Virtual-currency companies now have a set of Treasury Department guidelines on how to ensure they comply with U.S. sanctions, the latest salvo in an effort by the Biden administration to combat ransomware and other nefarious uses of cryptocurrencies.
“This is the beginning of a concerted effort, a shock-and-awe campaign around ransomware,” said
Ari Redbord,
a former senior Treasury adviser who now works as head of legal and government affairs at TRM Labs Inc., a company that helps organizations investigate cryptocurrency-related fraud.
The guidance and the designation of SUEX represent relatively recent steps by the Treasury’s sanctions unit into the cryptocurrency space. Another Treasury unit, the Financial Crimes Enforcement Network, has for a decade sought to clarify to cryptocurrency companies their obligations under U.S. anti-money-laundering laws, beginning with changes to rules related to money services businesses in 2011.
In creating guidance for cryptocurrency companies, the Treasury’s Office of Foreign Assets Control, or OFAC, has taken sanctions-compliance principles and practices that have long been the standard in other areas of business and tailored them to the virtual-currency sector, Mr. Redbord said.
The guidance applies to virtual-currency exchangers, administrators, miners, wallet providers and other financial institutions with ties to the industry. It contains a mix of principles that apply across industries and to more traditional currencies and specific tips for virtual-currency companies.
The guidance is helpful for the industry given the continual emergence of new companies and service providers, said Nirvana Patel, chief compliance officer of Prime Trust LLC, which makes tech tools for fintech companies including cryptocurrency exchanges.
“For some of the larger players in the space, this wasn’t really much of a blip on their radar,” Mr. Patel said. “It’s useful for new participants or even other players who are looking to get involved.”
The guidance highlights the importance of:
• Geolocation tools to identify and block IP addresses originating from sanctioned countries
• Transaction monitoring to identify and investigate virtual-currency transactions involving sanctioned entities and individuals
• Conducting periodic “look-backs” over transactions if the Treasury’s sanctions unit blacklists a new virtual-currency address
The guidance also clarifies how prohibited virtual-currency transactions are blocked. If a U.S. resident, citizen or company determines that they hold a virtual currency that OFAC requires to be blocked, they must deny all other individuals access to the currency and report the currency to the government within 10 business days, OFAC said.
The guidance was released alongside a report by Treasury’s FinCEN that identified recent ransomware trends in anti-money-laundering law data. Financial institutions are required to report suspicious transactions to FinCEN under the law, the Bank Secrecy Act.
Nearly $600 million in transactions linked to possible ransomware payments were reported by U.S. banks in the first six months of this year, with the total volume of suspected ransomware payments on pace to nearly double since last year, FinCEN said.
The report identified a number of money-laundering typologies associated with ransomware attacks. Those include individuals or organizations requesting payments in anonymity-enhanced cryptocurrencies; the repeated conversion of funds from one virtual currency to another, known as “chain-hopping”; and the use of mixing services and decentralized exchanges. A virtual currency “mixer” charges customers a fee to send cryptocurrencies to a designated address in a manner designed to conceal the source or owner of the currency.
Centralized exchanges remain the preferred cash-out point where cryptocurrency is converted to a traditional currency, FinCEN said.
“Having this information about [suspicious activity reports] that have been filed, distilling that information, and re-presenting it to those institutions that may have filed those—that is invaluable,” Mr. Patel said. “We need more of this direct feedback.”
Write to Dylan Tokar at dylan.tokar@wsj.com
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8