Posted by Brian Monroe
FinCEN, OFAC fine crypto exchange Bittrex nearly $30 million on AML, sanctions failings, missed SARs, links to darknet markets, mixers, ransomware gangs
Two departments in the U.S. Treasury Tuesday levied a nearly $30 million penalty against a midsize virtual currency exchange for a host of financial crime and sanctions compliance failings, including missed filings of aberrant activity and weak monitoring of activity tied to crypto mixers.
The Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC), the government agencies responsible for crafting the country’s anti-money laundering (AML) defenses and designating and blacklisting illicit entities and recalcitrant regions, censured crypto exchange Bittrex for a bevy of gaps across its countercrime program.
The order echoes several regulatory pain points and investigative focal points in bank and money services business (MSB) compliance penalties in recent years, including lack of adequate compliance staffing, transaction monitoring blindspots and not making the connections to higher-risk entities or their suspicious activities.
The action also builds on recent enforcement actions targeting the countercrime compliance programs of virtual asset service providers (VASPs), a technical term for crypto exchanges — and the building global pressure to rein in the rollicking sector.
“For years, Bittrex’s AML program and [suspicious activity report (SAR)] reporting failures unnecessarily exposed the U.S. financial system to threat actors,” said FinCEN Acting Director Himamauli Das, adding that the failings were willful and should serve as a warning for other exchanges to improve systems, controls and training.
“Bittrex’s failures created exposure to high-risk counterparties including sanctioned jurisdictions, darknet markets, and ransomware attackers.”
FinCEN said its investigation found that from February 2014 through December 2018, Bittrex did not maintain an “effective” AML program.
The penalty orders detail two fines: OFAC at $24 million and FinCEN at $29 million, but as is common in many cases where two agencies engage in the investigation and because some of the foundational failings are interwoven between AML and sanctions snags, the larger payment to FinCEN will satisfy both agencies’ orders.
As to how and why OFAC became involved in the settlement, Bittrex failed to prevent entities located in sanctioned jurisdictions from operating on its platform between March 2014 and December 2017, according to settlement documents.
In all, the virtual exchange Bittrex engaged in more than 116,000 transactions totaling some $260 million with designated entities and blacklisted regions, including Iran, Cuba, Sudan, Syria, and the Crimea region of Ukraine.
Only human: how many transactions can an analyst get to in a day?
At the root of the problem for both AML and sanctions snags is a glaring lack of resources, including depth and adequacy of training and paucity of warm bodies to do the work.
Even small banks and credit unions use automated transaction monitoring systems to review transactions and produce alerts for human analysts to view, cognizant that even a few hundred or few thousand customers can produce a dizzying overall number of daily, weekly and monthly transactions.
As for Bittrex, it failed in both areas: systems and human decision-makers and investigators, according to FinCEN.
The exchange had an ineffective, chiefly manual monitoring system on its trading platform, relying in some cases on “as few as two employees” with minimal AML training and experience to manually review all of the transactions for suspicious activity, which at times were more than 20,000 per day.
The finial of this failing: not just late SARs, but no reports for an extended period of time.
Bittrex failed to file any SARs between February 2014 and May 2017, including when transactions touched OFAC-sanctioned regions.
The result: the exchange processed more than 200 transactions involving $140,000 worth of virtual assets—nearly 100 times larger than the average withdrawal or deposit on the Bittrex platform—and 22 transactions involving over $1 million worth of virtual assets.
Whether big or small, regional or international, all crypto exchanges must have an AML program – that isn’t an afterthought
The fincrime compliance failings at Bittrex also can’t be chalked up to it being a diminutive exchange with little significant financial throughput in the real or virtual worlds.
Bittrex is among the top 50 largest crypto exchanges, coming in at No. 27 with a daily trading volume of more than $22.6 million, according to a ranking by Coin Market Cap.
The exchange has more than 100,000 weekly visits, operates in 800 markets and transacts in 400 coins and one fiat currency: the U.S. dollar.
While busy, those figures pale in comparison to the largest exchange, Binance, which has an average trading volume of nearly $18 billion per day and more than 16 million visits per week.
Binance operates in 1,681 markets, accepts 385 coins and nearly 50 world fiat currencies.
Even so, authorities at the highest levels of the fincrime compliance heavens have called on exchanges of all sizes to have stout AML programs, including the Paris-based Financial Action Task Force, the European Union and other major regional financial centers.
Or they could face enforcement actions – by regulators and investigators in all of the regions they operate.
Does FinCEN enforcement action signify more penalties to come – and from more regulators?
In the U.S., a panoply of government oversight bodies have claimed dominion over the nascent and volatile virtual value ecosystem.
In recent years, federal and state regulators – including the Securities and Exchange Commission and Commodity Futures Trading Commission – have increased their scrutiny of crypto exchanges related to fraud, trading and fincrime compliance failings, according to Katherine Lemire, a partner at Quinn Emanuel Urquhart & Sullivan LLP.
She previously served as Executive Deputy Superintendent at the New York State Department of Financial Services.
That may well be a glimpse of the present – and future of AML compliance tied to the virtual value world.
“Cryptocurrencies undoubtedly will be subject to increased regulation in the future,” she wrote in an analysis of crypto enforcement trends published last month. “Likewise, current trends point to increased AML regulation by multiple government agencies in the near future.”
Several recent actions by FinCEN drive home her point.
In October 2020, FinCEN announced a $60 million civil money penalty against Larry Dean Harmon, the founder, administrator, and primary operator of Helix and Coin Ninja, convertible virtual currency “mixers,” or “tumblers,” for violations of the BSA and its implementing regulations.
In April of 2019, FinCEN levied a penalty of more than $35,000 against Eric Powers for AML violations and failing to register as an MSB for operating as a peer-to-peer virtual currency exchanger between December 2012 and September 2014.
While the overall penalty seems paltry compared to fines in the hundreds of millions of dollars FinCEN has been a part of against banks, the penalty is more of an “attention getter” for the P2P crypto trading space.
In such an arena (localbitcoins would be an example), individuals trying to transact beyond themselves can easily, maybe even accidentally, turn themselves into a business, therefore tripping AML duties.
For Powers, according to FinCEN, his actions were not a mistake, nor innocent.
He engaged in 1,700 transactions as a money transmitter of the convertible virtual currency bitcoin, purchasing and selling bitcoin to and from others, according to FinCEN.
Powers was not simply a “user” of virtual currency – i.e., someone who obtains and uses convertible virtual currency to purchase real or virtual goods or services for his own benefit.
“Through postings made on web fora, such as bitcointalk.org and bitcoin-otc.com, Mr. Powers advertised his intent to purchase and sell bitcoin for others,” according to penalty documents.
He completed sales and purchases by either “physically delivering or receiving currency in person, sending or receiving currency through the mail, or coordinating transactions by wire through a depository institution.”
Ironically, he also could not claim he was unaware of the intersection of crypto and AML.
“Internet postings Mr. Powers made also indicate that he would direct transactions at other virtual currency exchangers (such as Mt. Gox) on behalf of his customers,” according to FinCEN.
He also participated in online discussions “pertaining to AML compliance, including specific conversations about registering as an MSB, which demonstrate his awareness of the relevant BSA requirements.”
In short: busted.
Beyond federal fincrime fusillades, states may want pound of crypto enforcement flesh
AML fines against crypto firms are not the sole realm of federal agencies.
On Aug. 2, 2022, the New York State Department of Financial Services (DFS) announced a $30 million settlement with the crypto trading division of Robinhood in connection with AML and cybersecurity compliance shortcomings.
In addition, although DFS has “not publicly announced any AML-related enforcement actions against Coinbase, in February 2022 Coinbase publicly reported a DFS investigation into the exchange’s AML practices,” Lemire said.
Overall, the DFS is one of the country’s leading crypto regulators, and New York’s regulatory framework “remains the most robust among the states,” she noted in her analysis.
New York State’s BitLicense regulation, enacted in 2015, requires companies engaging in virtual currency activities in New York to acquire a license from DFS and to implement a “robust” AML program, Lemire stated.
If these crypto exchanges tarry?
They face double-barreled penalties from state and federal regulatory and investigative authorities – as has happened over the last decade with high-profile sanctions cases against banks that have soared into the billions of dollars.
“While regulatory gray areas and safe harbors abound, regulators continue to establish oversight over this growing industry,” Lemire said.
“Regulated cryptocurrency businesses that fail to engage in basic AML compliance — such as conducting KYC on new customers, monitoring transactions, and investigating suspicious transactions — may find themselves in the crosshairs of federal and state regulators.”