Bittrex Sanctions and AML Violations: The Importance of Compliance Checks for the Cryptocurrency Industry (Part II of II) | The Volkov Legal Group

Along with the Office of Foreign Assets Control (“OFAC”), the Financial Crimes Enforcement Network (“FinCEN”) has settled with Bittrex, Inc. (“Bittrex”), a cryptocurrency exchange that allows users to trade virtual assets, for willful violations of the Bank Secrecy Act (“BSA”) reporting requirements for anti-money laundering (“AML”) and suspicious activity reporting (” SAR”). As a result of these violations, Bittrex has agreed to return $29,280,829.20 in the settlement agreement, but will credit Bittrex’s nearly $24 million payment to OFAC in its settlement for the sanctions violations.

Following an investigation, FinCEN found that Bittrex had failed to maintain an effective AML program as required. Specifically, Bittrex maintained an “inadequate and ineffective” transaction monitoring system on its platform, which failed to identify suspicious transactions and exposed the platform to significant exposure to illicit finance. Specific to the nature of its virtual asset offerings, Bittrex failed to manage the risks associated with certain privacy- and anonymity-focused cryptocurrencies that were traded on the exchange.

For years, Bittrex’s AML program and SAR reporting failures have unnecessarily exposed the US financial system to threat actors,” said Acting FinCEN Director Himamauli Das. “Bittrex’s failures created exposure to high-risk counterparties, including sanctioned jurisdictions, darknet markets and ransomware attackers. Virtual asset service providers are cautioned to implement strong risk-based compliance programs and adhere to their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.

FinCEN determined that these breaches occurred between February 2014 and December 2018. During the period from February 2014 to May 2017, Bittrex did not file any HRH. A significant number of these SARs included a sanctioned jurisdiction, while others included suspicious conduct “beyond” simply including a sanctioned jurisdiction. For example, users of the exchange have made direct transactions with various darknet markets to buy and sell private data, illegal narcotics, and child pornography.

Although Bittrex has struggled more recently, during this time it was one of the largest exchanges in the United States. Thus, the company facilitated nearly 546,000,000 transactions during this period, averaging more than 20,000 transactions per day. Bittrex offered over 250 different cryptocurrencies for trading on its exchange and traded over $17,000,000,000 in bitcoin transactions during this time.

At a minimum, the BSA requires an effective AML program, which requires a company to:

  1. incorporates policies, procedures and internal controls reasonably designed to ensure continued compliance with the BSA and its regulations;
  2. appoints a person responsible for ensuring day-to-day compliance with the MSB AML program and all BSA regulations;
  3. provides education and/or training to appropriate personnel, including training in the detection of suspicious transactions; and
  4. provides for independent review to monitor and maintain an adequate program.

Bittrex’s AML program fell far short of any reasonable standard. For example, in 2017, when the company averaged nearly $98 million in daily transactions, the company did not maintain a formal transaction monitoring system. Instead, only two employees were loaded manually – manually! – monitoring operations, in addition to their other missions. These employees also had very little anti-money laundering training or experience. Even when hiring additional staff to continue manual – manual!! – process, and even the extended staff was overwhelmed with the task. The company had only filed a handful of SARs for most of the relevant period in this case. However, once the Internal Revenue Service (“IRS”) indicated that it intended to review the company’s BSA program, Bittrex suddenly filed 119 SARs with FinCEN within a month of that notification. from the IRS.

James V. Hayes