BitGo, a cryptocurrency company based in California, was accused by OFAC of potential civil liability for 183 apparent violations of multiple sanctions program. According to OFAC, between 2015 and 2019, BitGo processed 183 digital currency transactions valued at approximately $9000 on behalf of individuals whose IP addresses revealed that they were located in sanctioned jurisdictions. These transactions were related to BitGo’s ‘hot wallet’ secure digital wallet management services signed by individuals located in Crimea, Cuban, Iran, Sudan and Syria. Using this service, they were able to access BitGo’s online platform and conduct digital currency transactions.
BitGo’s was aware of these users’ locations and tracked users’ IP addresses for security purposes related to account logins. However, they failed to use the IP address information for sanction compliance purposes. Users in these sanctioned jurisdictions could still open digital currency wallets on BitGo’s platform and engage in digital currency transactions despite BitGo’s ability to identify these users’ location. OFAC, therefore, concluded that BitGo failed to implement controls to prevent such users from accessing its services. Furthermore, OFAC determined that BitGo did not voluntarily self-disclose these apparent violations. These violations constitute a non-egregious case.
This sanction by OFAC reiterates the fact that OFAC sanctions compliance obligations apply to all US persons, including those involved in digital currency services. Therefore, companies which provide digital currency services are required to implement sanctions compliance controls which are commensurate with their risk assessment and risk appetite.
You can read the enforcement release here.