U.S. Treasury reaches settlement with Kraken for Iran sanctions violations

On Monday, the United States Department of Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement with cryptocurrency exchange Kraken for violations of Iran sanctions.

Kraken agreed to pay $362,158.70 and invest $100,000 in sanctions compliance for apparent violations of sanctions against Iran. According to OFAC’s release, Kraken failed to implement appropriate geolocation tools in a timely fashion, thus allowing access to users who appeared to be in Iran when they engaged in virtual currency transactions on Kraken’s platform.

Specifically, the settlement letter explains that, while Kraken maintained an anti-money laundering and sanctions compliance program, “between approximately October 14, 2015 and June 29, 2019, Kraken processed 826 transactions, totalling approximately $1,680,577.10, on behalf of individuals who appeared to have been located in Iran at the time of the transactions...as a result, Kraken engaged in 826 apparent violations of the Iranian sanctions program."

In the settlement, OFAC lists both aggravating and mitigating factors it considered in reaching the agreement with Kraken. Enforcement actions, arguably even more so than guidance, are a window into regulatory expectations. For example, OFAC, in the settlement letter, cites Kraken’s failure to exercise care when applied geolocation controls only at the time of client onboarding, “despite having reason to know based on available IP address information that transactions appear to have been conducted from Iran.”

OFAC also provides a list of mitigating factors. For example, “Kraken voluntarily self-disclosed the Apparent Violations to OFAC and cooperated with OFAC’s investigation into the Apparent Violations.”

In addition, “Kraken undertook significant remedial measures, including:

• Adding geolocation blocking to prevent clients in prohibited locations from accessing their accounts on Kraken’s website;
• Implementing multiple blockchain analysis tools to assist with sanctions monitoring; investing in additional compliance-related training for its staff, including in blockchain analytics;
• Hiring a dedicated head of sanctions to direct Kraken’s sanctions compliance program, in addition to hiring new sanctions compliance staff;
• Expanding its contract with its current screening provider to add additional screening capabilities to ensure compliance with OFAC’s “50 Percent Rule,” including detailed reports on beneficial ownership;
• Contracting with a vendor that assists with identification and nationality verification by using artificial intelligence tools to detect potential issues with supporting credentials provided by users; and
• Implementing an automated control to block accounts using cities and postal codes associated with the Crimea region and in the so-called Donetsk and Luhansk People’s Republics of Ukraine.

According to OFAC, the Kraken case, like enforcement actions against crypto businesses Bitpay, Bitgo and Bittrex before it, “highlights the importance of using geolocation tools, including IP blocking and other location verification tools, to identify and prevent users located in sanctioned jurisdictions from engaging in prohibited virtual currency-related transactions,” throughout the lifetime of the account rather than just at onboarding.

OFAC, sending a message to other crypto firms, highlights “the value of a company implementing robust remedial measures after becoming aware of a potential sanctions issue, including the deployment of blockchain analysis tools and compliance-related training on blockchain analytics, as well as committing to future sanctions compliance investments.”

OFAC sanctions compliance for crypto

In October 2021, OFAC issued its Sanctions Compliance Guidance for the Virtual Currency Industry, advising crypto businesses to take a risk-based approach to sanctions compliance including the use of geolocation and blockchain intelligence tools. According to OFAC an effective sanctions compliance program should incorporate at least five essential components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.

Just last month, TRM Talks was joined by a panel of experts from OFAC, Geocomply and PWC to discuss sanctions compliance and the need to implement geolocation and blockchain intelligence tools. In this session, Dallas Woodrum, Section Chief of OFAC’s Enforcement Division, explained that it is no longer simply acceptable to know who your customer is, but also where your customer is from explaining, “As the guidance states, getting this right requires at a minimum the use of domain name and IP address data to better hone in on where entities are, combined with the use of blockchain intelligence to understand what sanction evasion typologies might look like.”

💡 Check out the full TRM Talks on OFAC sanctions compliance and a recap here.

💡 Also, read a piece by TRM Labs & Geocomply on using blockchain intelligence and geolocation for sanctions compliance in ACAMS Today here.

‍