On October 11, 2022, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) announced a $29 million civil monetary penalty against Bittrex, a major U.S. cryptocurrency exchange, as part of a global settlement with FinCEN and OFAC related to Bittrex’s alleged historic violations of the Bank Secrecy Act (BSA), FinCEN anti-money laundering (AML) regulations, and “apparent violations of multiple sanctions programs.” Simultaneous with the announcement, FinCEN published a Consent Order and OFAC published an Enforcement Release describing the alleged violations and terms of the settlements.
- According to the Consent Order, from on or about February 13, 2014, through on or about December 7, 2018 (Relevant Time Period) Bittrex violated FinCEN AML regulations by (1) failing to develop, implement and maintain an effective AML program that was reasonably designed to prevent its trading platform and hosted wallet service from being used to facilitate money laundering and the financing of terrorist activities; and (2) failing to accurately, and timely, report suspicious transactions.
- According to the Consent Order and Enforcement Release, Bittrex processed over 116,000 virtual currency-related transactions, valued at over $260 million, with entities and individuals located in OFAC-sanctioned jurisdictions including Iran, Cuba, Sudan, Syria, and the Crimea region of Ukraine.
- During its early years Bittrex allegedly grew from a startup to a major U.S. cryptocurrency exchange without taking appropriate steps to implement and expand its BSA and OFAC compliance programs accordingly, resulting in these violations.
Overview of BSA Requirements
Pursuant to FinCEN regulations implementing the BSA, cryptocurrency exchanges such as Bittrex are considered an exchanger of convertible virtual currencies (CVCs) and therefore meet the definition of a money services business (MSB), which must fulfill certain AML and countering the financing of terrorism (CFT) obligations. Accordingly, Bittrex was required to develop, implement, and maintain an effective written AML/CFT program that, at a minimum:
(a) incorporates policies, procedures and internal controls reasonably designed to assure ongoing compliance with the BSA and FinCEN regulations;
(b) designates an individual responsible to assure day-to-day compliance with the MSB’s AML program and all FinCEN regulations;
(c) provides education and/or training for appropriate personnel, including training in the detection of suspicious transactions; and
(d) provides for independent review to monitor and maintain an adequate program.
Alleged BSA and OFAC Violations
Among other things, the Consent Order cited the following BSA and OFAC violations:
Insufficient Transaction Monitoring
The Consent Order notes that “in 2016, Bittrex averaged 11,000 transactions (deposits and withdrawals) per day on its platform, with a daily value of approximately $1.54 million” and “in 2017, Bittrex’s transaction volume and values increased to an average of 23,800 transactions per day with a daily value of approximately $97.9 million. However, during the Relevant Time Period, Bittrex allegedly relied on only two employees “with minimal AML training and experience” to manually review all of its transactions for suspicious activity, resulting in a “demonstrably ineffective” transaction monitoring process.
Failure to File Suspicious Activity Reports
The Consent Order detailed that “Bittrex did not file a single suspicious activity report (SAR) from its founding in 2014 through May 2017” and “filed only one SAR between May 2017 and November 2017.” The Consent Order emphasized that Bittrex failed to detect suspicious activity and file SARs related to “direct transactions with online darknet marketplaces such as AlphaBay, Agora, and the Silk Road 2” and “transactions connected to ransomware attacks.”
Facilitation of OFAC Prohibited Transactions
According to the Consent Order, “[f]rom February 2014 through February 2016, Bittrex knew that it was required to ensure that it did not process transactions that violated OFAC sanctions, but the company failed to do so.” The Consent Order and Enforcement Release indicate that Bittrex hired a software vendor in February 2016 for OFAC screening, but the screening was inadequate because it only sought to identify potential matches on the OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List) and other lists but did not “scrutinize customers or transactions for a nexus to sanctioned jurisdictions” until October 2017. The Enforcement Release notes that Bittrex learned of the vendor’s inadequate screening only upon an OFAC subpoena issued in October 2017.
The Consent Order further notes that “Bittrex processed transactions with parties located in sanctioned jurisdictions that were hundreds of times larger than typical transactions for certain customers.” Bittrex allegedly “processed more than 200 transactions that involved $140,000 worth of CVC—nearly 100 times larger than the average withdrawal or deposit on the Bittrex platform—and 22 transactions involving over $1 million worth of CVC each” through accounts opened on behalf of individuals located in sanctioned jurisdictions.
Use of High-Risk CVCs
According to the Consent Order, Bittrex was aware of the risks presented by certain anonymity enhanced cryptocurrencies (AECs) that were exchanged on its platform, such as monero, zcash, pivx, and dash, but “failed to fully address the risks in practice or in the company’s written AML compliance program” and “failed to implement appropriate policies, procedures, and internal controls to effectively mitigate the risks associated with particularly challenging AECs, such as monero.”
Enforcement Factors and Civil Money Penalty
According to the Consent Order, FinCEN “considered all of the factors outlined in its Statement on Enforcement of the Bank Secrecy Act issued August 18, 2020” and found the following factors “particularly relevant” in determining Bittrex’s penalty:
- Nature and seriousness of the violations, including extent of possible harm to the public and systemic nature of the violations;
- Pervasiveness of wrongdoing within the financial institution;
- History of similar violations or misconduct in general;
- Financial gain or other benefit resulting from the violations;
- Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures;
- Timely and voluntary disclosure of the violations to FinCEN;
- Quality and extent of cooperation with FinCEN and other relevant agencies; and
- Whether another agency took enforcement action for related activity.
The OFAC Enforcement Release cited the following aggravating and mitigating factors:
- Aggravating Factors: Bittrex: (1) operated with no sanctions compliance program for nearly two years, and implemented a program that screened only against the SDN List and allowed persons in sanctioned jurisdictions to use the exchange; (2) had reason to know that users were in sanctioned jurisdictions based on IP addresses and physical address data; and (3) conveyed economic benefit to thousands of persons in OFAC sanctioned jurisdictions.
- Mitigating Factors: Bittrex: (1) has not received a penalty or violation finding by OFAC in the five years preceding the date of the earliest transaction giving rise to the apparent violations; (2) was a small and new company at the time of most of the apparent violations; (3) provided substantial cooperation in connection with OFAC’s investigation; (4) was found to have apparent violations based on transactions that were relatively small and that represented a small percentage of total annual transactions; and (5) in response to the apparent violations swiftly took a series of remedial measures, including hiring an experienced Chief Compliance Officer to oversee and implement an effective AML and OFAC compliance program.
The OFAC violations carried a statutory maximum of $35,773,364,108.57, and the base civil penalty under the OFAC’s Economic Sanctions Enforcement Guidelines is $485,616,584.00; however, based on the foregoing factors and the “non-egregious” violations, the ultimate settlement amount was $24,280,829.20.
FinCEN imposed a civil money penalty of $29,280,829.20. FinCEN credited $24,280,829.20 that Bittrex agreed to pay for the OFAC violations. Among other things, Bittrex also agreed to “fully cooperate with FinCEN in any and all matters within the scope of or related to the [Consent Order], including any investigation of its current or former directors, officers, employees, agents, consultants, or any other party.”
Digital asset businesses should take great care to ensure that their BSA and OFAC compliance programs expand at pace with revenue growth, and they should never seek to cut costs by minimizing compliance staff and procedures. Those that do risk facing substantial fines and penalties. Digital asset businesses should also be mindful of this Consent Order and its allegations, which provide insight into what FinCEN views to be best practices for mature AML and OFAC programs, including (i) transaction monitoring software tools to automatically screen for suspicious activity and sanctioned persons, (ii) disabling privacy-enhancing features of AECs, and (iii) utilizing blockchain analytics as part of customer due diligence, transaction monitoring, and reporting obligations. As U.S. regulatory agencies increase their focus on the digital asset markets, businesses should take proactive steps to ensure they are complying with the BSA, FinCEN regulations, and OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry.
 See FIN-2013-G001, “Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies,” March 18, 2013. A CVC is defined as a type of virtual currency that either has an equivalent value as currency, or acts as a substitute for currency, and is therefore a type of “value that substitutes for currency.” FIN-2019-G001, “Guidance, Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” § 1.3, May 9, 2019.
 31 U.S.C. § 5318(h); 31 C.F.R. § 1022.210(a).
 31 U.S.C. § 5318(h)(1); 31 C.F.R. § 1022.210(d) and (e).
 FinCEN, Statement on Enforcement of the Bank Secrecy Act (Aug. 18, 2020), https://www.fincen.gov/ sites/default/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf.