FinCEN Probe Into Crypto Company Exposes AML, Sanctions Compliance Deficencies

FinCEN said BitMEX “willfully failed” to implement internal compliance and due-diligence controls designed to prevent it from “being used for money laundering or the financing of terrorist activities.” The company also never designated a person responsible for implementing AML compliance procedures, didn’t conduct “ongoing training” for “appropriate persons” and didn’t “establish appropriate risk-based procedures for conducting ongoing customer due diligence.”

This included sanctions compliance. In an email to another U.S. financial institution, BitMEX’s CEO and co-founder said the company didn’t conduct sanctions screening. “No we don’t do any [Office of Foreign Assets Control] screening,” the CEO said, according to FinCEN. “[F]or non-US persons we require only a verified email address.”

“BitMEX’s failure to conduct due diligence and transaction monitoring allowed thousands of transactions with suspicious counterparties, including numerous transactions with darknet markets” and “high-risk jurisdictions,” FinCEN said. “Significantly, BitMEX failed to conduct proactive suspicious activity screening to determine whether transactions involved possible terrorist financing.” When FinCEN asked BitMEX if it conducted “any transaction monitoring or reporting to detect or report potential terrorist financing,” the CEO said: “if alerted to something from law enforcement we will assist.”

BitMEX justified its lack of compliance procedures by saying that it “only did business outside the U.S.” and that “the U.S. was the only jurisdiction where transactions were prohibited,” FinCEN said. But the agency said BitMEX “actively ignored signs that U.S. Customers traded on the platform and chose to overlook or alter data indicating that customers were located in the U.S.” The company also “altered customer information” to hide the true location of its U.S. customers, and in one instance falsified data for a “prominent” U.S. investor to change his location to Canada.

These location compliance failures extended to potentially sanctioned jurisdictions, especially for users who used a virtual private network to circumvent internet protocol monitoring. FinCEN said BitMEX identified more than 43,000 accounts in 2018 whose country of registration “was set to the U.S., one of its territories, or a U.S. or [United Nations] sanctioned country, such as Cuba, Iran, Syria, North Korea, and Sudan.” FinCEN also said the company completed transactions with other cryptocurrency exchanges located in jurisdictions with money laundering and sanctions concerns, including Iran. BitMEX failed to file suspicious transactions reports for those transactions, FinCEN said.

When it calculated the $100 million penalty, FinCEN specifically said it considered that BitMEX “conducted numerous potentially suspicious transactions” with people sanctioned by OFAC. “BitMEX’s poor policies, procedures, and internal controls … prevented BitMEX from even identifying these potentially suspicious transactions,” the agency said. “The systemic and long-running nature of the violations weighs in favor of requiring robust undertakings and a significant monetary penalty.”

Since its “engagement” with the U.S., BitMEX has “accelerated the implementation” of internal compliance controls, implemented remedial measures and appointed a chief compliance officer. BitMEX CEO Alexander Hoptner said the company is “very glad to put this behind us” and the company has introduced “robust compliance” procedures. “We take our responsibilities extremely seriously, and will continue to actively engage with regulators around the world to ensure that we play a positive role in helping to shape the future of this extraordinary asset class.”