On August 8, 2022, the U.S. Department of the Treasury added Tornado Cash addresses on Ethereum to the Specially Designated Nationals (SDN) list maintained by the Office of Foreign Assets Control (OFAC). This was the first time in history that an on-chain smart contract was directly sanctioned by OFAC. A few days later, Tornado Cash developer Alexey Pertsev was arrested and detained in the Netherlands, and the incident quickly triggered a new round of extensive discussion on the compliance of crypto companies. As a result, many crypto companies, especially DeFi companies and their employees, began to worry about their own security and business compliance.
This article will discuss the current compliance issues in the crypto market from four perspectives: crypto regulatory framework, Tornado Cash sanctions, OFAC, and compliance guidance and practice of crypto enterprises.
1. Crypto regulatory framework
1.1 Overview of crypto regulation by country
As cryptocurrencies become more widely accepted, the number of cryptocurrency-related laws and regulations being developed around the world grows with them. As the boundaries of the crypto field continue to expand, it is not easy for regulators in different parts of the world to keep up with the development of the crypto market and formulate relevant regulations. The following is a brief introduction to the regulation of the crypto field in the United States, Singapore, China, the European Union, and Latin America.
Image source: ComplyAdvantage
As a common law country, the United States has a comprehensive and complex legal system. While it is difficult to find consistent legal provisions at the state level, the United States has made some progress in developing federal cryptocurrency legislation, and cryptocurrency transactions in the United States are legal. The Financial Crimes Enforcement Network (FinCEN) does not consider cryptocurrencies to be legal tender, but rather “other substitutes for the value of money.” The Internal Revenue Service (IRS) likewise does not consider cryptocurrencies to be legal tender, but defines them as “digital representations as a medium of exchange, unit of account, and/or store of value” and has set appropriate tax guidance. Cryptocurrency exchanges are also legal in the United States and fall under the scope of the Bank Secrecy Act (BSA). In practice, this means that cryptocurrency trading service providers must register with FinCEN, implement AML/CFT programs, maintain proper records, and file reports with authorities. Meanwhile, the U.S. Securities and Exchange Commission (SEC) said it treats cryptocurrencies as securities and applies securities laws across the board to digital wallets and exchanges. In contrast, the Commodity Futures Trading Commission (CFTC) has adopted a friendlier approach, describing Bitcoin as a commodity and allowing cryptocurrency derivatives to be traded publicly.
In Singapore, cryptocurrency exchanges and trading are legal, and the country’s stance on the issue is friendlier than that of some of its regional neighbors. Although cryptocurrencies are not considered legal tender, the Singapore tax authorities treat Bitcoin as a “commodity” and therefore levy the Goods and Services Tax (Singapore’s version of VAT). In 2017, the Monetary Authority of Singapore (MAS) clarified that while its position is not to regulate cryptocurrencies, it will regulate the issuance of tokens if they are classified as “securities.”
The Singapore Payment Services Act (PSA) 2019 places exchanges and other cryptocurrency businesses under the regulation of MAS from January 2020 and requires them to obtain an operating license from MAS. Since then, MAS has issued licenses to several well-known crypto service providers, including DBS Vickers, the brokerage arm of DBS Bank, and Australian cryptocurrency exchange Independent Reserve.
The People’s Bank of China (PBOC) banned financial institutions from processing bitcoin transactions in 2013 and further banned ICOs and domestic cryptocurrency exchanges in 2017. To justify the ban, the PBOC defined ICO financing (through the illegal sale and circulation of tokens) as unapproved public financing, which is illegal under Chinese law.
China’s cryptocurrency regulation imposed a near-total ban on cryptocurrency trading and related services, and in 2021 it launched a sweeping crackdown on cryptocurrency mining in the country. At the same time, as far as cryptocurrencies themselves are concerned, under the 2020 amendments to the Chinese Civil Code, cryptocurrencies have the status of property when determining inheritance. In current judicial practice, cryptocurrencies such as BTC/USDT are generally not considered to have monetary attributes but may have property attributes, and courts still differ in how they rule on some contract disputes involving cryptocurrencies.
Cryptocurrencies are widely recognized as legal throughout the European Union, but regulations for cryptocurrency trading vary from member state to member state. Cryptocurrency taxes vary from country to country, with many member states imposing a capital gains tax of 0 – 50% on profits derived from cryptocurrencies. In 2015, the Court of Justice of the European Union ruled that exchanges of traditional currency for cryptocurrencies should be exempt from VAT.
In January 2020, the EU’s Fifth Anti-Money Laundering Directive (5AMLD) incorporated cryptocurrency-fiat currency exchanges into EU anti-money laundering legislation, requiring exchanges to enforce KYC/CDD on customers and meet standard reporting requirements. In December 2020, 6AMLD went into effect: This directive makes cryptocurrency compliance more stringent by adding cybercrime to the list of predicate crimes for money laundering.
Cryptocurrency exchanges are currently not regulated at the regional level. In some member countries, exchanges must register with their respective regulators, such as the German Federal Financial Supervisory Authority (BaFin), the French Financial Markets Authority (AMF) or the Italian Ministry of Finance. The authorizations and licenses granted by these regulators are recognized across member states, allowing exchanges to operate under the EU system.
In Latin America, countries have different regulatory attitudes towards cryptocurrencies. Countries with stricter regulations include Bolivia, which has a total ban on cryptocurrencies and exchanges, and Ecuador, which has banned the circulation of all cryptocurrencies except government-issued SDE tokens. In contrast, in Mexico, Argentina, Brazil, Venezuela and Chile, retail stores and merchants generally accept cryptocurrencies as a payment method.
For tax purposes, cryptocurrencies are often treated as assets in Latin America. Capital gains tax generally applies throughout the region, while transactions in Brazil, Argentina and Chile are also subject to income tax in some cases.
In September 2021, El Salvador became the first country in Latin America to adopt Bitcoin as legal tender, issuing a government digital wallet app and allowing consumers to use cryptocurrency (as well as pay in dollars) in all transactions. Despite the criticism at home and abroad, the Salvadoran government has since announced plans to build a “Bitcoin City.”
1.2 The US Troika of Crypto Regulation
Although regulatory policies vary from country to country and region to region, the jurisdiction of each national regulatory authority is geographically limited. In this regard, since the jurisdiction of US regulators covers the widest range of global crypto users, their enforcement influence on crypto companies and individuals is much greater than that of other countries. Therefore, the trend of crypto regulatory policy in the United States deserves more attention from global crypto companies and practitioners.
In the United States, cryptocurrencies have been the focus of both the federal and state governments. At the federal level, much of the focus has been at the level of administrative agencies, including the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the U.S. Treasury, which can be briefly described as the “troika” of US crypto regulation.
In this troika, the SEC and CFTC mainly determine the attributes of assets (commodities or securities?) and regulate tokens they consider to be securities or commodities accordingly. The U.S. Treasury Department’s role is more diverse: the IRS mainly looks at whether crypto transactions are taxed, FinCEN mainly focuses on anti-money laundering and counter-terrorism financing in the United States, and OFAC is mainly responsible for implementing financial sanctions against overseas blacklisted institutions or individuals. All three require long-term tracking of on-chain transaction data, analysis and judgment, and accurate law enforcement.
1.2.1 U.S. Securities and Exchange Commission (SEC)
The SEC generally has regulatory authority over the issuance or resale of any token or other digital asset that constitutes a security, primarily for ICOs as well as token properties. In 2021, SEC Chairman Gary Gensler stated in his speech that the SEC is working on various areas of crypto, and there are at least seven topics that the SEC is currently closely watching, including: custody, stablecoins, trading platforms, lending platforms, ICOs, decentralized finance (DeFi), ETFs (not limited to Bitcoin).
Under U.S. securities laws, if a digital asset is determined to be a security, the issuer must register the securities with the SEC or qualify for an exemption from registration. On the whole, the SEC is the most active among the various departments, and it is also the department with the most existing regulatory examples. Its regulatory core is the keyword “securities”, so in studying whether blockchain tokens are securities, it is necessary to judge whether they are subject to SEC supervision on a case-by-case basis according to the principle of substance over form. However, from the current situation, most assets other than BTC and ETH will find it difficult to escape the definition of securities, especially some newly issued assets, which will definitely face the full-process and all-round regulatory requirements of the SEC.
1.2.2 Commodity Futures Trading Commission (CFTC)
The U.S. Commodity Futures Trading Commission is one of the financial regulators in the United States; it is an independent agency of the U.S. government that regulates commodity futures, options, and financial futures and options markets. In short, if a digital asset has not been defined as a security, the trading of its derivatives is mainly regulated by the CFTC. This is also where the CFTC and the SEC overlap most in the current and future discussion of regulatory authority, and it determines to a certain extent which agency will dominate subsequent supervision.
1.2.3 U.S. Treasury
a. Internal Revenue Service (IRS)
In March 2014, the IRS announced that cryptocurrencies such as Bitcoin would be taxed as “property” rather than currency.
For individuals filing federal income tax returns, gains or losses from the sale of cryptocurrencies held as “capital assets” (i.e., for investment purposes) should be reported in (i) Schedule D of IRS Form 1040, and (ii) IRS Form 8949 (Sales and Other Dispositions of Capital Assets). Any realized gains on cryptocurrencies held by the individual as capital assets for more than one year are subject to capital gains tax; any realized gains on cryptocurrencies held by an individual as capital assets for a year or less are subject to ordinary income tax.
b. Financial Crimes Enforcement Network (FinCEN)
The Financial Crimes Enforcement Network (FinCEN) is a bureau of the U.S. Department of the Treasury that operates both domestically and internationally, working with law enforcement agencies, regulators, and financial services institutions.
Key points of concern include:
(1) preventing and punishing money laundering and related financial crimes;
(2) tracking suspicious persons and activities by studying the mandatory disclosures of financial institutions.
Overall, FinCEN is currently mainly involved in the exchange sector, and opening an exchange business in the United States, or a similar crypto treasury business, requires closer attention to the regulatory guidance of this department. The anti-money laundering provisions of the Bank Secrecy Act (“BSA”) are the most important part, especially when it comes to the cross-border transfer of funds, including exchanges between stablecoins, between different cryptocurrencies, and between stablecoins and fiat currencies. In addition, as permissionless, decentralized products, DeFi protocols focused on exchanging assets, lending, and creating synthetic assets will also become a top regulatory priority for the foreseeable future.
c. Office of Foreign Assets Control (OFAC)
OFAC, the U.S. Department of the Treasury’s Office of Foreign Assets Control, has the mission of administering and enforcing all economic and trade sanctions based on U.S. national security and foreign policy, including financial sanctions against terrorism, the transnational drug and narcotics trade, and the proliferation of weapons of mass destruction. OFAC is authorized by special legislation to control and freeze foreign assets in the United States and is responsible for working closely with U.S. and European allies on foreign economic and trade sanctions. Its main jurisdiction is in the fields of transnational crime and terrorism, and it is also the protagonist of the Tornado Cash sanctions.
OFAC focuses on illegal financial activities that affect U.S. national security, and all protocols, networks, and applications that could potentially be exploited by these criminal actors will be of long-term concern to it. OFAC’s sanctions list, the SDN (Specially Designated Nationals) list, is a very strong regulatory tool, and the consequences of being sanctioned are serious. For many DeFi products, the regulatory guidance issued by OFAC should be the first compliance document to be studied and followed.
2. The United States issues its first sanctions against a smart contract – Tornado Cash
On August 8, 2022, the official website of the US Treasury’s OFAC showed that some addresses that interact with the Tornado Cash protocol, or related Ethereum addresses, would be placed on the SDN List for sanctions, the first time in history that on-chain smart contracts have been directly sanctioned by OFAC.
Unlike OFAC’s earlier sanctions against Blender.io this year, the sanctions against Tornado Cash do not target an “entity”. When sanctioning Blender, OFAC detailed several websites and dozens of Bitcoin wallet addresses related to Blender, which is a centralized entity. Tornado Cash, however, is not a centralized mixer, so OFAC’s source of authority to sanction a “non-entity” is coming under scrutiny, and it is also very difficult in practice to sanction a decentralized smart contract like Tornado Cash. After the sanctions, U.S. persons may no longer use Tornado Cash.
CREDIT: U.S. DEPARTMENT OF THE TREASURY
2.1 Reasons why Tornado Cash is subject to OFAC sanctions
According to the reasons for the sanctions disclosed on the official website of the US Treasury Department, Tornado Cash has been used to launder more than $7 billion worth of cryptocurrency since its creation in 2019. This included more than $455 million stolen by the Lazarus Group, a state-backed hacking group from the Democratic People’s Republic of Korea (DPRK) that was sanctioned by the United States in 2019, in the largest known cryptocurrency heist to date. Tornado Cash was subsequently used to launder over $96 million of malicious cyber actors’ funds from the Harmony Bridge heist on June 24, 2022, and at least $7.8 million from the Nomad heist on August 2, 2022.
In its official website disclosure, OFAC states that Tornado Cash (Tornado) is a cryptocurrency mixer that runs on the Ethereum blockchain and indiscriminately facilitates anonymous transactions by obfuscating their origin, destination and counterparties, with no attempt to determine the source of the funds. Tornado receives various transactions and mixes them together before transmitting them to their respective recipients. While purportedly intended to increase privacy, mixers like Tornado are often used by illicit actors to launder money, especially funds stolen in major heists. Tornado was sanctioned by OFAC for allegedly providing material support to malicious cyber activities that could pose a significant threat to U.S. national security, economic health, or financial stability.
2.2 Impact on Tornado Cash
So far, Tornado has been affected in two main parts:
- Some of the Ethereum and USDC addresses and USDC assets that interact with Tornado Cash are listed in the SDN
- Tornado Cash’s Github codebase and front-end website have restricted access
Under OFAC sanctions, the assets of SDN-listed subjects in the United States are frozen, and no U.S. person (including U.S. citizens, U.S. green card holders, institutions or legal entities registered under U.S. law, and persons located in the United States) is allowed to transact with them, which also means that SDN entities cannot carry out dollar clearing and transactions. That is, “U.S. persons” are forbidden from having dealings with them; otherwise they may face criminal liability in addition to fines.
For the Ethereum and USDC addresses placed on the SDN list, following the OFAC sanctions the USDC issuer Circle officially blacklisted the Ethereum addresses on the US Treasury Department’s sanctions list. Uniswap blocked 253 crypto addresses related to stolen funds or sanctions, and the lending protocol Aave also blocked many of the addresses that had exchanged transfers with Tornado Cash. (The sanctioned addresses are disclosed on the US Treasury Department’s website under SDN List Cyber-related Designations: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20220808)
For Tornado itself, the sanctions have led to restrictions on access to Tornado Cash: not only can users no longer access the official Tornado Cash website, but third-party node operators like Infura and Alchemy have also stopped supporting Tornado Cash-related services. In addition, users of the most widely used Ethereum wallet, MetaMask, are now blocked from interacting with Tornado Cash, because MetaMask relies on Infura to interact with Ethereum; users who still want to use Tornado Cash can only do so if they manually change MetaMask’s node configuration to a provider other than Infura. This severely limits the number of Tornado Cash users.
The sanctions against Tornado Cash have affected a large number of users’ access to the protocol, collaborative development of its code, and some protocol features, such as the distributed relayer network. This will make it more difficult for the average user to participate in these activities. However, since Tornado Cash is a decentralized application deployed on Ethereum (where it cannot be tampered with), the application itself will continue to run on the network and is unlikely to stop functioning.
2.3 Procedural compliance disputes over the Tornado Cash sanctions themselves
Because of the decentralized nature of Tornado Cash, OFAC’s list of sanctioned cryptocurrency wallets does not show that there are entities, legal persons, or natural persons behind these sanctioned wallets that can be sanctioned, because the Ethereum smart contracts behind the wallets mix funds automatically according to their code, without anyone controlling them. There is no evidence that the natural persons or legal entity that deployed Tornado Cash now control the program. In Tornado Cash’s logic, users of the mixer can come from all over the world, but there is no central review team or mechanism to screen these customers; this is not necessarily intentional, but the result of the system and its algorithms matching and processing transactions automatically and in a decentralized way. In this situation, some lawyers question whether OFAC can place an autonomous protocol on the SDN list at all, and whether doing so is unconstitutional.
If the sanctioned Tornado Cash were an entity, that entity could defend itself through legal means and file a lawsuit in federal court if it believed the OFAC sanctions were unfair. Since only entities can file a lawsuit, and a petition for removal from the SDN list can only be filed by an entity, is it unfair to sanction something that has no central entity? At the same time, sanctioning the relevant wallets does not change the automatic transaction behavior of the algorithm, so the question arises whether the sanction goes against OFAC’s original purpose, which is to prompt an organization or individual to change its behavior.
Coin Center, a cryptocurrency think tank, argues that OFAC’s sanctions against Tornado Cash are beyond the agency’s purview, as the sanctions do not target “entities” and do not effectively change behavior. Finally, they do not fall within the scope of the “property” blocking powers under the IEEPA (International Emergency Economic Powers Act) and do not provide the procedural due process required by the U.S. Constitution, so OFAC has exceeded its own executive power.
After the Dutch government detained Tornado Cash developer Alexey Pertsev, more than 50 people rallied in Amsterdam on August 20 to protest the detention and demand Pertsev’s release. At present, lawyers who doubt the legality of the OFAC sanctions are organizing to contact OFAC and trying to advance protests and litigation at the legal level.
3. Overview of the Office of Foreign Assets Control (OFAC)
3.1 Origin of OFAC
Founded in 1950, the Office of Foreign Assets Control (OFAC) is an agency under the U.S. Department of the Treasury whose main role is to carry out economic or trade sanctions against foreign persons and organizations opposed to U.S. interests.
OFAC’s powers derive from the International Emergency Economic Powers Act (IEEPA), a bill passed by Congress in 1977, which is first and foremost subject to the U.S. Constitution, so the exercise of the powers associated with the Act must also be consistent with the U.S. Constitution. IEEPA gives the President (the executive arm of the state) the power to declare a state of emergency, thereby preventing persons and organizations subject to U.S. jurisdiction from engaging in any activity involving foreign forces that harm U.S. interests. IEEPA gives OFAC the power to block property, and the core of that power is “property”. After 9/11, in order to better combat terrorist organizations financially, then-President George W. Bush pushed Congress to pass another bill, the USA PATRIOT Act, which substantially expanded the executive power provided by IEEPA and gave OFAC great powers. The Act allows OFAC to block property “under investigation” without having to provide an explanation or conclusive evidence.
OFAC’s mission is to administer and enforce all economic and trade sanctions based on U.S. national security and foreign policy, including financial sanctions against terrorism, the transnational drug and narcotics trade, and the proliferation of weapons of mass destruction, and OFAC remains the most important U.S. government agency for economic and trade sanctions against specific countries, regions, and individuals. In recent years, with the deepening of the world’s anti-corruption and anti-money laundering campaigns, OFAC’s policies and directives have become operating principles that the global financial industry cannot ignore, especially U.S. financial institutions and those closely tied to the U.S. financial industry.
3.2 Main types of OFAC penalties
Before OFAC began wielding the stick of sanctions at the cryptocurrency and blockchain industries, it had traditionally targeted individuals and organizations associated with sovereign states that ideologically challenged the United States. In October 2021, OFAC issued the Sanctions Compliance Guidance for the Virtual Currency Industry, which reiterates the four categories of sanctions imposed by OFAC:
i) comprehensive commercial sanctions and embargoes, currently targeting Iran, North Korea, Cuba, Syria and Crimea;
ii) sanctions against governments or regimes;
iii) list-based sanctions (many cryptocurrency industry sanctions, including the current Tornado Cash sanctions, are list-based);
iv) sectoral sanctions, which target a specific industry in certain foreign countries.
3.3 The main reasons for being subject to OFAC sanctions
According to A Framework for OFAC Compliance Commitments, issued by the U.S. Treasury Department, the following reasons for being penalized by OFAC are worth noting for crypto companies:
A. Lack of a formal OFAC Sanctions Compliance Program (SCP)
OFAC does not mandate that businesses have a formal Sanctions Compliance Program (SCP), but it encourages organizations subject to U.S. jurisdiction, particularly those engaged in international trade or that have any customers or counterparties located outside the United States, to adopt a formal SCP. As can be seen from the multiple civil penalties that OFAC has finalized, the absence of an SCP is one of the main reasons for sanctions violations discovered during OFAC investigations. In addition, OFAC often identifies this factor as an aggravating factor when determining penalties.
B. Transactions with sanctioned non-U.S. personnel (including through overseas subsidiaries or affiliates)
Organizations subject to U.S. jurisdiction—particularly those with overseas operations and subsidiaries outside the U.S.—engage in transactions or activities that violate OFAC regulations by transferring business opportunities to overseas subsidiaries to deal with countries, regions, or individuals sanctioned by OFAC in non-U.S. locations.
C. The sanctions screening software is not updated or the filter is malfunctioning
Many organizations screen their customers, supply chains, intermediaries, counterparties, business and financial documents, and transactions to identify and avoid transactions with the regions and parties sanctioned by OFAC. Sometimes, however, organizations fail to update their sanctions screening software to reflect newly added entries on the SDN list or the SSI list, so the filter silently misses them.
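As an added illustration of the screening failure described under C., and of the address-level blocking that section 2.2 describes Circle, Uniswap and Aave as applying after the designation, the following Python screener is not from the original article or from any of the products it names. It checks each transfer’s sender and recipient against a list of blocked Ethereum addresses, normalizes addresses so that a checksummed (mixed-case) display form cannot slip past a byte-exact comparison, refuses to give an “allow” decision when the loaded list is older than an assumed one-day refresh policy, and flags addresses with a direct transfer to or from a listed address. The SDN entries, the refresh policy and the transfer history are all constructed placeholders, not real designations.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Constructed placeholder entries; NOT real SDN addresses. A real deployment
# would load the published SDN/SSI data and record its publication date.
SAMPLE_SDN_LIST = {
    "published": date(2022, 8, 8),
    "addresses": [
        "0x" + "AAAAaaaa" * 5,  # mixed case, standing in for an EIP-55 checksummed display form
        "0x" + "b" * 40,        # all lowercase
    ],
}

HEX_DIGITS = set("0123456789abcdef")


def normalize(addr: str) -> str:
    """Canonical lowercase form of an Ethereum address; raises on malformed input.

    EIP-55 mixed case is only a display checksum, so the same account can appear
    in checksummed, lowercase or uppercase form. Comparing the raw string would
    miss a listed address written in a different case.
    """
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or not set(a) <= HEX_DIGITS:
        raise ValueError("not a valid Ethereum address: %r" % addr)
    return "0x" + a


def naive_exact_match(addr: str, listed: Iterable[str]) -> bool:
    """The mistake to avoid: a byte-exact comparison misses case variants."""
    return addr in set(listed)


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount_wei: int


class SanctionsScreener:
    MAX_LIST_AGE = timedelta(days=1)  # assumed refresh policy, not an OFAC rule

    def __init__(self, sdn_list: Dict, today: date) -> None:
        self.blocked: Set[str] = {normalize(a) for a in sdn_list["addresses"]}
        self.published: date = sdn_list["published"]
        self.today = today

    def list_is_stale(self) -> bool:
        return self.today - self.published > self.MAX_LIST_AGE

    def screen(self, tx: Transfer) -> Tuple[str, str]:
        """Return (decision, reason); fails closed to 'review' on stale data or bad input."""
        if self.list_is_stale():
            return "review", "sanctions list published %s is stale" % self.published
        try:
            parties = (("sender", normalize(tx.sender)), ("recipient", normalize(tx.recipient)))
        except ValueError as exc:
            return "review", str(exc)
        hits = [role for role, a in parties if a in self.blocked]
        if hits:
            return "block", "listed address as " + ", ".join(hits)
        return "allow", "no match"

    def direct_exposure(self, history: Iterable[Transfer]) -> Set[str]:
        """Unlisted addresses that transferred directly to or from a listed address."""
        exposed: Set[str] = set()
        for tx in history:
            s, r = normalize(tx.sender), normalize(tx.recipient)
            if s in self.blocked and r not in self.blocked:
                exposed.add(r)
            if r in self.blocked and s not in self.blocked:
                exposed.add(s)
        return exposed


# Constructed sample transfers: one from a listed address, one to a listed
# address written in upper case, and one between two unlisted addresses.
SAMPLE_HISTORY = [
    Transfer("0x" + "a" * 40, "0x" + "1" * 40, 10**18),
    Transfer("0x" + "2" * 40, "0x" + "B" * 40, 5 * 10**17),
    Transfer("0x" + "3" * 40, "0x" + "4" * 40, 10**16),
]


def run_sample(today_iso: str) -> List[Tuple[str, str]]:
    """Screen the sample history as of the given date (ISO format)."""
    screener = SanctionsScreener(SAMPLE_SDN_LIST, date.fromisoformat(today_iso))
    return [screener.screen(tx) for tx in SAMPLE_HISTORY]


def sample_exposure() -> List[str]:
    screener = SanctionsScreener(SAMPLE_SDN_LIST, SAMPLE_SDN_LIST["published"])
    return sorted(screener.direct_exposure(SAMPLE_HISTORY))


if __name__ == "__main__":
    for tx, decision in zip(SAMPLE_HISTORY, run_sample("2022-08-08")):
        print(tx.sender[:10], "->", tx.recipient[:10], decision)
    print("stale list:", run_sample("2022-08-20")[0])
    print("direct exposure:", sample_exposure())
```

Run on the constructed data, the first two transfers are blocked (the second only because normalization maps the upper-case recipient onto the lowercase list entry; `naive_exact_match` returns False for it), the third is allowed, and with a list twelve days old every decision becomes “review” rather than a false “allow”. The exposure set is what a protocol front end would consult when deciding whether to refuse addresses that have interacted with a listed contract, as the text describes Uniswap and Aave doing.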
D. Improper due diligence on customers
One of the essential components of an effective OFAC risk assessment and SCP is due diligence on an organization’s customers, supply chains, intermediaries, and counterparties. The various enforcement actions taken by OFAC cite reasons including improper or incomplete due diligence by the organization on its customers, such as their beneficial owner, geographic location, related parties and the transaction itself, as well as the organization’s knowledge and awareness of OFAC sanctions.
E. Individual Liability
In some cases, individual employees, especially those in supervisory, managerial, or executive positions, have been the main cause of, or contributors to, violations of OFAC-administered regulations. Specifically, in some of these cases, employees of foreign entities also strove to conceal their activities from others within the company, including compliance officers, as well as from regulators or law enforcement. In such cases, OFAC will consider taking enforcement action not only against the offending entities but also against the individuals.
3.4 Impact of OFAC sanctions
Failure to comply with OFAC sanctions requirements could cause significant damage to the integrity and effectiveness of the U.S. sanctions program and its associated policy objectives. As a result, civil and criminal penalties for violations can be severe, and the specific penalties will vary depending on the sanction program.
4. Compliance strategies for crypto companies
Since the birth of BTC, crimes related to the crypto industry have been concentrated in the financial sector, especially DeFi, which has developed rapidly in recent years. Compared with other types of crime, crimes in the economic and financial fields often affect a wide range of people and involve huge amounts of money (such as the amount involved in the sanctioned Tornado Cash), so this is also the most important area of concern and regulatory focus for regulators in various countries.
Compared to DeFi, the demand for crypto compliance in other areas is relatively small, or there is already a more mature, standardized process. For example, in cases of IP infringement of blue-chip NFTs such as BAYC/Clonex, even if the infringer uses the IP image for commercial purposes without permission, the IP holder can often only get the infringer to take the image down after spending time and money, and it is difficult to obtain high compensation. And because of the decentralized and global nature of NFTs themselves, cross-border enforcement will also be difficult. In addition, in practice, another market need that falls under regulatory compliance is exchange licensing, which already has relatively mature, standardized processes, and there are many intermediaries in the market that do business in this field, so I will not discuss it much here. Therefore, this article mainly focuses on the DeFi field, and discusses compliance strategies from the perspective of project teams based on the regulatory penalties that exist in practice.
4.1 First, DeFi projects can be divided into two levels in terms of compliance: (1) the smart contract itself; (2) Project companies that provide various front-end services.
A DeFi project, in addition to its own decentralized and automatic smart contracts, also needs some human support to serve its users. Uniswap, for example, not only implements the functions of a decentralized exchange through smart contracts, but also requires Uniswap Labs to hire staff to run the front-end website and to use Twitter for marketing purposes. For Uniswap Labs, the compliance requirements are closer to those of an ordinary company.
A. The smart contract itself
As discussed in the previous section, “Procedural compliance disputes over the Tornado Cash sanctions themselves”, the current legal framework does not consider a smart contract itself to be a legal entity that can be subject to sanctions. From a practical point of view, OFAC imposes sanctions in indirect ways, such as by prohibiting other institutions or individuals from interacting with the sanctioned smart contract. At present, this method can still have a significant impact on the users of the smart contract.
Image credit: TRM Labs
B. Project companies that provide various front-end services
As the company providing front-end services behind the smart contracts, it is more directly affected by sanctions. For example, after Tornado Cash was sanctioned, its own front-end website could no longer be connected to the MetaMask wallet, its Twitter account stopped being updated, and access to the GitHub codebase was also restricted.
For the project company, as a legal entity providing DeFi-related financial services, it should satisfy the relevant requirements under local laws and regulations, such as applying for and registering an operating license or meeting the compliance requirements for Internet information services.
4.2 Internal Compliance Settings – Sanctions Compliance Program (SCP)
Given these two levels of DeFi compliance, a project team can still meet regulatory compliance requirements through the internal arrangements of the project company. According to the Sanctions Compliance Guidance for the Virtual Currency Industry issued by the U.S. Treasury Department’s OFAC in October 2021, DeFi project teams can arrange the following five parts for internal compliance:
Senior management’s strict adherence to the company’s sanctions compliance program is one of the most important factors determining the success of the program, and senior management’s support is critical to ensuring that sanctions compliance efforts are adequately resourced and fully integrated into the company’s day-to-day operations. The appropriate tone from the top also helps legitimize the program, empowers the company’s sanctions compliance officers, and fosters a culture of compliance throughout the company.
The importance of management’s strict implementation of the company’s risk-based sanctions compliance program is as important in the cryptocurrency industry as it is in any other industry. In many cases, the OFAC has observed that members of the cryptocurrency industry do not begin to comply with OFAC sanctions policies and procedures until months or even years after they begin operations. Delays in the development and implementation of sanctions compliance programs can expose cryptocurrency companies to a variety of potential sanctions risks.
In practice, senior management of the project side may consider taking the following steps to demonstrate their support for sanctions compliance:
- Review and approve sanctions compliance policies and procedures
- Ensure adequate resources, including human capital, expertise, information technology, and other resources, to support the compliance function
- Grant sufficient autonomy and authority to the compliance department
- Appoint at least one dedicated sanctions compliance officer with the necessary technical expertise and knowledge of OFAC regulations, processes and actions; such individuals understand complex financial and business activities, apply their knowledge of OFAC to these projects, and are able to identify OFAC-related issues, risks and prohibited activities
B. Risk Assessment
Sanctions risks, if ignored or mishandled, can lead to violations of OFAC regulations and subsequent enforcement actions, harm U.S. foreign policy and national security interests, and negatively impact a company’s reputation and business. OFAC recommends that companies in the cryptocurrency industry with sanctions compliance programs conduct routine and, where appropriate, ongoing risk assessments to identify the sanctions issues the company may encounter.
While there is no “one-size-fits-all” approach to risk assessment, it should generally include a comprehensive review of the company to assess the potential risk of the company’s engagement with individuals, countries or regions sanctioned by OFAC. Through regular risk assessments, project parties can adjust internal compliance screening criteria in real time to meet the latest regulatory requirements.
Case study: Diagnosing a risky relationship
In 2021, OFAC entered into a settlement agreement with a U.S. cryptocurrency payment service provider over its handling of virtual currency transactions between the company’s customers and individuals located in sanctioned jurisdictions. While the company’s sanctions compliance controls included screening its direct customers (B2B merchants in the U.S. and elsewhere) for potential links to sanctions, the company failed to screen the information it held about the individuals who used its payment processing platform to buy products from those merchants. Specifically, before processing a transaction, the company received some information about the buyer, such as name, address, phone number, email address and sometimes Internet Protocol (IP) address. A comprehensive risk assessment, including an understanding of who is accessing a company’s platform or services, can help project owners determine the appropriate screening criteria for each of their products and services.
C. Internal controls
An effective sanctions compliance program will include policies and procedures designed to address the risks identified in the company’s risk assessment. These may include identifying, blocking, escalating, reporting (where applicable) and maintaining records of transactions or activities prohibited by sanctions imposed by OFAC. An effective sanctions compliance program will enable companies to conduct adequate due diligence on customers, business partners and transactions, and identify “red flags.” Red flags indicate that illegal activity or compliance barriers may be occurring, prompting companies to investigate and take appropriate action. The Company shall enforce policies and procedures and identify weaknesses (including through root cause analysis of any violations) and remediate to prevent activities that may violate sanctions.
In the crypto industry, a company’s implementation of internal controls will depend on the products and services the company provides, where the company operates, the location of users, and the specific sanctions risks identified by the company during the risk assessment process. While OFAC does not require the cryptocurrency industry to use any specific in-house or third-party software, these can be useful tools for an effective sanctions compliance program.
Case study: Data collected but not screened
One of the sanctions risks faced by members of the cryptocurrency industry stems from the use of their products and services by users located in sanctioned jurisdictions. In 2020, a U.S. company that provides custody, trading and financing services for digital assets internationally entered into a settlement agreement with OFAC for processing cryptocurrency transactions for individuals located in sanctioned jurisdictions. Although the company tracked the IP addresses of its users at login for security purposes, it did not use the IP address information it collected to screen for and prevent potential sanctions violations. As a result, despite the sanctions in force at the time against the Crimea region of Ukraine, Cuba, Iran, Sudan and Syria, the company failed to prohibit individuals in those regions from using its non-custodial secure digital wallet management services. Implementing internal controls that filter the data already available and block activity involving certain IP addresses could have prevented these violations.
OFAC recommends that project companies adopt the following options to strengthen internal controls as part of an effective sanctions compliance program:
a) Know Your Customer (KYC) Procedures
Know Your Customer (KYC) Procedures – Obtain information about customers early in engagement with customers and throughout the lifecycle of the customer relationship and conduct adequate due diligence on this information to mitigate potential sanctions-related risks. This information can be used in the sanction screening process to prevent violations. For example, information collection may include the following elements during the initial period of cooperation, periodic review and processing of customer transactions:
Individuals: Legal name, date of birth, physical and email address, nationality, IP address associated with transactions and logins, bank information, and government identification and residency documents.
Entity: Entity name (including business and legal name), business scope, ownership information, physical address and email address, location information, IP address associated with transactions and logins, information about the entity’s conduct of business, banking information, and any relevant government documents.
High-risk customers may require additional due diligence. This may include, for example, checking customer transaction histories for connections to sanctioned jurisdictions or transactions with cryptocurrency addresses that have been associated with sanctioned actors. In addition, information gathered under existing anti-money laundering (AML) obligations, as applicable, may also be helpful in assessing and mitigating sanctions risks.
b) Sanctions Screening
Sanctions screening is probably the most important component of a crypto company’s internal controls and may include geographic location, customer identification, transaction screening and so on. Crypto companies should consider implementing the following in their sanctions compliance programs:
- Filter customer information against OFAC-managed sanctions lists, including SDN lists
- Filter transactions to identify addresses associated with sanctioned persons or jurisdictions, including physical, digital wallet, and IP addresses, and other relevant information
- Use the screening tool’s fuzzy logic feature to catch common name variations and misspellings, such as spelling mistakes or alternative spellings associated with sanctioned jurisdictions (e.g., “Yalta, Krimea”) and changes in capitalization, spacing or punctuation of names on OFAC sanctions lists (e.g., “Krayinvestbank” may appear on the SDN list, but “Krajinvestbank” or “Kray Invest Bank” may appear in the crypto company’s transaction information)
- Continuous sanctions screening and risk-based repetitive screening to retrieve changed customer information, updated OFAC sanctions lists, or changes in regulatory requirements
c) Identify risk indicators or red flags
Risk indicators or red flags: In addition to KYC information checks and sanctions screening, crypto companies should also consider monitoring transactions and users to identify risks, as well as “red flags” that may indicate a sanctions relationship. Examples of risk indicators include the following behaviors by an individual or entity:
- Providing inaccurate or incomplete customer identity or KYC information when attempting to open an account
- Accessing cryptocurrency exchanges through IP addresses or VPNs associated with sanctioned jurisdictions
- Failing to respond to, or refusing to provide, updated customer identity or KYC information
- Failing to respond to requests from the crypto company, or refusing to provide additional transaction information
- Attempting to transact using a cryptocurrency address associated with a sanctioned individual or jurisdiction
In addition, where appropriate, “red flags” indicating money laundering or other illicit financial activity may also indicate potential sanctions evasion.
d) Transaction monitoring and investigation
Transaction monitoring and investigation software can be used to identify cryptocurrency addresses listed on the SDN that are associated with sanctioned individuals and entities or located in sanctioned jurisdictions. This internal control helps enable the project company to prevent the transfer of assets to addresses associated with sanctioned persons and avoid violations of U.S. sanctions. Those in the crypto industry can also use transaction monitoring and investigation tools to continuously review historical or other identifying information about such addresses to better understand the sanctions risks they face and identify deficiencies in sanctions compliance programs.
In 2018, OFAC began using certain known cryptocurrency addresses as identifying information for people on the SDN list. These cryptocurrency addresses can be searched using the “ID#” field in the OFAC sanctions list search tool. As a form of compliance practice, companies operating in the cryptocurrency industry should use transaction monitoring and investigation software like this to identify cryptocurrency addresses and sanctioned persons on the SDN list. In addition, OFAC’s inclusion of cryptocurrency addresses on the SDN list may help the industry identify other cryptocurrency addresses that may be related to sanctioned parties or otherwise pose a sanctions risk, even if these other addresses are not explicitly listed on the SDN list.
e) Remedial measures available
In response to OFAC enforcement actions, project companies can take action to correct the apparent causes of their violations, identify weaknesses in their internal controls, and implement new controls to prevent future violations.
Some of these remedies include:
- Enforce IP address blocking and email-related restrictions in sanctioned jurisdictions
- Create a keyword list of cities and regions in sanctioned jurisdictions to filter KYC information
- Review and update End User Agreements to include information required by U.S. sanctions
- Retrospective bulk filtering of all users
- Implement OFAC-related training programs for all employees
- Additional sanctions compliance training for personnel related to compliance work
- Hire additional compliance personnel and dedicated supervisors or sanction compliance officers
D. Testing and Auditing
The best way to ensure that a sanctions compliance program works as expected is to test its effectiveness. Companies that incorporate a comprehensive, independent and objective testing or audit function into their sanctions compliance program can understand how their programs are performing and what needs to be updated, enhanced or recalibrated in response to changes in the risk assessment or sanctions environment.
Depending on its size and maturity, a company can decide whether to conduct an internal or external audit of its sanctions compliance program. Some of the items that testing and auditing procedures check in a cryptocurrency company’s sanctions compliance program include:
- Sanctions List Screening – Ensure that screening of SDN lists and other sanctions lists works effectively and flag transactions appropriately for further review
- Keyword filtering – Ensure that the screening tool appropriately flags keywords related to KYC-related screening or other screening
- IP Blocking – Ensure that IP address software properly blocks users from accessing its products and services from sanctioned jurisdictions
- Investigation and Reporting – Review procedures for investigating transactions identified as potentially sanctioned during the screening process (e.g., transactions involving sanctioned persons or related to sanctioned jurisdictions), and procedures for reporting blocked property or denied transactions to the OFAC
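The screening, address-monitoring, keyword-filter and IP-blocking controls described in (b), (d) and (e) above, together with the self-checks the testing and auditing step would run against them, as an added example; this is illustrative code written for this article, not OFAC's or any vendor's tool, and every list entry, address, IP range and threshold in it is a constructed placeholder.

```python
"""Added example, not from the article or OFAC: a minimal sanctions screener plus
the self-checks a testing/auditing step would run. All list data is constructed."""
import difflib
import ipaddress
import re
import unicodedata

# Constructed SDN-style entries: a name plus digital currency addresses, mirroring
# the "ID#" address identifiers on real SDN records. Placeholder values only.
SDN_ENTRIES = [
    {"name": "Krayinvestbank", "addresses": ["0xCONSTRUCTED_SANCTIONED_ADDR_1"]},
    {"name": "Example Sanctioned Person", "addresses": ["bc1CONSTRUCTED_SANCTIONED_ADDR_2"]},
]
# Constructed stand-in for a geolocation provider's output: a documentation range.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Keyword list of cities/regions in sanctioned jurisdictions, with variant spellings.
JURISDICTION_KEYWORDS = {"crimea", "krimea", "yalta", "sevastopol"}

def normalize(name):
    """Fold case, strip accents, drop spaces/punctuation: 'Kray Invest Bank' == 'KRAYINVESTBANK'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())

def similarity(a, b):
    """Edit-distance style ratio in [0, 1]; catches misspellings such as 'Krajinvestbank'."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def screen(customer_name, wallet_address, ip, kyc_text, threshold=0.85):
    """Return a list of (flag, detail) tuples for one customer/transaction; [] means no hit."""
    flags = []
    norm = normalize(customer_name)
    for entry in SDN_ENTRIES:
        score = similarity(norm, normalize(entry["name"]))
        if score >= threshold:
            flags.append(("name_match", f"{entry['name']} ({score:.2f})"))
        if wallet_address.lower() in {a.lower() for a in entry["addresses"]}:  # hex has no canonical case
            flags.append(("sdn_address", entry["name"]))
    try:
        if any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETWORKS):
            flags.append(("blocked_ip", ip))
    except ValueError:
        flags.append(("invalid_ip", ip))  # an unparseable IP is itself worth a review
    words = set(re.findall(r"[a-z]+", kyc_text.lower()))
    for kw in sorted(JURISDICTION_KEYWORDS & words):
        flags.append(("jurisdiction_keyword", kw))
    return flags

def audit_checks():
    """The testing/auditing items as automated checks; each must be True before the tool is trusted."""
    clean = "198.51.100.7"  # documentation address outside BLOCKED_NETWORKS
    hit = lambda kind, *args: any(f[0] == kind for f in screen(*args))
    return {
        "list_screening": hit("name_match", "Krajinvestbank", "0x0", clean, ""),
        "fuzzy_spacing": hit("name_match", "Kray Invest Bank", "0x0", clean, ""),
        "address_screening": hit("sdn_address", "Bob", "0xconstructed_sanctioned_addr_1", clean, ""),
        "keyword_filter": hit("jurisdiction_keyword", "Bob", "0x0", clean, "Yalta, Krimea"),
        "ip_blocking": hit("blocked_ip", "Bob", "0x0", "203.0.113.9", ""),
        "no_false_positive": screen("Alice Example", "0x0", clean, "Berlin") == [],
    }
```

A real deployment would load the SDN list and geolocation ranges from their published sources and re-run `audit_checks()` on every list update, which is the continuous re-screening the guidance calls for.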
E. Compliance Training
Finally, project companies should develop sanctions compliance training programs for their employees. The scope of the training will depend on the size, complexity and risk profile of the company; OFAC training should be provided to all appropriate employees, including compliance, management and customer service personnel, and should be conducted regularly, at least once a year. A well-established OFAC training program provides job-specific knowledge as needed, communicates the company’s sanctions compliance approach to each employee, and verifies that employees meet the training requirements through an evaluation system. In addition, OFAC training should be continually updated and adjusted to the changing and emerging technologies of the cryptocurrency industry.
In the context of the expanding crypto market, growing compliance requirements have become a topic that entrepreneurs in the crypto field cannot ignore. At the same time, many companies traditionally focused on smart contract security audits, such as CertiK, have begun to offer compliance audit services. In the foreseeable future, both exchanges and DeFi companies will generate substantial demand in the compliance market.
“Code is law.” Although this phrase is widely circulated in the crypto community, as Dr. Craig Wright has repeatedly emphasized, “code is not law, and governments will not tolerate people trying to circumvent their laws for long”.
References
CRYPTO LAW EXPERTS DEBATE WEB3 REGULATION: Compliance or Decentralization?
After the US government sanctioned Tornado Cash, how can we better respond to the threat of censorship?
Long article: Virtual currency regulation and friction attacked by the history of cryptocurrency regulation in the United States
From a U.S. regulatory perspective, why Tornado Cash ushered in sanctions and subsequent speculation
Full text of US Treasury Secretary Yellen’s speech: Take the status of the US dollar as the core to view the regulation of digital assets
TRM Labs: How DeFi platforms are responding to Tornado Cash sanctions
Full Interpretation: The Impact of the U.S. Treasury Department’s sanctions on Tornado Cash
OFAC announced industry impact interpretation and risk compliance plan for sanctioning Tornado Cash
The Tornado sanctions will be a watershed moment for DeFi regulation
Tornado Cash was sanctioned and CertiK KYC joined the privacy war
TRM Labs: The “detective company” that helped DeFi projects champion sanctions
Is it reasonable and compliant to interpret the OFAC sanctions against Tornado Cash from a legal perspective?
Senior crypto lawyer: New regulatory challenges coming after Tornado Cash sanctions? Cryptocurrency Regulations Around The World
Appendix A to Part 501 – Economic Sanctions
A preliminary understanding of the overall framework and existing regulatory situation in the United States – Leo
Jun Legal Comment | Talking about global stablecoin supervision
US Cryptocurrency Regulation: Policies, Regimes & More
How DeFi platforms are using data from TRM Labs to respond to Tornado Cash sanctions
Industry Impact Interpretation and Risk Compliance Plan – OFAC Announces Sanctions Against Tornado Cash
U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash
Sanctions Compliance Guidance for the Virtual Currency Industry
A Framework for OFAC Compliance Commitments
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/ten-thousand-words-on-crypto-compliance-the-post-tornado-cash-sanctions-era/