---- start quote
Enforcement Release: February 18, 2021
BitPay, Inc. (“BitPay”), a private company based in Atlanta, Georgia, that offers a payment processing solution for merchants to accept digital currency as payment for goods and services, has agreed to remit $507,375 to settle its potential civil liability for 2,102 apparent violations of multiple sanctions programs. BitPay allowed persons who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform even though BitPay had location information, including Internet Protocol (IP) addresses and other location data, about those persons prior to effecting the transactions. BitPay’s sanctions compliance program deficiencies enabled persons in these sanctioned jurisdictions to engage in approximately $129,000 worth of digital currency-related transactions with BitPay’s merchant customers. The settlement amount reflects OFAC’s determination that BitPay’s apparent violations were not voluntarily self-disclosed and were non-egregious.
This action emphasizes that OFAC obligations apply to all U.S. persons, including those involved in providing digital currency services. As part of a risk-based approach, OFAC encourages companies that provide digital currency services to implement sanctions compliance controls commensurate with their risk profile.
Description of the Conduct Leading to the Apparent Violations
Between approximately June 10, 2013 and September 16, 2018, BitPay processed 2,102 transactions on behalf of individuals who, based on IP addresses and information available in invoices, were located in sanctioned jurisdictions (the “Apparent Violations”). The Apparent Violations related to BitPay’s payment processing service, which enables merchants to accept digital currency as payment for goods and services. Specifically, BitPay received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency, and then relayed that currency to its merchants.
While BitPay screened its direct customers—the merchants— against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and conducted due diligence on them to ensure they were not located in sanctioned jurisdictions, BitPay failed to screen location data that it obtained about its merchants’ buyers. Specifically, BitPay at times would receive information about those merchants’ buyers at the time of the transaction, including a buyer’s name, address, email address, and phone number. Beginning in November 2017, BitPay also obtained buyers’ IP addresses. However, BitPay’s transaction review process failed to analyze fully this identification and location data. As a result, buyers who, based on those information indicators, were located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria were able to make purchases from merchants in the United States and elsewhere using digital currency on BitPay’s platform.
---- end quote
Enforcement Release: February 18, 2021
BitPay, Inc. (“BitPay”), a private company based in Atlanta, Georgia, that offers a payment processing solution for merchants to accept digital currency as payment for goods and services, has agreed to remit $507,375 to settle its potential civil liability for 2,102 apparent violations of multiple sanctions programs. BitPay allowed persons who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform even though BitPay had location information, including Internet Protocol (IP) addresses and other location data, about those persons prior to effecting the transactions. BitPay’s sanctions compliance program deficiencies enabled persons in these sanctioned jurisdictions to engage in approximately $129,000 worth of digital currency-related transactions with BitPay’s merchant customers. The settlement amount reflects OFAC’s determination that BitPay’s apparent violations were not voluntarily self-disclosed and were non-egregious.
This action emphasizes that OFAC obligations apply to all U.S. persons, including those involved in providing digital currency services. As part of a risk-based approach, OFAC encourages companies that provide digital currency services to implement sanctions compliance controls commensurate with their risk profile.
Description of the Conduct Leading to the Apparent Violations
Between approximately June 10, 2013 and September 16, 2018, BitPay processed 2,102 transactions on behalf of individuals who, based on IP addresses and information available in invoices, were located in sanctioned jurisdictions (the “Apparent Violations”). The Apparent Violations related to BitPay’s payment processing service, which enables merchants to accept digital currency as payment for goods and services. Specifically, BitPay received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency, and then relayed that currency to its merchants.
While BitPay screened its direct customers—the merchants— against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and conducted due diligence on them to ensure they were not located in sanctioned jurisdictions, BitPay failed to screen location data that it obtained about its merchants’ buyers. Specifically, BitPay at times would receive information about those merchants’ buyers at the time of the transaction, including a buyer’s name, address, email address, and phone number. Beginning in November 2017, BitPay also obtained buyers’ IP addresses. However, BitPay’s transaction review process failed to analyze fully this identification and location data. As a result, buyers who, based on those information indicators, were located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria were able to make purchases from merchants in the United States and elsewhere using digital currency on BitPay’s platform.
---- end quote
