The U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) settled enforcement actions with Washington state-based Bittrex. In the two settlements, Bittrex agreed to pay $29 million for allowing clients of its digital asset – or cryptocurrency – exchange to evade U.S. sanctions in places such as Syria, Iran, and Cuba.
FinCEN found that Bittrex failed to maintain an effective Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) program from 2014 to 2018. Over a three-year period, Bittrex manually monitored up to $100 million in transactions per day and failed to file any suspicious activity reports. Bittrex also failed to screen for transactions involving sanctioned countries and file SARs on very large suspicious transactions involving sanctioned countries. In addition, FinCEN found that Bittrex’s AML program failed to mitigate risks of anonymity-enhanced cryptocurrencies.
OFAC found 116,421 apparent violations of U.S. sanctions programs by Bittrex from 2014 through 2017. While Bittrex screened for names on OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), Bittrex had no internal controls in place until October 2017 – such as IP address screening – to screen for transactions involving sanctioned countries.
The two agencies found $263 million worth of virtual currency-related transactions from customers in sanctioned parts of the world. Bittrex agreed to a $29 million settlement with FinCEN and a $24 million settlement with OFAC – the largest ever enforcement action by OFAC against a cryptocurrency exchange. FinCEN agreed to count the $24 million settlement payment to OFAC toward its $29 million settlement.
Compliance Message to Crypto Companies
OFAC Director Andrea Gacki noted that ineffective compliance is a threat to U.S national security and stated, “Virtual currency exchanges operating worldwide should understand both who — and where — their customers are. OFAC will continue to hold accountable firms, in the virtual currency industry and elsewhere, whose failure to implement appropriate controls leads to sanctions violations.”
FinCEN Acting Director Himamauli Das said, “Virtual asset service providers are on notice that they must implement robust risk-based compliance programs and meet their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.”
Roadmap For Crypto Compliance
Bittrex took action to remediate conditions that led to the apparent violations, providing a roadmap for other digital asset – or cryptocurrency – companies to follow. Among the measures, Bittrex:
- blocked all IP addresses associated with sanctioned countries
- restricted the accounts of all account holders identified as being located in areas subject to OFAC sanctions
- began using a new software program for sanctions-related screening
- implemented blockchain tracing software to assist in identifying and blocking virtual currency addresses associated with persons potentially identified on OFAC’s SDN List
- hired a dedicated Chief Compliance Officer who reports directly to the Chief Executive Officer and the Board of Directors and otherwise substantially increased its compliance staff
- implemented a standalone Sanctions Compliance Policy and has undergone additional independent audits of its sanctions compliance functions
- conducted additional sanctions compliance training for all relevant personnel
These actions are a roadmap for all financial institutions required to have a BSA/AML compliance program, including banks and credit unions.
Increasing Crypto Enforcement
The Bittrex settlement is another signal the federal government is increasingly scrutinizing companies operating in the digital currency space to ensure compliance with existing laws and regulations. The settlement highlights that FinCEN and OFAC will be active in enforcement, in addition to the Securities and Exchange Commission, the Commodities Futures Trading Commission, and the Department of Justice. In light of recent cryptocurrency exchange bankruptcies, exchanges should expect significantly greater scrutiny and enforcement. Crypto-related companies must ensure compliance with the Bank Secrecy Act and OFAC requirements, among other requirements, as well as maintain vigilance against bad actors operating in darknet markets or deploying ransomware.