red 
The Financial Crimes Enforcement Network (FinCEN) has issued guidance, warning against Iran’s use of cryptocurrencies to evade sanctions, and reminding cryptocurrency exchanges of their compliance obligations. Elliptic’s head of community and former US Treasury sanctions expert David Carlisle discusses these requirements and how cryptocurrency exchanges can take steps to address them.
There has been a lot of news recently indicating that fraudulent actors are seeking to exploit cryptocurrencies to avoid international sanctions.
Whether its North Korea engaging in cryptocurrency-enabled cybercrime, Venezuela launching the “petro” or Russia expressing its intention to launch a “cryptoruble” – there is no doubt that sanctioned countries are interested in both near and far. long term the prospect that cryptocurrencies could help them circumvent financial and economic constraints.
The exact extent of evasion of cryptocurrency-related sanctions is unclear. A recent Bithumb hack attributed to North Korea involved the theft of as much as $30 million worth of cryptocurrency alone. Regardless of the exact numbers, certain features of the technology are undoubtedly attractive to sanctioned countries, entities and individuals. The decentralized, borderless and censorship-resistant nature of cryptocurrencies allows a sanctioned actor to access cryptocurrencies from anywhere in the world without having to worry about going through a major banking system.
Compliance with sanctions remains a significant challenge for exchanges and other service providers in the cryptocurrency industry, as well as for banks and other financial institutions that may even have only indirect exposure to cryptocurrency users. While financial institutions can check their customers against sanctions lists maintained by the US, EU, UK and other jurisdictions, ensuring that cryptocurrency transactions comply with sanctions is far more difficult.
For example, when a bank sends fiat currency via wire transfer from one of its customers to someone at another bank, it will generally know the identity of the recipient’s bank, where that bank is located, and the names of the related parties involved in the transaction.
But when cryptocurrencies are sent from one pseudonymous or anonymous cryptocurrency address to another, it’s not immediately clear where those parties are or who might be behind those addresses. While certain transaction details are available and traceable on many public blockchains, the names and locations of the entities behind those cryptocurrency transactions are not readily available. This creates a risk that a financial institution could process a cryptocurrency transaction that violates sanctions without even knowing it.
FinCEN’s Advisory on Iranian Financial Activities
Fortunately, on Friday, the US Treasury’s Financial Crimes Enforcement Network (FinCEN) issued timely guidance on illicit Iranian financial activity that provides some clarity on regulatory expectations in this challenging environment.
FinCEN’s advisory — which discusses a wide range of Iran’s sanctions evasion techniques beyond those involving cryptocurrencies — suggests that since 2013, Iran has engaged in $3.8 million worth of bitcoin transactions annually. While this would represent only a small amount of Iran’s overall sanctions evasion activity, it suggests that Iran is integrating new payment technologies into its sanctions evasion techniques, a trend that is likely to only accelerate.
But even more important than FinCEN’s confirmation that Iran is using cryptocurrencies is what FinCEN suggests private sector companies should do to ensure they don’t enable this behavior.
According to FinCEN, “institutions should consider auditing blockchain ledgers for activities that may originate or end in Iran.”
Elliptic’s AML software is designed to do just that. By tagging otherwise pseudonymous cryptocurrency addresses with real-world identities, Elliptic’s software enables a financial institution to determine whether a user’s transactions involve interactions with known cryptocurrency exchanges located in Iran or other sanctioned countries.
FinCEN notes an additional challenge when it comes to monitoring cryptocurrency-denominated activity, noting that “new virtual currency companies could incorporate or operate in Iran with little notice or footprint.”
For example, a cryptocurrency exchange company located outside of Iran may still provide services to customers located in Iran. Alternatively, an exchange firm operating in Iran could use virtual private networks (VPNs) or other obfuscation techniques to disguise its presence there. Individuals or entities located in Iran may also use VPNs to access exchange services in Europe, the US, Asia or elsewhere to disguise their location.
Moreover, individuals or businesses acting as peer-to-peer (P2P) cryptocurrency exchanges can broker transactions on behalf of others by advertising their services on sites such as LocalBitcoins. Although there are legitimate P2P exchangers operating on these sites, some are known to operate without licenses and even launder money on behalf of criminals.
Iranian rial trading has surged on sites like LocalBitcoins in recent months as the value of the rial has plummeted and Iranians are looking to alternative payment methods like bitcoin to store value and transfer funds across the border. P2P cryptocurrency markets could also become attractive if, as reported, the Iranian government succeeds in cracking down on domestic cryptocurrency exchanges to prevent capital flight. A financial institution would face significant regulatory risk if it processed transactions on behalf of a P2P exchanger located in Iran or another sanctioned country or that facilitates cryptocurrency trading for counterparties in sanctioned countries.
Such behaviors present additional challenges to monitoring transactions as they are more difficult to identify than simple transactions involving a large cryptocurrency exchange openly operating in Iran or other sanctioned jurisdictions.
Easing compliance with sanctions for banks and stock exchanges
As FinCEN notes in its advisory, it is possible to overcome these challenges by using “technology created to monitor open blockchains and investigate transactions.”
This is where Elliptic can help.
Elliptic’s AML software enables detection of high-risk cryptocurrency addresses associated with unregistered or unlicensed exchanges, as well as P2P exchange platforms, enabling financial institutions to have better information about the source and destination of funds.
Elliptic AML software can also be customized to include sanctions rules specific to the requirements of any business, ensuring detection of additional high-risk entities according to unique circumstances.
Regulators’ preoccupation with cryptocurrencies not becoming a major financial lifeline for sanctioned countries is sure to intensify. US regulators are imposing increasingly significant fines and penalties for sanctions violations, and the cryptocurrency industry is now firmly in their sights. FinCEN’s guidance is just the latest action in an increased effort by U.S. regulators to highlight and enforce sanctions obligations related to cryptocurrencies.
In March 2018, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) clarified that all sanctions it enforces apply to all U.S. cryptocurrency companies, including those located outside the U.S. that provide cryptocurrency services to U.S. persons. OFAC also noted that it may begin publicly releasing cryptocurrency addresses belonging to individuals and entities on its sanctions blacklist.
Also in March 2018, US President Donald Trump signed an executive order prohibiting US persons from trading in any digital currency issued by or on behalf of the Venezuelan government.
While these actions are focused on the US, this week the Financial Action Task Force, a global standard-setting body to combat illicit financing, is meeting in Paris and undertaking a review of the risks associated with cryptocurrencies. Therefore, it is likely that other countries will soon join the US in monitoring cryptocurrencies due to the risk of sanctions evasion, and in warning of the consequences of non-compliance.
In such a challenging and careful landscape, there is little room for error and too much at stake to be complacent.
—
About the author
David Carlisle is Head of Community at Elliptic, where he leads engagement with policymakers and other external stakeholders on regulatory issues related to cryptocurrencies.
David has over a decade of experience working in both the public and private sectors, focusing on anti-money laundering and countering the financing of terrorism (AML/CFT) regulation. David previously worked in the United States Department of the Treasury’s Office of Terrorism and Financial Intelligence. This included work at the Treasury Department’s Office of Foreign Assets Control (OFAC), where David was involved in the design and implementation of US financial and economic sanctions programs involving countries such as Myanmar and Iran.
In subsequent roles, David advised senior Treasury officials on a wide range of topics related to sanctions, money laundering and terrorist financing, and acted as Treasury liaison when engaging governments in the Asia Pacific region on these topics.
David is a fellow at the Center for Financial Crime and Security Studies at the Royal United Services Institute, a think tank based in London, where he co-authored a report on virtual currencies and terrorist financing commissioned by the European Parliament’s TERR in June 2018. Committee.
Articles of the Regulation on Sanctions
