On November 28, 2022, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) announced that Payward, Inc. d/b/a Kraken, a U.S.-based cryptocurrency exchange, agreed to pay $362,158.70 to settle charges relating to its apparent violations of the Iranian Transactions and Sanctions Regulations, violations that could have resulted in civil penalties of up to almost $273 million. Kraken also agreed to spend an additional $100,000 to implement more extensive sanctions controls. These penalties are significant in light of the screening processes Kraken had implemented to prevent violations, and they reflect OFAC’s focus on the use of geolocation, IP blocking, and other electronic monitoring tools throughout the life of a customer relationship, not just at onboarding.
Kraken voluntarily disclosed its apparent violations, stating that it failed to prevent users who appeared to be located in Iran from conducting transactions worth over $1.68 million. While Kraken maintained an anti-money laundering (AML) and sanctions compliance program, which “included screening customers at onboarding and daily thereafter, as well as a review of IP address information generated at the time of onboarding,”1 OFAC concluded that the company’s controls were not adequate because “Kraken did not implement IP address blocking on transactional activity across its platform.”2
Kraken reviewed IP address information when users initially created an account to ensure that they were not in a sanctioned jurisdiction, but it did not continually monitor IP location on a transactional basis. As a result, Kraken processed transactions on behalf of customers who “established their accounts outside of sanctioned jurisdictions,”3 but “appear to have accessed their accounts and transacted on Kraken’s platform from a sanctioned jurisdiction.”4
After discovering the potential violations, Kraken took multiple steps to strengthen its sanctions compliance program, including implementing automated IP blocking, investing in more compliance training for staff, and hiring new sanctions compliance staff. OFAC found mitigating factors that included Kraken’s swift implementation of remedial measures, the non-egregious nature of the apparent violations, and Kraken’s voluntary disclosure of those apparent violations.
In its press release, OFAC noted that it “strongly encourages a risk-based approach to sanctions compliance.”5 Virtual currency industry participants should consider their “size and sophistication, products and services offered, customers and counterparties, and geographic locations served”6 when constructing and updating their sanctions and AML compliance programs. Additionally, OFAC reiterated its five essential components of a sanctions compliance program: i) management commitment; ii) risk assessment; iii) internal controls; iv) testing and auditing; and v) training.
The Kraken settlement highlights the importance of continuously monitoring customers even after they are onboarded, especially at the time of initiating a transaction. While technically there is no legal requirement to conduct OFAC sanctions screening or IP blocking, OFAC’s “strict liability” standard underscores the practical importance of maintaining an OFAC screening program and implementing IP blocking. For more information on OFAC’s guidance for the cryptocurrency industry, please review our previous publication, “New OFAC Guidance Raises the Stakes for Crypto Industry.”
For more insight into compliance with sanctions and anti-money laundering regulations, please contact any member of Wilson Sonsini's national security practice.