California Tech Company Fined for Sanctions Violations
The Office of Foreign Assets Control fined a California technology company nearly $100,000 for sanctions violations, a Dec. 30 Treasury Department notice said. It said BitGo committed 183 violations of U.S. sanctions programs when it allowed people in Cuba, Iran, Sudan, Syria and Ukraine's Crimea region to use its “non-custodial secure digital wallet management service.” The company “had reason to know” the people sanctioned countries were using BitGo’s services, OFAC said, but “failed to implement controls” to prevent the violations.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
BitGo processed the illegal transactions between 2015 and 2019, totaling more than $9,000, the notice said. BitGo was able to track its users’ internet protocol (IP) addresses but did not use the information for sanctions compliance reasons, OFAC said. OFAC said the company “generally relied on each user’s attestation regarding their location” and did not verify the information.
BitGo did not voluntarily disclose the violations, which OFAC said constituted a non-egregious case. Aggravating factors included that BitGo “failed to exercise due caution or care for its sanctions compliance obligations” and “had reason to know” its users were accessing its services from sanctioned jurisdictions. Mitigating factors included that BitGo is a “relatively small company,” had not received a penalty notice in the previous five years, cooperated with OFAC’s investigation, and improved its compliance program. The company also introduced a new “OFAC Policy,” which includes a sanctions compliance officer, IP address blocking for sanctioned jurisdictions, “periodic batch screening,” record-keeping procedures for financial records pursuant to sanctions compliance efforts, a review and possible update of its end-user agreements, and periodic reviews of “screening configuration criteria.”
OFAC said the case highlights that digital currency services companies should be mindful of not providing services to sanctioned people. Those companies should develop a “tailored, risk-based sanctions compliance program” depending on their size and sophistication and their geographic locations, OFAC said, and should include a commitment on the part of management and regular training and auditing. The case emphasizes the importance “of implementing technical controls, such as sanctions list screening and IP blocking mechanisms, to mitigate sanctions risks,” the agency said.