Before we all rush into the weekend, compliance officers should take a look at that enforcement action against cryptocurrency platform Bittrex that was announced earlier this week. It offers some valuable lessons about building a sanctions compliance program on the fly and what regulators expect crypto firms to do for sanctions risk.
The enforcement action came from the Office of Foreign Assets Control and FinCEN on Tuesday. The two agencies fined Bittrex a total of $29 million for allowing people in Cuba, Crimea, Iran, and other sanctioned countries to conduct financial transactions on the Bittrex platform; and for failing to file suspicious activity reports (SARs) to regulators in a timely manner — as in, filing no reports at all for three years, while those people in sanctioned countries conducted 116,000 transactions worth a total of more than $263 million.
The settlement orders against Bittrex make for painful reading. For example, as outlined in the OFAC order, Bittrex started offering its virtual currency services in March 2014, but had no sanctions compliance program in place at all until December 2015. In 2016 the company began screening customer names against OFAC sanctions lists (good), but did not scrutinize whether customers were in sanctioned countries for another 18 months (bad). Only when OFAC sent Bittrex a subpoena in October 2017 did the company understand it should do that, too.
The consent order from FinCEN is no better. It notes that in 2016, while Bittrex was averaging 11,000 deposits and withdrawals per day on its platform, the company had only two employees — “with minimal AML training and experience” — reviewing suspicious transactions. Those employees used manual processes even though automated transaction monitoring software was widely available, and their AML compliance duties were in addition to their other, regular duties.
Keeping Up With Compliance Challenges
If Bittrex’s many shortcomings could be traced back to one fundamental flaw, it would be this: a failure by management to give the compliance program the attention that it needed.
We’ve seen this time and again, especially relating to how financial firms handle suspicious activity reporting. They don’t hire enough personnel and don’t give those employees the necessary technology to manage the workload in an efficient manner. For example, earlier this year regulators hit USAA with a $140 million fine for persistent shortcomings in its AML compliance program, many of them related to inadequate staffing.
One statement from that USAA enforcement action (from FinCEN’s acting director) bears repeating here: “Today’s action signals that growth and compliance must be paired, and AML program deficiencies, especially deficiencies identified by federal regulators, must be promptly and effectively addressed.”
Growth and compliance must be paired. That’s the crucial message for senior management and the board to understand and embrace — even though plenty of financial firms (especially those in crypto world) have been ignoring that message in practice.
If we want to broaden the lens a bit, this is what the Justice Department and other regulators mean when they talk about “tone at the top” and “culture of compliance.” They want to see clear, compelling evidence that senior management understands the importance of an effective compliance program and supports that program in tangible ways.
What might that support look like? For starters, consider several of the principles in the COSO internal control framework meant to support the control environment:
- The organization demonstrates a commitment to integrity and ethical values.
- The organization demonstrates a commitment to attracting, developing, and retaining competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Now let’s circle back to some of the facts from Bittrex. When Bittrex first opened for crypto business in 2014, it designated its then-CEO Bill Shihara, a former security engineer at Amazon, as the company’s AML compliance officer. “This appointment was not commensurate with Bittrex’s risk profile based on the volume and scope of its activity,” as FinCEN drily put it. The company had only two employees performing suspicious activity reviews, using manual processes, for years.
When Bittrex did start using automated screening software in 2016, it misconfigured its sanctions procedures and missed many problematic transactions from sanctioned countries, and didn’t fix that error until late 2017 when regulators had begun an investigation.
Does any of the above strike you as in the spirit of the COSO principles for a strong control environment?
Credit Where It’s Due
FinCEN and OFAC did praise Bittrex for swiftly implementing remedial actions starting in late 2017, once the company grasped that it did have a serious compliance problem. Those measures included:
- Blocked all IP addresses associated with a sanctioned jurisdiction;
- Restricted the accounts of all account holders identified as being located in jurisdictions subject to OFAC sanctions;
- Began using a new software program for sanctions-related screening;
- Implemented blockchain tracing software to assist in identifying and blocking virtual currency addresses associated with persons on OFAC’s sanctions list;
- Hired a dedicated chief compliance officer who reports directly to the CEO and the board of directors, and otherwise substantially increased its compliance staff;
- Implemented a standalone sanctions compliance policy and has undergone additional independent audits of its sanctions compliance functions.
That’s all good. These are actions any company with significant sanctions risk should take, and it seems like Bittrex’s compliance posture is much stronger now — but these actions came many, many days too late.
There are two bigger enforcement questions here. First, will we see more such enforcement actions against crypto firms, where FinCEN and other regulators start imposing larger penalties for the bumbling sanctions programs these crypto firms operated in the mid- to late 2010s? Because I suspect Bittrex is not the only firm that made a mad dash for growth during crypto’s salad days (which really only ended at the start of this year), with compliance programs a distant afterthought.
Second, will we see enforcement against individual leaders of these crypto firms? After all, those senior executives were the ones deciding budgets and staffing levels, or the lack thereof. If the Justice Department is serious about holding individuals accountable for misconduct, how will that translate in the crypto space?
I don’t know that all these hyper-aggressive, under-prepared executives deliberately turned a blind eye to the misconduct happening thanks to their crypto platforms; but in the Bittrex case alone, customers were using the platform to conduct transactions on dark web markets such as AlphaBay, Agora, and the Silk Road 2. Those markets are used to buy and sell stolen identification data, illegal narcotics, and child pornography. That’s unsavory stuff. Rooting out and preventing it should have been a priority from the start.
So there are interesting questions here about how regulators will hold executives accountable for allowing a slap-dash culture of compliance. I’ll be curious to see what the answers are.