Corruption, Crime & Compliance

Episode 23 · 3 weeks ago

Matt Stankiewicz on the Bittrex OFAC and FinCEN Enforcement Action

ABOUT THIS EPISODE

In this episode, cryptocurrency expert Matt Stankiewicz discusses why sanctions and AML compliance need to be taken seriously in the cryptocurrency industry.

Matt Stankiewicz, a Partner at Volkov Law, is a leading industry expert on cryptocurrency. Bittrex, a leading cryptocurrency exchange, suffered twin enforcement actions for AML and Sanctions Compliance deficiencies. Matt takes a deep dive on the enforcement actions and outlines practical compliance steps that every cryptocurrency exchange should implement.

Join us as we discuss:

  • The enforcement action on Bittrex led by OFAC and FinCEN
  • Why compliance risks are increasing in the cryptocurrency industry
  • Practical steps that all cryptocurrency exchanges should implement 

To reach Matt email him at: mstankiewicz@volkovlaw.com

Well, I'm really happy to have Matt Stankiewicz here from our firm. We call him Mr. Cryptocurrency. Matt, glad you could join us. There's been a big enforcement action and there's nobody better to talk to than you about the Bittrex enforcement action. And the weird thing to me, Matt, is FinCEN did a consent order and OFAC did a settlement. But why don't you, first off, welcome, and always good to have you on the podcast because we get good numbers when you show up and start talking about cryptocurrency. But tell us about, sort of outline, the enforcement actions. Yeah, thanks for the introduction, and it's always good to be here. You know, I love my cryptocurrency and the whole industry. You must have lost some money in the recent tanking of the market, but who knows, it'll come back, right? The market has been hurt. That's why I haven't retired yet. So you should consider yourself forced. That's right. That keeps you working longer, that's what we need, right, right. But yeah, this recent enforcement action has been pretty interesting, and one of the things I find the most fascinating about it is just the, we were talking about this a little bit offline, is how fast the cryptocurrency industry moves. And at this point some of these activities and events seem ancient in the history of cryptocurrency. This is almost two market cycles ago at this point, but it does highlight the importance of sanctions compliance and, you know, how these regulators are now beginning to catch up. So thousand violations over a four year period, three year period, excuse me, between March and December. Basically, individuals from a variety of prohibited jurisdictions were using Bittrex to be transacting cryptocurrency, and Bittrex being based in Washington. To keep in mind, and AML, it's funny because the conduct is all the way back to seen. But why don't you go ahead, sort of summarize, what did they do? First, what did FinCEN do?

And then what did OFAC? Yeah. So these two investigations ran parallel to each other. A lot of the violations tended to overlap. So we'll start with OFAC first. So OFAC on the sanctions side found that there were just over a hundred and sixteen, the state of Washington in the US were subject to these sanctions programs. So these violations included violations of the Crimea sanctions program, the Cuban sanctions program, the Iranian one, the Sudanese sanctions program, and the Syrian sanctions program. So these were, like I said, over a hundred and sixteen thousand transactions, the total value of which was over two hundred and sixty million dollars, and OFAC determined that these were pretty, pretty substantial, pretty pervasive, and just kind of a mess. We'll get into a little bit of what was going on there behind the scenes on how this could occur. Before we do that, just jump to FinCEN real quick. So FinCEN found, you know, violations stemming from February through December. During this time period, Bittrex had a very, very weak AML program. Even that might be giving them a little more credit than they deserved during this time frame, but it was, you know, it's pretty ridiculous. Again, we'll get into some of what they were doing behind the scenes, but during this time period they had, you know, they were processing on average twenty thousand transactions per day, and they had a very barebones, skeleton compliance staff behind the scenes. And throughout the first three years of this time period here they did not file a single suspicious activity report, no SARs during this entire thing. Currency, so you know that some people are going to try to use this, particularly if they're not, you know, engaging in KYC, if they're not doing, you know, compliance with their, they don't have an AML program. Yeah, and then back up one second, Matt, you don't explain, like, so Bittrex was like a marketplace, but they also, uh, I'm looking at it, they hosted digital wallet services for storing and transferring CVCs, but they also exchanged currency, so I mean cryptocurrency, so I could sell my bitcoin on the exchange there, or Ether or whatever. Yeah, they were a cryptocurrency exchange, so, you know, the most well known competitor for them is Coinbase. They do a lot of similar things that Coinbase did at the time. So if you wanted to buy bitcoin, Bittrex was one of the perfect places to do that, I believe, at the time. They did have an on-ramp for fiat currency, meaning you could, you know, connect your bank account and buy bitcoin with just, you know, US dollars. One of the few exchanges that could do that at the time. So it was rather popular back in this time period. They struggled a bit since, but Bittrex during this period was one of the most well known exchanges and extremely popular both in the US and around the globe. Yeah, you could buy bitcoin, you could buy Ether, you could buy, I think there were two hundred and sixty different coins listed during this time period, which was pretty robust. Most exchanges during this time period listed a handful, but if you wanted some obscure coins, and especially some of the privacy focused coins, you would go to Bittrex for that. And that's also partially how they got into trouble. So did they have more cryptocurrencies than Coinbase at the time?
Yes. And as, you know, somewhat of a cryptocurrency veteran, I used Bittrex at the time to buy certain cryptocurrencies that I could not get anywhere else. So I was a pretty active user on it during the time frame, and that's why, that's why I can say I know it was pretty popular back then, so it's not surprising to see that they did have some issues at that time. Keep in mind too that, you know, during this time frame the cryptocurrency industry was basically the Wild West. I mean, basically anything went and compliance was a complete afterthought. So again, we will probably see more. But it was a money service business as defined under, you know, BSA regulations, so they had to have an AML program, particularly when they're selling in the United States, we are operating. That's correct. They were required to have one, and it appears that they were not really aware of that until that October. At that time, at that time, the IRS reached out to them wanting information about their BSA program, and Bittrex apparently did not have much in place at that time. So we saw a flurry of activity from them shortly after that. And in fact, again like we said, they had filed no SARs up to that point, and then that first month after receiving that subpoena from the IRS, they filed a hundred nineteen. Yeah, that's immediate. Yeah, that's so. Wait, they paid OFAC what, twenty four million, and then they paid like around the same amount to FinCEN, and I don't know if they credited one against the other. They did. OFAC's fine was twenty four million dollars. FinCEN's fine was twenty nine million, but credited against OFAC's fine. So I believe in total they million dollars. So what kind of, going back, like, what kind of compliance program did they have? What kind of controls? I mean, like, what did they do, if you know? Yeah, so let's go back to the sanctions side of things first. At that point, again, very limited sanctions compliance program. They were aware of sanctions at that point. OFAC did note that in one of their policies that they did note that they must comply with sanctions, but that was about the extent of the policy, just a quick reference, one line or two, and it may have been a code of conduct or whatever it may have been. They did have a screening vendor in place on February, that's when they first implemented it. However, they only screened the customer names against the relevant sanctions list, the SDN list. Essentially, what they failed to do, yeah, what the big gap was, go ahead. What they failed to do, which is what got them into all this trouble, is that they did not screen for prohibited jurisdictions. So all of those sanctions programs that I mentioned earlier, the Crimea sanctions program, Cuban, Iranian, all those basically prohibited transactions with any individual in that region, in that jurisdiction. So this is more than just the SDN list. These would be customers that would not pop up, that would not, you know, return a match against the SDN list, but still otherwise prohibited under the sanctions regulations. And funny story. Yeah, we've helped clients with this issue where it's the screening of the IP address as coming from specific countries and, what do you call it, geolocation or whatever, it's called geo blocking. Geo blocking, and they did not have geo blocking. You're telling me none of that? None of that. And, you know, looking back at the records, they found that yes, several IP addresses came from these sanctioned jurisdictions, you know, which is, which is kind of funny because yes, OFAC is now highlighting geo blocking.

For the last couple of years, it's been a very integral tool for virtually any Internet company, which is now almost any company. Yet, you know, in these days, one of the challenges that a lot of these companies have, though, is, you know, the use of VPNs and other ways to spoof IP addresses. That said, customers didn't even need to use VPNs with Bittrex; Bittrex just wasn't checking at all. And then, so there's an example in the settlement agreement or the settlement summary about what this led to, and tell our listeners what happened with that. Yeah, really funny story. And the settlement agreement did highlight one of the key areas where, you know, there was a pretty significant compliance failure on Bittrex's part. Unfortunately, one customer signed up noting that he was an Iranian citizen, using an Iranian address as an address verification, and submitted an Iranian passport to confirm his identity. So Bittrex had both the knowledge that he was physically located in Iran and was a citizen of Iran based on his passport, and no one caught that, nothing picked that up in their systems, and he was verified and free to transact within, you know, a couple of days, I imagine. So really, you know, it's kind of funny, kind of sad at the same time, because that should have been an obvious, that should have been an obvious one, right? Screened them through the SDN list, he wasn't an SDN, but yeah, but he was from the country, a prohibited country, and they let him go through. Right, that's crazy, right. Yeah, you know, honestly, during this time frame, this is not really too surprising.

Unfortunately, for the cryptocurrency industry, we've seen this with, you know, with other companies that, you know, we've even worked with, where they just don't have the proper process in place, which is unfortunate because this industry especially has a lot of technical solutions that they can tap into that they've just not been using yet to this point. And this was, so this is like back to twenty seventeen, right? Then I noted some of the remedial measures they took included putting in, you know, sanctions screening, geolocation, you know, blocking, that was one of them. If we could just, if we could just shift to the AML side real quick, just some of the other problems that they had there. Um, while we cover, you know, both in parallel like this, FinCEN did note that some of the sanctions violations did overlap with their regulations. I mean, those should have been, since, you know, they should have filed SARs based on those alone. In many cases, sanctions violations can constitute suspicious activity as contemplated by the AML regulations. In addition to that, they also were known to have direct connections with various illicit activity, including Bittrex was used rather substantially for access to darknet marketplaces. So this could be Silk Road or all those different hacker havens that you read about in the news where people are trading stolen data, private information, illegal drugs, child pornography, unfortunately, ransomware, and all these other kinds of illegal activities that are otherwise prohibited. So these transactions were occurring with these marketplaces, and Bittrex never did anything about those. Hard to know whether or not they were aware. It's possible they were not, because they did not have those capabilities at the time, but if they were, they were, you know, at the very least, burying their heads in the sand over it. So big issue there. And they had a couple of things I wanted to note.
In sixteen, apparently Bittrex averaged eleven thousand transactions per day with a daily value of approximately one point five four million. But the next year, hey, we're up to an average of twenty three thousand, eight hundred transactions per day with a daily value of close to a hundred million dollars, ninety seven point nine. And during that time frame, their transaction monitoring consisted of two people reviewing spreadsheets manually each day. So if you think about this, it would be spreadsheets of transactions, right? Spreadsheets, Excel spreadsheets, and two people going through those per day. So you think of eleven thousand transactions at, at its, you know, at its trough, at its lowest point, eleven thousand transactions per day, and you have two people going through those trying to identify, identify what, right? They apparently had minimal training, it was only their part time responsibility, so this wasn't even, they weren't even reviewing those spreadsheets full time. And it's easy to see why things, things were missed, and apparently it wasn't until April when they hired additional employees to help the two existing employees. But, you know, Bittrex must have been making really a lot of money at this point in time, and they couldn't hire, you know, they couldn't have more resources available for compliance. I mean, yeah, and, and that's the thing. It's, you know, it's pretty disappointing to see, but also not too surprising. Like I said, this was the Wild West and cryptocurrency was the most, it was, it was a past bull market. We've seen these crazy cycles in cryptocurrency where the price spikes and the activity spikes, and twenty seventeen was one of those time periods, so it was hard to predict when that was gonna come, so they were not ready when it hit. But most disappointing is that even once it was, you know, even once it was there and they were making money hand over fist, they still did not prioritize compliance, and FinCEN noted that it arguably gave them a competitive advantage because they were not investing their resources into compliance, so they were able to keep doing transactions with Iran and, you know, these darknet marketplaces and, you know, profiting off all of those. Right. So then the other thing that's interesting to me is that they kept going even after seen they started to build a program, but it doesn't even sound like their AML program was fully remediated, you know, eighteen. It just, they still had weaknesses in the program. Yeah. Seen, they received a notice from the IRS. The IRS were asking questions about their AML BSA program, and that's when Bittrex really realized, we don't really have one. We've not really been focusing on this, and, you know, the funny example from there is that, you know, up to that point, they filed virtually no SARs, no suspicious activity reports at all, and then they received that notice from the IRS and then that first month they filed nineteen. So yeah, clearly this is what had been going on for a while and they only just started taking it seriously at that point. How do you think, Matt, they didn't voluntarily disclose? I know, I noticed that, so they started, it was only after the IRS served the subpoena on them. Was Bittrex that well known in the marketplace, that maybe the IRS noticed that they hadn't filed any SARs and that they were a big player, and that's what got the IRS interested in them? I think that's probably a piece of it. I imagine the other piece is that they probably began to report some substantial earnings, and at that point, I imagine the IRS noted, you know, truly noticed, like, hey, they're an MSB.

They should have these programs in place, and we need to figure out, you know, whether or not they do. Um, they hadn't filed any SARs, you know, up to the, right, so to me, you know, like, if Coinbase was operating at this time, don't you think Coinbase was probably filing SARs at this time? I have to imagine they were. I don't know for certain, obviously, but Coinbase has had a pretty good reputation for their compliance. You know, they've, they've obviously not been perfect, and it's hard to expect any cryptocurrency company at this point would be, but they do have a pretty good reputation. Bittrex here unfortunately, you know, fell below that. I imagine other exchanges did as well. And, you know, we've seen some high level, you know, reports that investigations are occurring elsewhere. And I won't necessarily name any other companies yet, but it's not surprising that regulators are now really starting to take this more seriously and are looking around to see, you know, see where their companies are already compliant with both sanctions and AML regulations. You expect more enforcement actions on AML and sanctions against other cryptocurrency exchanges? Without a doubt. You know, like I mentioned earlier in the podcast, in our discussion, we, um, these events go back to seventeen and even a little bit before that, and like I said, that feels like, that feels like generations ago in cryptocurrency. You know, the speed at which the industry moves is staggering, and all with compliance in the back seat. You know, no one's really been focusing on it until, you know, very, very recently, so regulators are only beginning to catch up. These investigations take time. You know, you can see that the IRS began sniffing around in, and it took almost five years for this enforcement action to come out. So I would expect a significant number of enforcement actions to occur over the next couple of years. If you're in, you know, well, there's two questions. One is, I have a technical question. In the remediation section for OFAC, they mentioned a blockchain tracing program, and do you know how that operates, or what does that allow you to do when you're operating one of these marketplaces? Yeah. So, so first thing that we should note, to give Bittrex some credit here, is that they did receive, it was a significant mitigating factor in their enforcement action, is that, yeah, they were very slow to implement things early on, but they have gone above and beyond what was expected of them. They have done a very good job of now implementing a substantially better compliance program, so they do deserve credit for that. But yes, one of the reasons why they received that credit is because they did implement a very robust transaction monitoring service, and if I recall, they implemented more than one. And that's the benefit of the cryptocurrency industry, and what more, more companies should take a look at and should, should rely on, is that they do have these. The nature of the blockchain for most of these cryptocurrencies is that it is public, right? The blockchain is usually known as a public ledger. So because of that, you can access that publicly available data and trace transactions several steps back and several steps forward. So at this point, a lot of these companies, and I'll name one, though I'm not necessarily recommending one over another, Chainalysis has been one of the most famous ones.
They also now have a database of different wallet addresses that, even though they may be anonymous or pseudonymous, they still know those addresses are associated with sanctioned individuals, darknet marketplaces, hackers or ransomware activity, and they can alert you as these transactions are occurring, saying hey, your customer here is engaging with one of these bad actors. You know, this is a major red flag for your compliance program. This could be a violation of, you know, AML regulations, take a look at this. So you can get that data in real time, and then further, you can see if transactions are coming from one of these places. So if someone running a darknet marketplace or, you know, selling drugs over the internet on Silk Road is receiving funds in, you know, bitcoin or some other cryptocurrency, they may try and wash those trades through different wallets before coming to your exchange. Now, if you're dealing with cash, you'd never be able to trace that. But because of the public ledger, you can see the full path of where these, where these funds came from. And these transaction monitoring softwares can alert you to those kinds of risks. So they actually are very robust and give, give compliance officers a whole new set of tools to help comply with these regulations. Well, one of the things I was really surprised about in the Colonial Pipeline case was how they were able to trace some of the ransom payment and recover it, and, you know, that was because they tracked it down. I think, as I recall, they recovered about eight million. I may be wrong on that, but I was surprised by that, that they did recover it. And I was surprised by that too, because it is very hard to recover cryptocurrency. So I'm not sure if the reasons, how, the ways they were able to recover it ever became public, and I'd be curious to know, because, well, I'm sure they don't want to reveal their secrets, but that was an interesting wrinkle in that game. But yeah, that's, yeah. So if you're, let's say you're helping out, I mean, you're, and we do have situations where we have assisted cryptocurrency market clients. What do you, what do you recommend to them? How do they get started? And it's clear that they need to have a robust, effective AML program and sanctions compliance program. Yeah, it's a nuanced issue for cryptocurrency companies, especially because on the one hand, they do have a lot of tools they can access that, you know, other MSBs may not necessarily have access to. But they do have their own unique set of challenges though as well. You know, at the end of the day, you need to start at the top, right? You need to make sure that the company, the CEO, the board of directors is embracing compliance, because if they don't do that, the program is screwed from the beginning. That's really, that's really the key piece. From there, and then once you, once you develop that, build out the compliance program. Hire a professional that understands what needs to be done in this area. Outside counsel can help. Certainly we've done that for several companies to this point, but a lot of them will hire their own dedicated compliance officer, um, sanctions officer, chief compliance officer. You know, all these are contemplated by the best practices from government guidance. Make sure you have the staff in place, make sure you have resources and they're properly funded. Like we talked about, Bittrex got into trouble because they had two people doing transaction monitoring, monitoring part time, and they were dealing with, you know, ten thousand, twenty thousand transactions a day. That just, you know, wasn't enough manpower to do that manual process. Well, it seems to me like the biggest challenges, assuming you have the support, the resources, is always going to be your risk assessment, and then it's gonna be monitoring this large number of transactions.

And I mean, those just seem like really difficult issues, and you need technology and you need capable people who know what they're doing. Right, right, that's okay. Some of the other things that the regulators gave Bittrex credit for: developing the policies and procedures that they needed. Um, they got the transaction monitoring in place, which, which we've already talked about. I mean, that really is a key that can cover a lot of gaps in the program. Well, you don't want to have those gaps in the first place. You know, the transaction monitoring can save you if those, if those are there while you work through some of those. You know, Bittrex went under several independent audits, so they were engaging outside experts to take a holistic, independent look at the program, which is key. Sometimes when you're so focused on your own program, you can lose sight of where some of your gaps may be. You're so focused on fixing certain issues, other issues may be going unaddressed. So having someone else step in and take a look, as you know, is really key. Specialized compliance training. You know, you want to make sure your staff is properly trained. And that was one of the issues with Bittrex. You know, the two staff that were doing the transaction monitoring, right, never even got any training on what to look for. So, you know, they're giving them, giving them these Excel spreadsheets to pore through and, you know, it didn't even seem like they, you know, were aware of what they needed to keep an eye out for. So, um, all right, Matt, well, listen, thank you so much for spending time with us today. If somebody wants to reach you, to get in contact with you to clean up their cryptocurrency situation, how do they get in touch with you? What's the best way to reach you? Yeah, and if you have any questions on this, please feel free to reach out. I love talking cryptocurrency and compliance, so I'm, gotta, gotta reach out. Yeah. Yeah, and especially because, like I said, I think you're going to see more enforcement actions in the coming years. The industry is only beginning to catch up. Like I said, these events stemmed from before the prior cycle, and we just had a crazy cycle in one that, you know, we're going to see some major enforcement actions from, you know, down the line as well. But yeah, please feel free to reach out. You can email me at mstankiewicz@volkovlaw.com. We'll have my email in the show notes, but please feel free to reach out at any time. I'm happy to discuss. All right, thanks Matt, appreciate it. We'll get you back hopefully. You know, there's a lot of crypto issues going on and we need to get you back on to talk about some of the other issues going on with crypto these days. It's a busy time, so thanks again for joining us. Yep, thanks Mike. Thanks again for listening to Corruption, Crime and Compliance. Please subscribe to the podcast series. The Volkov Law Group believes that every company should have a robust ethics and compliance program. Experience and research show that ethical companies are better performers in the global marketplace. You can learn more about the legal and compliance services we offer at our website, www.volkovlaw.com. You can also follow our award winning blog, Corruption, Crime and Compliance, and our podcast series. You can contact Michael Volkov at his email address, mvolkov@volkovlaw.com.
