Issue 4. 2021 7 Companies should conduct training for relevant employees at least annually. The best practices for the virtual currency industry are not new, nor are they unique to the industry. However, the recent guidance from OFAC indicates that the industry will be a particular focus for enforcement. Companies in the industry should implement these measures as soon as possible if they have not already. organization from the company’s earliest days. OFAC recommends specific actions that management can take to set an appropriate tone from the top, including reviewing and endorsing compliance procedures, allocating adequate resources to compliance, delegating autonomy and authority to the compliance department, and appointing an experienced sanctions compliance officer. RISK ASSESSMENT Regular and ongoing risk assessments should be conducted to identify risks associated with sanctions compliance. Activities and relationships associated with foreign jurisdictions or foreign persons should be assessed for their potential to expose a company to sanctioned persons or places. A virtual currency company’s risk assessment process should be tailored to the types of products and services offered and the locations in which such products and services are offered. Appropriately customized risk assessments should ref lect a company’s customer or client base, products, services, supply chain, counterparties, transactions, and geographic locations, and may also include evaluating whether counterparties and partners have adequate compliance procedures. INTERNAL CONTROLS Internal controls should be able to “identify, interdict, escalate, report (as appropriate), and maintain records for” prohibited activities. Useful internal controls include sanctions screening, geolocation tools, know your customer (“KYC”) procedures, and transaction monitoring and investigation to identify virtual currency addresses and other data associated with sanctioned individuals, entities, or jurisdictions. OFAC includes virtual currency addresses as identifying information for designated persons, so these should be used in screening as well. While OFAC does not require the virtual currency industry to use any particular inhouse or third-party software, OFAC states that such software can be a helpful tool for an effective sanctions compliance program. TESTING AND AUDITING Testing and auditing procedures can include ensuring that screening and IP blocking are working effectively. Companies that incorporate a comprehensive, independent, and Roger Morris serves Compliance Alliance as Associate General Counsel. He brings a combination of unique experiences to C/A that he uses to provide guidance on a wide variety of regulatory and compliance issues. Contact him at Bankers Alliance, (833) 683-0701 or info@bankersalliance.org. objective testing or audit function within their sanctions compliance program are equipped to ensure that they are aware of how their programs are performing and what aspects need to be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment. The size and sophistication of a company may determine whether it conducts internal and external audits of its sanctions compliance program. Some best practices for testing and audit procedures in sanctions compliance programs for the virtual currency industry include sanctions list screening, keyword screening, IP blocking, investigation and reporting. TRAINING Companies should conduct training for relevant employees at least annually. The best practices for the virtual currency industry are not new, nor are they unique to the industry. However, the recent guidance from OFAC indicates that the industry will be a particular focus for enforcement. Companies in the industry should implement these measures as soon as possible if they have not already. The scope of a company’s training will be informed by the size, sophistication, and risk profile. OFAC training should be provided to all appropriate employees, including compliance, management, and customer service personnel, and should be conducted periodically and, at a minimum, annually. A well-developed OFAC training program will provide job-specific knowledge based on need, communicate the sanctions compliance responsibilities for each employee, and hold employees accountable for meeting training requirements through the use of assessments. REMEDIAL MEASURES Where a sanctions violation has occurred, OFAC can consider the remedial measures a company has taken as a mitigating factor in a penalty determination. Remedial measures can include adding and/or strengthening the tools listed above to fill gaps and repair weaknesses in the compliance program. CONCLUSION OFAC is placing much greater scrutiny on the virtual currency industry. Industry members should be mindful of implementing and maintaining robust compliance measures early and often. n
RkJQdWJsaXNoZXIy ODQxMjUw