Piercing the bitcoin veil: Businesses should beware the risks of trading with a sanctioned entity
In January the EU and the US lifted economic and financial sanctions against Iran in a ground-breaking deal that unfroze billions of pounds of assets and opened up new markets for the first time since 2010.
Despite the fanfare surrounding the deal, in the small print a warning remains: some EU and US financial sanctions nevertheless remain in place against certain Iranian businesses and individuals.
In other words, screening of parties when dealing with Iran is still paramount and care needs to be taken when sending payments to, or receiving payments from, Iran. The same is true when dealing with other regions of course – there are fairly sophisticated EU and US sanctions regimes in place with respect to Russia and Syria, amongst other regions, for example.
From an EU perspective, if a person or entity appears on an asset freeze list, there is a prohibition on dealing with the funds or “economic resources” belonging to or controlled by that person/entity. Similarly, those in the EU can still run afoul of US sanctions if they deal with entities on the various US lists.
The due diligence exercise has been complicated somewhat in recent years following the development of the open-source, peer-to-peer digital currency, bitcoin, however.
Dealing in bitcoin belonging to a person or entity on an asset freeze list would breach EU and US sanctions laws in lieu of an appropriate licence. But the bitcoin system does not lend itself to traditional screening processes.
It is private: no traditional institutions are involved in transactions. Buyers and sellers of bitcoin interact directly, with their identities being encrypted, and no personal information is necessarily transferred between buyer and seller.
Read more: Banks are worryingly complacent about the coming digital currency storm
On one hand, these attributes present huge advantages, but all this makes it increasingly difficult to perform checks on counterparties trading in bitcoin and much more likely for those with only cursory controls in place to fall foul of the sanctions rules.
A regulatory nightmare, in other words. So where does this leave those concerned with compliance?
No matter the size of the transaction or whether it is in bitcoin (or cash or otherwise), it does not relieve a party caught by US or EU sanctions of the need to know who they are doing business with. Due diligence is therefore crucial to avoid hefty fines and potential prison terms.
Companies should be bitcoin-savvy and education on how the protocol works and how to protect themselves from risks posed by a decentralised system is crucial (such as asking counterparties to prove they own the bitcoin ID used on the network and to demonstrate a track record of using that ID, avoiding dealing with counterparties using “stealth addresses” which can mask the bitcoin payer or payee and so on).
In terms of help on the horizon, recent initiatives analysing the public traces left by every bitcoin transaction suggest it could soon become easier to identify users who transact using bitcoin. Any directories (or similar) produced could reduce headaches considerably for compliance and legal teams when considering the lawfulness of bitcoin trades, so watch this space.
In the meantime, there is no substitute for implementing robust processes to verify the identity of your counterparty and to check you are able to trade with them.