On October 11, 2022, the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) announced settlements with Bittrex Inc. (Bittrex). The settlements arise from violations of the Bank Secrecy Act—the federal law that imposes anti-money laundering (AML) requirements on financial institutions—and violations of OFAC's sanctions regimes.
This matter represents the first time that FinCEN and OFAC jointly have penalized a money services business (MSB) for inadequately monitoring virtual currency transactions for suspicious and illegal activity. As part of the settlement, Bittrex agreed to pay FinCEN and OFAC over $29 million and $24 million, respectively. In light of the U.S. government's concerns about the illicit use of virtual currency, there likely will be similar enforcement actions brought against MSBs in the future.
Bittrex operates a convertible virtual currency (CVC) trading platform that includes digital wallet custody services for storing, transferring, and exchanging CVCs. Bittrex registered with FinCEN as an MSB in February 2021, but the violations took place between 2014 and 2018. According to the FinCEN consent order, Bittrex failed to "develop, implement, and maintain an effective AML program," which MSBs are required to maintain. Bittrex allegedly failed to identify suspicious transactions initiated through its platform and failed to block thousands of transactions prohibited by OFAC sanctions. According to the FinCEN press release, "Bittrex's failures created exposure to high-risk counterparties including sanctioned jurisdictions, darknet markets, and ransomware attackers."
Based on the FinCEN consent order, Bittrex's core failure was its lack of transaction monitoring. Allegedly, Bittrex initially relied on two individuals with minimal training and expertise to screen tens of thousands of transactions daily, which resulted in failures to file suspicious activity reports (SARs). According to the FinCEN consent order, the Internal Revenue Service (IRS) notified Bittrex in 2017 that it would be examined for Bank Secrecy Act compliance, at which point Bittrex began to improve its AML program, but it remained deficient in FinCEN's view.
Bittrex allegedly failed to prevent persons located in sanctioned jurisdictions from using the Bittrex platform to engage in over $200 million worth of virtual currency transactions. While Bittrex used third-party software to screen transactions for sanctioned parties, Bittrex allegedly did not have compliance controls in place to stop transactions involving comprehensively sanctioned jurisdictions. As a result, Bittrex allowed more than 116,000 transactions with entities and individuals in those jurisdictions (e.g., Iran and Cuba). OFAC alleged that based on the IP address and physical address information collected by Bittrex at onboarding, Bittrex had reason to know that the parties to the transactions were located in sanctioned jurisdictions. According to FinCEN, Bittrex's compliance issues were exacerbated by the fact that Bittrex had few controls in place to address built-in anonymity features of certain virtual currencies.
In October 2021, OFAC issued its Sanctions Compliance Guidance for the Virtual Currency Industry to assist the industry in mitigating the risk that sanctioned persons will exploit virtual currencies "to evade sanctions and undermine U.S. foreign policy and national security interests." That guidance explained that the virtual currency industry is playing "an increasingly critical role in preventing sanctioned persons from exploiting virtual currencies to evade sanctions and undermine U.S. foreign policy and national security interests." (See our prior alert on the OFAC guidance for additional information.)
The Bittrex settlements serve as a reminder that both FinCEN and OFAC will scrutinize compliance programs and penalize MSBs that fail to address sanctions and money laundering risks, even if the failures are attributable to the privacy features of virtual currencies. MSBs engaged in a virtual currency business must create and maintain a robust AML and sanctions compliance program tailored to its size, risks, and scope of operation. The fact that virtual currency transactions might make MSBs' compliance obligations more challenging will not excuse the MSB from its obligations to comply with applicable AML and sanctions laws. As OFAC noted in its press release, "this action highlights that virtual currency companies—like all financial service providers—are responsible for ensuring that they do not engage in unauthorized transactions."
For more information about AML and sanctions issues, please contact any member of Wilson Sonsini's national security practice.