The Office of Foreign Assets Control of the US Department of the Treasury has entered into a settlement with BitPay, Inc., a digital currency payment processing company based in Atlanta, Georgia. BitPay will pay $507,375 to settle its potential civil liability for 2,102 apparent violations of sanctions programs targeting Crimea, Cuba, Iran, Sudan, Syria and North Korea.
BitPay functions as a payment processing service for merchants, receiving payments on behalf of the merchants in the form of digital currency, and converting the digital coin into fiat currency with which to pay the merchants. According to OFAC, between June 2013 and September 2018, BitPay processed 2,102 transactions worth approximately $129,000 for persons who were located in sanctioned countries or regions based on the individuals’ IP addresses and information available in invoices.
BitPay’s sanctions compliance program involved screening the merchants (who were BitPay’s direct customers) against OFAC’s List of Specially Designated Nationals and Blocked Persons, and conducting due diligence to ensure that the merchants were not located in sanctioned jurisdictions. However, as detailed in the enforcement release, BitPay did not screen the location data of the merchants’ customers who transferred their digital currency payments through BitPay.
OFAC found BitPay’s conduct to have resulted in apparent violations of Executive Order 13685, the Cuban Assets Control Regulations, The North Korea Sanctions Regulations, the Iranian Transactions and Sanctions Regulations, the Sudanese Sanctions Regulations, and the Syrian Sanctions Regulations. BitPay did not voluntarily self-disclose the apparent violations. OFAC viewed as aggravating factors BitPay’s failure to exercise due caution or care for its sanctions compliance obligations, and the company’s having conveyed over $128,000 in economic benefit to persons in sanctioned jurisdictions. At the same time, OFAC viewed as mitigating factors BitPay’s implementation of its sanctions compliance program in 2013 and 2014, including training for employees; the company’s violation-free record for the five years preceding these apparent violations; the company’s cooperation with OFAC’s investigation, and; BitPay’s representation that it had terminated the conduct in question, and taken additional measures such as blocking IP addresses that appear to originate in sanctioned jurisdictions, checking the street addresses and email addresses of merchants’ customers, and initiating a new mandatory customer identification tool for transactions larger than $3,000.