Kraken Coughs Up $362,158 to OFAC to Settle Iran Sanctions Violations
Cryptocurrency companies are in trouble. Regulators are bearing down on crypto companies with the Eye of Sauron – pulling the crypto companies into their jurisdiction, prosecuting fraud cases, and aggressively prosecuting companies for sanctions and anti-money laundering violations. One by one you can bet that crypto companies will be in the enforcement headlines. As they fall, policy makers can point to their continuing excesses as the basis for robust regulation.
Crypto companies, however, appear to be ignoring these trends, somehow believing they will escape the enforcement knife. With all of the scandals piling up, investors are losing more money, and complaints from investors will ultimately result in a comprehensive regulated framework. The only real questions remaining are how quickly this regulatory regime will be implemented and how broad a scope will be imposed.
Kraken failed to implement basic compliance tools, including an automated internet protocol (IP) address blocking system. As a result, Kraken exported services to users who appeared to be in Iran when they completed virtual currency transactions. Kraken voluntarily disclosed the conduct to OFAC.
Kraken began operations in 2011 and initiated public trading in 2013. Users can buy, sell, trade or hold cryptocurrencies, and trade fiat currency for cryptocurrencies. Kraken maintained an AML and sanctions compliance program, which included basic screening of customers when onboarded and daily thereafter, as well as review of IP address information generated at the time of onboarding. Notwithstanding these controls, between October 2015 and June 2019, Kraken mistakenly processed 826 transactions, totaling $1,680,577 on behalf of individuals who appeared to be located in Iran at the time of the transactions.
Kraken had a large gap in its screening regime – it screened customers when they were onboarded, but it did not implement IP address blocking on transactional activity involving existing customers.
Kraken’s IP address data revealed that customers who set up accounts outside of sanctioned jurisdictions appear to have accessed their accounts and conducted transactions later from a sanctioned jurisdiction.
After identifying the problem, Kraken implemented automated blocking for IP addresses linked to sanctioned jurisdictions. To further its compliance efforts, Kraken also implemented multiple blockchain analytics tools to enhance its monitoring program.
As noted in its penalty calculations section, Kraken was credited for voluntarily disclosing the matter, and for agreeing to invest an additional $100,000 in its compliance program, including training and technical enhancements to improve sanctions screening.
OFAC stated that Kraken failed to exercise due caution or care for its sanctions compliance obligations when, knowing that its customer base was global, it limited its geolocation controls to the onboarding of customers and failed to apply these controls to subsequent transactions. This failure was compounded by the fact that Kraken had reason to know, based on its IP address data, that transactions were being conducted from Iran.
Kraken fully cooperated with the OFAC investigation of this matter and implemented significant remediation, including: (a) adding geolocation blocking to prevent clients in prohibited locations from accessing their accounts on Kraken’s website; (b) implementing multiple blockchain analysis tools to assist with sanctions monitoring; (c) investing in additional compliance-related training for its staff, including in blockchain analytics; (d) hiring a dedicated head of sanctions to direct Kraken’s sanctions compliance program, in addition to hiring new sanctions compliance staff; (e) expanding its contract with its current screening provider to add additional screening capabilities to ensure compliance with OFAC’s “50 Percent Rule,” including detailed reports on beneficial ownership; (f) contracting with a vendor that assists with identification and nationality verification by using artificial intelligence tools to detect potential issues with supporting credentials provided by users; and (g) implementing an automated control to block accounts using cities and postal codes associated with the Crimea region and in the so-called Donetsk and Luhansk People’s Republics of Ukraine.
OFAC noted that under its Sanctions Compliance Guidance for the Virtual Currency Industry, OFAC strongly encourages a risk-based approach to sanctions compliance. An adequate sanctions compliance program for cryptocurrency companies will depend on a variety of factors, including the type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served. It also should be predicated on and incorporate at least five essential components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
OFAC stated that this enforcement action underscored the importance of using geolocation tools, including IP blocking and other location verification tools, to identify and prevent users located in sanctioned jurisdictions from engaging in prohibited virtual currency-related transactions. In particular, OFAC noted that limiting the use of such controls only to the time of account opening — and not throughout the lifetime of the account or with respect to subsequent transactions — could present sanctions risks to virtual currency-related companies. This case also demonstrates the value of a company implementing robust remedial measures after becoming aware of a potential sanctions issue, including the deployment of blockchain analysis tools and compliance-related training on blockchain analytics, as well as committing to future sanctions compliance investments.