This Week in AML

AML Compliance for Start-ups – Bittrex

This week the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) issued enforcement actions against Bittrex, Inc., a virtual currency exchange. John and Elliot discuss the details of the two actions, including the general AML program failures and ineffective sanctions compliance efforts. They also talk about how other financial service providers can use the orders to check the status of their own sanctions and AML compliance programs.



AML Compliance for Start-ups – Bittrex TRANSCRIPT


Elliot Berman: Hi, John. How are you today? 

John Byrne: I'm good, Elliot. How are you doing?

Elliot Berman: I'm good too. We're having a nice fall day here in Milwaukee. It rains, then it gets sunny, then it rains, and then it gets sunny, which is pretty much our normal weather. 

John Byrne: Yeah, that's true.

Elliot Berman: I'm assuming you saw that OFAC and FinCEN together issued enforcement actions against a company called Bittrex Inc. Which they run a virtual currency exchange and wallets and a trading platform. 

John Byrne: Yeah, and I did see it, and a couple of things come to mind. One is there's been a lot of coverage in the trade press and certainly the regular press about cryptocurrency and all the related risks and benefits and what have you. I think this particular enforcement action does a couple of things. It shows something that I think is changing, but we certainly saw it early on, which is the failure of some of these exchangers to hire people with AML experience. Again, I believe they're doing it now, and the activity that they looked at ended in December, I believe in December 2018. So it's been a few years, but I think early on there was certainly a reticence to deal with compliance in our space. You know, as opposed to the way it's handled in traditional banks. So I think some, some of the enforcement actions that were called out in the order certainly reflect that.

Elliot Berman: Yes. And I think there have been other, not necessarily exchanges, but other startup startups in the financial services area where it was reasonably clear that focus on compliance at the beginning of the business was totally missing. Sometimes I think there was a sort of surprise.

It's like, well, no, no, no we're just providing software. You know, we're not really operating a financial services business. So we're not subject to any of that. These orders make it clear that you need to be thinking about compliance from day one in the same way that a traditional bank would have to.

John Byrne: Right. I'm gonna see what you know about the OFAC part of this, but on the on the FinCEN part, a couple of things that are so dramatic. One is sort of the broader comment that they failed to maintain in an effective program. And if you look at who they put in the role and that sort of thing, that is not consistent, similar, or not always happening in the traditional banks.

We've had traditional banks called out for not putting the right people in roles, but the one that really jumped out at me was they failed to file any suspicious activity reports between February of 2014 and May of 2017, 3 years. And they also didn't file SARS on a significant number of transactions that they mentioned on sanction jurisdictions.

But the fact that there were no SARS filed at all, there's absolutely no way if you are an employee for that organization that you don't realize that.

And you and I talked before we started this conversation about the fact that there is a reference in the FinCEN order that the IRS being the examination agency for MSBs, gave notice of an onsite examination.

And before they were able to arrive at the scheduled meeting, suddenly 119 SARS got filed. And it's sort of like, I don't know whether they were running around going, "do we have some SARS around here?" Or whether, you know, they suddenly decided, oh, maybe we do have some transactions that we should report. But I don't mean to laugh about these things, but it was almost comedic, that timing. 

John Byrne: Oh, you mean, you mean the boxes of documents that we failed to give to the Justice Department. Where have I heard that before?  

Elliot Berman: You know, it's a theme. So as you mentioned, there were two orders. There was the FinCEN order, which was, I generally think, a civil money penalty order and a program failure challenge for the company. And there was also an OFAC order. Apparent violations of multiple sanction programs. So, early on, they were doing some basic screening against the SDN list, but they were doing no screening for sanctioned jurisdictions.

And so using IP addresses and related physical addresses. OFAC was able to identify many transactions that were done with counterparties in sanctioned countries. I tried to add up the number of specific transactional violations, and I think it's a hundred, about 120,000. But my arithmetic might have been wrong, or I might not have understood what OFAC was trying to say.

They were talking about the total fine, which I think is north of $24 million. Essentially, there was some crediting of one fine against the other and then a settlement to get to a net number. But it's, I mean, that's real money. Even, you know, unless you're making trillions of dollars, that's real money and way more than it would've cost to put good compliance in the beginning. 

John Byrne: No, that's true. And, if you're sitting here listening and you are a traditional bank and thinking, oh, I can't really learn anything from this. If you look at the enforcement factors in the consent order from FinCEN, they list the relevant factors to look at the dollar amount and the size of the penalty.

And I think those are always important to reference, and one is the nature and seriousness of the violations. We've already sort of referenced that, including the extent of possible harm to the public. So obviously, they believe it's important because of the high-risk nature of the transaction's pervasiveness of wrongdoing within the institution.

And as I already mentioned, they had put the, well, I didn't say whom, but the chief executive officer became the AML compliance officer, which in no world makes any sense. And they say the appointment was not commensurate with their risk profile, and they didn't do an adequate risk assessment. They also said financial gain or other benefit resulting for the violation.

This is interesting they increased their revenue and grew their business without investing in appropriate resources, tools, and personnel to maintain an effective program. The financial benefit resulting from the violations was more limited after the opening of new customer accounts in 2017, and dedicated more resources to their compliance.

Also, the presence or absence of prompt effective action to terminate the violations. They did hire in late 2017 a qualified AML compliance officer. But they did that fairly late in the game. And then the quality and extent of cooperation with FinCEN and other relevant agencies. This was sort of a positive, I suppose. They said they'd been responsive to requests for information throughout the course of the IRS FinCEN investigation. They waived any defense related to the statute of limitations. So I think this is a good point for anybody that's in a consent order situation, you have to cooperate, and if you don't, it's gonna be certainly correctly held against you. So those are all the items that went into the decision for FinCEN.

Part of this, and then obviously, you've already referenced what OFAC did. I think it's also important to note that the acting director said a few things in the statement released with this, that the key is that their failures created exposure to high-risk counterparties, including sanctions jurisdictions.

We've talked about dark net markets and ransomware attackers, which is interesting given the history of this organization. I think you mentioned to me the people were cybersecurity experts, at least in that field. Das also ends this statement by saying they won't hesitate to act when it identifies willful violations of the BSA, which I think it's pretty clear.

FinCEN does that for a whole host of financial institutions. But it's important to recognize this nascent industry. And it looks to me like I said, they did cooperate. They have put people in roles now. They have made those adjustments. They have added those resources. They still got the fine. But this, I think, is a good document to look at, to sort of figure out a map. Are you your institution or your client's institution doing the right things?  

Elliot Berman: Yeah, I agree with you. The OFAC order has aggravating and mitigating factors in terms of penalty calculation, and the mitigating factors are a nice roadmap for responding.

You've talked about some of them cooperating, but at, you know, actually once, once the problems are surfaced by the regulators to really start, take proactive efforts to correct. Improve not just standing with your hands on your hips and trying to hold your breath. That's never an effective strategy.

So I'm not gonna read them cuz they go on for most of a page. But if you take a look at the OFAC order, which you can find on the Treasury Department website on page three, there's a long list of mitigating factors of what the company did promptly. The last item in the OFAC order that caught my eye is that OFAC again encourages a risk-based approach, and we've talked about that in the industry for many years.

But they do enumerate five things that should be what they call at least five essential components of compliance. So this is the stuff you ought to be doing. Management commitment, we've certainly talked about that over the years. Risk assessment, internal controls, testing, and auditing and training.

Now, those are similar but not in any way identical to the requirements for an effective AML compliance program. If you're an FI or an MSB. But it's interesting to see OFAC enumerate, you know, here's the, at the highest level, here are the things you ought to be able to put in place and point to that are guiding how you're complying with or dealing with the challenge of complying with sanction programs.

John Byrne: All right. Well, Elliot, everybody should take a look at both orders and map them to your institution. Use it as a training tool. Just wanna remind folks October 27th at one o'clock Eastern Time, we are going to be doing the October AML voices, and this is gonna be on AMLA. 

Obviously, there's still a lot to be done with Amla, but the beneficial owner regulation is now out. The FinCEN acting director has talked about that and some of the other items that they're working on. We're gonna have a conversation with Megan Hodges from Ally and Daniel Stipano from Davis Polk. So if things are released between now and the 27th, we'll clearly cover those as well. Looking for people to join us then and send us your questions. 

Elliot Berman: Yes, and you can register at our website. And we'd encourage you to do that. And we will link to the OFAC order in the posting on our website of today's episode of This Week in AML. John, enjoy your time in Hilton Head and drive safely on your way home.

John Byrne: Take care, Elliot. Enjoy the rest of your week.

Elliot Berman: You too. Bye.