On October 11, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced that it reached a settlement with Bittrex, Inc., a Seattle-based private company that provides an online virtual currency exchange and hosted wallet services. Under the settlement, Bittrex agreed to pay more than $24 million to resolve its potential civil liability for 116,421 apparent violations of Ukraine-related sanctions and sanctions against Cuba, Iran, Sudan, and Syria. This settlement is part of a global resolution with the US Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) which, under a separate settlement, assessed a civil money penalty of more than $29 million against Bittrex for the company’s failure to implement an effective anti-money laundering (“AML”) program between February 2014 and December 2018 (“the Relevant Time Period”), in violation of the Bank Secrecy Act (“BSA”) and FinCEN’s implementing regulations. Under the terms of the FinCEN settlement, FinCEN will credit Bittrex for the $24 million that it agreed to pay for the OFAC violations, requiring Bittrex to pay an additional $5 million to resolve the BSA/AML violations.
According to OFAC, between March 2014 and December 2017, Bittrex failed to prevent approximately $263 million worth of virtual currency-related transactions on its platform by users located in the Crimea region of Ukraine, Cuba, Iran, Sudan and Syria because the company had an inadequate sanctions compliance program. While Bittrex started offering virtual currency services in March 2014, the company allegedly had no sanctions program in place until December 2015, when it began verifying customer’s identity. Months later, in February 2016, Bittrex retained a third-party vendor to perform sanctions screening. However, in October 2017, when OFAC launched its investigation into potential sanctions violations, Bittrex discovered that the vendor’s screening was incomplete, and the vendor had only been checking transactions against persons who appeared on OFAC’s List of Specially Designated Nationals and Blocked Persons List (“SDN List”) and failed to determine if Bittrex customers or transactions were connected to sanctioned jurisdictions. Bittrex also failed to screen customer internet protocol (“IP”) addresses and physical addresses until October 2017, even though Bittrex had collected this information from customers at onboarding.
According to FinCEN, Bittrex is a money services business (“MSB”) subject to the BSA and its implementing regulations, and, as a result, was required, as of May 14, 2014, to develop, implement and maintain an effective, written AML program designed to assure its compliance with the BSA’s suspicious activity reporting (“SAR”) requirements. As a MSB, Bittrex was required to report all suspicious transactions that involved at least $2,000 in funds or assets. According to the FinCEN, Bittrex did not have an effective AML program during the Relevant Time Period and failed to file any SARs between February 2014 and May 2017. Bittrex also failed to file SARs for a significant number of transactions involving sanctioned jurisdictions, including more than 200 transactions that involved $140,000 worth of convertible virtual currency (“CVC”) – nearly 100 times larger than the average withdrawal or deposit on the platform – and 22 transactions involving over $1 million worth of CVC each. FinCEN also indicated that Bittrex failed to implement an effective transaction monitoring program which, for years, consisted of a manual review process that relied upon as few as two employees with minimal AML experience who were responsible for reviewing all transactions (sometimes in excess of 20,000 per day) for suspicious activity.
OFAC indicated that the $24 million settlement amount was based upon its determination that the apparent violations were not voluntarily self-disclosed by Bittrex and were not egregious in nature. Following its investigation, OFAC also determined that Bittrex implemented a number of remedial measures, including hiring additional compliance staff, conducting additional sanctions compliance training, and implementing new sanctions screening and blockchain tracing software, which, according to OFAC, had substantially curtailed the number of apparent violations.
As part of the settlement with FinCEN, Bittrex admitted to the Statement of Facts and Violations in the Consent Order and that it willfully violated the BSA and its implementing regulations. FinCEN also reported that, in December 2017, Bittrex began taking corrective actions to address the AML compliance failures such as hiring a qualified AML compliance officer with significant BSA/AML experience, purchasing and integrating several automated transaction monitoring systems into its compliance program, and contracting with a vendor to perform automated transaction monitoring for its fiat currency transactions – actions that have resulted in significant improvements its SAR filing quality and timeliness. As a result, FinCEN did not require additional remedial measures as part of its Consent Order.