The United States Department of the Treasury has continued to signal that it will focus policy, regulatory, and enforcement attention on the financial crime and sanctions risk in the crypto and digital asset ecosystem. The Treasury recently released the “Action Plan to Address Illicit Financing Risks of Digital Assets” updating the illicit finance risks it sees in the digital asset domain.1 The United States and international regulators have continued to focus on these risks as a predominant theme for regulation of the sector.
Prior client alerts have illuminated the growing attention from regulators and treatment of the crypto and digital asset ecosystem (see U.S. Policy Objectives on Digital Assets; Risks Due to Virtual Currency Abuses by Russian Actors; Virtual Currency Industry Guidance). The Treasury Department—as a part of a broader effort by the U.S. government—has signaled to actors in the digital asset industry that there are financial crime compliance risks associated with new methods of transferring value and new types of assets and that the industry should be proactively mitigating such risks. Recent actions of the Treasury Department remind the digital asset and FinTech industry that the Treasury Department is imposing sanctions and financial crime compliance expectations analogous to those required of the traditional finance industry.
On 11 October 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) announced the first parallel enforcement action in the virtual currency industry against Bittrex, Inc. (Bittrex), a U.S.-based company that provides online virtual currency exchange and hosted wallet services.2 Authorities concluded that (i) Bittrex did not maintain an appropriate compliance program for the first 18 months of its operation; (ii) it did not report suspicious activities as required by relevant laws in the United States; and (iii) it provided services to customers in sanctioned jurisdictions.
The total amount of fines imposed—$53,561,658.40—was the largest to date for a company in the virtual currency space. The OFAC and FinCEN settlement amounts were $24,280,829.20 and $29,280,829.20, respectively. FinCEN credited the Bittrex’s settlement amount with OFAC against its own settlement which meant Bittrex would need to pay $5 million in addition to what it pays to OFAC as part of the FinCEN Consent Order.
Separately, on 30 September 2022, OFAC announced a settlement in the amount of $116,048.60 with Tango Card, Inc. (Tango Card), a U.S.-based company that supplies and distributes customer and employee incentive awards such as stored value cards. OFAC concluded that Tango Card was in apparent violation of a number of U.S. sanctions programs by issuing value cards for individuals located in sanctioned countries as a result of its deficient geolocation identification controls.
These actions come on the heels of OFAC’s action to impose sanctions on a cryptocurrency mixer, Tornado Cash.3 In August 2022, OFAC imposed blocking sanctions on Tornado Cash. As a result, no one over whom OFAC has jurisdiction, may deal with Tornado Cash. OFAC sanctioned the mixer because it was used by malicious actors including Lazarus Group, a Democratic People’s Republic of Korea state-sponsored hacking group, to break the traceability of the stolen digital assets obtained via series of hacks. The move by OFAC triggered some disagreements about whether OFAC had the authority to impose sanctions on a decentralized autonomous organization,4 otherwise known as DAO, and whether OFAC has infringed constitutional rights of the U.S. persons who were barred from using the mixer following the imposition of sanctions on Tornado Cash.5
OFAC Settlement with Bittrex
Bittrex and OFAC entered into an agreement to settle its potential civil liability for 116,421 apparent violations of U.S. comprehensive sanctions programs against Ukraine’s Crimea region, Cuba, Iran, Sudan, and Syria.6 For over three years—from March 2014 to December 2017—Bittrex processed transactions for customers located in those jurisdictions while having information in its possession that indicated apparent connection to sanctioned jurisdictions. Bittrex operated without a sanctions compliance program for more than 18 months after they offered their services. Subsequently, while Bittrex hired an outside vendor to implement sanctions screening controls, the company failed to realize that the vendor screened transactions only against OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) and that it did not screen for physical or IP addresses associated with sanctioned jurisdictions. OFAC’s action highlights the importance of incorporating sanctions compliance into business functions at the origin of the company or product when serving a global customer base.
FinCEN Consent Order Regarding Bittrex
Bittrex and FinCEN entered into a separate agreement to settle Bittrex’s violations of the United States Bank Secrecy Act (BSA).7 According to the Consent Order, Bittrex facilitated over 500 million trades during the time for which it was investigated by FinCEN. Bittrex started its operation in February 2014, without a written anti-money laundering (AML) compliance program, and it continued to operate as such until August 2015. Bittrex had only two employees with minimal AML training tasked with manually monitoring thousands of transactions a day, among other duties. Bittrex did not file a single Suspicious Activity Report (SAR) from its founding in 2014 through May 2017, despite the fact that it processed transactions that FinCEN determined to be reportable.
FinCEN specifically noted that Bittrex failed to file SARs for transactions that were in violation of sanctions, which were likewise reportable to FinCEN. FinCEN referred to guidance it had issued stating that “to the extent that the financial institution is in possession of information not included on the blocking report filed with OFAC, a separate [SAR] should be filed with FinCEN including that information.”8 The settlement also noted that for more than three years into its operation as a Money Service Transmitter, Bittrex had designated its Chief Executive Officer, who was not an experienced AML professional, as the AML compliance officer.
OFAC Settlement with Tango Card
Tango Card and OFAC entered into a settlement agreement to settle its potential civil liability for transmitting 27,720 gift cards and promotional debit cards in apparent violation of sanctions programs against Cuba, Iran, Syria, North Korea, and the Crimea Region of Ukraine.9 In February 2021, upon a tip from its customer, Tango Card discovered that it had issued rewards cards for the benefit of its customers’ customers or employees with IP and email addresses associated with sanctioned jurisdictions. Tango Card initiated a lookback and subsequently identified that over the course of five years it had issued more than 27,000 gift cards to such recipients. While Tango Card had controls in place to screen its direct customers for nexus to sanctioned jurisdictions, it did not do so for the gift card recipients.
Similar to the Bittrex case and previous OFAC settlements, this case demonstrates the importance of leveraging relevant geographic information in a company’s possession to identify transactions potentially involving sanctioned jurisdictions. The Tango Card case also reminds industry that while inserting provisions in agreements with customers to comply with sanctions can be helpful to mitigate the risk of potential sanctions violations, it does not substitute for the company’s own responsibility or replace other sanctions compliance controls maintained by the company to prevent prohibited activity.
The OFAC and FinCEN actions reiterate that crypto and digital asset and payment companies have similar sanctions and financial crime compliance obligations as traditional financial institutions, even if they offer novel or yet-to-be regulated products or services. AML and sanctions compliance programs require controls and processes commensurate with the risk profile of the institution and its products or services. Thus, any crypto, digital asset, or payments company or platform should ensure it allocates appropriate resources from its inception to build compliant products; establishes an independent compliance function; verifies the robustness of its AML and sanctions controls; and hires experienced personnel tasked with administering the program.
It is clear from these enforcement actions that launching a new business without an appropriate financial crimes compliance program in place is almost certain to lead to subsequent discovery of regulatory violations, requiring substantial remediation efforts, extensive lookbacks, and disclosure to regulators.
In addition to having systems and controls, leveraging data available to company or platform is critical to demonstrating the purposeful management of sanctions and financial crime risk. Several companies that offer online and e-commerce services gather various data points from their customers and users, but they often fail to leverage that data for implementing strong controls around financial crimes risks. If the data points are available within an institution, OFAC expects that information will be considered, even if that creates additional compliance costs or requires establishment of new processes.
Some specific compliance best practices are suggested by these enforcement actions:
- Sanctions compliance requires screening not only against applicable lists of sanctions targets, but also maintaining controls to prevent activity with comprehensively sanctioned jurisdictions. This includes instances where a company is exposed to third party risks, such as customers of its customers. To the extent a company obtains personal identifiable data of its customers’ customers, such as Internet Protocol (IP) addresses, email addresses with geographic references (e.g., .ir, .cu, etc.), or physical addresses located in sanctioned jurisdictions, OFAC’s expectation is that the company will screen such data to prevent persons located in those jurisdictions from obtaining services from the United States.
- High-risk offerings—such as dealings in Anonymity Enhanced Coins or transactions valued significantly above average amounts—should have appropriate, risk-based controls in place to ensure compliance with OFAC and FinCEN regulations.
The joint announcement of penalties against Bittrex demonstrate the seriousness with which the U.S. government takes compliance with countering the financing of terrorism, AML, and OFAC sanctions regulations. Enforcement actions take time, and it is reasonable to expect similar settlements in the coming months. However, given signaling by various U.S. government entities of the importance of compliance programs and controls, it is crucial to have such programs in place and a proper understanding of whether those systems, controls, and personnel are able to identify, manage, and mitigate sanctions and financial crime risks.
1 “Action Plan to Address Illicit Financing Risks of Digital Assets,” U.S. Department of the Treasury, delivered on 12 September 2022, https://home.treasury.gov/system/files/136/Digital-Asset-Action-Plan.pdf. To see some examples of illicit financing risk of digital assets, refer to the North Korean Crypto Threat white paper written by Juan Zarate: The North Korean Crypto Threat, published by Crypto Council for Innovation, September 2022, https://cryptoforinnovation.org/the-north-korean-crypto-threat/.
2 “Treasury Announces Two Enforcement Actions for Over $24M and $29M Against Virtual Currency Exchange Bittrex, Inc.,” U.S. Department of the Treasury Press Releases, October 11, 2022, https://home.treasury.gov/news/press-releases/jy1006.
3 “U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash,” U.S. Department of the Treasury Press Release, August 8, 2022, https://home.treasury.gov/news/press-releases/jy0916.
4 Coin Center, et al. v. Yellen et al., 3:2022cv20375 (N.D. Fla., October 12, 2022).
5 Joseph Van Loon, et al. v. U.S. Department of the Treasury, et al., 6:2022cv00920t (W.D. Tex., September 8, 2022), https://dockets.justia.com/docket/texas/txwdce/6:2022cv00920/1188185.
6 “OFAC Settles with Bittrex, Inc. for $24,280,829.20 Related to Apparent Violations of Multiple Sanctions Programs,” U.S. Department of the Treasury Enforcement Release, October 11, 2022, https://home.treasury.gov/system/files/126/20221011_bittrex.pdf.
7 In the Matter of Bittrex, Inc., October 11, 2022, https://www.fincen.gov/sites/default/files/enforcement_action/2022-10-11/Bittrex%20Consent%20Order%2010.11.2022.pdf.
8 FinCEN, Interpretive Release 2004-02—Unitary Filing of Suspicious Activity and Blocking Reports, 69 Fed. Reg. 76,847, 76, 848 (Dec. 23, 2004), https://www.fincen.gov/sites/default/files/federal_register_notice/31cfr12232004.pdf.
9 “OFAC Settles with Tango Card, Inc. for $116,048.60 Related to Apparent Violations of Multiple Sanctions Programs,” U.S. Department of the Treasury Enforcement Release, September 30, 2022, https://home.treasury.gov/system/files/126/20220930_tango_card.pdf.