OFAC Fines in the Digital Asset Space: Lessons Learned for Sanctions Compliance

Ervin Zubic
Coinmonks
Apr 9, 2024

Avoid costly sanctions violations! This article analyzes OFAC cases against crypto companies, revealing common compliance mistakes and how to fix them.


The Office of Foreign Assets Control (OFAC) plays a crucial role in enforcing economic sanctions against designated countries, individuals, and entities. While the agency provides extensive guidance and resources for digital asset companies, navigating these regulations can still be challenging. Grey areas emerge when dealing with evolving sanctions lists, emerging technologies, and the ever-changing digital asset landscape. Analyzing past OFAC civil penalty settlements with digital asset providers offers many insights. By examining these cases, we can decipher evolving regulatory expectations, identify common compliance pitfalls, and develop proactive strategies for mitigating sanctions risks within the industry.

OFAC Settlement Case Studies

For a deeper dive, we strongly recommend reviewing the summaries of these major OFAC settlements with digital asset providers in the last decade. They offer valuable insights into the specific scenarios that led to violations and the mitigating factors considered by OFAC. However, if you’re short on time, you can skip ahead to the closing paragraphs for a concise overview of the key takeaways and best practices gleaned from these cases.

12/13/2023: CoinList Markets LLC OFAC Settlement Summary

CoinList Markets LLC (CLM), a San Francisco-based virtual currency exchange, settled with OFAC for $1,207,830 due to 989 transactions valued at $1,252,280 on behalf of users in Crimea between April 2020 and May 2022, in violation of the Ukraine-/Russia-Related Sanctions Regulations. These transactions were not self-disclosed and were considered non-egregious by OFAC. Despite implementing several sanctions compliance measures, CLM’s protocols failed to flag users who listed “Russia” as their country but provided a Crimean address, resulting in the opening of 89 accounts for such users. Aggravating factors included CLM’s failure to flag accounts linked to Crimea and the knowledge of conducting transactions for Crimean residents, which undermined the URRSR’s objectives. Mitigating factors were CLM’s lack of prior penalties, cooperation with the investigation, and the minimal volume of violations compared to its annual transaction volume. CLM’s immediate steps included updating filter settings to reject users with Crimean addresses, implementing IP geo-blocking, investing in new identity verification and screening vendors, and enhancing its compliance training program. Part of the settlement amount will be withheld until CLM meets the agreed-upon compliance improvements, including a $300,000 investment in additional sanctions compliance controls.

11/21/2023: Binance Holdings, Ltd. OFAC Settlement Summary

Binance Holdings, Ltd., a Cayman Islands-based virtual currency exchange, agreed to pay $968,618,825 to settle 1,667,153 apparent violations of multiple sanctions programs between August 2017 and October 2022. Despite efforts to project compliance, Binance management knowingly allowed U.S. and sanctioned jurisdiction users on its platform, engaging in transactions totaling approximately $706,068,127. The settlement reflects OFAC’s view of the violations as egregious and not self-disclosed, compounded by Binance’s misleading representations about its compliance controls and the encouragement of users to bypass these controls. The significant penalty also accounts for Binance’s concurrent settlements with the DOJ, FinCEN, and the CFTC and the agreement to retain an Independent Compliance Monitor for five years. Aggravating factors included Binance’s awareness of its conduct violating U.S. laws, misrepresenting its sanctions controls, and the economic benefits provided to users in sanctioned jurisdictions. Mitigating factors highlighted Binance’s cooperation with OFAC, implementation of substantial remedial measures, and its agreement to undertake compliance commitments. This settlement underscores the importance of genuine compliance efforts from the inception and integrating compliance controls into business operations to prevent sanctions violations.

05/01/2023: Poloniex, LLC OFAC Settlement Summary

Poloniex, LLC settled with OFAC for $7,591,630 for 65,942 violations related to transactions valued at $15,335,349 with individuals in sanctioned jurisdictions between January 2014 and November 2019. Initially lacking a sanctions compliance program, Poloniex allowed customers from Crimea, Cuba, Iran, Sudan, and Syria to use its digital asset platform. It wasn’t until May 2015 that Poloniex implemented a sanctions compliance program and began monitoring for sanctions compliance, with significant improvements following its acquisition by Circle Internet Financial Limited in February 2018. Despite efforts, violations continued into 2018 and 2019, primarily with accounts in Crimea. Aggravating factors included Poloniex’s delayed implementation of compliance programs and its awareness of users’ locations in sanctioned areas. Mitigating factors included the absence of prior penalties, the company’s small size at the time, and subsequent improvements to its compliance program, such as account freezes until KYC verification and enhanced training. This case emphasizes the importance of immediate, comprehensive sanctions compliance programs for digital asset companies serving a global customer base.

03/31/2023: Uphold HQ Inc. OFAC Settlement Summary

Uphold HQ Inc., a California-based digital trading platform, settled with OFAC for $72,230.32 due to 152 transactions worth $180,575.80 that apparently violated sanctions against Iran, Cuba, and Venezuela from March 2017 to May 2022. Violations included processing transactions for customers in Iran or Cuba and for Venezuelan government employees. Uphold’s violations were deemed non-egregious and self-disclosed. The company failed to adequately screen customer information, leading to transactions with sanctioned entities. Mitigating factors included Uphold’s lack of prior penalties, cooperation with OFAC, and implementation of comprehensive remedial measures, such as improved screening and compliance training. This case highlights the critical need for robust sanctions screening, especially for financial institutions in the digital asset space.

10/11/2022: Bittrex, Inc. OFAC Settlement Summary

Bittrex, Inc., a Washington-based online virtual currency exchange, settled with OFAC for $24,280,829.20 due to 116,421 apparent violations of multiple sanctions programs involving transactions valued at approximately $263,451,600.13. The violations occurred because Bittrex did not initially screen user information for connections to sanctioned jurisdictions, allowing users from the Crimea region, Cuba, Iran, Sudan, and Syria to use its platform. The lack of initial screening protocols led to the processing of transactions for users based on IP and physical address information indicating their location in sanctioned areas. The settlement reflects the violations as non-egregious and not self-disclosed. Key remedial measures Bittrex took after identifying its compliance failures include implementing sanctions screening and blockchain tracing software, additional compliance training, and a significant increase in compliance staff. Bittrex also began using new software for sanctions-related screening. It blocked all IP addresses from sanctioned jurisdictions, restricted accounts of identified users in these areas, and underwent independent audits of its sanctions compliance functions. In this case, aggravating factors included Bittrex’s delay in establishing a sanctions compliance program and its failure to prevent transactions involving sanctioned jurisdictions despite having relevant customer location data. Mitigating factors acknowledged by OFAC included Bittrex’s lack of previous penalties, its status as a small and new company at the time of most violations, substantial cooperation with OFAC’s investigation, and the relatively small amount of most transactions involved.

02/18/2021: BitPay, Inc. OFAC Settlement Summary

BitPay, Inc., based in Atlanta, agreed to pay $507,375 to settle a potential civil liability for 2,102 transactions conducted by users in Crimea, Cuba, North Korea, Iran, Sudan, and Syria between June 2013 and September 2018, totaling about $129,000 in digital currency on its platform. Although it had IP addresses and other location data showing users in sanctioned areas, BitPay did not prevent these transactions due to deficiencies in its sanctions compliance program. This case underscores OFAC’s stance that digital currency services must implement appropriate compliance controls to prevent transactions with sanctioned jurisdictions. BitPay’s failure to screen its merchants’ buyers, despite knowing their locations, led to the violations. The settlement reflects the non-egregious nature of the violations and BitPay’s cooperative measures, including enhancing its compliance program by implementing new tools and training to prevent future violations.

12/30/2020: BitGo, Inc. OFAC Settlement Summary

BitGo, Inc., settled with OFAC for $98,830 for 183 transactions conducted by users in sanctioned regions like Crimea, Cuba, Iran, Sudan, and Syria between March 2015 and December 2019, totaling $9,127.79. Despite having IP address data indicating their locations, BitGo’s platform did not block users in these areas from using its digital wallet services. The case highlights the necessity for digital currency service providers to implement sanctions compliance measures that match their risk profile, including using IP address data for compliance purposes. After recognizing the violations, BitGo significantly revamped its compliance procedures, including IP blocking and stringent customer verification, underscoring the importance of technical controls and a robust compliance framework in the digital currency sector.

Sanctions Compliance in the Digital Asset Industry: Key Takeaways

A close examination of these OFAC settlement summaries reveals several recurring themes among the reasons for violations. The primary drivers behind these sanctions violations include:

  • Inadequate IP geolocation: Many providers failed to effectively implement IP address screening, allowing users from sanctioned jurisdictions to access their platforms.
  • Weak Know Your Customer (KYC): Insufficient customer identity verification led to transactions with individuals potentially connected to sanctioned entities.
  • Delayed compliance programs: Some companies lacked robust sanctions compliance programs from the beginning, leading to prolonged periods where violations could occur.
  • Insufficient blockchain analytics: Limited or non-existent use of blockchain tracing tools made tracking and flagging transactions linked to sanctioned addresses difficult.

How to Avoid Sanctions Missteps

Having reviewed these OFAC enforcement actions, some key themes emerge. Companies should prioritize the following measures to avoid similar missteps:

  • Robust IP geolocation: Implement and consistently enforce IP address screening to block users from sanctioned jurisdictions. Pro Tip: While IP geolocation is essential, it’s important to note that it may not always be sufficient. Robust compliance programs now incorporate geofencing technologies for an additional layer of location-based controls.
  • Comprehensive KYC procedures: Enhance identity verification processes, including collecting detailed customer information. Pro Tip: Fuzzy matching is your sanctions compliance friend. It helps you catch potential red flags even if a name or location is misspelled or formatted differently (e.g., “Hosni Mabarak” vs. “Hosni Mubarak” or “Tripoli, Libya” vs. “Tarabulus, Libya”).
  • Proactive compliance: Establish dedicated sanctions compliance programs from the company’s earliest stages and regularly review and update them in light of evolving regulations. Pro Tip: Don’t just screen once! Effective sanctions compliance goes beyond onboarding checks. Regularly rescreen customers, ensuring you stay compliant with evolving regulations.
  • Blockchain analytics: Invest in blockchain tracing tools to identify potential connections to sanctioned entities and tainted funds.
  • Ongoing staff training: Provide regular sanctions compliance training tailored for all relevant employees within the organization.
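
As an added illustration (not code from the article or from any of the companies discussed), the sketch below combines two of the controls listed above: fuzzy name matching, and checking every location field rather than only the declared country, which is the gap described in the CoinList case. The watchlist, locality terms, field names and the 0.85 threshold are constructed assumptions, and `ip_region` is assumed to be resolved upstream by a geolocation service.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: not a real sanctions list or a complete gazetteer.
WATCHLIST = ["Hosni Mubarak"]
RESTRICTED_REGION_TERMS = {
    "Crimea": ["crimea", "sevastopol", "simferopol", "yalta", "kerch"],
}

def normalize(text):
    """Lower-case, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in text.lower())
    return " ".join(cleaned.split())

def name_hits(name, watchlist=WATCHLIST, threshold=0.85):
    """Return (listed_name, score) pairs whose similarity meets the threshold."""
    # Sorting tokens makes "Mubarak, Hosni" and "Hosni Mubarak" compare equal.
    candidate = " ".join(sorted(normalize(name).split()))
    hits = []
    for listed in watchlist:
        target = " ".join(sorted(normalize(listed).split()))
        score = SequenceMatcher(None, candidate, target).ratio()
        if score >= threshold:
            hits.append((listed, round(score, 2)))
    return hits

def region_hits(customer):
    """Check every location field, not only the declared country."""
    hits = set()
    for region, terms in RESTRICTED_REGION_TERMS.items():
        for field in ("country", "address", "ip_region"):
            words = normalize(customer.get(field, "")).split()
            if any(term in words for term in terms):
                hits.add((region, field))
    return sorted(hits)

def screen(customer):
    """Return a list of flags; an empty list means no hit at this screening."""
    flags = [f"name~{n}({s})" for n, s in name_hits(customer["name"])]
    flags += [f"region:{r}:{f}" for r, f in region_hits(customer)]
    return flags

if __name__ == "__main__":
    # Constructed record: declared country is Russia, address is in Crimea.
    print(screen({"name": "Hosni Mabarak", "country": "Russia",
                  "address": "12 Lenina St, Simferopol", "ip_region": "RU"}))
```

Character similarity alone does not link alias pairs such as “Tripoli” and “Tarabulus”; those need an alias or transliteration table alongside the fuzzy score. Running `screen` again over existing customers whenever the lists change covers the rescreening point in the list.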

While no compliance program is foolproof, addressing these common pitfalls will significantly increase resilience against sanctions risks. By learning from these past cases, digital asset companies can proactively collaborate with regulators to maintain a secure and compliant environment.

OFAC Basics: Sanctions List Search. Source: U.S. Department of the Treasury on YouTube.

Essential OFAC Resources for Sanctions Compliance

  1. OFAC Homepage: The official website of the Office of Foreign Assets Control (OFAC), which provides an overview of its mission and activities.
  2. OFAC Contacts Webpage: Lists contact information for various OFAC departments for inquiries or reporting concerns.
  3. OFAC Reporting System: A web-based portal to submit reports on suspected sanctions violations or transactions with sanctioned entities.
  4. OFAC Licensing Portal: This portal provides access to the application process for licenses authorizing specific activities that would otherwise be prohibited by sanctions.
  5. Sanctions List Search Tool: This is a searchable database that identifies individuals, entities, and vessels included on OFAC sanctions lists.
  6. SDN List: Specifically focuses on individuals and entities designated as Specially Designated Nationals (SDNs) by OFAC.
  7. Consolidated Sanctions List (Non-SDN Lists): This is a compilation of sanctions lists targeting entities other than SDNs, such as foreign governments, terrorist organizations, and weapons proliferators.
  8. Other OFAC Sanctions Lists: Provides access to additional sanctions lists maintained by OFAC beyond the SDN and Consolidated Sanctions List.
  9. OFAC-Administered Sanctions Programs and Country Information: Offers details on specific sanctions programs implemented by OFAC and related information on targeted countries.
  10. OFAC FAQs: A collection of frequently asked questions and answers regarding OFAC sanctions and compliance procedures.
  11. OFAC Recent Actions: Provides updates on recent sanctions designations, enforcement actions, and other relevant activities by OFAC.
  12. Economic Sanctions Enforcement Guidelines — Appendix A to Part 501: This detailed document outlines OFAC’s enforcement guidelines for interpreting and complying with economic sanctions regulations.
  13. A Framework for OFAC Compliance Commitments: A guide for businesses to develop and implement effective sanctions compliance programs.
  14. Office of Compliance and Enforcement (“OCE”) Data Delivery Standards Guidance: Provides preferred practices for submitting data and documents to OFAC during enforcement investigations.
  15. Civil Penalties and Enforcement Information: A resource on OFAC’s civil penalty process and recent enforcement actions.
  16. Guidance on the North Korean Cyber Threat: This advisory document outlines the risks associated with North Korean cyber activities and potential sanctions violations.
