On October 11, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) and Financial Crimes Enforcement Network (“FinCEN”) announced related enforcement settlements with Bittrex, Inc., a U.S.-based digital asset exchange and hosted wallet services company (the “Company”), to settle violations of U.S. sanctions and the Bank Secrecy Act (“BSA”) and related regulations, respectively.[1]  The OFAC Settlement, the largest of OFAC’s digital asset-related enforcement actions to date, and the FinCEN Consent Order collectively result in the Company paying a civil penalty of approximately $30 million.  Following OFAC’s release of its “Sanctions Compliance Guidance for the Virtual Currency Industry” (which we wrote about here)[2] and recent revelations regarding prosecution by the U.S. Department of Justice of digital asset-related U.S. sanctions violations (which we wrote about here),[3] this joint OFAC-FinCEN enforcement action illustrates the U.S. government’s continued focus on the digital asset industry’s compliance with U.S. sanctions and the potentially significant penalties parties can face for U.S. sanctions and BSA violations.

The joint enforcement action also serves as a reminder of the overlapping jurisdictions of OFAC and FinCEN regarding matters such as customer due diligence and transaction monitoring.  In particular, this action highlights the importance for digital asset service providers of carefully evaluating the full scope of potential compliance-related data available to them, and implementing sanctions and anti-money laundering controls, during early-stage product development.

OFAC Settlement[4]

The OFAC Settlement explains that, as a result of the Company’s inadequate sanctions compliance program, between 2014 and 2017, the Company operated 1,730 accounts that processed over 116,000 digital asset-related transactions totaling approximately $263 million involving persons located in comprehensively sanctioned jurisdictions (specifically, the Crimea region of Ukraine, Cuba, Iran, Sudan (which was subject to comprehensive sanctions at the time of the relevant transactions), and Syria).  The OFAC Settlement states that the Company had no sanctions compliance program when it began offering services in 2014.  In 2015, the Company adopted preliminary customer identification/due diligence policies and procedures, pursuant to which the Company obtained internet protocol (“IP”) and physical address information on its users.  According to the OFAC Settlement, the policies and procedures also demonstrated that the Company was aware of U.S. sanctions requirements, including the general prohibition on dealings with comprehensively sanctioned jurisdictions.  The Company then engaged a third-party vendor in 2016 to screen its users against OFAC’s Specially Designated Nationals and Blocked Persons List, but did not scrutinize whether its customers were located in comprehensively sanctioned jurisdictions until it received an OFAC subpoena in 2017.

The OFAC Settlement cites several “aggravating factors” that informed its penalty calculation, including:  (1) the deficiencies of the Company’s sanctions compliance program; (2) the Company having reason to know it had users located in comprehensively sanctioned jurisdictions as a result of the IP and physical address information it collected; and (3) the economic benefits conferred on such users.  Even so, OFAC ultimately concluded that the Company’s violations were “non-egregious” (a classification relevant to OFAC’s penalty calculation) and the OFAC Settlement cites a number of “mitigating factors,” including:  (1) the Company was small and new at the time most of the violations occurred; (2) the Company substantially cooperated with OFAC’s  investigation; (3) most of the transactions at issue involved relatively small amounts; and (4) the Company agreed to undertake a variety of sanctions compliance measures, including blocking all IP addresses associated with comprehensively sanctioned jurisdictions, onboarding new sanctions-related monitoring software, hiring a Chief Compliance Officer, and implementing a dedicated sanctions compliance policy.

The approximately $24 million OFAC Settlement amount was significantly discounted from the Company’s statutory maximum civil penalty liability (which the OFAC Settlement says was over $35 billion) and OFAC’s base penalty calculation (which took into account the fact that the violations were not voluntarily disclosed by the Company but were found by OFAC to be non-egregious, and which the OFAC Settlement says was just under $500 million).

FinCEN Consent Order[5]

The FinCEN Consent Order explains that the Company, which was and is a “money services business” subject to the BSA and related anti-money laundering requirements, including suspicious activity report (“SAR”) filing obligations, failed to establish and maintain an effective, risk-based, written anti-money laundering program, as was required under the BSA, and failed to make required SAR filings between 2014 and 2018 (including for transactions that directly involved darknet marketplaces[6]).  Among other things, the FinCEN Consent Order notes that the Company did not have a written anti-money laundering policy until 2015, relied on two employees with limited anti-money laundering experience to conduct all transaction monitoring review through 2017 without the use of an automated monitoring system, and did not take meaningful action to strengthen its anti-money laundering program and hire additional compliance personnel until the Internal Revenue Service indicated in late 2017 that it intended to examine the Company’s BSA compliance.[7]

The FinCEN Consent Order identifies a number of aggravating enforcement factors, including:  (1) the serious nature of the Company’s BSA violations, which caused a significant risk of harm to the public; (2) the pervasiveness of the Company’s wrongdoing; (3) the Company’s considerable growth while failing to invest in appropriate compliance resources; and (4) the lack of a voluntary disclosure.  The FinCEN Consent Order also identifies several mitigating enforcement factors, including:  (1) the Company’s lack of prior criminal, civil, or enforcement violations; (2) the Company’s remedial response; (3) the Company’s cooperation with IRS and FinCEN; and (4) the Company’s related settlement with OFAC as mitigating enforcement factors.  Taking these factors into account, FinCEN imposed an approximately $29 million penalty on the Company, but credited the Company’s approximately $24 million OFAC settlement amount towards that penalty.

***

This joint enforcement action by OFAC and FinCEN underscores the U.S. government’s focus on the digital asset industry, indicates that OFAC, FinCEN, and other relevant U.S. regulatory agencies will pursue enforcement actions against even relatively small firms, and serves as a reminder of the benefits of even partial cooperation and remediation, as well as the need for digital asset service providers to have compliance policies and procedures in place as they scale their businesses.

[1] OFAC, “OFAC Settles with Bittrex, Inc. for or $24,280,829.20 Related to Apparent Violations of Multiple Sanctions Programs” (Oct. 11, 2022), available at https://home.treasury.gov/system/files/126/20221011_bittrex.pdf; FinCEN, Matter of Bittrex, Inc. (No 2022-03), “Consent Order Imposing Civil Money Penalty,” available at https://www.fincen.gov/sites/default/files/enforcement_action/2022-10-11/Bittrex Consent Order 10.11.2022.pdf.

[2] Cleary Foreign Investment and International Trade Watch, “OFAC Issues Sanctions Guidance to Virtual Currency Industry” (Oct. 22, 2021), available at https://www.clearytradewatch.com/2021/10/ofac-issues-sanctions-guidance-to-virtual-currency-industry/.

[3] Cleary Foreign Investment and International Trade Watch, “U.S. Federal Judge Finds Probable Cause for Conspiracy to Violate U.S. Sanctions and to Defraud the United States in First Published Opinion Discussing U.S. Sanctions Violations Involving Use of Cryptocurrency” (June 8, 2022), available at https://www.clearytradewatch.com/2022/06/u-s-federal-judge-finds-probable-cause-for-conspiracy-to-violate-u-s-sanctions-and-to-defraud-the-united-states-in-first-published-opinion-discussing-u-s-sanctions-violations-involving-use-of-crypt/.

[4] The OFAC Settlement describes the “Apparent Violations” that the Company agreed to settle, but the OFAC Settlement does not explicitly say that the Company admits to the “Apparent Violations.”

[5] The FinCEN Consent Order explicitly states that the Company admits to the FinCEN Consent Order’s “Statement of Facts” and “Violations.”

[6] Markets and exchanges located on the dark web that are associated with illicit transactions involving, for example, drugs, weapons, and stolen financial information.

[7] FinCEN has delegated the authority to examine money services businesses for BSA compliance to the IRS.  See 31 C.F.R. § 1010.810(b)(8).