From last week’s blog, it became clear that using sophisticated screening software that utilizes fuzzy logic is now a necessity to be compliant. Please see: https://thesanctionsgeek.com/is-fuzzy-logic-now-clear/
Two recent OFAC enforcement actions underscore the importance of screening the IP address of a customer to ensure an embargoed country is not at issue. If such a country is implicated, a simple block with a notice, such as “We regret we are unable to provide service for your jurisdiction”, is all that is needed. This was a capability I witnessed while working at HP, Inc. back in 2015 through 2017, but, it turns out, not every company is sophisticated enough to think of this when providing online services/tech support.
The two recent cases are the BitGo and BitPay cases from December 2020 and February 2021 respectively. I will review each case below for conclusions on best practices on IP address screening.
I. The BitGo IP Address Screening Failure
Please see this URL for additional information on this case: https://home.treasury.gov/system/files/126/20201230_bitgo.pdf
BitGo, Inc. (“BitGo”) is a technology company based in Palo Alto, California that implements security and scalability platforms for digital assets and offers non-custodial secure digital wallet management services. BitGo agreed in December 2020 to remit $98,830 to settle its potential civil liability for 183 apparent violations of multiple sanctions programs.
As a result of deficiencies related to BitGo’s sanctions compliance procedures, BitGo failed to prevent persons apparently located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria from using its non-custodial secure digital wallet management service. All of these countries are under comprehensive U.S. embargo.
Between approximately March 10, 2015 and December 11, 2019, BitGo processed 183 digital currency transactions, totaling $9,127.79, on behalf of individuals who, based on their IP addresses, were located in these sanctioned jurisdictions.
BitGo had reason to know that these users were located in sanctioned jurisdictions based on Internet Protocol (IP) address data associated with devices used to log in to the BitGo platform. BitGo’s reason to know was based on BitGo’s practice of tracking its users’ IP addresses for security purposes related to account logins. BitGo, however, did not use this IP address information for sanctions compliance purposes.
At the time of the transactions, however, BitGo failed to implement controls designed to prevent such users from accessing its services. OFAC determined that BitGo did not voluntarily self-disclose the violations and that the violations constituted a non-egregious case.
II. The BitPay IP Address Screening Failure
Please see this URL for additional information on this case: https://home.treasury.gov/system/files/126/20210218_bp.pdf
BitPay, Inc. (“BitPay”) is a private company based in Atlanta, Georgia that offers a payment processing solution for merchants to accept digital currency as payment for goods and services. BitPay agreed to remit $507,375 to settle its potential civil liability for 2,102 apparent violations of multiple sanctions programs.
BitPay allowed persons who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform. This happened even though BitPay had location information, including IP addresses and other location data, about those persons prior to consummating the transactions.
BitPay’s sanctions compliance program deficiencies enabled persons in these sanctioned jurisdictions to engage in approximately $129,000 worth of digital currency-related transactions with BitPay’s merchant customers. The settlement amount reflects OFAC’s determination that BitPay’s apparent violations were not voluntarily self-disclosed and were non-egregious.
III. Conclusion on IP Address Screening
If a business offers a service online (be it digital currency services, tech support services or other services), it will be necessary to screen the IP addresses of customers prior to providing services. If such customers are from one of the comprehensively embargoed countries (currently, the Crimea region, Cuba, Iran, North Korea and Syria), it will be necessary to impose a transaction block.
The Crimea region of the Ukraine presents a bit of a challenge as one does not want to block all business with the Ukraine. The way we overcame this issue at HP, Inc. is we requested from the U.S. Postal Service all zip codes associated with the Crimea region. Hence, the initial IP address for the Ukraine was flagged, and then, the decision on whether to impose a transaction block was then subject to a secondary flag based on the zip code. If the code was within the Crimea, the transaction block message would be sent and the IP address would be blocked accordingly.
While the BitGo and BitPay penalties may seem relatively low, their cases have been made public, and it is likely that other U.S. person intermediaries (banks in particular) will impose additional due diligence vetting on both of these companies. That, in turn, can cause cash flow delays and outright disruptions. It is therefore well worth undertaking the proper compliance these cases illustrate.