On November 28, 2022, the Office of Foreign Assets Control (“OFAC”) announced a settlement agreement with Payward, Inc., known as Kraken (“Kraken”), a United States-based virtual currency exchange. Kraken agreed to pay $362,158.70 to resolve its potential civil liability for 826 apparent violations of the Iranian Transactions and Sanctions Regulations (“Apparent Violations”). The settlement amount is significantly less than the statutory maximum civil monetary penalty of $272,228,964, reflecting OFAC’s determination that the Apparent Violations were non-egregious and voluntarily self-disclosed, thereby lowering the base civil monetary penalty, and that the base amount warranted further adjustment based on several mitigating factors, including significant remedial measures. Kraken will also invest $100,000 in additional sanctions compliance controls. The settlement is part of recent efforts by the Department of the Treasury relating to virtual currency, including recent OFAC and Financial Crimes Enforcement Network enforcement actions, OFAC’s sanctioning of virtual currency mixer Tornado Cash, and Department of the Treasury reports on digital assets.
Before the Apparent Violations, Kraken had an anti-money laundering and a sanctions compliance program in which it screened users when opening an account and then on a daily basis. The program also reviewed a user’s IP address information during onboarding to prevent users in a jurisdiction subject to U.S. sanctions from using the virtual currency exchange. The program did not, however, implement IP address blocking on transactional activity, and it appeared that this allowed users to use their account while located in Iran.
The lack of geolocation controls after onboarding resulted in the Apparent Violations underlying the settlement agreement. In fact, OFAC noted this as the sole aggravating factor, explaining that “Kraken failed to exercise due caution or care for its sanctions compliance obligations when, knowing it had customers worldwide, it applied its geolocation controls only at the time of onboarding and not with respect to subsequent transactional activity.” OFAC also highlighted the fact that the available IP address information provided Kraken with reason to know some transactions were processed on behalf of users who appeared to be in Iran.
In response to this issue, Kraken implemented remedial measures. Critically, Kraken added geolocation blocking to prevent users in prohibited jurisdictions from accessing their accounts on the website and implemented multiple blockchain analytics tools for sanctions monitoring. OFAC identified other remedial measures taken by Kraken, including investing in additional compliance training for staff, hiring a dedicated head of sanctions in addition to hiring new sanctions compliance staff, adding additional screening capabilities to ensure compliance with OFAC’s 50 Percent Rule, and contracting with a vendor for identification and nationality verification to assist with detecting issues with users’ credentials.
OFAC noted in the enforcement release that the Kraken case highlights the importance of appropriate geolocation tools, including IP blocking. OFAC’s 2021 compliance guide for the virtual currency industry identified geolocation tools and IP address blocking controls as part of an effective sanctions compliance program. Kraken’s settlement demonstrates that screening of IP address information at onboarding may not be sufficient – companies may need to have in place measures that can block IP addresses on transactional activity. Indeed, OFAC noted in the enforcement release that not using such controls throughout the lifetime of an account or with respect to subsequent transactions presents sanctions risks. A sanctions compliance program should consider incorporating geolocation tools for each transaction, rather than just at onboarding, especially in the virtual currency industry. The settlement also reflects the importance of providing compliance training that is tailored for a company’s employees, business, and industry; here, Kraken’s additional compliance training includes blockchain analytics. OFAC’s described sanctions-specific training as “critical to the success of any company’s sanctions compliance program.” OFAC emphasized in that 2021 guidance that effective sanctions training for the virtual currency industry should account for new and emerging technologies in the virtual currency space.