Fintechs Take Note: Lessons Learned from Treasury's Recent Bittrex Enforcement Actions
On October 11, 2022, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) announced settlements with Bittrex, Inc., an online virtual currency exchange and hosted wallet services provider based in the United States. Bittrex entered a $24,280,829 settlement with OFAC to resolve "116,421 apparent violations of multiple sanctions programs." In parallel, FinCEN issued a Consent Order imposing a $29,280,829 civil penalty, crediting the OFAC settlement for a total civil penalty of $5,000,000 for willful violations of the U.S. Bank Secrecy Act (BSA) and its implementing regulations in connection with FinCEN's anti-money laundering (AML) program and reporting of suspicious transactions. According to the press release, this is OFAC's largest virtual currency enforcement action to date and represents the first parallel enforcement by FinCEN and OFAC involving the virtual currency industry.
OFAC found that from March 2014 to December 2017, Bittrex had engaged in 116,421 violations of multiple sanctions programs for failing to prevent persons located in Crimea, Cuba, Iran, Sudan, and Syria from using the company's platform to engage in transactions valued at approximately $263.5 million. According to OFAC, from March 2014 to December 2015, Bittrex had no sanctions compliance program. Although Bittrex began to verify customer identities in December 2015 and retained a third-party vendor to conduct sanctions screening in February 2016, OFAC found that the violations continued beyond that date. In particular, OFAC noted that the screening was incomplete given that the vendor only screened transactions for hits against OFAC's List of Specially Designated Nationals and Blocked Persons (SDN List) and other lists but did not screen customers or transactions for a nexus to sanctioned jurisdictions. According to OFAC, Bittrex did not realize that its vendor failed to screen transactions and customers for a nexus to sanctioned jurisdictions until it received a subpoena from OFAC in October 2017. Since then, OFAC noted that Bittrex began to conduct such screenings and implemented other remedial measures.
According to FinCEN's Consent Order, Bittrex, a money services business (MSB) as defined by the BSA and its implementing regulations, willfully violated the BSA's AML program and suspicious activity reporting requirements from February 2014 through December 2018. FinCEN noted that Bittrex's AML program had various deficiencies, including ineffective transaction monitoring, a failure to appropriately address risks associated with the products and services it offered, and a failure to file suspicious activity reports (SARs) on a significant number of transactions involving sanctioned jurisdictions, direct transactions with darknet marketplaces such as AlphaBay, Agora, and Silk Road 2, and transactions connected to ransomware attacks against U.S. individuals and small businesses. With respect to Bittrex's reporting failures, FinCEN noted that instead of employing "widely available transaction monitoring software tools to screen the transactions for suspicious activity, the company relied on two employees with minimal AML training and experience to manually review all of the transactions for suspicious activity." FinCEN added that even as Bittrex's transaction volume increased to an average of 23,800 transactions per day, with a daily value of approximately $97.9 million, the company continued to rely on the two employees' manual review. FinCEN also highlighted that Bittrex did not file a SAR until after May 2017, filed only one SAR until October 2017, when Bittrex received a subpoena from the Internal Revenue Service (IRS) regarding its compliance with the BSA, then subsequently filed 119 SARs in November 2017. Although FinCEN acknowledged that Bittrex took steps to improve its AML program in late 2017, including hiring its first BSA officer and additional compliance staff and improving the implementation of its AML policies and internal controls, the company continued to manually review its transactions for suspicious activity until December 2018.
FinCEN also noted that Bittrex "failed to fully address the risks in practice or in the company's written AML compliance program" with respect to Anonymity-Enhanced Cryptocurrencies (AECs).
Lessons Learned for Fintechs
- Develop a Compliance Framework at the Outset. An aggravating factor OFAC highlighted was that Bittrex operated with no sanctions compliance program for nearly two years after beginning to offer virtual currency services worldwide. Similarly, FinCEN noted that Bittrex failed to adopt a written AML compliance program until almost a year and a half after it began operations as an MSB, and the program was not fully implemented until December 2018, nearly five years after it initiated operations. Given that virtual asset service providers and other fintechs often scale quickly, developing a risk-based compliance framework early on that can keep pace with the company as services and customer bases evolve is critical to avoid potential regulatory pitfalls.
- Leverage Your Data for Compliance Purposes. OFAC continues to require companies to leverage their data to facilitate sanctions compliance. As demonstrated by the Bittrex settlement and others involving fintechs (e.g., Payoneer), companies can face enforcement for failing to properly use their data, such as IP-related information that can show when a user is based in a jurisdiction subject to sanctions, as well as billing, shipping, and identification data.
- Remediate Deficiencies Promptly and Thoroughly. Both FinCEN and OFAC highlighted the extensive remediation measures undertaken by Bittrex. OFAC noted that "Bittrex swiftly took a series of subsequent remedial measures that significantly curtailed" the apparent violations as a mitigating factor. OFAC's enforcement release includes remedial measures that can serve as a roadmap for what fintechs and other start-ups operating globally should be undertaking with respect to their own compliance programs. These include:
  - Blocking all IP addresses associated with jurisdictions subject to sanctions programs
  - Restricting accounts of all account holders located in jurisdictions subject to OFAC sanctions
  - Implementing a software program for sanctions-related screening and blockchain tracing software to identify parties on OFAC's SDN List
  - Hiring a Chief Compliance Officer with direct reporting lines to the Chief Executive Officer and Board of Directors
  - Implementing a sanctions compliance policy and undergoing independent audits of sanctions compliance functions
  - Conducting additional sanctions compliance training for relevant employees
- Deploy Sufficient Resources to Manage Particularly High-Risk Activities. FinCEN highlighted that to be effective, covered companies must adopt AML programs that are "reasonably designed to address the nature and volume" of the services they provide. By way of example, FinCEN noted that during the relevant period, Bittrex operated as an exchange of more than 250 different types of convertible virtual currencies (CVCs), including certain types of AECs. FinCEN indicated that certain AECs "present unique money laundering risks and challenges for MSBs" and that, although Bittrex disabled privacy-enhancing features for most AECs, it did not implement any other controls for the remaining AECs and took several years to implement appropriate policies, procedures, and internal controls to mitigate risks of "particularly challenging" AECs. In recent years, FinCEN has continuously discussed the heightened risks inherent in certain AEC transactions and the challenges that the lack of transparency poses to law enforcement. Companies choosing to continue to transact in AECs should ensure that sufficient resources and controls are employed to effectively manage the heightened risks that transactions involving AECs may create.
For more information, please contact:
Jeffrey A. Lehtman, email@example.com, 202-626-1484
Timothy P. O'Toole, firstname.lastname@example.org, 202-626-5552
Leah Moushey, email@example.com, 202-626-5896
The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.