TRM Talks: Implementing a Sanctions Compliance Program for Digital Assets

Just over a year ago, OFAC issued its first guidance paper on implementing sanctions for the virtual asset industry. In the year that has followed, we have seen several high profile enforcement actions against crypto-firms and protocols which have led to many asking– how do we get sanctions compliance for crypto right?

In our latest TRM Talks, we were joined by industry experts to discuss where OFAC currently stands with their expectations for the industry, and how exactly firms should be operationalizing sanctions.

OFAC and crypto sanctions

A year on from OFAC’s virtual asset guidance, the message being conveyed by OFAC is a clear reminder that crypto firms have the same obligations as any other regulated entity to implement US sanctions. To do so, they should learn from best practices from across the industry and be thinking about sanctions compliance from the earliest phases of the product design process.

For OFAC, a particular area where crypto firms can meet and exceed the expectations of supervisors is by ensuring that they not only know who their customers are, but where. For this, geo-locating customers and transactions is key. As the guidance states, getting this right requires at a minimum the use of domain name and IP address data to better hone in on where entities are, combined with the use of blockchain intelligence to understand what sanction evasion typologies might look like.  

What else can the industry do to improve sanctions compliance?

Taking this further, our panelists gave a range of views on what more the industry can do to improve compliance with sanctions.

The first was recognising where the industry is in terms of maturity of sanctions compliance. It’s important for firms to first prioritize the basics– having effective screening in place coupled with strong internal governance and training on sanctions. As firms pick up the pace and become more mature in their compliance capabilities, it is then that they should start internal testing and audits and consider some of the latest technology to complement these basic compliance building blocks.

Of course, sanctions compliance is going to look differently across firms in the crypto ecosystem. At traditional financial institutions, where the institution is the custodian of client funds, there will be a greater emphasis on risk rating clients and performing source of wealth checks. For cryptocurrency exchanges, defining a risk appetite that acknowledges the inevitably of sanctions risk exposure, but with clear controls on how many ‘hops away’ that activity can be, is going to be the priority.

For the complex cases that are unique to the crypto world and don’t sit comfortably in the sanction status quo, such as the sanctions placed on Tornado Cash, it was recommended that all firms document everything they do in relation to that entity - especially if firms think something has sanctions exposure but is not a violation.

For example, when deciding how to treat wallets that were victims of dusting attacks, it is crucial for a crypto firm to document their risk appetite, the data used to establish the attack and the final decision taken. In a situation like this, using blockchain intelligence to display these points is critical.

A Deep Dive into Geolocation

Geolocating transactions and entities was the big theme of this TRM Talks episode. In addition to the initial comments made by OFAC, our panel dove into what crypto firms should be thinking about when dealing with comprehensively sanctioned jurisdictions. The panel gave several best practices on how to geo-locate clients, including making sure that firms are not relying too heavily on ‘spoofable’ data points such as IP addresses. These should be enhanced with other data points like GPS and cellular data, in order to provide firms with the confidence needed to be sure of where an entity is. One key takeaway from the panel was to use ‘geofencing’ of comprehensively sanctioned countries such as North Korea and Iran in order to significantly reduce the firm’s chance of interacting with said country through the usage of the firm’s services.

What’s next?

As the sanctions and crypto spaces continue to evolve at equally fast paces, what can we expect from the year ahead? It is clear that across the industry that the creation of geolocation best practices will become essential– this will be especially important for complying with the US sanctions regime on Russia.

Equally important will be strengthening collaboration between the government and the private sector to overcome challenges in implementing sanctions as both crypto products and sanctions develop. Here, firms should look out for new guidance on Tornado Cash which will explore some of the challenges posed by this case, and continued updates to the OFAC Frequently Asked Questions.

Finally, to get ahead of future enforcement actions, firms should look to the past and understand what went wrong from past events so that they can build robust controls for the future.  

Want more content like this?

• Follow us on social: LinkedIn | Twitter‍
• Subscribe to our newsletter
• Subscribe to our YouTube channel
• Sign up for future virtual events

‍About TRM Labs

TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage crypto-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.

Learn how TRM Labs is helping crypto businesses of all shapes and sizes manage their risk exposure to the rapidly evolving sanctions landscape, learn more about our free sanctions screening tool and request your API today.