How Digital Asset Firms Can Avoid the Treasury’s Wrath

Centuries Analytics
4 min read · Oct 14, 2022

On Tuesday, the U.S. Treasury fined crypto exchange Bittrex around $53 million, the largest fine on a crypto business to date. The Office of Foreign Assets Control (OFAC) stated that the company would pay two separate fines, of $24 million and $29 million, for “apparent violations” of multiple U.S. sanctions. OFAC alleges that Bittrex “unnecessarily exposed the U.S. financial system to threat actors” in Crimea, Cuba, Iran, Sudan, and Syria, through crypto transactions totaling over $263 million between 2014 and 2017.

Signage is seen at the United States Department of the Treasury headquarters in Washington, D.C., U.S., August 29, 2020. REUTERS/Andrew Kelly

This isn’t the first time the U.S. Treasury has flexed its muscles in the crypto space. In August, the Treasury placed Tornado Cash, a cryptocurrency mixer meant to conceal the public address that cryptocurrency originated from, on the U.S. sanctions list. The Treasury is currently in litigation with Tornado Cash users, bankrolled by Coinbase, who are challenging the designation. Meanwhile, Tether stated publicly that it would not comply with the sanction of Tornado Cash unless explicitly requested by enforcement agencies, placing it in a sticky, incredibly ambiguous legal position.

This comes after the Financial Stability Oversight Committee (FSOC), whose members are leaders in almost every major U.S. financial regulatory agency, released a report on regulatory gaps relating to digital assets just last week. The FSOC encouraged and empowered enforcement agencies to take action against digital asset companies that they view as being in violation of current regulations.

So how do we avoid the Treasury’s wrath? Or more broadly, the wrath of regulatory agencies? The Treasury hasn’t been the only agency making waves: the Securities and Exchange Commission (SEC) is taking action against digital asset companies every other day.

The crackdown on digital asset firms is not random. Plenty of money has been lost in scams, dark web activity, and bear markets since 2016. So why now? Why has there been such a focus on enforcement action?

The Russian invasion of Ukraine.

After its invasion of Ukraine, Russia became the most heavily sanctioned country on Earth. Decentralized finance has been heavily criticized for the role it could play in helping Russia avoid sanctions. SWIFT’s removal of Russia from its network was heralded as a significant step in ramping up financial sanctions. However, in the absence of centralized intermediaries like SWIFT, what options do countries have to enforce international sanctions? Blockchain technology and cryptocurrencies allow rogue actors to transfer value in a similar way to SWIFT, but are more difficult to intercept. Regulators are fast-tracking legislation to address these problems.

While most FinTech companies are aware of Bank Secrecy Act (BSA), anti-money laundering (AML), and Office of Foreign Assets Control (OFAC) compliance, large-scale change to the regulatory environment demands a review of screening and compliance procedures. More importantly, FinTech companies should extend their due-diligence efforts to their partners and service providers as well.

Take BitPay, for example. On February 18, 2021, BitPay settled with OFAC over screening failures, paying $507,375 in fines. BitPay did screen its customers against the OFAC SDN list and conducted due diligence to confirm merchants were not sanctioned individuals. What it failed to do was screen its customers’ customers at the time of transaction. As a result, BitPay enabled those third-party customers, located in Crimea, Cuba, North Korea, and so on, to engage in digital currency transactions.

To avoid sanctions violations, BitPay should have 1) enabled IP address tracing to block website access and information in sanctioned states, 2) checked physical and email addresses of merchants’ buyers to prevent transaction completion if either of those addresses returns as sanctioned, and 3) implemented a Know-Your-Customer (KYC) tool that is mandatory for merchants’ buyers transacting over $3,000.

Another big issue is allowing backlogged, pending, or flagged payments to be released without a thorough investigation. Take Payoneer, a money transmission and prepaid access service. On July 23, 2021, OFAC fined Payoneer for violating sanctions programs. In its investigation, the Treasury uncovered over 2,000 payments located in sanctioned nations, and 19 payments conducted on behalf of a sanctioned entity.

OFAC fined Payoneer for the following vulnerabilities:

  1. Weak algorithms allowed close name matches to SDN entries to go unflagged;
  2. There was a failure to screen for Business Identifier Codes (BIC) even when SDN entries contained them;
  3. Flagged and pending payments were automatically released without review during backlog periods; and,
  4. Lack of IP address monitoring allowed for transactions to process in sanctioned locations.
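The controls described above for BitPay and Payoneer (close-name matching, BIC screening, IP location checks, and holding flagged payments through a backlog) can be sketched as one screening step. This is an added example, not code from OFAC or from either company; the list entry, BIC, IP ranges, and threshold are constructed, and `difflib` stands in for a production name matcher.

```python
import ipaddress
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: not real SDN entries and not real geolocation data.
SDN = [{"name": "Example Trading Company LLC", "bic": "EXMPXX22"}]
# Documentation-only range (TEST-NET-3) standing in for a geolocation lookup.
BLOCKED_NETS = {ipaddress.ip_network("203.0.113.0/24"): "sanctioned-region-A"}
NAME_THRESHOLD = 0.85  # assumed cut-off; tune against your own review data

def normalize(name):
    """Fold case, accents and punctuation so trivial variations still match."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    kept = "".join(c if c.isalnum() else " " for c in text.lower())
    return " ".join(kept.split())

def screen(payment):
    """Return the reasons a payment must be held; an empty list means clear."""
    reasons = []
    for entry in SDN:
        score = SequenceMatcher(
            None, normalize(payment["name"]), normalize(entry["name"])
        ).ratio()
        if score >= NAME_THRESHOLD:  # close match, not only exact match
            reasons.append(f"name~{entry['name']}")
        # A BIC is 8 or 11 characters; the first 8 identify the institution.
        bic = (payment.get("bic") or "").upper()
        if bic and bic[:8] == entry["bic"][:8]:
            reasons.append(f"bic={entry['bic']}")
    ip = ipaddress.ip_address(payment["ip"])
    for net, region in BLOCKED_NETS.items():
        if ip in net:
            reasons.append(f"ip-region={region}")
    return reasons

def drain_backlog(payments):
    """Release only clear payments; flagged ones stay held for analyst review."""
    released, held = [], []
    for p in payments:
        (held if screen(p) else released).append(p["id"])
    return released, held
```

The point of `drain_backlog` is that queue pressure never changes the outcome for a flagged payment: it leaves the hold list only through a reviewer's decision, not a timer.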

This reinforced OFAC’s priority to crack down on FinTech companies, especially digital asset firms. At the end of 2021, OFAC released the Sanctions Compliance Guidance for the Virtual Currency Industry. This report placed an emphasis on the following practices:

  1. Customer counterparty screening;
  2. Strong KYC procedures;
  3. Use of geolocation and IP tracing for location determination;
  4. Screening for IP misattribution;
  5. Advanced transaction monitoring;
  6. Use of third-party transaction monitoring services, including blockchain analytics;
  7. ‘Red Flag’ monitoring of OFAC-identified issues; and,
  8. Active risk management that includes internal auditing, risk assessment, monitoring and testing.

In the world of cryptocurrency, Bitcoin is special because it is truly decentralized; its nodes exist everywhere, no one man sits at the helm, and by extension, no one person or group can control its direction and how it behaves. As much as crypto-evangelists may hope, it is likely that no other cryptocurrency will ever be as decentralized as Bitcoin. That means that, with the exception of Bitcoin, every other cryptocurrency will likely have to comply with the international regulatory environment.

It is better to make peace with the fact that there is no evading compliance with the Treasury, SEC, and OFAC. Doing so will allow FinTech firms to take the right steps towards avoiding their wrath in the future.

About Centuries Analytics

Investing in cryptocurrency doesn’t have to be risky — not anymore. We let data speak; not investors, “experts”, pundits, or tv show commentators. Centuries uses social media, financial, and macro-economic data to determine and predict cryptocurrency markets.
