On October 11, 2022, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) announced a $29 million civil penalty against Bittrex, a major US cryptocurrency exchange, as part of a global settlement with FinCEN and OFAC regarding Bittrex’s alleged historical violations of the Bank Secrecy Act (BSA), FinCEN’s Anti-Money Laundering (AML) regulations, and “apparent violations of multiple sanctions programs”. Concurrent with the announcement, FinCEN issued a consent order and OFAC issued an enforcement release outlining the alleged violations and settlement conditions.
Takeaways
- According to the Consent Order, from on or around February 13, 2014 to on or around December 7, 2018 (the “relevant period”), Bittrex violated the FinCEN AML Regulations by (1) failing to develop, implement and maintain an effective AML program that was reasonably designed to prevent its trading platform and hosted wallet service from being used to facilitate money laundering and terrorist financing; and (2) failing to accurately and timely report suspicious transactions.
- According to the Consent Order and Enforcement Release, Bittrex processed over 116,000 virtual currency-related transactions, valued at over $260 million, with entities and individuals located in OFAC-sanctioned jurisdictions, including Iran, Cuba, Sudan, Syria and the Crimea region of Ukraine.
- In its early years, Bittrex allegedly grew from a startup to a major US cryptocurrency exchange without taking appropriate steps to implement and expand its BSA and OFAC compliance programs accordingly, resulting in these violations.
Overview of BSA requirements
Under FinCEN regulations implementing the BSA, cryptocurrency exchanges such as Bittrex are considered convertible virtual currency (CVC) exchangers and therefore meet the definition of a money services business (MSB), which must fulfill certain AML and countering the financing of terrorism (CFT) obligations. Accordingly, Bittrex needed to develop, implement and maintain an effective written AML/CFT program that, at a minimum:
(a) incorporates policies, procedures and internal controls reasonably designed to ensure continued compliance with BSA and FinCEN regulations;
(b) designates a person responsible for ensuring day-to-day compliance with the MSB AML program and all FinCEN regulations;
(c) provides education and/or training to appropriate personnel, including training in the detection of suspicious transactions; and
(d) provides for independent review to monitor and maintain an adequate program.
Alleged BSA and OFAC Violations
Among other things, the consent order cited the following BSA and OFAC violations:
Insufficient monitoring of transactions
The Consent Order notes that “in 2016, Bittrex conducted an average of 11,000 transactions (deposits and withdrawals) per day on its platform, with a daily value of approximately $1.54 million” and “in 2017, Bittrex’s trading volume and values increased to an average of 23,800 trades per day with a daily value of approximately $97.9 million”. However, during the relevant period, Bittrex reportedly relied on just two employees “with minimal anti-money laundering training and experience” to manually review all of its transactions for suspicious activity, resulting in a “grossly ineffective” transaction monitoring process.
Failure to File Suspicious Activity Reports
The consent order stated that “Bittrex did not file any Suspicious Activity Reports (SARs) from its inception in 2014 until May 2017” and “filed only one SAR between May 2017 and November 2017”. The consent order pointed out that Bittrex had failed to detect suspicious activity and file SARs related to “direct transactions with online darknet marketplaces such as AlphaBay, Agora and Silk Road 2” and “transactions related to ransomware attacks”.
Facilitation of OFAC Prohibited Transactions
According to the consent order, “[f]rom February 2014 to February 2016, Bittrex knew it was required to ensure that it did not process transactions that violated OFAC sanctions, but the company failed to do so.” The Consent Order and Enforcement Release indicate that Bittrex hired a software vendor in February 2016 for OFAC screening, but the screening was inadequate: it only sought to identify potential matches on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) and other lists, and did not “review customers or transactions for connection to sanctioned jurisdictions” until October 2017. The Enforcement Release notes that Bittrex only learned of the vendor’s inadequate screening through an OFAC subpoena issued in October 2017.
The Consent Order further notes that “Bittrex processed transactions with parties located in sanctioned jurisdictions that were hundreds of times larger than typical transactions for certain clients.” Bittrex reportedly “processed over 200 trades involving $140,000 in CVC – nearly 100 times more than the average withdrawal or deposit on the Bittrex platform – and 22 trades involving over $1 million in CVC each” via accounts opened in the name of persons located in sanctioned jurisdictions.
High-Risk AEC Use
According to the consent order, Bittrex was aware of the risks presented by certain anonymity-enhanced cryptocurrencies (AEC) that were traded on its platform, such as monero, zcash, pivx and dash, but “failed to fully address the risks in practice or in the company’s written AML compliance program” and “has failed to implement appropriate policies, procedures, and internal controls to effectively mitigate the risks associated with particularly difficult AECs, like monero”.
Enforcement Factors and Civil Monetary Penalty
According to the consent order, FinCEN “has considered all of the factors described in its Bank Secrecy Act Enforcement Statement issued August 18, 2020” and found the following factors “particularly relevant” in determining Bittrex’s penalty:
- Nature and gravity of the violations, including the extent of possible harm to the public and the systemic nature of the violations;
- Pervasiveness of wrongdoing within the financial institution;
- History of similar violations or misconduct in general;
- Financial gain or other benefit resulting from the violations;
- Presence or absence of prompt and effective action to end violations upon discovery, including self-initiated corrective actions;
- Prompt and voluntary disclosure of violations to FinCEN;
- Quality and extent of cooperation with FinCEN and other relevant agencies; and
- Whether another agency has taken enforcement action for a related activity.
OFAC’s enforcement release cited the following aggravating and mitigating factors:
- Aggravating factors: Bittrex: (1) operated without a sanctions compliance program for nearly two years, and implemented a program that only screened against the SDN list and allowed people in sanctioned jurisdictions to use the exchange; (2) had reason to know that users were in sanctioned jurisdictions based on IP addresses and physical address data; and (3) provided economic benefits to thousands of people in OFAC-sanctioned jurisdictions.
- Mitigating factors: Bittrex: (1) has not received an OFAC sanction or finding of violation in the five years prior to the date of the first transaction giving rise to the apparent violations; (2) was a small and new business at the time of most of the apparent violations; (3) provided substantial cooperation with OFAC’s investigation; (4) was found to have apparent violations based on transactions that were relatively small and represented a small percentage of total annual transactions; and (5) in response to apparent violations, promptly took a series of corrective actions, including hiring an experienced compliance officer to oversee and implement an effective AML and OFAC compliance program.
The OFAC violations carried a statutory maximum of $35,773,364,108.57, and the basic civil penalty under OFAC’s economic sanctions enforcement guidelines is $485,616,584.00; however, based on the foregoing factors and the “not flagrant” violations, the final settlement amount was $24,280,829.20.
FinCEN imposed a civil penalty of $29,280,829.20. FinCEN credited $24,280,829.20 which Bittrex agreed to pay for the OFAC violations. Among other things, Bittrex has also agreed to “fully cooperate with FinCEN in all matters arising under or relating to the [Consent Order] including any investigation of its current or former directors, officers, employees, agents, consultants or any other party.”
Digital asset companies should ensure that their BSA and OFAC compliance programs grow in step with revenue growth, and they should never seek to cut costs by minimizing compliance staff and procedures. Those who do so face substantial fines and penalties. Digital asset businesses should also be aware of this consent order and its claims, which outline what FinCEN considers best practices for mature AML and OFAC programs, including (i) transaction monitoring software tools to automatically detect suspicious activity and sanctioned persons, (ii) disabling the privacy-enhancing features of AECs, and (iii) using blockchain analytics as part of customer due diligence, transaction monitoring, and compliance obligations. As U.S. regulators focus more on digital asset markets, companies must take proactive steps to ensure they comply with the BSA, FinCEN regulations, and OFAC’s sanctions compliance guidelines for the virtual currency industry.
See FIN-2013-G001, “Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies”, March 18, 2013. A CVC is defined as a type of virtual currency that either has equivalent value as currency or acts as a substitute for money, and is therefore a type of “value which substitutes for money”. FIN-2019-G001, “Guidance, application of FinCEN regulations to certain business models involving convertible virtual currencies”, § 1.3, May 9, 2019.
 31 USC § 5318(h); 31 CFR § 1022.210(a).
 31 USC § 5318(h)(1); 31 CFR § 1022.210(d) and (e).
 FinCEN, Statement on Enforcement of the Bank Secrecy Act (August 18, 2020), https://www.fincen.gov/sites/default/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf.