red 
On October 11th, the United States Treasury Department took one of its most significant enforcement actions affecting the crypto industry.
In a coordinated statement, the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) announced civil fines totaling $24 million and $29 million, respectively, on US crypto asset exchange Bittrex.
The OFAC and FinCEN settlements relate to ongoing sanctions and anti-money laundering (AML) violations at Bittrex between 2014 and 2018. These violations were also highlighted in a cease and desist letter issued to exchanges in April 2019 by the New York Department of Financial Services (NYDFS).
Since then, Bittrex has taken a number of steps to improve its AML program and address identified historical deficiencies. As part of the settlement, FinCEN agreed to credit the company $24 million because some of its findings related to the same underlying conduct identified by OFAC. Consequently, Bittrex will pay a total of $29 million to settle the violations, despite the total value of the fines being estimated at $53 million.
The OFAC settlement represents the most significant U.S. enforcement action to date for violations of crypto-related sanctions — and by a large margin. Previously, OFAC imposed penalties on BitGo and Bitpay for $98,830 and $507,375, respectively, related to sanctions violations. The Bittrex settlement is thus nearly 40 times larger than OFAC’s two previous cryptocurrency-related fines combined.
FinCEN’s settlement with Bittrex is not its largest related to AML violations in the crypto space. The agency previously settled with BTC-e and BitMex for more than $100 million each. Still, FinCEN’s settlement with Bittrex holds important lessons for compliance teams working in the crypto space.
A comprehensive review of sanctions is critical
OFAC’s settlement highlights a number of sanctions compliance deficiencies, including the fundamental absence of a sanctions compliance program at Bittrex from March 2014 to December 2015. Importantly, the settlement also describes a series of sanctions screening failures that ultimately led to Bittrex processing more than 100,000 transactions totaling more than $263 million involving sanctioned jurisdictions – even after it implemented sanctions screening software in 2016.
Specifically, the settlement notes that the scope of the screening capabilities deployed was insufficient to detect many sanctions risks. It notes that: “Until October 2017, the seller reviewed transactions only for hits on OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN list) and other lists, but did not review customers or transactions for connections to sanctioned jurisdictions.”
This is a critical point for any cryptocurrency compliance team.
OFAC stated in previously issued guidance that it expects US persons to avoid any dealings with cryptoasset wallets controlled by sanctioned parties or associated with persons in sanctioned jurisdictions – even if OFAC has not included their wallets on the SDN list.
In an FAQ on its website, the agency notes that: “Ofac’s digital currency addresses are unlikely to be exhaustive. Parties that identify digital currency identifiers or wallets that they believe are owned or otherwise associated with SDN and hold such assets should take the necessary steps to block the relevant digital currency […].”
Having access to the analytical capability of blockchain backed by robust data is essential to achieving effective sanctions review for any cryptocurrency compliance team.
Users of Elliptic Lens – our crypto wallet verification solution – can identify not only addresses that exactly match the more than 300 addresses that OFAC has included on the SDN list; our industry-leading dataset enables compliance teams to identify additional addresses controlled by sanctioned individuals and entities. For example, we have identified several hundred thousand crypto addresses belonging to sanctioned Russian actors in addition to those included on the OFAC SDN list.
Similarly, our dataset includes information on entities located in sanctioned jurisdictions, but which do not necessarily appear on OFAC’s SDN list. This includes Virtual Asset Service Providers (VASPs) and other entities located in sanctioned jurisdictions such as Iran, Syria, Venezuela, and the Russian-occupied Donetsk and Lugansk regions of Ukraine. By verifying wallets and transactions using our block analysis solutions, compliance teams can identify and block activity involving these and other sanctioned jurisdictions.
In addition, our sanctions screening capabilities enable compliance teams to identify and manage sanctions risks that many other blockchain analytics capabilities fail to detect. Our holistic verification capabilities enable compliance teams to identify risks associated with crypto wallets and transactions, even when funds have passed through cross-chain services.
For example, if the compliance team reviews an Ethereum address using our holistic verification feature, they can identify whether the funds in question were first exchanged for other assets, such as Tether, on a decentralized exchange (DEX) or other decentralized finance (DeFI) service by a sanctioned actor. such as North Korea’s Lazarus Group.
By enabling our clients to detect exposure to cross-sanctions risks with real-time verification, Elliptic’s blockchain analytics solutions ensure that crypto exchanges are equipped with the comprehensive insights needed to satisfy regulators for end-to-end sanctions compliance.
Build an effective transaction tracking program
In addition to sanctions screening, the US Treasury’s actions also point to the importance of a well-tuned and effective transaction monitoring capability.
The FinCEN settlement shows that Bittrex failed to implement automated transaction tracking capabilities in 2016 despite processing more than 11,000 transactions per day. Instead, the company relied on highly manual transaction review processes, which proved ineffective, preventing Bittrex from identifying high-risk and suspicious activity related to the transactions it facilitated related to darknet markets and ransomware. In fact, the company did not file a single Suspicious Activity Report (SAR) with FincEN between 2014 and May 2017, and only filed one SAR between May and November 2017.
The FinCEN settlement also states that even when Bittrex established a company policy to identify certain risks – such as geographic – in transactions, its monitoring program remained deficient, and it continued to process transactions with sanctioned and high-risk jurisdictions.
This serves as an important reminder of the need for compliance teams to implement transaction monitoring capabilities that ensure efficient and effective verification, so a business can confidently identify suspicious activity as it escalates without having to manage large numbers of false positives.
Elliptic Navigator is our transaction verification solution used by many of the largest crypto exchanges in the world to detect suspicious transactions. Using our configurable risk scoring features, compliance teams can establish the monitoring parameters they need in Navigator to align with their business model and risk appetite. This allows them to accurately and efficiently detect high-risk transactions involving cybercrime, darknet markets, fraudsters and other illegal actors.
Privacy coins are a challenge
The FinCEN settlement marks an important milestone: It’s the first enforcement action taken by US regulators calling for AML failures related to privacy coins.
Privacy coins are notoriously controversial in the world of crypto regulation and compliance. The inability to apply blockchain analytics to many privacy coin transactions has led to debate over whether exchanges can offer privacy coin trading while remaining AML compliant. The FinCEN settlement offers an important judgment on this issue.
According to the settlement, Bittrex offered to trade a number of privacy coins and “was aware of the risks and challenges it presents [privacy coins] that were exchanged on its platform – such as Monero, Zcash, PIVX and Dash – but the company failed to fully address the risks in practice or in a written AML compliance program.”
It’s important to note that not all privacy coins are the same. Some of them – such as Monero – provide complete anonymity by default: that is, the details of all Monero transactions are completely protected, making them largely impervious to blockchain analytics. Meanwhile, other privacy coins such as Zcash have optional anonymity. Users can choose to undertake unprotected, transparent transactions, with information visible on the blockchain; or they can undertake secure and anonymous transactions.
Where users of privacy opt-in coins such as Zcash undertake unsecured transactions, blockchain analytics solutions can be applied to identify high-risk exposures and illicit wallets, just as is possible with Bitcoin, Ether and other transparent cryptoassets. Elliptic’s coverage of privacy-enabled coin features – including Zcash as well as MimbleWimble on Litecoin – has enabled our clients to offer these coins for trading with regulatory approval.
The FinCEN settlement points out these differences and features of privacy coins and notes their implications. It states that: “While Bittrex has disabled privacy-enhancing features for most [privacy coins] when executing the transaction, Bittrex did not implement any other controls to manage the risks it presents [privacy coins] for which it was impossible to disable privacy-enhancing features […]. Bittrex also failed to implement appropriate policies, procedures and internal controls to effectively mitigate the risks associated with the particularly challenging [privacy coins]such as Monero […].”
Importantly, FinCEN does not state that an exchange could never successfully offer trading of a coin like Monero in a compliant manner, but makes clear that it expects exchanges to have appropriate AML controls in place regarding privacy coins before offering them.
Compliance with AML and sanctions is never simple. But it can be made easier by using blockchain analytics solutions designed to ensure your compliance team can operate efficiently and effectively. Contact us to learn more about how your compliance team can leverage Elliptic’s blockchain analytics capabilities to successfully comply with anti-money laundering and sanctions laws.
Key takeaways
- Ensure your compliance team uses block analysis solutions that provide comprehensive coverage of sanctions risk exposures, including jurisdictional sanctions risks and cross-chain risk exposures.
- Make sure you use a transaction screening capability – such as Elliptic Navigator – that allows you to configure precise and scalable risk monitoring parameters.
- Ensure that if you offer privacy coins, you use blockchain analytics capabilities equipped to identify exposures among unprotected wallets and transactions.
Sanctions Law Enforcement Americas
