OFAC Announces Its First Ever Enforcement Action Against a Cryptocurrency Company in Coordination With FinCEN: Bittrex, Inc. to Pay a $29 Million Penalty to the US Government

On October 11, 2022, the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury announced an enforcement action and settlement with a Washington-based cryptocurrency trading platform, Bittrex, Inc., for apparent violations of multiple sanctions programs, including those prohibiting US companies from doing business with Iran, Sudan, Syria, Cuba, and the Crimea region of Ukraine. It also marks the first parallel civil enforcement action by OFAC and the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). The latter found that Bittrex violated the Bank Secrecy Act (BSA) and its implementing regulations.

This latest action against a cryptocurrency exchange company is not unexpected. As we cautioned in 2021, OFAC signaled then its increased enforcement focus on cryptocurrency companies and put those companies on notice of OFAC’s expectations for how the virtual currency industry should manage sanctions risks. In addition, on October 4, 2022, we provided our analysis of OFAC’s recent “Sanctions Compliance Guidance for Instant Payment Systems,” which the agency issued—again—to highlight the sanctions-related risks in this industry, as well as to help cryptocurrency companies determine how to allocate their compliance resources consistent with their particular sanctions risks. The FinCEN enforcement action and OFAC settlement, which follows OFAC’s Instant Payment Systems and Virtual Currency Guidance, serve as an important reminder for individuals and companies operating in the virtual currency industry to implement preemptive compliance measures (e.g., using relevant geographic information as part of a risk-based sanctions compliance program and maintaining robust transaction monitoring and suspicious activity reporting procedures), voluntarily self-disclose apparent violations, promptly implement remedial sanctions compliance measures, and provide early and thorough cooperation with OFAC or FinCEN should either initiate an investigation.

Bittrex Provided Its Cryptocurrency Platform to Individuals in Sanctioned Jurisdictions

Bittrex is a private company based in Bellevue, Washington, that provides an online virtual currency exchange and hosts wallet services. Between 2014 and 2017, Bittrex allowed approximately 1,800 people in the sanctioned jurisdictions—including Iran, Cuba, Sudan, Syria, and Crimea—to conduct more than 116,000 transactions worth roughly $260 million through its platform. Importantly, according to OFAC, Bittrex knew or should have known that its customers were located in the sanctioned parts of the world based on their physical address information collected at customer onboarding and their IP addresses. At the time of the transactions, however, Bittrex failed to screen this customer information for terms associated with the sanctioned jurisdictions and thus committed multiple violations.

Bittrex’s sanctions compliance deficiencies resulted in more than 13,000 apparent violations of Executive Order 13685 prohibiting transactions in the Crimea Region of Ukraine; more than 300 apparent violations of the Cuban Assets Control Regulations, 31 CFR §515.201; more than 94,000 apparent violations of the Iranian Transactions and Sanctions Regulations, 31 CFR §560.204; more than 200 apparent violations of the now-repealed Sudanese Sanctions Regulations, 31 CFR §538.205; and almost 8,000 apparent violations of the Syrian Sanctions Regulations, 31 CFR §542.207.

Bittrex’s Sanctions Compliance Measures Were Deficient

Bittrex’s policies, dating back as far as August 2015, demonstrated that the company had some understanding of OFAC sanctions regulations, including that OFAC generally prohibits US persons from engaging in activity with sanctioned jurisdictions. Although OFAC often considers compliance measures to be a mitigating factor in its enforcement decisions, Bittrex’s compliance measures were so deficient, including not having a compliance program at all for nearly two years, that OFAC ultimately treated this as an aggravating factor. Similarly, and as discussed in more detail below, FinCEN determined that Bittrex had failed to implement and maintain an effective anti-money laundering (AML) program.

Bittrex started offering its virtual currency services in March 2014, but it had no sanctions compliance program in place until December 2015, when it began verifying customer identity. In February 2016, Bittrex went a step further and retained a third-party vendor for sanctions screening purposes, but the screening was incomplete. Until October 2017, the vendor screened transactions only for hits against OFAC’s List of Specially Designated Nationals and Blocked Persons (the SDN List) and other lists but did not scrutinize customers or transactions for a nexus to sanctioned jurisdictions. Those compliance measures were not enough to count as a mitigating factor in the enforcement action against Bittrex.

It was not until October 2017, when OFAC issued a subpoena to investigate potential sanctions violations, that Bittrex even realized that its vendor was not scrutinizing whether customers were in a sanctioned jurisdiction. It was at that point that Bittrex began restricting accounts and screening IP and other addresses associated with the sanctioned locations.

Bittrex Failed to Develop and Maintain Effective AML Program

In a parallel enforcement action, FinCEN found that Bittrex violated the BSA and its implementing regulations. From 2014 through 2018, Bittrex facilitated almost 546 million trades on its platform in the United States and at times averaged over 20,000 transactions through its hosted wallets daily, including transactions involving over $17 billion worth of bitcoin during that period. Bittrex, however, failed to develop and maintain an effective AML program designed to prevent Bittrex’s platform from being used to facilitate money laundering and financing of terrorist activities.

In 2016, Bittrex averaged 11,000 transactions per day on its platform, with a daily value of approximately $1.54 million. Instead of utilizing widely available transaction monitoring software tools to screen the transactions for suspicious activity, the company relied on two employees with minimal AML training and experience to manually review all the transactions for suspicious activity. When activity on Bittrex’s platform grew to an average of 23,800 daily transactions with a per day value of approximately $98 million, the company continued to rely on the same two employees to conduct manual transaction reviews. FinCEN determined that this manual process, which Bittrex failed to enhance as it rapidly grew, was “demonstrably ineffective.” Bittrex failed to file a single suspicious activity report (SAR) from its founding in 2014 through May 2017 and failed to detect various types of illicit activity, including direct transactions with online darknet marketplaces such as AlphaBay, Agora and the Silk Road 2. These markets are often used to buy and sell contraband, such as stolen identification data, illegal narcotics and child pornography. Bittrex also failed to detect, investigate and report transactions connected to ransomware attacks against individuals and small US businesses during the relevant time period.

Penalty Assessment

As noted above, this matter represents OFAC’s first parallel enforcement action with FinCEN against a cryptocurrency company. OFAC and FinCEN levied fines of $24 million and $29 million dollars, respectively, but FinCEN agreed to credit the OFAC fine to settle Bittrex’s potential liability with the agency because some of the violations stemmed from the “same underlying conduct.” Thus, the total sum Bittrex will have to pay to the US Government is $29 million.

Regarding the OFAC penalty, the statutory maximum was determined to be approximately $35 billion. However, based on certain mitigating factors, OFAC ultimately imposed a significantly lower penalty. And the penalty could have been even lower, had Bittrex voluntarily self-disclosed. Among the mitigating factors were: (1) lack of previous violations; (2) relatively small size of the company; (3) substantial cooperation with OFAC; and (4) relatively small transactions in question.

In addition, OFAC noted that Bittrex had undertaken swift remedial measures that significantly curtailed the apparent violations. For instance, Bittrex blocked all IP addresses associated with the sanctioned jurisdictions; restricted the accounts of all account holders identified as being located in jurisdictions subject to OFAC sanctions; began using a new software program for sanctions-related screening; implemented blockchain tracing software to assist in identifying and blocking virtual currency addresses associated with persons potentially identified on OFAC’s SDN List; hired a dedicated Chief Compliance Officer who reports directly to the Chief Executive Officer and the Board of Directors and otherwise substantially increased its compliance staff; implemented a standalone Sanctions Compliance Policy and has undergone additional independent audits of its sanctions compliance functions; and conducted additional sanctions compliance training for all relevant personnel.

OFAC also found at least three aggravating factors: (1) Bittrex failed to exercise due caution or care for its sanctions compliance obligations when it operated with no sanctions compliance program for nearly two years; (2) Bittrex had reason to know that some of its users were in sanctioned jurisdictions based on those users’ IP addresses and physical address data; and (3) Bittrex conveyed economic benefit to thousands of persons in several jurisdictions subject to OFAC sanctions and thereby harmed the integrity of multiple OFAC sanctions programs.

FinCEN, like OFAC, considers mitigating and aggravating factors in evaluating the appropriate resolution of its enforcement investigations. Of note in this action, FinCEN cited Bittrex’s failure to voluntarily disclose its compliance failures to FinCEN as an aggravating factor, and cited the company’s AML compliance remediation and cooperation with the investigation—including agreeing to waive any statute of limitations defense—as mitigating factors. The Bittrex action therefore serves as an important lesson for financial institutions that self-identify material AML compliance deficiencies. Such institutions are encouraged to promptly remediate and give serious consideration to self-reporting to FinCEN (as well as to its regulators and, if applicable, to OFAC). A financial institution that self-reports, remediates and cooperates with FinCEN investigations may substantially decrease any potential penalties FinCEN is authorized to impose.

US Government Emphasizes Compliance for Cryptocurrency Companies

According to OFAC, this action highlights that virtual currency companies—like all financial institutions—are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as engaging in prohibited transactions with sanctioned jurisdictions. The action follows several other steps the US government has taken to signal its increasing focus on regulating the virtual currency industry, including by taking aggressive enforcement measures for violations of US sanctions laws and AML laws, among others.

FinCEN Acting Director Himamauli Das also emphasized that the parallel enforcement actions by OFAC and FinCEN are consistent with the US Government’s “longstanding stance on responsible innovation.” As Acting Director Das noted when commenting on the Bittrex settlement, “[r]egardless of the industry, companies need to implement compliance programs commensurate with the risks of their business and need to grow their compliance programs in real-time. Responsible innovation means not prioritizing growth over compliance.” Compliance programs remain a cornerstone of the US Government’s effort to combat financial crime, and although government enforcement agencies have stated their intent not to stand in the way of certain innovation in the financial services industry, they will not be lenient with companies that allow innovation to outpace corresponding compliance enhancements.

As we stated earlier this month in our analysis of OFAC’s “Sanctions Compliance Guidance for Instant Payment Systems,” to mitigate the risk of virtual currency technological advancements outpacing the development of adequate compliance systems, virtual currency companies should develop a tailored, risk-based sanctions compliance program. An adequate compliance solution for members of the virtual currency industry will depend on a variety of factors, including the type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served, and should also be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.

Cryptocurrency companies seeking advice on sanctions and AML compliance requirements and processes, or seeking assistance in responding to OFAC and FinCEN investigations, are encouraged to contact any of the authors of this Advisory or their usual Arnold & Porter contact.

© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.