OFAC Announces Record Fine Against Cryptocurrency Exchange for Sanctions Violations
Cryptocurrency exchange Bittrex was fined more than $24 million by the Office of Foreign Assets Control this week for violating U.S. sanctions. OFAC announced the fine alongside a similar penalty by the Financial Crimes Enforcement Network, which fined the company more than $29 million for violating the Bank Secrecy Act. The OFAC and FinCEN settlements are the two agencies’ first parallel enforcement actions, OFAC’s largest-ever virtual currency enforcement action and the agency's largest fine since April 2019.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
OFAC said Bittrex committed more than 116,000 violations of multiple sanctions programs -- which were not voluntarily self-disclosed -- stemming from “deficiencies” in its sanctions compliance procedures. The company failed to stop more than $263 million worth of virtual currency-related transactions from people located in Crimea, Cuba, Iran, Sudan and Syria, the agency said. Even though it collected both internet protocol address information and physical address information, Bittrex didn’t screen for “terms associated with sanctioned jurisdictions,” OFAC said.
Bittrex has “strived to comply with all government requirements diligently and in good faith," the company said in a statement, adding that it "fully resolved th[e] matter ... on mutually agreeable terms.” The company also noted that none of the alleged violations occurred after 2018. As part of its settlement agreement, FinCEN will credit its $29 million fine imposed on Bittrex with the $24 million the company owes to OFAC.
The violations stemmed from transactions between March 2014 and December 2017, when Bittrex operated 1,730 accounts that processed more than $260 million worth of virtual currency-related transactions in violation of U.S. sanctions. Although the company's policies and procedures dating back to 2015 showed that it had “some understanding of OFAC sanctions regulations,” Bittrex “had no internal controls” to screen customers or transactions for their nexus to a sanctioned region until October 2017, OFAC said.
The agency said Bittrex didn’t have a sanctions compliance program until December 2015, even though it began offering virtual currency services in 2014. The company in 2016 hired a third-party sanctions screening vendor, but OFAC said the vendor initially only screened transactions for hits against OFAC’s Specially Designated Nationals and Blocked Persons List and other government lists. The vendor didn’t “scrutinize customers or transactions for a nexus to sanctioned jurisdictions,” the agency said.
Bittrex didn’t realize the vendor was only screening against government lists until it was subpoenaed by OFAC in 2017 in relation to a sanctions investigation. OFAC said Bittrex began “restricting accounts and screening IP and other addresses associated with sanctioned locations” after receiving the subpoena.
The agency said Bittrex also implemented a new sanctions screening and blockchain tracing software, conducted more sanctions compliance training and hired additional compliance staff. “Once implemented, these remedial measures substantially curtailed the number of Apparent Violations,” OFAC said.
The agency said the maximum civil monetary penalty was $35 billion, but OFAC settled on a lower fine after determining the violations were non-egregious. Mitigating factors included the fact that Bittrex had not received a penalty notice in the previous five years; it was a “small and new company” during most of the violations; and it cooperated substantially with OFAC’s investigation. OFAC also said most of the violations “were for a relatively small amount” and the number of transactions was a “relatively small percentage” compared to the total number of transactions conducted by Bittrex annually. OFAC also pointed to the company’s range of remedial compliance measures, including its hiring of a dedicated chief compliance officer and the fact that it has undergone independent sanctions compliance audits.
OFAC also pointed to several aggravating factors, including Bittrex’s failure to “exercise due caution or care for its sanctions compliance obligations” for nearly two years after beginning to offer global virtual currency services. The agency also said Bittrex “had reason to know” that some of its customers were in sanctioned jurisdictions based on their IP addresses and physical addresses, and said the company “conveyed economic benefit to thousands of persons” subject to U.S. sanctions.
OFAC said the case highlights that virtual currency companies are subject to the same compliance expectations as other financial service providers. The agency said virtual exchanges “should develop a tailored, risk-based sanctions compliance program,” which will “depend on a variety of factors, including the type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served.”
The case also demonstrates the importance of sanctions compliance among newer companies involved in emerging technologies, OFAC said. “As part of these controls,” the agency said, “companies should ensure that their sanctions compliance service providers are providing services commensurate with the institution’s sanctions compliance risk.”
“Virtual currency exchanges operating worldwide should understand both who -- and where -- their customers are,” OFAC Director Andrea Gacki said. “OFAC will continue to hold accountable firms, in the virtual currency industry and elsewhere, whose failure to implement appropriate controls leads to sanctions violations.”
In a separate consent order, FinCEN said Bittrex failed to maintain an effective anti-money laundering system between February 2014 to at least December 2018, which included "inadequate and ineffective" transaction monitoring on its platform. The program also failed to address the risks associated with the products and services it offered, including anonymity-enhanced cryptocurrencies. Bittrex failed to file any suspicious activity reports for over three years between February 2014 and May 2017 and processed a significant number of transactions involving sanctioned jurisdictions.
“For years, Bittrex’s anti-money laundering program and suspicious activity reporting failures unnecessarily exposed the U.S. financial system to threat actors,” FinCEN Acting Director Himamauli Das said. “Bittrex’s failures created exposure to high-risk counterparties including sanctioned jurisdictions, darknet markets, and ransomware attackers. Virtual asset service providers are on notice that they must implement robust risk-based compliance programs and meet their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.”