
What is OFAC and how does it apply to Bitcoin?

“OFAC always applies.”

Enforcement agencies and compliance specialists alike have made this pithy phrase a common refrain when speaking to digital currency companies. Like any aphorism worth its salt, it is equal parts true and ominous and is effective at achieving its purpose: to put people on notice.

Breaking Down the Refrain

The Department of the Treasury contains many distinct bureaus and offices responsible for laws and regulations designed to monitor and control the flow of currency and similar forms of value (digital currency included). Some of these pieces of Treasury have become household names – think IRS and the United States Mint, for example.

The lesser-known Office of Terrorism and Financial Intelligence oversees two parts of Treasury that have a direct connection to digital currency companies – Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC).

OFAC administers and enforces economic and trade sanctions. The traditional concept of such sanctions – as prohibitions on financial dealing – holds true here. This part of Treasury makes sure that when Congress or the President puts a sanction in place, it stays in place.

Over a half-dozen separate statutes provide OFAC with the source for its powers, and these laws deal with issues from Presidential national emergency powers to narcotrafficking to terrorist financing. The policy behind these statutes can be reduced to a single phrase: creation of a blacklist.

OFAC does not have the resources nor does the United States have the wherewithal to whitelist, or approve, every financial transaction in order to ensure that no money involved will head to enemies of the state, drug traffickers, or terrorists. But the federal government wants to ensure its approach is broad and effective. Thus, OFAC publishes a constantly-updated list of individuals and organizations with whom citizens and residents of the United States must not do business. This list is known as the Specially Designated Nationals, or SDN, List. If a citizen is found doing business with someone on this list, she may be subject to both civil fines and criminal penalties.

Because no United States person (companies included) may engage in financial dealings with individuals on the SDN List, “OFAC always applies.”

Sanctions and Digital Currencies

The laws granting OFAC its authority have broad enough language to capture novel ways of engaging in financial transactions. The drafters of these statutes did not want new technology to undercut the scope of OFAC’s authority based on mere technicalities. Thus, as written, there exists hardly any room for debate as to whether OFAC has authority over digital currency transfers by United States citizens to prohibited individuals or organizations. (It does.) Although numerous exceptions to OFAC’s rules apply, they tend to apply to very specific circumstances and none of them broadly exempt digital currency transactions.

Thus, in the invented scenarios below, it is possible that OFAC could step in and find a violation, notwithstanding that these transactions took place using bitcoin. These examples presume the companies are based in the United States:

  • A hosted wallet company permits its users to move bitcoin using a peer-to-peer service, and its users regularly transfer funds from the United States to known terrorist entities in Syria.
  • A bitcoin exchange permits users on the SDN List to make accounts, and those accounts then engage in bitcoin-USD trades using the exchange’s platform through the exchange’s hosted wallet.
  • A mining company sells its machines to organizations on the SDN List.
  • A company engaging in crowdfunding accepts funds from an individual on the SDN List and, in exchange, provides that person with a financial stake in the company.

What OFAC Requires

Simply put, OFAC requires that you do not break the laws it administers. That is, on the surface, all there is to it. Digging a little deeper, some regulations require companies to freeze funds that belong to blacklisted entities. Its dictate can be summarized by an infographic – imagine the universal no-smoking sign with, instead of a lit cigarette in the center, the letters “SDN.” Now imagine this sign in the executive boardroom of every business in the United States.

OFAC does not affirmatively require any business or person to undertake any compliance program, to have a policy manual for screening, or to check the SDN List prior to engaging in a financial transaction. However, if a company forgoes any of the above, then that company may find itself in violation of the law and subject to both hefty fines and criminal penalties.

Reducing a Potential Penalty

To encourage compliance and to ease the regulatory burden on some well-meaning businesses, OFAC takes more mercy on potential violators that fall into what it considers mitigating factors. The following types of businesses may receive lesser fines:

Businesses with lesser knowledge of the violation. Any business that willfully violates the law will likely find itself paying more to OFAC. Also, businesses that try to conceal their violation of the law will likely face stiffer penalties. However, a company with a rogue employee shuttling funds without the company’s knowledge may face a less severe penalty.

Businesses that lack commercial sophistication. OFAC will consider how long the business has been in operation, what the financial condition of the business is (bankrupt versus extremely solvent), how high the volume of its transactions is, and the company’s specific sanctions history, all when determining how heavy a sanction to place on a company. Thus, a small player new to the scene with very small transaction volume may find itself paying a lesser amount than a legacy financial institution involved in billions of dollars worth of questionable transactions.

The existence, nature, and adequacy of an entity’s risk-based compliance program. Each company must decide for itself how risky its business model is. A company that deals with citizens of the United States might find itself not having to worry too much about doing business with someone on the SDN List. However, a startup engaging in international bitcoin remittance will certainly have a higher risk profile for OFAC violation, and would want a compliance program that reflects that risk.

Cooperation with OFAC. OFAC treats companies that self-report with more leniency (when it comes to penalty amounts) than companies that have violations discovered by OFAC.

These mitigating factors provide digital currency companies rough guidance for how to keep from experiencing the full force of a penalty. Thus, although OFAC only requires that you don’t break the law, the existence of mitigating factors has a palpable effect on companies. That is, companies will generally opt to create a risk-based OFAC compliance program, they will often self-report when there has been a violation, and they will rarely make efforts to conceal a potential violation.

The Ever-Changing SDN List

The SDN List can have people or organizations removed or added to it at any time. If you somehow (unfortunately) find yourself on it, you can petition to be removed. It has thousands of names on it and shifts as new terrorist organizations, threats to the United States, or drug traffickers enter the international fold. Because it is in perma-flux, OFAC publishes regular alerts and updates on its website, and as a matter of course, companies will download the new version of the list and incorporate it into their screening software.

Keeping Compliant

The average citizen likely does not know of the existence of the SDN List, although she certainly knows that she shouldn’t be sending bitcoins to terrorist organizations. That simple prohibition can be difficult to comply with, with absolute certainty, without any sort of screening procedure, as digital transaction protocols generally do not have an SDN List or similar identifiers built into them. Thus, without outside verification, it is usually not possible to say definitively if a person behind a digital currency wallet is someone who is okay to transact with or is on the SDN List.

To be clear, this risk is not unique to digital currencies or digital currency companies. Organizations on the SDN List can start fake bank accounts, individuals can form false identities, and both can use proxies or agents to engage in financial transactions on their behalf internationally. There is always at least a marginal risk that a financial institution is dealing with someone they shouldn’t. The risk of violating OFAC’s rules increases depending on a host of factors, and it is not yet clear how risky “use of digital currency” is on its own. For instance, it is ridiculous to assume a neighborhood lemonade stand will become more likely to violate any OFAC rule based on the singular fact that it only transacts in digital currency.

What companies, and policymakers, should keep in mind is that OFAC’s approach is extraordinarily comprehensive. It broadly prohibits transacting with a limited number of persons or organizations. Every company with a certain level of risk must be wary not to trip these prohibitions or it could face potentially stiff penalties. Determining this “certain level of risk” is an individual exercise in introspection each company may have to take at some point. In some cases (a lemonade stand), it may take a few seconds, yet in others (a global remittance service) it may take a few months.

The bottom line is this: OFAC will be a constant presence and consideration for any business dealing with financial transactions, especially those dealing with transactions potentially involving international persons or organizations. In simpler words, we’ll simply say, “OFAC always applies.”

Joshua Garcia is an attorney focusing on regulatory compliance for financial institutions.