

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.