There is a misconception about crypto and sanctions, mainly the thought that “it’s a wild west and bad actors can evade sanctions through the use of crypto.” Quite the contrary is true; sanctions authorities in many jurisdictions have ensured that relevant legal and regulatory requirements apply comprehensively to crypto assets. Sanctions equip authorities with the necessary enforcement powers to act against breaches of sanctions that may involve crypto assets.
Recent enforcement actions against crypto companies for breaching sanctions also helped bring this to light. Russian sanctions and the U.S. Treasury’s Office of Foreign Assets Control (OFAC) designations have shown that the crypto industry needs to rethink how they approach sanctions compliance. In 2022 alone, Blender.io, Tornado Cash, Hydra, Garantex, and many others helped criminals carry out ransomware attacks, scams, and money laundering through their services. Chainalysis reported that 44% of 2022’s illicit transaction volume came from activity associated with sanctioned entities–in a year when OFAC launched some of its most ambitious and difficult-to-enforce crypto sanctions yet.
So far, the topic of sanctions compliance has been primarily centered around crypto exchange users. Shall we cut ties with all Russian customers? Are Iranian nationals using our exchange? But, when facilitating transactions on behalf of their customers, another element needs to be considered: who are the counterparties receiving the funds? If virtual asset service providers (VASPs) do not comply with the Financial Action Task Force’s Travel Rule as it continues to be enforced across the globe in different jurisdictions, they are not screening counterparty customers for sanctions, leaving VASPs in the dark about whether they facilitate transactions with sanctioned individuals.
The Rise of Sanctions affecting the Crypto Industry
In April 2022, OFAC sanctioned the crypto exchange Garantex, which accounted for the majority of sanctions-related transaction volume last year. As a Russia-based business, the exchange has been able to operate with impunity. In August 2022, Tornado Cash, an Ethereum-based mixer, was blacklisted by the OFAC. The reason: The Lazarus hacker group linked to North Korea used the mixer to transfer funds. Although Tornado Cash was not the first mixer sanctioned last year, it provoked outrage in the crypto community because Tornado Cash is a noncustodial, open-source tool–a sign of things to come: protocol-level sanction action.
More recently, in January 2023, the United States Department of the Treasury Financial Crimes Enforcement Network (FinCEN) labeled crypto exchange Bizlatzo as a “primary money-laundering concern,” for failing to “effectively implement policies and procedures designed to combat money laundering and illicit finance” pursuant to section 9714(a) of the Combating Russian Money Laundering Act — passed as part of the 2020 National Defense Authorization Act. Five days later, The U.S. Justice Department charged Bitzlato with money laundering, and authorities in France, Spain, Portugal, and Cyprus reportedly seized control of crypto wallets containing more than $19 million in cryptocurrency as part of enforcement actions against crypto firm Bitzlato.
These examples present an obvious obstacle: VASPs can unknowingly facilitate transactions with sanctioned counterparties. Transactions associated with Garantex, Bizlatzo, or any other sanctioned crypto service represent substantial compliance risk for businesses subject to U.S. jurisdictional regulation and consequences, including fines and potential criminal charges.
VASPs must have the ability to determine if their clients are sending transactions to sanctioned entities, wallets, or jurisdictions by implementing Travel Rule compliance for transaction-level counterparty and sanction insight.
The missing piece of the puzzle: Travel Rule Compliance
Historically, VASPs have solely focused on performing sanction checks on their customers during the onboarding process. VASPs currently leverage blockchain analytics companies to screen and identify sanctioned wallet addresses. Further, VASPs use various geofencing companies and methods to uncover if any customers are in sanctioned jurisdictions through methods like device fingerprinting, IP and GPS location, etc. However, sanctions compliance should also include screening for counterparty crypto wallet addresses and the beneficiary VASP’s customers–which would enable the VASP to reject transactions from another VASP that may have a potentially sanctioned customer or wallet address– before it comes to your VASP. Major financial regulators worldwide are now addressing this blind spot to manage pre-transaction counterparty sanctions risk.
Regulators are turning their attention to counterparty sanction screening compliance, as noted by the recent developments in the European Union's Transfer of Funds Regulation (TFR). In April, the EU will vote to confirm its crypto-focused legislation, the Markets in Crypto-Assets (MiCA), and the TFR. VASPs registered in all 27 EU member states will have to comply with the Travel Rule once rectified.
The draft text of the TFR requires EU VASPs to have policies and controls in place to screen both their customers and counterparty customers for financial sanctions. This includes screening against national and EU lists of designated persons. The EBA will provide guidelines for these policies and controls.
What does the Travel Rule require VASPs to do?
Created by the United States’ FinCEN for fiat in 1996 and extended to crypto transactions by the Financial Action Task Force in 2019, the crypto Travel Rule requires VASPs and financial institutions to disclose specific customer data when transacting crypto assets. Additionally, the financial institutions must collect information about the counterparty customer, screen the counterparty customer against sanctions lists, and perform due diligence on the counterparty institution.
A missing piece of the puzzle, which has yet to make the headlines with eye-opening enforcement actions, is counterparty identification. With the exception of those implementing effective Travel Rule programs (and this number is exponentially increasing, especially this year), crypto companies can unknowingly facilitate transactions to sanctioned parties. Travel Rule compliance is a crucial element missing from VASP’s sanctions compliance frameworks.
An effective sanctions compliance program cannot focus only on customer sanction screening. It also needs to consider the specificities of crypto transactions, including the fact that blacklisting a blockchain address does not automatically mean freezing its money. A sanctioned individual can continue to create and operate through brand new addresses that OFAC cannot immediately tie to their identity. We will have to see the steps OFAC will take around peer-to-peer transactions in the future. Until then, crypto companies must leverage Travel Rule compliance solutions to solve counterparty risk.
Even during times of economic downturn VASPs are poised to spend more on compliance this year. In its recent Targeted Update on Implementation of Standards, the FATF reports that 29 jurisdictions have crypto Travel Rule legislation in place. In order to close the gap and mitigate risks from jurisdictional arbitrage, regulators are pushing out another wave of enforcement dates in 2023; Hong Kong will enforce the Travel Rule on June 1st, 2023, and the United Kingdom will follow suit on September 1st.
To protect themselves from potential legal and financial risks from noncompliance as the Travel Rule is rolled out to solve these problems, VASPs must integrate software that enables their compliance team to:
- Identify suspicious and/or regulated transactions
- Identify and verify the beneficiary customer and institution
- Verify wallet ownership / collect information about the Beneficiary (depending on local requirements)
- Screen the counterparty customer for sanctions
- Verify the counterparty company’s AML/CTF standards
- Apply relevant jurisdictional regulations
- Block transactions to sanctioned individuals
- Securely transmit customer identifying data (during a Travel Rule transaction routed to another VASP).
What can Notabene customers do today to block transactions with sanctioned parties?
Notabene customers can identify sanctioned counterparties and block ensuing transactions effectively by using the features noted in the image below.
To identify counterparty VASPs, perform VASP due diligence, identify counterparty customers, monitor wallet risk scores, and sanction screen at scale, customers can set risk-based rules in our Rule Engine to restrict incoming or outgoing Travel Rule data transfers with VASPs that do not meet their diligence criteria.
By defining these risk-based rules in our Rule Engine to prevent incoming or outgoing Travel Rule data transfers with VASPs that don't fulfill their diligence standards, Compliance Officers can effectively mitigate AML-related counterparty risk by tying this mechanism into the transaction flow.
Our Rule Engine allows you to set comprehensive controls to effectively perform AML-related counterparty risk mitigation. Click here to learn more.
The time to comply is now
In conclusion, counterparty sanctions screening compliance is a critical aspect of sanctions compliance and must be taken seriously. The recent enforcement actions against VASPs for breaching sanctions have highlighted the importance of a robust compliance framework.
It’s time for the crypto industry to recognize its impact on the world order. Suppose the sector’s scale and maturity allow it to be a de facto competitor to the traditional financial system. In that case, crypto could be instrumentalized as a means to evade sanctions, which would massively affect how the world runs its business. Only an effective sanctions compliance program that includes counterparty sanction screening through Travel Rule compliance can mitigate this looming risk. The time to prioritize Travel Rule compliance is now.
This article was first published on Law360.