News

Monday’s settlement of sanctions violations by the second-largest cryptocurrency exchange in the U.S. highlights Treasury’s approach of holding virtual asset services to the same standards as banks, including by rewarding them for cooperating, sources told ACAMS moneylaundering.com.

Treasury’s Office of Foreign Assets Control, or OFAC, ordered the New York- and San Francisco-based exchange’s owner, Payward Inc. of Wilmington, Delaware, to pay $362,000 after determining that the platform illegally handled 826 transactions worth $1.7 million combined for parties in Iran from October 2015 to June 2019.

Kraken, which launched in 2011 and now serves more than 9 million customers, prevented individuals from opening accounts directly tied to Iran during the period in question but failed to prevent them from accessing the platform through other countries while still physically located in the Islamic Republic.

The company’s decision to self-disclose the illegal transactions and take corrective measures appears to have paid off Monday, with OFAC describing the breaches as “non-egregious” only and agreeing to settle for a fraction of the maximum statutory penalty of $272 million.

“I think this is good news for crypto … the fine could’ve been enormous,” said Peter Piatetsky, a former policy advisor at OFAC who investigated suspected violations of U.S. sanctions against Iran.

News of the settlement dropped amid an increasingly uncertain outlook for the cryptocurrency industry, which has suffered both reputationally and monetarily from this month’s collapse of FTX, previously the world’s second-largest exchange after Binance. The latest casualty, New Jersey-based BlockFi, filed for bankruptcy Monday.

Kraken separately paid $1.3 million to the Commodity Futures Trading Commission last year for failing to register and for offering to finance customers’ transactions in Bitcoin and other digital assets.

“The intent [of penalties] is to appropriately incentivize [businesses] and make sure people are complying with the law, not to destroy businesses,” said Peter Kucik, a former OFAC sanctions policy advisor now serving as managing director of Mercury Public Affairs in New York.

Kraken’s settlement contrasts sharply with the $24 million penalty OFAC handed out to Bittrex last month for processing payments tied to Iran, Cuba, Sudan, Syria and Russian-occupied Crimea.

The Seattle-area exchange handled a larger number of forbidden transactions than Kraken—roughly $264 million in cryptocurrency altogether—and failed to identify and report them to U.S. officials.

But both actions—Monday’s settlement with Kraken and last month’s penalty against Bittrex—underscore OFAC’s new emphasis on using geolocation technology to identify the origin of transactions—especially those constructed to evade sanctions.

Many bank transactions occur over closed, proprietary networks, but online transactions complicate efforts to verify user locations.

“Now, OFAC is saying, ‘You have the tools and ability to know where someone is that’s interacting with you,'” said Piatetsky, who currently heads Castellum.AI, a public benefit corporation focused on fighting financial crime.

Both actions also align OFAC’s instruction in guidance last year that exchanges use geolocation tools not only to identify and reject sanctions-prohibited accounts, but also to pinpoint individual transactions from off-limits jurisdictions and the use of fake IP addresses to disguise them.

Evaders can spoof IP addresses relatively easily by using proxy servers or virtual private networks, or VPNs, but geolocation software can now identify their true locations by factoring in their GPS coordinates, cell tower data and their local WiFi networks, said Isabella Edmonds, government relations representative for GeoComply in Vancouver, Canada.

“An IP address is one of the ways in which historically companies have been identifying where somebody is coming from,” said Edmonds. “Unfortunately, IP addresses are also very unreliable and inaccurate.”

Banks and other mainstream financial institutions now embed geolocation software on their mobile applications to prevent account takeovers and other fraud schemes. The applications operate similarly to rideshare and weather platforms by requiring access to users’ locational data.

Kraken appears to have arrived at the decision to settle with OFAC amid—or shortly after—the departure of outspoken founder Jesse Powell, who agreed to resign in September after publicly and vociferously objecting to U.S. sanctions policies.

“I don’t think it’s a coincidence,” Piatetsky said.

OFAC stayed silent on Kraken’s management, but the agency uses the quality of a company’s leaders and their commitment to compliance as factors when calculating penalties and settlements, he said.

Kraken also agreed Monday to invest $100,000 in additional compliance-related upgrades and training, strengthen verification of customer identities and nationalities, and exclude individuals who own only a minority or plurality of a corporate account holder’s shares from screening pursuant to OFAC’s “50 percent rule.”

Contact Fred Williams at fwilliams@acams.org