• Bittrex’s AML programme and Suspicious Activity Report (SAR) reporting failures exposed the US financial system to threat actors
• According to FinCEN’s investigation, Bittrex failed to maintain an effective AML programme from February 2014 to December 2018

Earlier this month, the Financial Crimes Enforcement Network (FinCEN) announced  a $29 million enforcement action against Bittrex for violations of the Bank Secrecy Act (BSA).

Bittrex’s AML programme and Suspicious Activity Report (SAR) reporting failures exposed the US financial system to threat actors. Failures at Bittrex exposed users to high-risk counterparties such as sanctioned jurisdictions, darknet markets, and ransomware attackers. Virtual asset service providers must implement robust risk-based compliance programmes and meet their BSA reporting requirements.

Bittrex owned and operated the “Bittrex” convertible virtual currency (CVC) trading platform. The platform, which included a hosted digital wallet service for storing and transferring CVCs, was primarily operated from offices in Bellevue, Washington.

Bittrex also functioned as a “exchanger” for over 250 different CVCs4 such as bitcoin, ether, monero, zcash, and dash.  During the Relevant Time Period, Bittrex facilitated nearly 546 million trades on its platform in the United States and at times averaged over 20,000 transactions (deposits and withdrawals) through its hosted wallets daily, including transactions involving over $17 billion in bitcoin.

According to FinCEN’s investigation, Bittrex failed to maintain an effective AML programme from February 2014 to December 2018. The Bittrex programme failed to address the risks associated with the products and services it provided, including anonymity-enhanced cryptocurrencies.

Bittrex opened hundreds of accounts on behalf of individuals in countries subject to comprehensive OFAC sanctions programmes, including Iran, Syria, and Ukraine’s Crimea region including transactions with entities and individuals operating openly from OFAC-sanctioned jurisdictions such as Iran, Cuba, Sudan, Syria, and Ukraine’s Crimea region.

The suspicious transactions involved a variety of illegal activities, including direct transactions with online darknet marketplaces such as AlphaBay, Agora, and Silk Road 2. These markets are used to buy and sell illegal drugs, stolen identification data, and child pornography. During the relevant time period, the company also failed to detect, investigate, and report transactions related to ransomware attacks against individuals and small businesses in the United States.

Bittrex failed to implement effective transaction monitoring on its trading platform, relying on as few as two employees with limited anti-money laundering training and experience to manually review all transactions, which at times exceeded 20,000 per day.

Bittrex failed to file any SARs between February 2014 and May 2017, a three-year period. In addition, the company failed to file SARs on a significant number of transactions involving sanctioned jurisdictions, including the processing of over 200 transactions involving $140,000 in virtual assets—nearly 100 times the average withdrawal or deposit on the Bittrex platform—and 22 transactions involving more than $1 million in virtual assets.

Bittrex has agreed to and consents to the issuance of this Consent Order and agrees to pay $5,000,000 to the United States Department of Treasury in accordance with the payment instructions that will be transmitted to Bittrex upon execution of this Consent Order. If Bittrex does not pay the $24,280,829.20 settlement due to apparent OFAC violations, it will pay the entire $29,280,829.20 penalty imposed by this Consent Order within thirty days of default.

Bittrex case will act as a cornerstone for Crypto Exchange players and ecosystem to be more prudent.

Galactik Views