skip to main content

Our team advises U.S. and non-U.S. clients across industries on their most sensitive U.S. economic sanctions and Bank Secrecy Act/anti-money laundering (BSA/AML) issues. With our preeminent regulatory defense and white collar experience, we are uniquely positioned to assist clients in responding to regulator inquiries, examinations and subpoenas; conducting internal investigations; and handling matters that develop into multi-agency civil and criminal investigations. Our practice also encompasses regulatory advice, compliance counseling and transactional due diligence. 

OFAC Enforcement Action Targets U.S.-Incorporated Cryptocurrency Exchange for Apparent Violations of U.S. Sanctions

December 6, 2022 Download PDF

On November 28, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced an approximately $362,158 settlement with Payward, Inc. d/b/a Kraken (“Kraken”), a U.S.-incorporated cryptocurrency exchange.[1] OFAC noted that, as a part of the settlement, Kraken had also agreed to invest an additional $100,000 toward its sanctions compliance controls. According to OFAC, this settlement resolves 826 transactions that were processed by Kraken on behalf of individuals who appear to have been located in Iran at the time of the transactions, in apparent violation of U.S. sanctions. OFAC determined that despite the fact that Kraken maintained an anti-money laundering and sanctions compliance program, which included screening customers’ IP addresses at the time of onboarding to prevent users in comprehensively sanctioned jurisdictions from opening accounts, existing customers of Kraken were nonetheless able to engage in transactions through Kraken while they were located in Iran.

The Kraken settlement and the remedial measures highlighted by OFAC in this action shed further light on OFAC’s expectations with regard to sanctions compliance in the context of the blockchain and cryptocurrency space.[2] This enforcement action also emphasizes the importance of effective sanctions screening not only for designated persons (including those persons on the SDN List), but also for persons located in comprehensively sanctioned jurisdictions—importantly, not only during the onboarding process, but regularly thereafter during the full lifecycle of the commercial relationship with counterparties. This enforcement action is yet another in a number of recent OFAC enforcement actions in which OFAC has faulted companies in the cryptocurrency space[3], a payment processor[4], and an electronic rewards distributor[5] for similar deficiencies in their sanctions screening and IP blocking procedures.

The Apparent Violations

OFAC determined that during the relevant time the apparent violations occurred, Kraken maintained an anti-money laundering and sanctions compliance program, which included the screening of customers at onboarding and daily thereafter against U.S. sanctioned person lists as well as a review of IP address information generated at the time of onboarding of a customer, which was designed to prevent users located in comprehensively sanctioned jurisdictions from opening accounts with Kraken. However, despite these controls, OFAC determined that between approximately October 14, 2015 and June 29, 2019, Kraken processed 826 transactions totaling approximately $1,680,577 on behalf of individuals who appear to have been located in Iran at the time of the transactions. 

OFAC noted that although Kraken maintained controls intended to prevent users located in comprehensively sanctioned jurisdictions from opening an account, at the time the apparent violations occurred, Kraken did not maintain IP address blocking on transactional activity across its platform. According to OFAC, this gap in Kraken’s sanctions compliance procedures resulted in some customers who had established accounts while outside Iran engaging in transactional activity through those accounts while they were apparently located in Iran, despite the IP address data of such customers at the time of the transactions being available to Kraken.

Factors Affecting OFAC’s Penalty Determination

OFAC determined that Kraken voluntarily self-disclosed the apparent violations and that the apparent violations constituted a non-egregious case. According to OFAC, the statutory maximum civil monetary penalty amount for the apparent violations was approximately $272,228,964 and the base penalty amount was approximately $840,288.

OFAC noted as an aggravating factor that Kraken “failed to exercise due caution or care for its sanctions compliance obligations when, knowing it had customers worldwide, it applied its geolocation controls only at the time of onboarding and not with respect to subsequent transactional activity, despite having reason to know based on available IP address information” that these customers appeared to be located in Iran.

OFAC noted several mitigating factors, including that Kraken had not received an OFAC penalty notice or finding of violation in the last five years and that Kraken had voluntarily self-disclosed the apparent violations and cooperated with OFAC’s investigation. OFAC also praised Kraken for taking a number of remedial measures, including:

  • Adding geolocation blocking to prevent clients located in comprehensively sanctioned jurisdictions from accessing their accounts on Kraken’s website;
  • Implementing “multiple blockchain analysis tools” to assist with sanctions monitoring;
  • Investing in additional compliance-related training for its staff, including in blockchain analytics;
  • Hiring a dedicated head of sanctions compliance to direct Kraken’s sanctions compliance program, in addition to hiring other new sanctions compliance staff;
  • Expanding its contract with its existing sanctions screening vendor to add additional screening capabilities to ensure compliance with OFAC’s 50 Percent Rule, including detailed reports on beneficial ownership;
  • Contracting with a vendor that assists with identification and nationality verification by using artificial intelligence tools to detect potential issues with supporting credentials provided by users; and
  • Implementing an automated control to block accounts using cities and postal codes associated with the Crimea region and in the so-called Donetsk and Luhansk People’s Republics.

Implications

The Kraken settlement agreement is yet another in a line of OFAC enforcement actions involving sanctions screening and IP blocking deficiencies in recent years. These recent enforcement actions have made clear that OFAC expects companies doing business online to screen IP address information (both during the onboarding process as well as throughout the lifecycle of the relationship with the counterparty) as well as other information that they may receive during the normal course of business (including, e.g., physical address, email address suffix (e.g., “.ir” for Iran and “.cu” for Cuba), and phone number prefix) to identify potential indicia of the involvement of persons located in comprehensively sanctioned jurisdictions. The Kraken settlement is somewhat unusual, however, in that it also includes an explicit notation of Kraken’s agreement to invest an additional $100,000 in its sanctions compliance controls, which again speaks to OFAC’s focus on the importance of sufficient resources being dedicated to such controls.

The Kraken settlement agreement also is one of several recent enforcement actions where OFAC has praised companies for including place names associated with comprehensively sanctioned jurisdictions (such as the names of cities, regions, ports, and common alternative spellings of the same) in a sanctions filter as a useful means of further detecting the potential involvement of a comprehensively sanctioned jurisdiction.[6] As OFAC noted in the Kraken and other enforcement actions, the inclusion of such place names in a sanctions filter may be particularly helpful in identifying transactions potentially involving the so-called Donetsk and Luhansk People’s Republics in Ukraine as well as the Crimea region. Additionally, these recent settlements show the importance of not only implementing sanctions screening and IP blocking procedures, but also of testing and auditing the implementation of those procedures to ensure that they are working in practice to identify potentially problematic transactions.

We will continue to monitor enforcement actions taken by OFAC and provide further updates as appropriate.

                                                                                                      *              *              *

 

[1]       OFAC, “OFAC Settles with Virtual Currency Exchange Kraken for $362,158.70 Related to Apparent Violations of the Iranian Transactions and Sanctions Regulations,” (Nov. 28, 2022), available here.

[2]       See also Paul, Weiss, “New OFAC Guidance for the Cryptocurrency Industry Highlights Increased Regulatory Focus,” (Oct. 25, 2021), available here.

[3]       See OFAC, “OFAC Enters into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions,” (Dec. 30, 2020), available here; OFAC, “OFAC Enters into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions,” (Feb. 18, 2021), available here.  These actions were discussed in our year in review memorandum, available here.

[4]       See Paul, Weiss, “OFAC Enforcement Action against U.S. Payments Company Shows the Importance of Robust Sanctioned Person and Location Screening,” (Aug. 13, 2021), available here.

[5]       See Paul, Weiss, “OFAC Enforcement Action Again Highlights the Importance of IP Address Blocking; OFAC Also Issues Guidance for Instant Payments Industry,” (Oct. 6, 2022), available here.

[6]       See, e.g., OFAC, “OFAC Settles with Amazon.com, Inc. with Respect to Potential Civil Liability for Apparent Violations of Multiple Sanctions Programs,” (Jul. 8, 2020), available here (where OFAC determined a screening filter did not flag transactions involving, among other things, cities in Crimea or alternate spellings of Crimea such as “Krimea”).

© 2024 Paul, Weiss, Rifkind, Wharton & Garrison LLP

Privacy Policy