22 azbankers.org Roger Morris serves C/A as a Associate General Counsel Roger brings a combination of unique experiences to C/A that he uses to provide guidance on a wide variety of regulatory and compliance issues. Prior to C/A, he worked for one of the largest law firms in the south-central United States based in its Lexington, KY office where he was a member of the firm’s Real Estate and Lending Team. In that role he concentrated his practice on commercial lending transactions and the sale, acquisition, leasing, and development of commercial property. Roger also counseled clients on banking law, estate planning, estate and trust administration, and general business matters. Risk Assessment Regular and ongoing risk assessments should be conducted to identify risks associated with sanctions compliance. Activities and relationships associated with foreign jurisdictions or foreign persons should be assessed for their potential to expose a company to sanctioned persons or places. A virtual currency company’s risk assessment process should be tailored to the types of products and services offered and the locations in which such products and services are offered. Appropriately customized risk assessments should reflect a company’s customer or client base, products, services, supply chain, counterparties, transactions, and geographic locations, and may also include evaluating whether counterparties and partners have adequate compliance procedures. Internal Controls Internal controls should be able to “identify, interdict, escalate, report (as appropriate), and maintain records for” prohibited activities. Useful internal controls include sanctions screening, geolocation tools, know your customer (“KYC”) procedures, and transaction monitoring and investigation to identify virtual currency addresses and other data associated with sanctioned individuals, entities, or jurisdictions. OFAC includes virtual currency addresses as identifying information for designated persons, so these should be used in screening as well. While OFAC does not require the virtual currency industry to use any particular in-house or third-party software, OFAC states that such software can be a helpful tool for an effective sanctions compliance program. Testing and Auditing Testing and auditing procedures can include ensuring that screening and IP blocking are working effectively. Companies that incorporate a comprehensive, independent, and objective testing or audit function within their sanctions compliance program are equipped to ensure that they are aware of how their programs are performing and what aspects need to be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment. The size and sophistication of a company may determine whether it conducts internal and external audits of its sanctions compliance program. Some best practices for testing and audit procedures in sanctions compliance programs for the virtual currency industry include: sanctions list screening, keyword screening, IP blocking, and investigation and reporting. Training Companies should conduct training for relevant employees at least annually. The best practices for the virtual currency industry are not new, nor are they unique to the industry. However, the recent guidance from OFAC indicates that the industry will be a particular focus for enforcement. Companies in the industry should implement these measures as soon as possible to the extent they have not already done so. The scope of a company’s training will be informed by the size, sophistication, and risk profile of the company. OFAC training should be provided to all appropriate employees, including compliance, management, and customer service personnel, and should be conducted periodically and, at a minimum, annually. A well-developed OFAC training program will provide job-specific knowledge based on need, communicate the sanctions compliance responsibilities for each employee, and hold employees accountable for meeting training requirements through the use of assessments. Remedial Measures Where a sanctions violation has occurred, OFAC can consider the remedial measures a company has taken as a mitigating factor in a penalty determination. Remedial measures can include adding and/or strengthening the tools listed above to fill gaps and repair weaknesses in the compliance program. Conclusion OFAC is placing much greater scrutiny on the virtual currency industry. Industry members should be mindful of implementing and maintaining robust compliance measures early and often. w Continued from page 21 Companies should conduct training for relevant employees at least annually. The best practices for the virtual currency industry are not new, nor are they unique to the industry.
RkJQdWJsaXNoZXIy MTIyNDg2OA==