The U.S. Department of the Treasury continued its enforcement of sanctions and anti-money laundering (AML) obligations on virtual asset service providers (VASPs), announcing settlements with the cryptocurrency exchange Bittrex, Inc.

On October 11, Treasury imposed penalties of over USD $29 million against Bittrex for compliance failures that included inadequately managing anonymity-enhanced cryptocurrencies, also called privacy coins. The penalty is the largest to date in a virtual currency enforcement action by the Treasury's Office of Foreign Assets Control (OFAC). The recent enforcement action reinforces Treasury’s earlier warnings that companies transacting in virtual currency must comply with the same sanctions obligations as those in traditional fiat currency (FAQ 560).

• OFAC communicated this message in its February 2021 settlement with digital currency payment processor BitPay, Inc., and the October 2021 Sanctions Compliance Guidance for the Virtual Currency Industry.

• Treasury actions addressing anonymity in cryptocurrency transactions related to illicit finance have included 2019 guidance discussing cryptocurrency mixing services and privacy coins, the 2020 designation of Monero privacy coin addresses linked to Russian cybercriminals, and the 2022 sanctioning of the cryptocurrency mixing services Blender.io and Tornado Cash.

Inadequate Compliance Led to Massive Violations

OFAC issued a statement on its settlement with Bittrex describing persistent failures to comply with sanctions regulations from the company’s opening in 2014 through 2017.

Bittrex had no sanctions compliance program for more than a year, then retained a third-party vendor that screened transactions only for hits against OFAC’s SDN List, Treasury noted. Bittrex had Internet protocol (IP) address and physical address information for its customers but did not scrutinize this information for indications that customers or transactions had a nexus to sanctioned jurisdictions until OFAC scrutiny of its sanctions compliance began in 2017.

Bittrex’s compliance deficiencies resulted in the exchange handling over 116,000 transactions valued at over $260 million with entities and individuals located in jurisdictions subject to sanctions, including Iran, Crimea, Syria, Cuba, and Sudan, OFAC noted.

Privacy Coin Transactions Require Risk Management

In a separate consent order, Treasury’s Financial Crimes Enforcement Network (FinCEN) described AML program deficiencies that included failure to implement appropriate policies, procedures, and internal controls to effectively mitigate the risks associated with privacy coins.

Bittrex was aware of the risks of privacy coins but did not fully address their risks, according to FinCEN. Bittrex managed the risks of most of the privacy coins traded on its platform by disabling their privacy-enhancing features, but the exchange did not take any actions to mitigate the risks of privacy coins that did not permit disabling these features.