Cryptocurrency companies are in trouble. Regulators are targeting crypto companies with the Eye of Sauron: pulling crypto companies into their jurisdiction, pursuing cases of fraud, and aggressively pursuing companies for sanctions and anti-money laundering violations. One by one, you can bet crypto companies will make headlines. As they fall, policymakers can point to their continued excesses as the basis for strong regulation.
Crypto companies, however, seem to ignore these trends, somehow believing they will escape the enforcement knife. With all the scandals piling up, investors are losing more money, and investor complaints will eventually result in a comprehensive regulatory framework. The only real questions that remain are how quickly this regulatory regime will be implemented and how broad its scope will be.
Payward, Inc. d/b/a Kraken (“Kraken”), a major virtual currency exchange, has agreed to pay OFAC $362,158 to settle its violation of the Iran sanctions program. Kraken is a Delaware company that operates in the United States and elsewhere. As part of the settlement, Kraken agreed to invest an additional $100,000 in certain compliance checks.
Kraken failed to implement basic compliance tools, including an automated Internet Protocol (IP) address blocking system. As a result, Kraken exported services to users who appeared to be in Iran when performing virtual currency transactions. Kraken voluntarily disclosed the conduct to OFAC.
Kraken began operations in 2011 and launched public trading in 2013. Users can buy, sell, trade, or hold cryptocurrencies, and exchange fiat currency for cryptocurrencies. Kraken maintained an AML and sanctions compliance program, which included basic customer verification upon onboarding and daily thereafter, as well as review of IP address information generated at the time of onboarding. Notwithstanding these checks, between October 2015 and June 2019, Kraken mistakenly processed 826 transactions, totaling $1,680,577 on behalf of people who appeared to be in Iran at the time of the transactions.
Kraken had a big loophole in its screening regime: it screened customers at onboarding, but it did not implement IP address blocking on transactional activity involving existing customers.
Kraken’s IP address data revealed that customers who created accounts outside sanctioned jurisdictions appear to have accessed their accounts and later transacted from a sanctioned jurisdiction.
After identifying the problem, Kraken implemented automated blocking of IP addresses linked to sanctioned jurisdictions. To further its compliance efforts, Kraken has also implemented several blockchain analytics tools to enhance its monitoring program.
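The gap described above, replayed over a constructed event log as an added example (not Kraken's or OFAC's code): the same events are screened once with a location check at onboarding only and once with the check on every event. The geolocation table, account names, IP ranges and the fail-closed handling of unknown locations are assumptions of this example.

```python
import ipaddress

# Constructed geolocation table: RFC 5737 documentation ranges mapped to
# country codes. A real deployment queries a maintained geo-IP database.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "IR",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}
BLOCKED = {"IR"}  # illustrative; the real list comes from compliance policy

# Constructed event log: (account, event type, source IP, amount in USD)
EVENTS = [
    ("acct-1", "onboard", "192.0.2.10", 0),
    ("acct-2", "onboard", "203.0.113.7", 0),
    ("acct-3", "onboard", "198.51.100.9", 0),
    ("acct-1", "trade", "192.0.2.10", 500),
    ("acct-1", "trade", "198.51.100.44", 1200),
    ("acct-2", "trade", "203.0.113.7", 300),
    ("acct-1", "trade", "198.51.100.45", 800),
]

def country_of(ip):
    """Return the country code for an IP, or None when it is not in the table."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), None)

def screen(events, per_transaction):
    """Replay events; per_transaction=False checks location at onboarding only."""
    active, allowed, blocked = set(), [], []
    for event in events:
        acct, kind, ip, _amount = event
        checked = kind == "onboard" or per_transaction
        cc = country_of(ip)
        # Assumption of this example: an unknown location fails closed.
        denied = checked and (cc is None or cc in BLOCKED)
        if denied or (kind != "onboard" and acct not in active):
            blocked.append(event)
            continue
        if kind == "onboard":
            active.add(acct)
        allowed.append(event)
    return allowed, blocked

def missed_exposure(events):
    """Events the onboarding-only control allows but per-event screening stops."""
    strong_allowed, _ = screen(events, per_transaction=True)
    weak_allowed, _ = screen(events, per_transaction=False)
    return [e for e in weak_allowed if e not in strong_allowed]
```

Running `missed_exposure` over historical logs is also a way to size past exposure once the per-event control is in place.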
As noted in its penalty calculation section, Kraken was credited with voluntarily disclosing the matter and agreeing to invest an additional $100,000 in its compliance program, including training and technical enhancements to improve sanctions screening.
OFAC said Kraken failed to exercise caution or care for its sanctions compliance obligations: knowing that its customer base was global, it limited its geolocation checks to customer onboarding and did not apply these controls to subsequent transactions. Such a failure was compounded by the fact that Kraken had reason to know, based on its IP address data, that transactions were being made from Iran.
Kraken has fully cooperated with OFAC’s investigation of this matter and has implemented significant corrective measures, including: (a) adding geolocation blocking to prevent customers located in prohibited locations from accessing their accounts on the Kraken website; (b) implementing multiple blockchain analytics tools to facilitate sanctions tracking; (c) investing in additional compliance-related training for its staff, including blockchain analytics; (d) hiring a dedicated sanctions manager to lead Kraken’s sanctions compliance program, in addition to hiring new sanctions compliance staff; (e) extending its contract with its current filtering provider to add additional filtering capabilities to ensure compliance with OFAC’s “50% Rule”, including detailed beneficial ownership reporting; (f) contracting with a provider that assists with identification and nationality verification using artificial intelligence tools to detect potential issues with user-provided credentials; and (g) implementing an automated control to block accounts using cities and postal codes associated with the Crimea region and the so-called Donetsk and Luhansk People’s Republics of Ukraine.
OFAC noted that under its Sanctions Compliance Tips for the Virtual Currency Industry, OFAC strongly encourages a risk-based approach to sanctions compliance. An adequate sanctions compliance program for cryptocurrency companies will depend on a variety of factors, including the type of business involved, its size and sophistication, the products and services offered, the customers and counterparties, and the geographic locations served. It must also be based on and incorporate at least five essential elements: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
OFAC said this enforcement action highlighted the importance of using geolocation tools, including IP blocking and other location verification tools, to identify and prevent users located in sanctioned jurisdictions from engaging in prohibited transactions related to virtual currency. In particular, OFAC noted that limiting the use of these controls only at the time of account opening – and not for the lifetime of the account or with respect to subsequent transactions – could present risks of penalties for businesses related to virtual currency. This case also demonstrates the value of a company implementing robust remediation after becoming aware of a potential sanctions issue, including the deployment of blockchain analytics tools and compliance-related training on blockchain analysis, as well as engaging in future sanctions compliance investments.