The Office of Foreign Assets Control (“OFAC”) announced (here and here) yesterday that virtual currency exchange Payward, Inc. – better known as Kraken – has agreed to pay $362,158.70 in order to settle its potential civil liability for apparent violations of the sanctions against Iran. Kraken also has agreed to invest an additional $100,000 in certain sanctions compliance controls. According to OFAC, “[d]ue to Kraken’s failure to timely implement appropriate geolocation tools, including an automated internet protocol (IP) address blocking system, Kraken exported services to users who appeared to be in Iran when they engaged in virtual currency transactions on Kraken’s platform.”
Compared to OFAC’s recent settlement with Bittrex, which agreed to pay a total of $29,280,829.20 to OFAC and the Financial Crimes Enforcement Network (“FinCEN”) in order to resolve allegations of sanctions and Bank Secrecy Act violations, the settlement amount is relatively low – and, as OFAC noted in its announcement, Kraken faced an astronomical statutory maximum civil monetary penalty of $272,228,964. OFAC has stated that “[t]he settlement amount reflects OFAC’s determination that Kraken’s apparent violations were non-egregious and voluntarily self-disclosed.”
OFAC’s announcement succinctly describes the matter:
Kraken maintained an anti-money laundering and sanctions compliance program, which included screening customers at onboarding and daily thereafter, as well as review of IP address information generated at the time of onboarding to prevent users in sanctioned jurisdictions from opening accounts. However, despite these controls, between approximately October 14, 2015 and June 29, 2019, Kraken processed 826 transactions, totaling approximately $1,680,577.10, on behalf of individuals who appeared to have been located in Iran at the time of the transactions.
Although Kraken maintained controls intended to prevent users from initially opening an account while in a jurisdiction subject to sanctions, at the time of the apparent violations, Kraken did not implement IP address blocking on transactional activity across its platform. According to IP address data, account holders who established their accounts outside of sanctioned jurisdictions appear to have accessed their accounts and transacted on Kraken’s platform from a sanctioned jurisdiction.
As a result of the foregoing, Kraken engaged in 826 apparent violations of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. § 560.204 (the “Apparent Violations”). After identifying this problem, Kraken implemented automated blocking for IP addresses linked to sanctioned jurisdictions. Kraken also implemented multiple blockchain analytics tools to assist with its sanctions monitoring.
As the above reflects, the key here is Kraken’s alleged failure to maintain effective monitoring of transactions which occurred after customers were initially screened and onboarded. Indeed, when determining the penalty, OFAC regarded the following as an “aggravating” factor: “Kraken failed to exercise due caution or care for its sanctions compliance obligations when, knowing it had customers worldwide, it applied its geolocation controls only at the time of onboarding and not with respect to subsequent transactional activity, despite having reason to know based on available IP address information that transactions appear to have been conducted from Iran.”
Nonetheless, these allegations are considerably less severe than those levelled against Bittrex in October. According to OFAC, Bittrex waited about a year and half to implement its first sanctions compliance program and start verifying customer identity. When Bittrex finally retained a third-party vendor, the screening remained incomplete because the vendor screened transactions only for hits against OFAC’s List of Specially Designated Nationals and Blocked Persons and other lists, and did not closely review and examine customers or transactions for a nexus to sanctioned jurisdictions. According to OFAC, Bittrex did not realize that the vendor’s screening was limited until OFAC issued Bittrex a subpoena investigating potential sanctions violations. Consequently, Bittrex processed 116,421 virtual currency-related transactions totaling approximately $263 million in apparent violation of multiple sanctions programs.
Further, and as to Kraken, OFAC found that there were numerous mitigating factors, including the fact that Kraken had not received a penalty notice or Finding of Violation from OFAC in the five years preceding the transactions at issue, and the fact that Kraken voluntarily self-disclosed the Apparent Violations to OFAC and cooperated with OFAC’s investigation. Perhaps most importantly, Kraken responded to the Apparent Violations by undertaking “significant” remedial measures, including the following:
- adding geolocation blocking to prevent clients in prohibited locations from accessing their accounts on Kraken’s website;
- implementing multiple blockchain analysis tools to assist with sanctions monitoring;
- investing in additional compliance-related training for its staff, including in blockchain analytics;
- hiring a dedicated head of sanctions to direct Kraken’s sanctions compliance program, in addition to hiring new sanctions compliance staff;
- expanding its contract with its current screening provider to add additional screening capabilities to ensure compliance with OFAC’s “50 Percent Rule,” including detailed reports on beneficial ownership;
- contracting with a vendor that assists with identification and nationality verification by using artificial intelligence tools to detect potential issues with supporting credentials provided by users; and
- implementing an automated control to block accounts using cities and postal codes associated with the Crimea region and in the so-called Donetsk and Luhansk People’s Republics of Ukraine.
OFAC’s announcement concludes by stressing “the importance of using geolocation tools, including IP blocking and other location verification tools, to identify and prevent users located in sanctioned jurisdictions from engaging in prohibited virtual currency-related transactions.” As noted, such controls must be applied after the time of account opening to subsequent transactions. Finally, OFAC observed that Kraken’s settlement “demonstrates the value of a company implementing robust remedial measures after becoming aware of a potential sanctions issue, including the deployment of blockchain analysis tools and compliance-related training on blockchain analytics, as well as committing to future sanctions compliance investments.”