On Oct. 11, 2022, the U.S. Treasury Department announced that cryptocurrency exchange Bittrex Inc. had agreed to settle $53 million total in fines over allegations it violated sanctions and anti-money-laundering laws. The fines come after the Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) conducted parallel investigations into Bittrex’s activities. Bittrex settled with OFAC and FinCEN, respectively.

These actions, the largest against a crypto firm by OFAC and the first parallel action taken by OFAC and FinCEN, come as the virtual-currency sector faces increasing regulatory scrutiny. Both OFAC and FinCEN focus on risks in the virtual currency space generally, and specifically when companies do not implement adequate compliance programs and internal controls from the outset.

The Treasury Department noted that these actions highlight the importance of crypto firms maintaining risk-based sanctions and anti-money-laundering compliance programs. The FinCEN Consent Order imposing the penalties stated that Bittrex’s failure to implement proper internal controls “left its platform open to abuse by bad actors, including money launderers, terrorist financiers, and sanctions evaders.”

Overview Of OFAC Settlement With Bittrex

Bittrex has agreed to remit approximately $24 million to OFAC to settle its potential civil liability for approximately 116,000 apparent violations of multiple sanctions programs.

The settlement notes that Bittrex failed to prevent persons apparently located in the sanctioned jurisdictions of the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria from using its platform to engage in approximately $263 million worth of virtual-currency-related transactions between March 2014 and December 2017. Based on IP address information and physical address information collected about each customer at onboarding, Bittrex was found to have reason to know that these users were located in jurisdictions subject to sanctions. Bittrex was not screening this customer information for terms associated with sanctioned jurisdictions at the time of the transactions.

Overview Of FinCEN Settlement With Bittrex

Bittrex has agreed to remit approximately $29 million for its willful violations of the Bank Secrecy Act (BSA)’s anti-money laundering (AML) program and suspicious activity reporting (SAR) requirements. FinCEN will credit Bittrex’s payment of $24 million as part of its agreement to settle its potential liability with OFAC against the FinCEN levied penalties.

FinCEN’s investigation found that, from February 2014 through December 2018, Bittrex, although aware of its obligations under the BSA, failed to develop, implement and maintain an effective AML program. In particular, Bittrex failed to maintain adequate controls reasonably designed to assure compliance with SAR filing requirements. Instead of utilizing transaction monitoring software tools to screen transactions for suspicious activity, Bittrex relied on a small number of staff with minimal AML training and experience to manually review all transactions for suspicious activity. Further, Bittrex’s AML program failed to appropriately address the risks associated with the products and services it offered, including anonymity-enhanced cryptocurrencies. As a result of these gaps, Bittrex failed to file any SARs between February 2014 and May 2017, and to identify and block a significant number of transactions involving sanctioned jurisdictions. As is typical with FinCEN resolutions, Bittrex was required to admit the facts giving rise to the settlement.

Key Takeaways

The Treasury Department continues to remain focused on the virtual currency space. Last month it began seeking public comment on the possible illicit-finance and national-security risks posed by the use of digital assets, as part of the agency’s mandate under President Biden’s March executive order to study the development of cryptocurrency, further indicating that additional review and scrutiny of this space is forthcoming.

The enforcement actions coupled with OFAC guidance on compliance in the virtual currency space and for instant payment systems signal that companies must take responsibility for their OFAC compliance. This responsibility does not end even when the company is using a third-party vendor for its OFAC compliance program, as Bittrex did. Companies are responsible for monitoring and implementing the services their vendors provide and cannot solely rely on the vendor to ensure the company is compliant.

Companies should develop and implement risk-based compliance programs, especially when engaging in high-risk activities like cross border financial transactions in the virtual currency space. This applies to startups in the virtual currency space as well because, as these enforcement actions indicate, startups will not be provided leniency for failing to have compliance programs in place as they become operational. Additionally, crypto firms, and particularly exchanges and payment processors, should be reviewing their BSA/AML and sanctions programs to ensure they have implemented adequate controls to address the AML and sanctions risks presented by their operations.