For the first time, OFAC publicly attributed two digital currency addresses to the designated individuals. Learn how to properly assess risk with bitcoin and other cryptocurrency accounts and stay compliant with AML and KYC regulations.
2. Copyright 2018 IdentityMind
Panelist Introductions
David Murray, VP of Products and Services at FIN
Neal Reiter, Director of Product, Virtual Currencies, IdentityMind
Jose Caldera, Chief of Product and Marketing, IdentityMind
Agenda
● Background
● Regulations and cryptocurrencies
● OFAC and cryptocurrencies
● Impact
○ Banks
○ Financial Institutions
○ Auditors + examiners
● Use-Cases
○ Direct Transactions
○ Indirect Transactions
○ Digital Identities
OFAC and Sanctioned Addresses
● On November 28, OFAC designated two Iran-based individuals who helped exchange ransom
payments from bitcoin into Iranian rial.
○ Ali Khorashadizadeh and Mohammad Ghorbaniyan used two digital currency addresses to process over 7,000
transactions and interacted with over 40 exchangers—including some U.S.-based exchangers—and to send
approximately 6,000 bitcoin worth millions of U.S. dollars, some of which involved bitcoin derived from SamSam
ransomware.
○ The SamSam scheme has over 200 known victims; it has targeted corporations, hospitals, universities, and government
agencies, demanding ransom in exchange for restored administrator access to networks.
● For the first time, OFAC publicly attributed two digital currency addresses to the designated
individuals.
○ Traditional identifiers associated with OFAC listings have included, e.g., street addresses, email addresses, DOB
○ Treasury: “We are publishing digital currency addresses to identify illicit actors operating in the digital currency space.
Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses
in cyber and AML/CFT safeguards to further their nefarious objectives.”
Iran Sanctions Background
● U.S. primary sanctions on Iran are comprehensive, with few exceptions. This means that almost all
dealings by U.S. persons involving Iran are prohibited.
○ These restrictions also cover non-U.S. entities owned or controlled by U.S. persons such as foreign subsidiaries of American
companies.
● Using secondary sanctions, the United States threatens non-U.S. persons with penalties if they engage in
certain Iran-related dealings—even if those dealings do not touch the United States or U.S. persons.
Iran-related dealings targeted by secondary sanctions fall into two general categories:
○ Dealings with certain persons: Most Iranian persons on the SDN List as well as persons on the SDN List for Iran-related
reasons.
○ Dealings in certain activities: Iranian energy (crude oil as well as petroleum products and petrochemicals); rial transactions;
issuance of Iranian sovereign debt; and gold and precious metals.
Challenges for Financial Institutions
● It can be difficult for financial organizations to differentiate between businesses in the cryptocurrency
ecosystem and to understand the specific risks posed by each.
○ Business types in the ecosystem include, among others, exchangers,
ATMs, wallet providers, and payment processors. Not all of these
businesses are MSBs, and not all MSBs have identical risk profiles.
○ It is critical for financial organizations to identify customers who may be
exposed to tumblers, mixers, dynamic exchanges, or cryptocurrencies
designed to shield the identities of users (e.g., Monero, Zcash, Dash).
Challenges for Banks
● Financial institutions banking cryptocurrency exchangers need to follow core customer due diligence (CDD)
measures.
○ However, enhanced due diligence (EDD) measures for correspondent banking
relationships should also be applied to cryptocurrency exchangers because these
exchangers present intermediated risks similar to those associated with
correspondent banking.
● Independent audit of the exchanger’s AML/CFT and sanctions compliance functions will be necessary.
● Banking such exchangers may require a hands-on approach by the financial institution (e.g., seconding
personnel in the exchange to better understand risks and mitigation measures).
● Note that banks may be exposed to virtual currency risks through customers who participate in peer-to-peer
services such as Paxful which match buyers and sellers to facilitate exchange. Those who are selling bitcoin
through Paxful are effectively operating as unlicensed MSBs.
What this Means for Auditors and Examiners
● Are the AML controls reasonably designed to prevent the exchanger from being used to facilitate
money laundering and terrorist financing?
● Is the filtering program reasonably designed for the purpose of interdicting transactions that are
prohibited by OFAC?
● Have the board and senior management taken ownership of the financial crimes compliance program?
● Has the exchanger established a strong culture of compliance?
● Is the financial crimes compliance function adequately resourced, with a prominent role in the institution?
Use Case #1 – Direct Transactions
● Use Case #1 - Direct Transactions
○ A client receives bitcoin directly from a sanctioned address
○ A client sends bitcoin directly from a sanctioned address
Use Case #2 – Indirect Transactions
● Use Case #2 - Indirect Transactions
○ A client receives bitcoin from an address that received that bitcoin from
a sanctioned address
○ A client sends bitcoin to a non-sanctioned address that sends it to a
sanctioned address
Use Case #3 – Digital Identities
● Use Case #3 - Digital Identity
○ A client sends bitcoin to a sanctioned address via their wallet, then tries
to onboard at your exchange
○ A client receives bitcoin from a sanctioned address via their account at a
virtual currency exchange, then tries to onboard at your bank