In 2022, the Office of Foreign Assets Control (OFAC) announced numerous settlements with cryptocurrency exchanges. These settlements serve as “fair warnings” to all cryptocurrency service providers who are “U.S. persons” or who offer services to U.S. persons. The term “U.S. persons” is defined in 31 C.F.R. §560.314 as “any United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States.”
This article focuses on these “fair warnings” as they have accumulated from prior settlements and from OFAC’s published guidance on compliance requirements that have been public for some time.
This article uses two late 2022 OFAC settlement announcements—with West-Coast-based Bittrex, Inc. and Payward, Inc. d/b/a Kraken—to make clear that OFAC was adhering to a previously announced requirement on providers of financial services. Specifically, OFAC requires more than verification of identity at onboarding and periodic checking of customers against OFAC’s Specially Designated Nationals (SDN) list. Additionally, providers should employ lifetime-of-the-transaction and in-process geolocation checking in their interdiction screening. Geolocation screening in lifetime-of-the-relationship and in-process transactions raised the stakes for providers to block or reject transactions that would violate the sanctions regimes OFAC enforces.
The last part of this article walks through other fair warnings provided by settlements agreed to since March 2015 or other public guidance. Before discussing the two late 2022 settlements or the fair warnings, it may help to have the foundation of the March 2015 settlement OFAC made with PayPal, Inc.
1. OFAC’s Early Foray into In-Process Transactions in Newer Electronic Payments and Services: PayPal, Inc. (March 2015)
OFAC claimed new territory when it announced its settlement with PayPal, Inc. on March 25, 2015. OFAC maintained that PayPal “did not screen in-process transactions in order to block or reject prohibited transactions.” The settlement highlighted, among other things, two types of deficiencies in PayPal’s sanctions compliance program. In the first, PayPal’s automatic interdiction filter failed to identify at least one customer as a potential SDN when OFAC made the SDN designation because the filter was not “working properly.” PayPal’s agents “dismissed” one customer’s SDN match on at least five occasions and proceeded with transactions. On one other occasion, the filter “flagged” this customer’s account, but a PayPal agent again dismissed the match despite receiving additional information that showed a date of birth and place of birth identical to the SDN. These failures resulted in 136 transactions with a single individual on the SDN list that violated the “Weapons of Mass Destruction Proliferators Sanctions Regulations.” The March 2015 settlement also addressed violations by PayPal of other U.S. sanctions regulations, and PayPal agreed to pay civil penalties totaling $7,658,300.
2. The Late 2022 Settlements
2.1. Bittrex, Inc.
Bittrex, Inc. is a private company based in Bellevue, Washington. Bittrex provides both virtual-currency-exchange and hosted-wallet services. OFAC’s settlement announcement explained that from March 2014 to December 31, 2017, Bittrex operated more than 1,700 accounts, processed 116,421 virtual-currency-related transactions, and transacted $263,451,600.13 in violation of law and OFAC regulations.
Bittrex apparently showed “some understanding” of OFAC regulations by August 2015, months after OFAC settled with PayPal. However, until October 2017, Bittrex had no internal controls to screen customers or transactions for connections to sanctioned jurisdictions. OFAC described other failings in Bittrex’s compliance efforts, including:
- not screening IP address or physical address information indicating that customers were in sanctioned jurisdictions;
- not paying attention to customers providing Iranian passports or identifying themselves as being in Iran at account opening;
- not scrutinizing customers or transactions for nexus to sanctioned jurisdictions; and
- failing to have any sanctions compliance program from March 2014 to February 2016. Ouch!
OFAC cited the absence of any sanctions compliance program for two years as one of three aggravating factors in determining the civil monetary penalty of more than $24 million. Among the penalty-mitigating factors was the “swiftness” with which Bittrex responded to OFAC’s Apparent Violations notice.
2.2. Kraken
On November 28, 2022, OFAC announced a settlement with Kraken for violations of the Iranian Transactions and Sanctions Regulations. Kraken’s parent, Payward, Inc., is based in San Francisco.
Based on IP address data, Kraken continued to deal with customers who had opened accounts outside of sanctioned jurisdictions and subsequently transacted business with Kraken from Iran, a sanctioned jurisdiction. The violations occurred between October 14, 2015, and June 29, 2019. Kraken’s violations began six months after the PayPal settlement was announced.
OFAC cited Kraken’s failure to employ geolocational in-process and after-onboarding screening as an “aggravating factor” in its penalty calculations. OFAC had concluded that Kraken had “reason to know based on available IP addresses that transactions appear to be” emanating from Iran. Ouch.
The settlement confirms that it is not sufficient to screen customers at onboarding or account opening or to perform daily checks to identify new entries on OFAC’s SDN list. Because customers may transact from sanctioned jurisdictions after their accounts are established, daily monitoring needs to track the IP addresses that are the source of transaction requests and instructions in order to identify transactions coming from sanctioned jurisdictions.
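The in-process screening described above, as an added example (not taken from the settlements or from either company's systems): each transaction request is checked by its own source IP, so an account that passed onboarding outside a sanctioned jurisdiction is still blocked when a later request arrives from one. The geo-IP table, account and requests are constructed sample data on documentation address ranges, and sending unresolvable addresses to manual review is an assumed policy choice.

```python
import ipaddress

# Constructed geo-IP table: documentation ranges (RFC 5737 / RFC 3849) mapped to
# country codes for illustration only. A real deployment would query a
# maintained geolocation database instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "IR"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("2001:db8:1::/48"), "IR"),
]
SANCTIONED = {"IR"}  # assumed policy input; the article's example is Iran

def country_of(ip_text):
    """Return the country code for an IP, or None if unparseable or unmapped."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for net, cc in GEO_TABLE:
        if ip in net:  # False when IPv4/IPv6 versions differ
            return cc
    return None

def onboarding_passes(account):
    """One-time check at account opening: the control that alone is not enough."""
    return country_of(account["onboard_ip"]) not in SANCTIONED

def screen_request(request):
    """In-process check: decide on each request from its own source IP."""
    cc = country_of(request["src_ip"])
    if cc is None:
        return "REVIEW"  # unknown origin is escalated, never silently allowed
    return "BLOCK" if cc in SANCTIONED else "ALLOW"

def screen_all(requests):
    return [(r["id"], screen_request(r)) for r in requests]

# Constructed sample: account opened from a non-sanctioned location,
# later requests arrive from sanctioned address space.
ACCOUNT = {"id": "acct-1001", "onboard_ip": "203.0.113.7"}
REQUESTS = [
    {"id": "tx-1", "src_ip": "203.0.113.7"},
    {"id": "tx-2", "src_ip": "198.51.100.23"},
    {"id": "tx-3", "src_ip": "2001:db8:1::5"},
    {"id": "tx-4", "src_ip": "not-an-ip"},
]

if __name__ == "__main__":
    print("onboarding passes:", onboarding_passes(ACCOUNT))
    for tx_id, decision in screen_all(REQUESTS):
        print(tx_id, decision)
```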
In the settlement, Kraken also agreed to implement more analytical tools such as “multiple blockchain analytics tools” (MBAT). These tools are geolocation controls including Internet Protocol (IP) address-blocking systems. MBAT may be a term or service not familiar to everyone. Prominent providers of MBAT include brand-name commercial providers such as Chainalysis and CipherTrace. MBAT tools assist with the basic identification and nationality verification requirements OFAC has implemented. Kraken has agreed to do more, including screening for OFAC’s “50 Percent Rule,” which requires detailed reports on beneficial ownership of assets and blocking of clients’ access to accounts and assets.