Actions Highlight Risky Mix of Sanctions Law, Inadequate Transaction Monitoring and Dealing with Anonymity-Enhanced Cryptocurrencies
The Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”) announced on October 11 simultaneous settlements with Bittrex, Inc. (“Bittrex”), a virtual currency exchange and hosted wallet provider. Under the OFAC settlement, Bittrex has agreed to pay $24,280,829.20 to settle its potential civil liability for 116,421 alleged violations of multiple sanctions programs. Under the FinCEN consent order, Bittrex agreed to pay a civil penalty of $29,280,829.20 for alleged anti-money laundering (“AML”) violations under the Bank Secrecy Act (“BSA”). FinCEN has agreed to credit Bittrex’s payment to OFAC against its penalty because it found that the alleged BSA violations “stem from some of the same underlying conduct”; thus, Bittrex’s total payments to the two regulators come to $29,280,829.20.
According to the Department of the Treasury dual press release, the two settlements represent the first parallel enforcement actions by FinCEN and OFAC in the virtual currency and sanctions space. Also, it is OFAC’s largest virtual currency enforcement action to date. To further highlight the importance of the settlements, the press release quotes the OFAC Director Andrea Gacki and FinCEN Acting Director Himamauli Das, both sternly warning operators in the same environment as Bittrex to implement effective AML compliance and sanction screening programs.
It is conceivable that Bittrex, for years now, has been on notice that federal and state regulators are closely watching and expecting more comprehensive risk assessment programs and procedures from businesses transacting with virtual currency. As we previously blogged here, in 2019 the New York Department of Financial Services (“NYDFS”) denied Bittrex’s application for a Bitlicense, citing: “deficiencies in Bittrex’s BSA/AML/OFAC compliance program; a deficiency in meeting the Department’s capital requirement; and deficient due diligence and control over Bittrex’s token and product launches.” In its letter denying Bittrex’s application, NYDFS set forth in detail the deficiencies it found in Bittrex’s BSA/AML/OFAC compliance program, noting that Bittrex’s compliance policies and procedures “are either non-existent or inadequate.”
As we will discuss, the FinCEN consent order highlights Bittrex’s alleged failure to address adequately the overall risk environment in which it operated, including transactions involving anonymity-enhanced cryptocurrencies, or AECs. The consent order also highlights two repeated themes in enforcement actions: lack of adequate compliance staff, and a seemingly robust written compliance policy that was not matched by an effective day-to-day transaction monitoring system.
Bittrex’s Alleged Failure to Implement OFAC Screening
According to OFAC, Bittrex waited about a year and a half to implement its first sanctions compliance program and start verifying customer identity. That means that no sanctions screening occurred from March 2014, when Bittrex first offered virtual currency services, until December 2015. In early 2016, it retained a third-party vendor, but the screening remained incomplete because the vendor screened transactions only for hits against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and other lists. The vendor did not closely review and examine customers or transactions for a nexus to sanctioned jurisdictions until late 2017. According to OFAC, Bittrex did not realize that the vendor’s screening was limited until October 2017, when OFAC issued Bittrex a subpoena investigating potential sanctions violations.
OFAC refers to the relevant conduct as the “Apparent Violations.” In total, predominantly between March 28, 2014 and December 31, 2017, Bittrex operated 1,730 accounts that processed 116,421 virtual currency-related transactions totaling approximately $263 million in “apparent” violation of multiple OFAC-administered sanctions programs. These included 13,245 violations related to the Crimea region of Ukraine and 321 violations related to Cuba. The vast majority of Apparent Violations – 94,634 – related to Iran. OFAC found that Bittrex had reason to know that users were located in jurisdictions subject to sanctions based on internet protocol (“IP”) address information and physical address information collected about each customer at onboarding.
In response to the OFAC subpoena and upon discovery of the insufficiencies in its sanctions screening program, Bittrex undertook comprehensive remedial action. For example, it implemented blockchain tracing software to assist in identifying and blocking virtual currency addresses associated with persons potentially identified on OFAC’s SDN List and, further, a standalone sanctions compliance policy (which has undergone additional independent audits).
The Reduced OFAC Penalty
The OFAC enforcement release states that the statutory maximum civil monetary penalty here is an astronomical $35,773,364,108.57. Instead, the agency determined to impose a penalty using its Economic Sanctions Enforcement Guidelines, resulting in a base penalty of $486 million. Taking into consideration aggravating and mitigating factors, OFAC reduced the penalty to “just” $24 million. Despite the government fanfare regarding this matter, OFAC describes the Apparent Violations as “non-egregious.”
Among the aggravating factors, OFAC found that Bittrex conferred benefits to “thousands of persons” in sanctioned jurisdictions and that Bittrex failed to exercise due caution and care for its sanctions and compliance obligations. On the other hand, OFAC found among the mitigating factors that (1) Bittrex was a “small and new company” at the time of most of the Apparent Violations, (2) Bittrex substantially cooperated with OFAC’s investigation, (3) the volume of the Apparent Violations represents a small percentage of Bittrex’s total transaction volume, and (4) Bittrex “swiftly” and comprehensively remediated its sanctions monitoring program. Among other steps, Bittrex “implemented blockchain tracing software to assist in identifying and blocking virtual currency addresses associated with persons potentially identified on OFAC’s SDN List[.]”
Bittrex’s Alleged Failure to Implement a Risk-Based AML Program – Particularly as to Anonymity-Enhanced Cryptocurrencies
Bittrex is a money services business, or MSB, covered by the BSA. The FinCEN consent order repeats some of the allegations in OFAC’s enforcement release, but is generally more detailed. It alleges that from February 2014 to December 2018, Bittrex averaged 20,000 transactions (deposits and withdrawals) through its hosted wallets daily and facilitated almost 546 million trades on its exchange platform. According to FinCEN, although Bittrex knew in 2014 it needed to implement an effective AML program and otherwise comply with the BSA, it fundamentally failed to do so. One failure highlighted by FinCEN as particularly egregious is the fact that in 2016 Bittrex relied on only two employees with minimal AML training to manually review all transactions for suspicious activity. At that time, Bittrex averaged 11,000 exchange transactions daily (valued at approximately $1.54 million). Bittrex continued to rely on the two employees and did not implement any type of monitoring software through 2017, when its average daily transactions had more than doubled to 23,800 (valued at $98 million). FinCEN described the transaction review process as “demonstrably ineffective” – particularly because Bittrex did not file a single Suspicious Activity Report (“SAR”) from its founding in 2014 through May 2017 even though it was facilitating thousands of transactions daily.
Similar to the events described in the OFAC enforcement release, Bittrex began improving its AML program in 2017 by hiring additional employees. Nonetheless, the program allegedly remained ineffective because its employees were overwhelmed. Bittrex appears to have significantly changed its approach in October 2017 – the same time when it received the OFAC subpoena – and hired additional compliance staff and developed and implemented more robust AML policies, procedures and internal controls. Although it filed only one SAR from May to October 2017, it filed 119 SARs by or around November 2017. However, the consent order suggests that these SAR filings occurred because – in addition to the OFAC subpoena – the IRS notified Bittrex in October 2017 that it intended to examine the company for BSA compliance.
Among the more specific allegations of failures by Bittrex’s AML program, the FinCEN consent order notes that Bittrex knew that it was required to ensure that it did not process transactions that violated OFAC sanctions, but failed to do so. Although an effective AML program must be risk-based and reasonably designed to address the nature and volume of the financial services provided, Bittrex allegedly failed to acknowledge the risk posed by certain AECs. For FinCEN, AECs present unique money laundering risks and challenges for regulated businesses to comply with the BSA. Yet, Bittrex did not implement any other controls to manage the risks presented by AECs, particularly those AECs for which it was impossible to disable privacy-enhancing features. The FinCEN consent order zeros in on monero, described as including “features that prevent tracking by using advanced programming to purposefully insert false information into every transaction on its private blockchain.”
The FinCEN consent order contains some key language: “The written AML program, while thorough and rigorous in many ways, did not adequately address Bittrex’s overall risk environment, including the unique risks presented by some of the over 250 [convertible virtual currencies] traded on its platform.” Message: a gold-plated paper policy must be backed up by the practical execution of an effective transaction monitoring system on a day-to-day basis.
Bittrex’s alleged failure to implement an effective transaction monitoring system also caused it to open accounts it should not have opened, and then fail to file SARs as required, including for transactions involving jurisdictions sanctioned under OFAC. Bittrex allegedly opened hundreds of accounts on behalf of individuals located in jurisdictions subject to comprehensive OFAC sanctions programs including Iran, Syria and the Crimea region of Ukraine. Importantly, the FinCEN consent order notes that some of the transactions conducted through these accounts were suspicious for other reasons than mere geography (filing a blocking report with OFAC does not necessarily relieve a financial institution of its duty to file a related SAR). The FinCEN consent order selects the following example of unfiled SARs depriving law enforcement of critical financial intelligence: Bittrex processed more than 200 transactions through such accounts that involved $140,000 worth of virtual currency (100 times larger than its platform average) and 22 transactions involving over $1 million worth of virtual currency each.
Enforcement Factors Relevant to the FinCEN Penalty
The FinCEN consent order explains that it considers “all facts and circumstances” and, like the OFAC settlement, weighs factors in determining the final penalty amount. Unlike the OFAC settlement (which described the violations as “non-egregious”), FinCEN seems to view Bittrex’s conduct as harmful and pervasive. The consent order notes that Bittrex’s violations “were serious and exposed the public to a significant risk of possible harm” and, as noted above, deprived law enforcement of vital information by failing to file timely SARs. Further, Bittrex’s efforts to implement an effective AML program, including sufficient and well-trained compliance staff, were seemingly not commensurate with the volume and nature of the transactions passing through the exchange platform and wallets. Further, FinCEN finds that Bittrex gained an “unfair competitive advantage” in the marketplace because it was able to increase revenue and grow without investing in appropriate resources, technology and personnel to adequately comply with the BSA.
However, and similar to the OFAC settlement, Bittrex’s “cooperation and significant investment and efforts to design and build an effective AML compliance program led FinCEN to impose a significantly lower Civil Money Penalty than it would have otherwise imposed for Bittrex’s serious and systemic violations.” The FinCEN consent order alludes to the enormous potential penalties, noting that willful failures to maintain an effective AML program – as well as willful failures to file required SARs – can produce civil penalties of $25,000 per day for violations occurring on or before November 2, 2015, and $62,689 per day for violations occurring after that date.