Please note that Bittrex is a crypto exchange / trading platform. Crypto exchanges are like merchants that sell and trade cryptocurrencies, while cryptocurrencies (like Monero, Bitcoin, ZCash, etc.) are the ‘products’ sold by the merchants. The failure of a merchant does not entail that there is a failure in the product.
On October 11, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) announced enforcement actions against Bittrex, Inc. (Bittrex), a privately-owned digital asset trading platform based in Bellevue, Washington, for apparent violations of anti-money laundering (AML) laws and of multiple sanctions programs. A settlement of over $24 million was announced by OFAC and a $29 million fine was announced by FinCEN. FinCEN will credit payment of the OFAC settlement amount toward Bittrex’s potential liability with FinCEN, meaning Bittrex will pay just over $29 million in total. Joint enforcement action between OFAC and FinCEN is uncommon-the settlements mark the first instance of parallel enforcement actions by OFAC and FinCEN in the digital asset sector.
The parallel settlements provide insight into certain sanctions and AML risks in the digital asset sector and illustrate how OFAC and FinCEN rules intersect and overlap in part: for example, that OFAC violations can trigger suspicious activity report filing obligations.
The actions follow a 2019 decision by the New York Department of Financial Services to reject Bittrex’s BitLicense application due in large part to an “inadequate” AML and OFAC compliance program.
In its settlement with OFAC, Bittrex agreed to pay $24,280,829.20 to settle its potential liability for 116,421 alleged violations of multiple U.S. sanctions programs. Following a civil enforcement investigation, OFAC alleged that Bittrex failed to prevent users in Cuba, Iran, Sudan, Syria, and the Crimea region of Ukraine from using its digital asset exchange platform to engage in transactions totaling over $260 million between 2014 and 2017. The relevant sanctions programs broadly prohibited persons in the United States and U.S. persons located abroad from transacting with or providing services to individuals in those jurisdictions.
OFAC alleged that Bittrex had reason to know the users in question were located in jurisdictions subject to sanctions, based on available internet protocol (IP) address information and information on customers’ physical addresses. OFAC found that Bittrex was not screening customers or transactions for association with sanctioned jurisdictions until October 2017, after OFAC issued a subpoena to investigate potential sanctions violations. While Bittrex opened its digital asset platform to users in March 2014, OFAC found that Bittrex implemented a sanctions compliance program only in December 2015, and did not hire a third-party vendor to carry out its sanctions screening program until February 2016. This screening program initially involved only looking for matches against OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List), not sanctioned jurisdiction matches. The OFAC enforcement action illustrates the importance of using all available data for economic sanctions compliance purposes, including data that is likely to be of particular relevance such as physical address and IP address information.
Notably, OFAC’s two other actions against major digital asset companies, BitPay and BitGo, also included apparent violations related to the company’s failure to screen IP address geolocation information. Geolocation tools, including IP address blocking tools, are also discussed in a number of places in OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry.
The Treasury Enforcement Release on the OFAC settlement noted as mitigating factors Bittrex’s “substantial cooperation in connection with OFAC’s investigation,” and the fact that Bittrex “swiftly took a series of subsequent remedial measures,” including implementing blockchain tracing software, that “significantly curtailed” the alleged violations, among other measures. Such factors resulted in a significantly lower penalty than OFAC might otherwise have imposed.
Following a civil enforcement investigation, FinCEN found willful violations of the Bank Secrecy Act (BSA) and its implementing regulations by Bittrex. FinCEN imposed a penalty of $29,280,829.20 for these violations, though, as noted above, the agency will credit payment of the OFAC settlement amount to partly satisfy the FinCEN penalty. The FinCEN Consent Order (Consent Order) identified the “Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures” as a key factor in its evaluation of the matter. The Consent Order noted that Bittrex began taking corrective actions to address its compliance failures beginning in late 2017, including updating its monitoring systems and verification processes, undergoing independent audits (as required under FinCEN rules), and significantly improving its suspicious activity reporting quality and timeliness. In light of the “substantial investments and improvements to [Bittrex’s] compliance program” following the time period of the violations, the Consent Order did not require additional remedial measures by Bittrex. Notably, the FinCEN investigation found that Bittrex acted willfully, but there has been no concurrent criminal enforcement action.
Under the BSA, Bittrex was required “to develop, implement, and maintain an effective Anti-Money Laundering (AML) program that is reasonably designed to prevent the [exchange platform] from being used to facilitate money laundering.”1 Additionally, under the BSA Bittrex was required to report transactions that Bittrex knew, suspected, or had reason to suspect were “suspicious,” as defined under BSA implementing regulations.2 According to the Consent Order, between 2014 and 2018 Bittrex failed to adequately maintain an AML program and “failed to develop and implement internal controls that were reasonably designed to assure compliance with the BSA’s suspicious activity reporting obligations.”
Specifically, FinCEN found that Bittrex utilized an inadequate transaction monitoring process, including relying “on two employees with minimal AML training and experience to manually review all of the transactions for suspicious activity,” rather than implementing widely available monitoring software tools. Bittrex also did not file any suspicious activity reports (SARs) between its founding in 2014 and May 2017, and filed only one SAR between May 2017 and November 2017. During this time, according to the Consent Order, a significant number of transactions associated with sanctioned jurisdictions occurred on Bittrex’s platform.
Additionally, FinCEN found that Bittrex failed to fully address risks associated with its services and products, including anonymity-enhanced cryptocurrencies (AECs). The Consent Order emphasizes the risks of AECs, indicating that FinCEN believes AML programs should address the unique risks presented by particular AECs. FinCEN specifically cites monero, zcash, pivx, and dash as examples of AECs, although a number of other digital assets may also fall into that category. According to FinCEN, “While Bittrex disabled privacy-enhancing features for most of the AECs it transacted in, Bittrex did not implement any other controls to manage the risks presented by AECs for which it was impossible to disable privacy-enhancing features ..” The Consent Order goes on to note that Bittrex did not have appropriate policies, procedures, and controls for “particularly challenging AECs, such as monero.” AECs have been a particular focus of FinCEN for a number of years. Among other features, AECs typically limit the amount of data on publicly available blockchains, impairing the effectiveness of blockchain analytics tools and similar compliance measures.
The Consent Order also found that Bittrex’s designation of its Chief Executive Officer as its AML compliance officer during the early stages of the company’s growth was inappropriate. The Consent Order was strongly critical of compliance resourcing and implementation, including Bittrex’s initial failure to implement automated transaction monitoring. One notable difference between the FinCEN Consent Order and the OFAC settlement is that, under the Consent Order, Bittrex agreed to waive any defense related to the statute of limitations. The OFAC settlement announcement is silent on whether Bittrex entered into a tolling agreement or waived its statute of limitations defenses.
The OFAC and FinCEN enforcement actions against Bittrex are the latest indications of an increased focus by the U.S. government on the sanctions and money laundering risks posed by digital assets. Companies operating in the virtual currency sector, whether startups or more established companies, should ensure that they comply with any applicable BSA requirements, including the establishment of an AML program and the filing of SARs. These companies should also ensure that they develop and implement risk-based controls to address OFAC sanctions compliance risks.
1. See 31 U.S.C. § 5318(h); 31 C.F.R. § 1022.210(a)).
2. See 31 U.S.C. § 5318(g)(1); 31 C.F.R. 1022.320(a)(2)).