The cryptocurrency mixer and decentralized application (DApp), Tornado Cash, made headlines this month after being sanctioned by the US Office of Foreign Assets Control (OFAC). This move has riled up crypto industry members, as well as free speech and privacy advocates.
Given these recent events, and the questions they raise for Compliance leaders, here are four practical pieces of guidance for organizations to focus on today.
Watch for OFAC FAQ guidance or further clarification
Crypto industry members predict OFAC will issue FAQ guidance on compliance issues and questions under the Tornado Cash sanctions. OFAC’s FAQs are here – keep an eye out for potential future clarification on the sanctions.
Industry groups often highlight issues to OFAC that make sanctions compliance difficult or complex – for example, in the recent case of US sanctions on Russia, and before that, US sanctions on Chinese military-industrial complex companies. OFAC commonly issues sanctions and subsequently clarifies its interpretation about prohibited and non-prohibited activities (e.g., non-prohibited services, scenarios, transactions, or dealings) through its FAQs.
Update on 9/13/2022: OFAC issued 4 FAQs addressing the Tornado Cash sanctions, which can be found here. OFAC's guidance covers non-prohibited interactions with open-source code and the Tornado Cash website, its non-enforcement posture for "dusting" transactions, and its favorable licensing policy for Tornado Cash transactions initiated before sanctions were imposed.
Virtual currency mixers are seen as higher risk by regulators
US regulators’ focus on virtual currency mixers’ AML risks should be apparent at this point. Earlier this year, OFAC issued its first sanctions on a virtual currency mixer, Blender.io, for similar reasons as the Tornado Cash sanctions. Almost two years ago, the US Financial Crimes Enforcement Network (FinCEN) issued its first fine to a virtual currency mixer to the tune of $60m for failing to comply with AML obligations.
In sanctioning Tornado Cash, OFAC says, “mixers should in general be considered as high-risk by virtual currency firms.” Firms’ AML programs should address possible risks from mixers.
DApps don’t get a “Get Out of Jail Free” card from regulators
Much of the Tornado Cash sanctions debate revolves around the DApp’s decentralized nature. But since 2019, FinCEN has said virtual currency mixers, DApps, DApp developers, and DApp owners/operators or investors may all be “money transmitters” required to comply with US AML obligations – including having an AML compliance program – if doing business in the US. In short, US regulators have already said they’re willing to regulate DApps for AML purposes.
In short, US regulators have already said they’re willing to regulate DApps for AML purposes.
Tornado Cash’s lack of AML controls was clearly a focus for OFAC, which criticized the mixer for “repeatedly fail[ing] to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”
With the rise of AML tools for DeFi projects, and other DeFi platforms taking more proactive compliance approaches, it’s unlikely that regulators will turn a blind eye or lower regulatory expectations because of decentralization.
Both OFAC and FinCEN need to be considered for AML compliance
Technically, OFAC implements US sanctions and FinCEN implements the US AML regime (though both are part of the US Treasury Department). But compliance officers need to make sure their AML compliance program addresses information from both OFAC and FinCEN. If someone is sanctioned for AML reasons, that information can’t be kept solely in the sanctions functions and AML controls need to take it into account.
Sanctions can be relatively fast and effective measures. The US appears to be increasingly willing to go after AML issues through OFAC’s sanctions, instead of slower AML measures available to FinCEN. (Sanctions are also overlapping with other areas, like anti-bribery and corruption or human rights abuses, in the US and other countries.) Make sure your AML program inputs include sanctions and other relevant sources that may not be strictly AML-related.