WIXLIB

Sanctions Complianceand CryptoassetsCurrent State of Regulatoryand Legal RequirementsThere is a common misconception that cryptoassetsprovide a ready-made avenue for sanctions evasionbecause they sit outside the regulatory and legalperimeter. In fact, sanctions authorities in manyjurisdictions have ensured that relevant legal andregulatory requirements apply comprehensively toactivity conducted in cryptoassets.Consequently, authorities are equipped with thenecessary enforcement powers to act against breachesof sanctions that may involve cryptoassets.Below is a summary of key requirements and actionsin select jurisdictions that illustrate the breadth ofsanctions measures with which cryptoasset businesses,and individuals or entities transacting in cryptoassets,must currently comply.United StatesIn the US, economic and financial sanctions areimplemented by the US Department of the Treasury’sOffice of Foreign Assets Control (OFAC). Since2018, OFAC has taken numerous steps to clarify howsanctions apply to cryptoassets, and to disrupt theability of sanctioned actors to leverage cryptoassets inevading restrictions.6CRYPTOASSETS AND SANCTIONS COMPLIANCEIn March 2018, OFAC updated its Frequently AskedQuestions to clarify that all of the sanctions itimplements apply to transactions in cryptoassets.This was followed in October 2021 by more extensiveguidance that OFAC issued, Sanctions Compliance Forthe Virtual Currency Industry. That guidance describescore components of a sanctions compliance frameworkOFAC expects of US businesses, and how these may beapplied in the context of cryptoassets.Similarly, OFAC has issued guidance on how itssanctions apply to transactions involving ransomware.This guidance - originally issued in October 2020and subsequently updated in September 2021 indicates that US persons effecting or facilitatingransomware payments, which are generally madeusing cryptoassets, may not do so where the paymentwould benefit a sanctioned person or otherwise violateexisting sanctions measures.Perhaps more significantly, OFAC has undertaken anumber of actions to curtail the ability of sanctionedpersons and countries to evade sanctions usingcryptoassets.To this end, OFAC now routinely includes cryptoassetaddresses controlled by sanctioned entities andindividuals as identifiers on its Specially DesignatedNationals and Blocked Persons List (SDN List). USpersons are prohibited from dealing with thoseaddresses, or any other addresses belonging to SDNs.For example, in April and May 2022, OFAC addedseveral ethereum addresses to the SDN List belongingto the Lazarus Group, the North Korean cybercrimegang that has been involved in large thefts ofcryptoassets, as well as a crypto mixing service,Blender.io, that facilitated the Lazarus Group’s moneylaundering. (Part II of this report describes how theseactions were used to disrupt North Korea’s sanctionsevasion activity in real time). Other actions OFAC hastaken to expose the cryptoasset wallets of sanctionedactors include designations of Chinese fentanyltraffickers, Iranian cybercriminals, and Russia-linkedcybercriminal actors and their support networks.These OFAC actions not only curtail the ability ofsanctioned actors to utilize their cryptoasset addresses;they also provide the private sector with essentialinformation about sanctioned actors’ cryptoassetwallets that enables more effective compliance. Asdescribed further below, the private sector can leveragethis information from the OFAC SDN List to screencryptoasset wallets and prevent prohibited transactionswith them.In addition to OFAC, the US Treasury’s Financial CrimesEnforcement Network (FinCEN), which administers USanti-money laundering and countering the financingof terrorism (AML/CFT) requirements and is the USfinancial intelligence unit (FIU), has also acted toSANCTIONS COMPLIANCE AND CRYPTOASSETS

address sanctions risks involving cryptoassetsand provide the private sector with guidance tofacilitate compliance.In March 2022, FinCEN issued an alert for financialinstitutions and money service businesses warning ofthe risks of Russian sanctions evasion. In order to assistregulated businesses in detecting evasion, the alert setsout six red flags of potential sanctions evasion involvingcryptoassets. The alert indicates that FinCEN expectsregulated businesses to file suspicious activity reports(SARs) with FinCEN where they identify instances ofsuspected sanctions evasion involving cryptoassets.Similarly, in May 2019, FinCEN issued an advisory onillicit activity involving convertible virtual currencies,which contains more than two dozen red flag indicatorsthat cryptoasset businesses and other financialinstitutions can utilize to identify potentially suspiciousactivity related to sanctions evasion and other crimes.European UnionThe EU imposes a broad range of sanctions throughmeasures adopted by the Council of Europe andgiven effect by the European Commission. Followingthe Russian invasion of Ukraine, in March 2022 theEuropean Commission clarified that EU sanctionsadopted to date apply to transactions and activityin cryptoassets.In April 2022, the Commission adopted specificmeasures aimed at restricting the ability of Russia toleverage crypto in sanctions evasion. Those measures7CRYPTOASSETS AND SANCTIONS COMPLIANCEprohibit the provision of crypto wallet, account,and custody services to Russian nationals or entitiesincorporated in Russia, where the total value ofcryptoassets exceeds 10,000. Switzerland: In April 2022, Switzerland issueda prohibition on providing cryptoasset wallet,account, or custody services to Russian nationalsor legal entities with a value of greater than CHF10,000. This measure aligns to similar EU measuresdescribed above. Japan: In April 2022, Japan’s Diet approvedamendments to the Foreign Exchange andForeign Exchange Act to extend the scope ofsanctions provisions targeting Russia to includeactivity in cryptoassets. Singapore: In March 2022, Singapore’s Ministryof Foreign Affairs imposed various sanctions onRussia, including prohibiting financial institutionsin Singapore from “entering into or facilitatingany transactions in cryptocurrencies” designed tocircumvent the sanctions.UKIn the UK, sanctions are administered by the Officeof Foreign Sanctions Implementation (OFSI) atHM Treasury.In March 2022, OFSI issued a joint statement withthe Financial Conduct Authority (FCA) and theBank of England (BoE) clarifying that existing UKsanctions apply to cryptoasset service providersand to transactions in cryptoassets. It states that,“Financial sanctions regulations do not differentiatebetween cryptoassets and other forms of assets. Theuse of cryptoassets to circumvent economic sanctionsis a criminal offence under the Money LaunderingRegulations 2017 and regulations made under theSanctions and Anti-Money Laundering Act 2018.”The UK government’s joint statement also includes alist of red flag indicators to assist the private sector inidentifying sanctions evasion through cryptoassets.Other RequirementsSince the Russian invasion of Ukraine in February2022, several other jurisdictions have implementednew measures, or have issued guidance, related toensuring that sanctions measures apply to activity incryptoassets. These include:Sanctions Compliance PracticesBy the IndustryCryptoasset businesses and financial institutionsemploy a number of controls to comply with the abovemeasures. These involve a combination of compliancepractices and systems employed across the financialsector historically, as well as newer, crypto-specificcompliance systems and capabilities. These systemsand controls enable the cryptoasset industry to remainresilient against attempted sanctions evasion.This section provides an overview of key sanctionscompliance practices utilized across the cryptoassetsector.SANCTIONS COMPLIANCE AND CRYPTOASSETS

Know Your Customer(KYC)/CustomerDue Diligence (CDD) PracticesTo ensure compliance with sanctions regulations,regulated businesses must take steps to determineif their customers are subject to sanctions or operatefrom sanctioned jurisdictions. These measurescan include: Identification and verification (ID&V) - Cryptoassetbusinesses, like other regulated financial servicesproviders, can take steps to verify the identity oftheir customers by collecting KYC information, suchas government-issued identification documents.Cryptoasset business are well placed to leveragetechnology solutions to verify the authenticity ofsuch documentation, and may also utilize othertechniques, such as biometric identification toverify who their customers are.Sanctions list screening - Cryptoasset serviceproviders also routinely use widely availablesanctions list screening software to determine if aprospective customer appears on the OFAC SDNList or on other sanctions lists, or if an existingcustomer becomes the target of sanctions.An example of cryptoasset businesses leveraginglist screening capabilities to disrupt potentialsanctions evasion occurred in April 2022, whenthe cryptoasset exchange Binance announcedthat it had blocked numerous accounts of familymembers of senior Russian officials subject tosanctions. Similarly, in March 2022, the cryptoassetexchange Coinbase announced that it had blocked1over 25,000 accounts associated with Russianusers that presented risks of illicit activity andsanctions evasion. Geolocation - As OFAC notes in its October 2021guidance on virtual currencies, “One sanctionsrisk that members of the virtual currency industryface is from users located in sanctioned jurisdictionswho try to access virtual currency products andservices.”1 A common technique employed byregulated cryptoasset businesses is to gathergeolocation data in the form of Internet Protocol(IP) addresses that their customers use whenlogging on to their online accounts. A cryptoassetbusiness can use this information to determinewhether their customers may be operating froma sanctioned jurisdiction. Additionally, thesetechniques can enable cryptoasset businessesto identify activity that may be indicative ofsanctions evasion, such as the use of VirtualPrivate Networks (VPNs) designed to obfuscatea customer’s location.transactions, information about those transactions isreadily available for analysis. Where this informationcan be attributed to actors such as cybercriminals,fraudsters, and sanctioned parties, it can enableregulated businesses to determine if their customersmay be engaging in illicit or prohibited transactions.(In Part II below we provide further detail describinghow the transparency of cryptoasset transactions canprevent sanctions evasion.)Most cryptoasset businesses rely on software providedby third party vendors specialised in the developmentof blockchain analytics capabilities. There are severalways in which these capabilities can be deployed toenable compliance with sanctions requirements. Blockchain AnalyticsIn addition to the above capabilities, cryptoassetbusinesses routinely utilise solutions that have beenspecifically designed to identify risks related to cryptowallets and transactions. These capabilities are referredto as “blockchain analytics.”Blockchain analytics involves leveraging data aboutcryptoasset wallets and transactions and attributingthat blockchain-native data to real world actors.Because blockchains are visible public records of cryptoWallet Screening - As noted previously, OFAC hasincluded on its SDN List cryptoassets belongingto sanctioned individuals and entities. Utilizingblockchain analytics software, cryptoasset businesscan screen wallets where their customers intend tosend funds prior to executing transactions.Where an address is identified as belonging to asanctioned party, the business can prevent thetransaction from being sent to that wallet. Transaction Screening - Cryptoasset businesses alsoutilize information from public sanctions lists toidentify ongoing transactions involving sanctionedentities or individuals. By screening transactions,a cryptoasset business can identify if funds itscustomers sent or received include exposure towallets belonging to entities or individuals onP.13 OFAC guidance8CRYPTOASSETS AND SANCTIONS COMPLIANCESANCTIONS COMPLIANCE AND CRYPTOASSETS

The image demonstrates the use of blockchain analyticscapabilities to identify cryptoasset transactionsundertaken by the North Korean cybercriminal gang theLazarus Group. The image demonstrates funds flowingfrom cryptoasset wallets controlled by the LazarusGroup, in the center of the image, to wallets belongingto other entities, such as cryptoasset exchange services.(Source: Elliptic)sanctions lists. Where they identify such activity,the business can block funds and report therelevant information to OFAC or other relevantsanctions authorities.Transaction screening can also provide indicatorsof other activity related to sanctions. For example,transaction screening using blockchain analyticscan identify transactions associated with commonred flag indicators of sanctions evasion, such astransactions related to ransomware and the use ofcryptoasset mixers/tumblers. (Part III of this reportdescribes these sanctions evasion techniques infurther detail).9CRYPTOASSETS AND SANCTIONS COMPLIANCE Investigations - In some cases, where a transactionis especially complex, or where a businesssuspects there may be a sanctions breach, it maybe necessary to conduct more extensive forensicanalysis. In these instances, cryptoasset businessesmay deploy investigations software to tracetransactions through the blockchain in detail.Investigative capabilities in cryptoassets allowusers to visually represent complex funds flowsand map events related to a transaction. Acryptoasset business can utilize this informationwhen submitting SARs related to sanctions evasionor otherwise liaising with law enforcement aboutsuspected cases. VASP Due Diligence - Blockchain analytics can alsoenable regulated businesses to identify high riskvirtual asset service providers (VASPs), such ascryptoasset exchange services and custodians, thatpresent high risks of facilitating sanctions evasion.For example, using proprietary software, a cryptobusiness or financial institution in the US or EUcan identify if its transactions include interactionswith VASPs located in jurisdictions such as Iran andRussia, and to analyze historical blockchain dataabout those VASPs’ transactions. This capabilitycan then be used to prevent future transactionswith those high risk or prohibited entities.SANCTIONS COMPLIANCE AND CRYPTOASSETS

The Travel RuleAnother core component of sanctions complianceis the application of the Travel Rule. The Travel Ruleis a longstanding requirement aimed at enhancingtransactional transparency by mandating that financialinstitutions obtain, hold, and securely transmitidentifying information about payment originators andbeneficiaries. Financial institutions must also screen thisidentifying information against applicable sanctions listsin order to prevent prohibited transactions.In 2019, the Financial Action Task Force (FATF), theglobal standard setter for AML/CFT matters, updatedits Standards to clarify that countries should requireVASPs to comply with the Travel Rule. Under the FATF’sguidelines, countries should ensure that VASPs gatherand transmit the following information during thecourse of cryptoasset transfers2 over USD/EUR 1,000:(a) the name of the originator;(b) the originator account number (or wallet address)where such an account is used to process thetransaction;(c) the originator’s address, or national identity number,or customer identification number, or date and placeof birth;(d) the name of the beneficiary; and(e) the beneficiary account number (or wallet address)where such an account is used to processthe transaction.2Applying the Travel Rule for cryptoasset transferspresents certain technical challenges. First andforemost, the pseudonymous nature of cryptoassetsmakes it difficult in certain circumstances for a VASPto identify with certitude that a wallet belongs toanother VASP that can receive the required originatorand beneficiary information. Secondly, identifyinginformation about originators and beneficiariesgenerally cannot be appended to transactions ondecentralized cryptoasset blockchains but must betransmitted through a separate mechanism. Finally, theapplication of the Travel Rule to cryptoasset transfershas raised privacy concerns because it requires VASPsto retain substantial amounts of personal identifyinginformation about customers and counterparties that,if compromised, can be associated with transactions onopen, public blockchains.pace at which countries are transposing the TravelRule into local law and regulation to align with theFATF Standards. Because not all jurisdictions haveimplemented the Travel Rule for VASPs, VASPs donot face the requirement to comply everywhere theyoperate, which disincentives compliance.As noted in Part IV below, a key policy objective shouldbe to ensure the full application of the FATF standardsto VASPs in countries that have failed to do so.Despite these challenges, the crypto industry hassucceeded in creating numerous technical solutions thatenable VASPs to comply with the Travel Rule. Theseinclude the Travel Rule Universal Solution Technology(TRUST), a solution developed by an alliance of UScryptoasset exchanges and custodians, as well as anumber of open source protocols and proprietarycompliance software.Some VASPs have implemented Travel Rule solutionsand are integrating these into their complianceprocesses. However, as the FATF has highlightedin its reviews of the status of implementation of itsStandards, industry adoption of Travel Rule solutionsremains incomplete. A key reason for this is what theFATF has termed the “sunrise problem” - the unevenSee FATF guidance, p. 57.10CRYPTOASSETS AND SANCTIONS COMPLIANCESANCTIONS COMPLIANCE AND CRYPTOASSETS

Leveraging Transparency toPrevent Sanctions EvasionThe nature of public blockchains enablesunprecedented visibility on financial flows. As discussedextensively above, blockchain analytics, also known as“blockchain intelligence,” is the practice of organizingand analyzing on-chain data — by timestamp, currency,address, or the service used to conduct the transaction,for example — to map trends or patterns of activity,detect links to off-chain data points, or surfaceother attributes that might indicate risk. Blockchainintelligence takes the raw, accessible public blockchaindata and layers it with threat intelligence.Blockchain intelligence allows law enforcement,regulators, and compliance professionals morevisibility on real-time financial flows then they ever hadbefore. The nature of the blockchain — the open anddistributed ledger upon which tokens can be sent —means that each transaction is verified and logged in ashared, immutable record, along with the timestamp ofthe transaction and the addresses involved. This datafrom the public bl

and "tech sprint" initiatives to identify opportunities alongside the private sector for enhancing responses to sanctions challenges. from the cryptoasset industry. 3) Public sector agencies should provide the industry with more robust and forward-looking regulatory guidance on crypto-specific compliance challenges related to sanctions.