The U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) settled enforcement actions with Washington-based Bittrex. In the two settlements, Bittrex agreed to pay $29 million for enabling customers of its digital asset exchange – or cryptocurrency – to evade US sanctions in places like Syria, Iran and Cuba. .
FinCEN found that Bittrex failed to maintain an effective Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) program from 2014 to 2018. Over a three-year period, Bittrex manually monitored up to $100 million in transactions per day and failed. file any suspicious activity report. Bittrex also failed to screen transactions involving sanctioned countries and file SARs on very large suspicious transactions involving sanctioned countries. Additionally, FinCEN found that Bittrex’s AML program failed to mitigate the risks of anonymity-enhanced cryptocurrencies.
OFAC found 116,421 apparent violations of US sanctions programs by Bittrex from 2014 to 2017. While Bittrex searched for names on the OFAC List of Specially Designated Nationals and Blocked Persons (the “SDN List”), Bittrex did not had no internal controls in place until October 2017 – such as IP address filtering – to screen transactions involving sanctioned countries.
The two agencies found $263 million worth of virtual currency-related transactions from customers in sanctioned regions of the world. Bittrex agreed to a $29 million settlement with FinCEN and a $24 million settlement with OFAC – the largest enforcement action ever taken by OFAC against a cryptocurrency exchange. FinCEN agreed to count the $24 million settlement payment to OFAC as part of its $29 million settlement.
Compliance message to crypto companies
OFAC Director Andrea Gacki noted that ineffective compliance poses a threat to US national security and said, “Virtual currency exchanges operating around the world should understand both who – and where – their customers are. OFAC will continue to hold accountable companies, in the virtual currency industry and elsewhere, whose failure to implement appropriate controls results in sanctions violations.
FinCEN Acting Director Himamauli Das said, “Virtual asset service providers are cautioned to implement strong risk-based compliance programs and adhere to their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.
Crypto Compliance Roadmap
Bittrex has taken steps to address the conditions that led to the apparent breaches, providing a roadmap for other digital asset – or cryptocurrency – companies to follow. Among the measures, Bittrex:
- blocked all IP addresses associated with sanctioned countries
- restricts the accounts of all account holders identified as being located in areas subject to OFAC sanctions
- started using new software for sanctions-related screening
- implementing blockchain tracing software to help identify and block virtual currency addresses associated with people potentially identified on OFAC’s SDN list
- hired a dedicated Chief Compliance Officer who reports directly to the CEO and Board of Directors and has also significantly increased its compliance staff
- implemented a stand-alone sanctions compliance policy and underwent additional independent audits of its sanctions compliance functions
- organized additional training on compliance with sanctions for all relevant staff
These actions provide a roadmap for all financial institutions required to have a BSA/AML compliance program, including banks and credit unions.
Increased application of cryptography
Bittrex settlement is another signal the federal government is increasingly scrutinizing companies operating in the digital currency space to ensure compliance with applicable laws and regulations. The settlement outlines that FinCEN and OFAC will be active in enforcement, in addition to the Securities and Exchange Commission, Commodities Futures Trading Commission and Department of Justice. In light of recent cryptocurrency exchange bankruptcies, exchanges should expect much more rigorous scrutiny and enforcement. Crypto-related businesses must ensure compliance with Bank Secrecy Act and OFAC requirements, among other requirements, as well as maintain vigilance against bad actors operating in darknet markets or deploying ransomware.