On October 11, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) announced settlements of over $24 million and $29 million, respectively, with Bittrex, Inc., a crypto trading platform based in Bellevue, Washington, for violations of the Bank Secrecy Act. The settlements represent the largest virtual currency enforcement action to date.
Findings of Failure to Maintain Effective Anti-Money Laundering Program
Investigations by OFAC and FinCEN found that Bittrex willfully violated the Bank Secrecy Act (BSA) and its implementing regulations from February 2014 through December 2018 by failing to maintain an effective anti-money laundering (AML) program. As alleged in the FinCEN consent order, Bittrex failed to appropriately address risks associated with anonymity-enhanced cryptocurrencies and other services it offered, exposing the U.S. financial systems to threat actors, including ransomware attackers and actors in OFAC-sanctioned jurisdictions.
Resulting in the settlement agreements, OFAC and FinCEN alleged that Bittrex conducted over 116,000 transactions valued at over $260 million with entities and individuals located in jurisdictions subject to OFAC sanctions, including transactions with entities and individuals operating in Iran, Cuba, Sudan, Syria, and the Crimea region of Ukraine. While Bittrex’s software screened transactions to identify potential matches on OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List), it did not adequately screen customers or transactions for a nexus to these sanctioned jurisdictions. The company also failed to file any Suspicious Activity Reports (SARs) during the relevant three-year period. As alleged by OFAC, based on internet protocol address information and physical address information collected about each customer at onboarding, Bittrex had reason to know that certain users were in jurisdictions subject to sanctions, but was not appropriately screening this customer information.
The investigation further found that Bittrex failed to detect suspicious transactions through its platform including illicit activities such as direct transactions with online darknet marketplaces such as AlphaBay, Agora, and the Silk Road 2—used to buy and sell contraband such as stolen identification data, illegal narcotics, and child pornography—and transactions connected to ransomware attacks.
Implications for AML Enforcement
These settlements represent the largest parallel enforcement action by FinCEN and OFAC in the crypto industry, signaling a new focus on enforcing money laundering regulations as they relate to virtual currency. Importantly, these settlements also show the U.S. Government’s efforts to ensure that any domestic financial institution—virtual currency or otherwise—is adequately screening for illicit activity in OFAC-sanctioned jurisdictions. In light of this new enforcement emphasis, financial institutions should ensure they are adhering to all the AML requirements for a “domestic financial institution” under 31 U.S.C. § 5312(b)(1), as well as FinCEN and OFAC regulations.
These enforcement actions also emphasize the importance of new companies and those involved in emerging technologies incorporating sanctions compliance into their business functions at the outset, particularly when they offer financial services to a global customer base. Virtual currency companies—like all financial service providers—are responsible for ensuring that they do not engage in prohibited transactions with jurisdictions subject to OFAC sanctions, and that their AML policies and procedures are robust and transparent.
To mitigate such risks, virtual currency companies should develop, implement, and monitor tailored, risk-based sanctions and AML compliance programs. Buchanan’s coordinated team of national security attorneys are prepared to assist.