Office of Foreign Assets Control (OFAC)

The Office of Foreign Assets Control (“OFAC”) announced (here and here) yesterday that virtual currency exchange Payward, Inc. – better known as Kraken – has agreed to pay $362,158.70 in order to settle its potential civil liability for apparent violations of the sanctions against Iran. Kraken also has agreed to invest an additional $100,000 in certain sanctions compliance controls.  According to OFAC, “[d]ue to Kraken’s failure to timely implement appropriate geolocation tools, including an automated internet protocol (IP) address blocking system, Kraken exported services to users who appeared to be in Iran when they engaged in virtual currency transactions on Kraken’s platform.” 

Compared to OFAC’s recent settlement with Bittrex, which agreed to pay a total of $29,280,829.20 to OFAC and the Financial Crimes Enforcement Network (“FinCEN”) in order to resolve allegations of sanctions and Bank Secrecy Act violations, the settlement amount is relatively low – and, as OFAC noted in its announcement, Kraken faced an astronomical statutory maximum civil monetary penalty of $272,228,964.  OFAC has stated that “[t]he settlement amount reflects OFAC’s determination that Kraken’s apparent violations were non-egregious and voluntarily self-disclosed.”

Continue Reading  Kraken Settlement Demonstrates Importance of Sanctions Monitoring for Transactions — Not Just When Onboarding Customers

The “Highlights” — To Russia, With Crypto

The Financial Crimes Enforcement Network (“FinCEN”) issued on November 1 a Financial Trend Analysis regarding ransomware-related Bank Secrecy Act (“BSA”) filings during the second half of 2021 (the “Report”).  This publication follows up on a similar ransomware trend analysis issued by FinCEN regarding the first half of 2021, on which we blogged here.  

In the most recent analysis, FinCEN found that both the number of ransomware-related Suspicious Activity Reports (“SAR”) filed, and the dollar amounts at issue, nearly tripled from 2020 to 2021.  The notable takeaways from the Report include:

  • Ransomware-related SARs were the highest ever in 2021 (both in number of SARs and in dollar amounts of activity reported).
  • Ransomware-related SARs reported amounts totaling almost $1.2 billion in 2021.
  • Approximately 75% of ransomware-related incidents between June 2021 and December 2021 were connected to Russia-related ransomware variants.

The Report, which stated that the majority of these ransomware payments were made in Bitcoin, serves as a particular reminder to cryptocurrency exchanges of their role in both identifying and reporting ransomware-related transactions facilitated through their platforms.  The Report stresses that SAR filings play an essential role in helping FinCEN identify ransomware trends.

Continue Reading  FinCEN Reports Staggering Increase in Reported Ransomware Attacks

Actions Highlight Risky Mix of Sanctions Law, Inadequate Transaction Monitoring and Dealing with Anonymity-Enhanced Cryptocurrencies

The Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”) announced on October 11 simultaneous settlements with Bittrex, Inc. (“Bittrex”), a virtual currency exchange and hosted wallet provider. Under the OFAC settlement, Bittrex has agreed to pay $24,280,829.20 to settle its potential civil liability for 116,421 alleged violations of multiple sanctions programs. Under the FinCEN consent order, Bittrex agreed to pay a civil penalty of $29,280,829.20 for alleged anti-money laundering (“AML”) violations under the Bank Secrecy Act (“BSA”). FinCEN has agreed to credit Bittrex’s payment to OFAC against its penalty because it found that the alleged BSA violations “stem from some of the same underlying conduct”; thus, Bittrex’s total payments to the two regulators come to $29,280,829.20. 

According to the Department of the Treasury dual press release, the two settlements represent the first parallel enforcement actions by FinCEN and OFAC in the virtual currency and sanctions space. Also, it is OFAC’s largest virtual currency enforcement action to date. To further highlight the importance of the settlements, the press release quotes the OFAC Director Andrea Gacki and FinCEN Acting Director Himamauli Das, both sternly warning operators in the same environment as Bittrex to implement effective AML compliance and sanction screening programs.

It is conceivable that Bittrex, for years now, has been on notice that federal and state regulators are closely watching and expecting more comprehensive risk assessment programs and procedures from businesses transacting with virtual currency. As we previously blogged here, in 2019 the New York Department of Financial Services (“NYDFS”) denied Bittrex’s application for a Bitlicense, citing: “deficiencies in Bittrex’s BSA/AML/OFAC compliance program; a deficiency in meeting the Department’s capital requirement; and deficient due diligence and control over Bittrex’s token and product launches.”  In its letter denying Bittrex’s application, NYDFS set forth in detail the deficiencies it found in Bittrex’s BSA/AML/OFAC compliance program, noting that Bittrex’s compliance policies and procedures “are either non-existent or inadequate.”

As we will discuss, the FinCEN consent order highlights Bittrex’s alleged failure to address adequately the overall risk environment in which it operated, including transactions involving anonymity-enhanced cryptocurrencies, or AECs.  The consent order also highlights two repeated themes in enforcement actions: lack of adequate compliance staff, and a seemingly robust written compliance policy that was not matched by an effective day-to-day transaction monitoring system.

Continue Reading  OFAC and FinCEN Settle with Bittrex in Parallel Virtual Currency Enforcements

With Guest Speaker Matthew Haslinger of M&T Bank

We are extremely pleased to offer a podcast (here) on the legal and logistical issues facing financial institutions as they implement the regulations issued by the Financial Crimes Enforcement Network (FinCEN) pursuant to the Anti-Money Laundering Act of 2020 (AMLA) and the Corporate Transparency Act

Complaint Illustrates Existential Fight Over OFAC’s Ability to Sanction Open-Source Code – and OFAC Responds (?) By Issuing FAQs on Tornado Cash Use

Last month, the Office of Foreign Assets Control (“OFAC”) sanctioned Tornado Cash, a virtual currency “mixer” operating on the Ethereum blockchain which allegedly has been used to launder the virtual currency equivalent of more than $7 billion since its creation in 2019, by adding it to the Specially Designated Nationals and Blocked Persons List (the “SDN List”). The initial response from certain elements of the crypto community was, not surprisingly, negative: for example, an 8/15 Coin Center whitepaper and an 8/23 letter from Congressman Tom Emmer to Treasury Secretary Janet Yellen argued that OFAC lacked the legal authority.

In the intervening month, things have heated up considerably. Last week, six plaintiffs filed a complaint against OFAC and the Treasury Department, as well as Secretary Yellen and OFAC Director Andrea Gacki in their respective official capacities, in the Western District of Texas (Waco Division), seeking declaratory and injunctive relief – specifically, that the court declare OFAC’s addition of Tornado Cash to the SDN List as unlawful, and permanently enjoin the enforcement of the designation and any sanctions stemming therefrom.  Plaintiffs allege that venue is proper due to Plaintiff Joseph Van Loon’s residence in Cedar Park, TX, within the Western District.  Plaintiffs’ decision to opt for the Waco Division, rather than the Austin Division, may be intentional, because the Waco Division has only one judge, who until recently has been the go-to choice for patent litigation plaintiffs.

The complaint has and will continue to draw considerable attention.  It lays out the framework for a fascinating question:  under existing law, can OFAC act directly against a piece of technology such as open-source code?  Or, must OFAC pursue enforcement, through a more difficult, piece meal and time-consuming process, only against specific individuals and specific legal entities? Presumably, both sides will invoke broad policy-related and equity-related arguments regarding “privacy,” “transparency,” and the need to fight crime.  However, the key issue may come down to a more traditional and rather dry legal issue of parsing the meaning of statutory language.

Continue Reading  Civil Complaint Challenges OFAC’s Tornado Cash Sanctions

On August 8, the U.S. Department of the Office of Foreign Assets Control (“OFAC”) sanctioned “notorious” virtual currency “mixer” Tornado Cash, which allegedly has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.  Tornado Cash is a virtual currency mixer that operates on the Ethereum blockchain.  Tornado Cash receives a variety of transactions and mixes them together before transmitting them to their individual recipients.  The stated purpose of such mixing is to increase privacy, but mixers are often used by illicit actors to launder funds because the process enhances anonymity and makes it very hard to track the flow of funds.  According to the Treasury Department press release, “[d]espite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risk.”  This statement seems to imply that Tornado Cash is run by actual people – an implication that is at the heart of the controversy over these sanctions, as we will discuss.

The sanctions against Tornado Cash have elicited enormous controversy in the crypto world because, some argue, (1) Tornado Cash is not an entity run by actual people, but is merely code; and (2) although OFAC has the legal authority to sanction people and entities, it lacks such authority to sanction code or a technology – or at the very least, such sanctions create many practical problems for innocent actors, including in ways which no one has foreseen fully.  As we discuss,  even a member of the U.S. House of Representatives has waded into the controversy this week, questioning the ability of OFAC to issue the sanctions and demanding answers.  The controversy also reflects that, once again, whether one chooses to focus on the word “privacy” or on the word “anonymity” typically reflects an a priori value judgment predicting one’s conclusion as to whether something in the crypto world is good or bad. 

Indisputably, the Tornado Cash sanctions are, to date, unique and unprecedented.  Although they may turn out to be an outlier experiment by OFAC, public pronouncements by the U.S. Treasury Department strongly suggest that, to the contrary, they represent part of the future of crypto regulation, in which the enormous power of the U.S. government to issue broad sanctions obliterates legal and practical hurdles which could stymie other agencies, such as the Financial Crimes Enforcement Network (FinCEN).  This may be because, ultimately, the government actually agrees that no person is in control of a powerful technology that has easy application for malicious uses, and that is precisely the problem.

Continue Reading  OFAC Sanctions Virtual Currency “Mixer” Tornado Cash and Faces Crypto Backlash

The Financial Crimes Enforcement Network (FinCEN) and the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) issued a joint alert on June 28, 2022, warning of evasion attempts by individuals or entities to circumvent BIS export controls implemented in response to the Russian Federation’s renewed invasion of Ukraine. Both agencies urged financial institutions to remain vigilant against bad actors’ attempts to evade BIS export controls. The alert provided an overview of current BIS export restrictions, listed particular commodities of concern for export control evasion, and outlined transactional and behavioral red flags that could indicate attempts to avoid sanctions.

This is FinCEN’s third alert in relation to sanctions imposed on Russian in response to the war in Ukraine.  As we previously blogged, on March 7, 2022, FinCEN urged vigilance by financial institutions against potential Russian Federation attempts to evade sanctions. On March 16, 2022, FinCEN reiterated the need for increased vigilance by financial institutions in detecting suspicious transactions involving real estate, luxury goods, and other high-value assets.

The joint alert comes on the heels of the June 27, 2022 announcement by the United States and the other G7 nations to intensify their coordinated sanction measures in response to Russia’s war of aggression.  A day later, on June 28, 2022, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued determinations pursuant to prior Executive Orders implementing the new measures.  These include prohibiting the importation of Russian gold (EO 14068), as well as new sanctions and export restrictions on entities like Rostec, a key Russian state owned conglomerate, which forms the foundation of Russia’s defense industry (EO 14024).

Continue Reading  FinCEN and BIS Issue Joint Alert on Potential Russian and Belarusian Export Control Evasion

On June 23, 2022, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective (SRP) for spring 2022.  In the SRP, the OCC opines on its current safety and soundness concerns for banks under its regulatory umbrella, focusing on Russia sanctions, climate-related risk, and rising inflation.  Despite these challenges, the OCC believes that “[b]anks’ financial condition remains strong and positioned to deal with the economic headwinds.”

Of special note, the OCC also believes compliance risk is “heightened” for Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) compliance because of world events and compliance staffing concerns.  In addition, the OCC warns that banks face an “elevated” risk of cyber attacks and fraud or cybersecurity risks related to digital assets.

Continue Reading  OCC Highlights Risks Associated with Compliance Staffing Concerns, Russia Sanctions, Environmental Crimes, Cyber Attacks and Digital Assets

Enforcement Trends, Crypto, the AML Act — and More

We are very pleased to be moderating, once again, the Practising Law Institute’s 2022 Anti-Money Laundering Conference on May 17, 2022, starting at 9 a.m. This year’s conference will be both live and virtual — and it will be as informative, interesting and timely as always. 

On April 28, 2022, the Acting Director of the Financial Crimes Enforcement Network (“FinCEN”), Himamauli Das (“Das”), appeared before the U.S. House Committee on Financial Services to provide an update on FinCEN’s implementation of the Anti-Money Laundering Act of 2020 (“AML Act”), including the Corporate Transparency Act (“CTA”).  You can find his prepared statement here.

In his opening remarks, Das walked through FinCEN’s activities for the year, and applauded the AML Act for putting FinCEN in a position to address today’s challenges, such as illicit use of digital assets, corruption, and kleptocrats hiding their ill-gotten gains in the U.S. financial system.  The speech focused on financial sanctions on Russia, FinCEN’s continued efforts to fight corruption, and effective AML programs.   Das also indicated that FinCEN is examining whether to issue proposed AML regulations for investment advisers – an effort that stalled in 2015.
Continue Reading  FinCEN Acting Director Das Focuses on Corruption and Transparency During U.S. House Committee on Financial Services Testimony