We started the year with a tiny $12,150 settlement with Park Strategies, LLC and end with this…
183 apparent violations of the Crimea (E.O. 13685) part of the Ukraine/Russia-related sanctions, as well as the Cuba, Syria, Iran and Sudan sanctions – not voluntarily self-disclosed, but not egregious. That puts the base penalty amount at $183,000.
The introductory section explains why they bothered with a fine here:
As a result of deficiencies related to BitGo’s sanctions compliance procedures, BitGo failed to prevent persons apparently located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria from using its non-custodial secure digital wallet management service. BitGo had reason to know that these users were located in sanctioned jurisdictions based on Internet Protocol (IP) address data associated with devices used to log in to the BitGo platform. At the time of the transactions, however, BitGo failed to implement controls designed to prevent such users from accessing its services.
And (something that would normally be in the Compliance Considerations “lessons learned” section):
This action emphasizes that OFAC sanctions compliance obligations apply to all U.S. persons, including those involved in providing digital currency services. As part of a risk-based approach, OFAC encourages companies that provide digital currency services to implement sanctions compliance controls commensurate with their risk profile.
What they did
Between approximately March 10, 2015 and December 11, 2019, BitGo processed 183 digital currency transactions, totaling $9,127.79, on behalf of individuals who, based on their IP addresses, were located in sanctioned jurisdictions. The Apparent Violations related to BitGo’s “hot wallet” secure digital wallet management service. Individuals located in Crimea, Cuba, Iran, Sudan, and Syria signed up for “hot wallet” accounts and accessed BitGo’s online platform to conduct digital currency transactions.
At the time of the Apparent Violations, BitGo tracked its users’ IP addresses for security purposes related to account logins. BitGo, however, did not use this IP address information for sanctions compliance purposes. As a result, users located in Crimea, Cuba, Iran, Sudan, and Syria were able to create and use digital currency wallets on BitGo’s platform and engage in digital currency transactions, despite BitGo’s ability to identify the location of these users.
Prior to April 2018, BitGo allowed individual users of its secure wallet management services to open an account by providing only a name and email address. In April 2018, BitGo amended its practices to require all new accountholders to also verify the country in which they are located, but BitGo generally relied on each user’s attestation regarding their location and did not perform additional verification or diligence on the location of its users. However, after learning of the Apparent Violations, in January 2020, BitGo implemented an OFAC Sanctions Compliance Policy (“OFAC Policy”) and undertook significant remedial measures, as further described below.
By failing to prevent users located in Crimea, Cuba, Iran, Sudan, and Syria from accessing and using its services to engage in digital currency transactions, BitGo apparently violated Executive Order 13685 of December 19, 2014, “Blocking Property of Certain Persons and Prohibiting Certain Transactions with Respect to the Crimea Region of Ukraine”; the Cuban Assets Control Regulations, 31 C.F.R. §515.201; the Iranian Transactions and Sanctions Regulations, 31 C.F.R. §560.204; the Sudanese Sanctions Regulations, 31 C.F.R. §538.205 (SSR); and the Syrian Sanctions Regulations, 31 C.F.R. §542.207.
The calculation: aggravating and mitigating factors
OFAC determined the following to be aggravating factors:
(1) BitGo failed to exercise due caution or care for its sanctions compliance obligations when it failed to prevent persons apparently located in sanctioned jurisdictions from opening accounts and sending digital currencies via its platform as a result of a failure to implement appropriate, risk-based sanctions compliance controls; and
(2) BitGo had reason to know that some of its users were located in sanctioned jurisdictions based on those users’ IP address data, which it had separately obtained for security purposes.
OFAC determined the following to be mitigating factors:
(1) BitGo is a relatively small company and has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the earliest transaction giving rise to the apparent violations;
(2) BitGo cooperated with OFAC’s investigation into these apparent violations; and
(3) BitGo represented that it has invested in significant remedial measures in response to the Apparent Violations and as part of its agreement with OFAC to implement compliance commitments intended to minimize the risk of recurrence of similar conduct in the future, including:
• BitGo hired a Chief Compliance Officer and implemented its new OFAC Policy, which now applies to all BitGo’s services;
• BitGo implemented a new OFAC Policy that includes:
  o A detailed overview of OFAC and relevant sanctions laws;
  o The appointment of a compliance officer specifically responsible for implementing and providing guidance and interpretation on matters related to U.S. sanctions laws;
  o IP address blocking, as well as email-related restrictions, for sanctioned jurisdictions;
  o Periodic batch screening;
  o Recordkeeping procedures for all financial records and documentation related to sanctions compliance efforts;
  o A review and, where appropriate, update of end-user agreements to ensure that customers are aware of, and comply with, U.S. sanctions requirements; and
  o A review of screening configuration criteria on a periodic basis.
• BitGo screens all accounts, including “hot wallet” accounts, against OFAC’s Specially Designated Nationals and Blocked Persons List, including blocked cryptocurrency wallet addresses identified by OFAC. BitGo has also conducted a retroactive batch screen of all users;
• BitGo routinely reviews its OFAC Policy and updates its procedures, as appropriate; and
• BitGo employees are required to certify that they have reviewed and understand BitGo’s OFAC Policy, and are required to attend training programs, as appropriate.
The lessons learned (with an extended pitch for the Framework document)
This action highlights that companies involved in providing digital currency services—like all financial service providers—should understand the sanctions risks associated with providing digital currency services and should take steps necessary to mitigate those risks. Companies that facilitate or engage in online commerce or process transactions using digital currency are responsible for ensuring that they do not engage in transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions.
To mitigate such risks, administrators, exchangers, and users of digital currencies should develop a tailored, risk-based sanctions compliance program. OFAC’s A Framework for OFAC Compliance Commitments notes that each risk-based sanctions compliance program will vary depending on a variety of factors, including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations, but should be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. Within that framework, this enforcement action emphasizes the importance of implementing technical controls, such as sanctions list screening and IP blocking mechanisms, to mitigate sanctions risks in connection with digital currency services.
Additional guidance from OFAC related to the provision of digital currency services can be found here:
A little commentary
A couple of things spring to mind here. First, this is reminiscent of older actions like the Wells Fargo case, where the bank didn’t leverage the date of birth info it had in its internal database to identify two account holders on the SDN List. Firms which conduct business over the Internet (not just where account opening activities occur) are responsible for the available location data such as the IP address. Despite the meager size of the fine, it was still over 10 times the value of the underlying transactions – Mr. Watchlist would not be surprised to see overly large fines (in relation to the transaction value, much less the revenue) to drive home this point.
In a related point, I don’t think it’s a coincidence that 2020 was also the year FinCEN had an enforcement action against Larry Dean Harmon, who ran a pair of Bitcoin mixers. The cryptoasset world is still very much a Wild West; the number of countries that regulate the sector is still really low, and everyone sees dollar signs in every click. It will probably take a lot of these actions – concurrent with getting on stage at industry conferences – to drive home the point that there is regulation for these businesses that has to be adhered to.