Experts say IP addresses are susceptible to manipulation and need supporting tools to help ensure sanctions compliance
In the latest effort to enforce sanctions, particularly those related to Russia’s invasion of Ukraine, the US Treasury Department has issued guidance for companies offering online services, highlighting the importance of companies’ using IP address monitoring as part of their sanctions compliance programs.
Last month the Treasury’s Financial Crimes Enforcement Network issued an alert warning financial institutions and cryptocurrency firms of attempts to evade sanctions, including through transactions coming from or sent to IP addresses located in Russia or Belarus, or from IP addresses already flagged as suspicious. US sanctions bar conducting transactions with individuals or entities in certain jurisdictions, including those in Ukraine’s Donetsk and Luhansk regions, which are both under embargo and controlled by Moscow-backed separatists.
The US on Thursday targeted Russian technology companies and networks that it said helped the Kremlin evade sanctions and procure Western technology.
An IP address, a string of numbers separated by periods, is a publicly available unique identifier for a device on the internet or a local network that contains location information. Although IP addresses in normal circumstances can indicate where online traffic derives from, they are susceptible to manipulation because virtual private networks can conceal the actual location of the user. The demand for VPNs has shot up since late February, particularly in Russia, where demand rose 2,692% between Feb. 24 and March 24, according to research from review website Top10VPN.com. Russia invaded Ukraine on Feb. 24.
Over the past six months, GeoComply Solutions Inc., which provides geolocation compliance data, saw more than 15 million attempted transactions on its clients’ platforms in which users from sanctioned jurisdictions manipulated the IP addresses to appear as if they were located in the US, according to Elizabeth Cronan, GeoComply’s vice president of government relations.
“Among the host of location data points [GeoComply looks at]IP addresses are the weakest and least reliable and most receptive to manipulation,” she said.
Another issue with using IP addresses to apply sanctions is that they aren’t precise enough because they display locations on a larger regional level rather than a territorial one, which can make it difficult to carve out specific areas such as the Russia-backed regions of Donetsk, Luhansk and Crimea in Ukraine, which all face targeted US sanctions.
Despite the fact that IP addresses are considered by many as unreliable indicators for the origin of online traffic, companies run risks of penalties when they don’t screen IP addresses for those in areas under sanction. Digital asset company BitGo Inc. in 2020 paid more than $98,800 to the US Treasury Department’s Office of Foreign Assets Control to settle it violated multiple sanctions programs, including those against Crimea The settlement, while relatively small, made it clear that OFAC expects companies to consider IP address geolocation data when assessing whether their online customers are located in sanctioned jurisdictions, Robert Slack, a partner at law firm Kelley Drye & Warren LLP, wrote.
“OFAC makes sure that an IP address is an important tool to detect where the customers are based at, but software engineers would say someone can mask an IP address to hide their location,” Jacob Osborn, a partner at law firm Goodwin Procter LLP who specializes in sanctions and technology, said.
Companies are using services that can provide more precise location information to bridge that gap. GeoComply, for example, determines where a person is truly located by taking and verifying the authenticity of a range of data points, including Wi-Fi data and signals, as well as Global Positioning System and cellular data, according to Ms. Cronan.
Mr. Osborn, who has been advising software firms on sanctions compliance issues, compiled a list of postal codes connected to the Donetsk and Luhansk regions from the Ukrainian postal office a day before the postal service’s website for these regions was taken down, he said. He advises companies to incorporate other tools into their know-your-customer onboarding process, such as asking for phone numbers, company names and email addresses.
Crypto exchange Bittrex Inc. added a list of location attribution data tied to the Donetsk and Luhansk regions to its database of areas it prohibits transactions from to ensure they are filtered and screened and blocked when required, according to Michael Carter, the firm’s chief compliance officer. The firm also added a compilation of the towns and cities, including their postal codes and the different spellings and translations of locales in the region, to their back-end screening.
Mr. Carter said the IP addresses in those areas are a bit more difficult to track and monitor, and that is why the firm uses other layers of protection to ensure locations aren’t on the sanctions blacklist, including asking for identification documents from customers.
“IP addresses alone are not a control that should exist on its own as a form of reliance for blocking or screening certain regions,” he said.
Write to Mengqi Sun at [email protected]
Credit: www.Businesshala.com /