Recent OFAC Settlement Highlights Need to Consider IP Address Geolocation Data
On December 30, 2020, the Office of Foreign Assets Control (“OFAC”) announced a settlement agreement with BitGo, Inc. (“BitGo”) for providing digital wallet services to users located in sanctioned jurisdictions, including Crimea, Cuba, Iran, Sudan, and Syria. The case is notable because OFAC makes clear its expectation that companies consider Internet Protocol (“IP”) address geolocation data when assessing whether online customers are located in sanctioned jurisdictions.
BitGo processes digital currency transactions on behalf of users with “hot wallet” accounts, the company’s secure digital wallet service. Prior to 2018, users could open a BitGo digital wallet account by providing only a name and an email address. In April 2018, BitGo began requiring new accountholders to self-report their location to the company. Throughout this period, BitGo also tracked users’ IP addresses and related geolocation data for account security purposes, but did not use that information to identify users who may be located in sanctioned jurisdictions.
OFAC concluded that BitGo had reason to know that users were located in sanctioned jurisdictions based on the collected IP address data, even though the data was not actively screened by the company for sanctions compliance purposes. Based on the IP address data, OFAC found that BitGo failed to prevent users in Crimea, Cuba, Iran, Sudan, and Syria from accessing its services in 183 instances and facilitated transactions with those users worth $9,127.79.
The maximum penalty in this case, which was not voluntarily self-disclosed to the agency, was over $53 million. However, OFAC determined that the violations were “non-egregious” in nature (e.g., they did not involve willful or reckless conduct and did not present serious harm to sanctions program objectives) and that substantial mitigating factors, including the adoption of a robust compliance program, warranted a settlement amount of $93,380. OFAC specifically cited BitGo’s implementation of IP address blocking, email-related restrictions, and batch screening of users against the SDN List as sanctions compliance measures adopted by the company.
The BitGo settlement is another example in an emerging pattern of enforcement actions against companies – like Amazon – that fail to use all collected data, like IP addresses, as part of their sanctions compliance programs. Fintech and other companies that conduct transactions online are on notice that reliance on self-reported location is not sufficient to identify users subject to sanctions.