The cryptocurrency industry has a target on its back – and perhaps justifiably so.  The SEC, CFTC and OFAC have been bringing a number of regulatory enforcement actions, including against Bittrex, Inc. ($24,280,829.20 in settlements with OFAC and FinCEN) and Payward, Inc. d/b/a Kraken ($362,158 settlement with OFAC).  Yet, the cryptocurrency has lots to worry about when it comes to compliance – fraud, cybersecurity, and a strong line up of regulators looking to exert increased control over the industry.  Crypto exchange companies better take heed or they could find themselves in the enforcement cross-hairs.

The latest to fall – Poloniex LLC, a Delaware company that operated an online trading and settlement platform, i.e. a crypto exchange, agreed to pay OFAC $7.591 million for 65,942 violations of multiple sanctions programs.  Between January 2014 and November 2019, Poloniex’s trading platform permitted customers from sanctioned jurisdictions to conduct crypto transactions (i.e. trades, deposits, withdrawals) worth a combined total of $15.335 million.  Poloniex had KYC information and internet protocol address data indicating that customers were located in prohibited jurisdictions for conducting business. Poloniex did not voluntarily disclose the conduct.  OFAC determined that the violations were non-egregious.

Compliance professionals from all industries should take note of the major defect that OFAC identified in Poloniex’s program. Despite implementing controls over the life of the company, Poloniex failed to apply its new controls retroactively.  While the exchange continued to make strides in improving its onboarding KYC program, it never screened old customers through the new procedures.  If they had done so, they would have likely uncovered some of the violations and would have been able to stop them from compounding or would have at least been able to file a voluntary disclosure with OFAC. 

Poloniex’s operations began in 2014 with the offering to customers of an online trading platform.  In May 2015, Poloniex implemented a sanctions compliance program, which provided for review of KYC information for new customers in jurisdictions subject to comprehensive sanctions.  Poloniex did not review its existing customer base.  As a consequence, customers who had self-identified from a residence in a sanctioned jurisdiction were generally able to continue using the Poloniex platform.

In May 2015, Poloniex began monitoring IP address data to detect logins from sanctioned jurisdictions, and conducted additional due diligence on such logins, including contacting the owner of the account and thereafter closed certain accounts.  Poloniex did not block any IP addresses until June 2017.  Poloniex implemented sanctions controls for Crimea only in August 2017.  A number of customers from prohibited jurisdictions continued to use the Poloniex service.

We’ve seen similar issues at other companies, including cryptocurrency businesses.  Specific to cryptocurrency, transaction monitoring and blockchain analytic software can often return a significant number of red flags when initially implemented and turned on.  Companies can often find it overwhelming to handle these retroactive warnings, and instead choose to ignore these warnings and simply focus on any red flags in the future.  However, doing so will likely lead to the same problems facing Poloniex.  Ultimately, receiving warnings and ignoring them, even if they are retroactive warnings, will be an aggravating factor in any potential enforcement action, as it was here.  OFAC will deem these warnings as a “reason to know” that the company is in violation of sanctions regulations. 

In February 2018, Poloniex was acquired by Circle Internet Financial Limited (“Circle”) and Circle implemented additional sanctions controls that significantly reduced the number of violations.  During 2018 and 2019, a number of violations continued to occur involving customers in Crimea.  Poloniex discontinued its operations in 2019  when the platform was sold to another party.

Poloniex’s violations involved 232 separate customers, most of whom were located in Crimea, but also included Cuba, Iran, Sudan and Syria.  OFAC found that Poloniex failed to exercise due caution for its sanctions compliance obligations when it started to operate in 2014 and continued without any compliance program until May 2015.  Even after starting its compliance program, Poloniex did not consistently apply it across the board.  According to OFAC, Ppoloniex had reason to know that customers involved in the violations were located in sanctions jurisdictions.

Also important in the settlement agreement is a reminder that sanctions are a strict liability offense.  OFAC noted that some of the offending transactions were for relatively small amounts, some for less than $1.  And while those small amounts were deemed a mitigating factor, they were still considered a violation regardless.  Therefore, companies should take care to ensure their compliance program is robust. 

As part of its remedial efforts, Poloniex froze various customer accounts until KYC verification was completed; implemented an automated review and verification tool for identity documents; implemented blocking protocol to prevent users from sanctions jurisdictions; closed any accounts that listed Crimea in the profile information; enhanced its identification and blocking of customers associated with Crimea; and enhanced its training program and hired additional compliance personnel. Poloniex provided substantial cooperation.

OFAC warned that the Poloniex enforcement action underscored the need for cryptocurrency firms, like financial service providers – must act to ensure compliance with OFAC sanctions, and implement a tailored, risk-based sanctions compliance program. OFAC has also issued sanctions compliance guidance specifically for cryptocurrency and digital asset companies.