Poloniex, virtual currency, and the need for strong sanctions compliance regimes

Serious shortcomings in compliance and internal controls meant that customers in sanctioned jurisdictions were permitted to use the platform to trade.

In the ever-active sanctions enforcement space comes a new development: Cryptocurrency exchange Poloniex LLC agreed to pay about $7.59m to settle allegations it allowed users in sanctioned regions to trade digital assets on its platform.

The US Treasury Department’s Office of Foreign Asset Control (OFAC) announced its settlement agreement on Monday.

Failure of due caution or care

OFAC said that between January 2014 and November 2019, the Poloniex trading platform allowed customers located in sanctioned jurisdictions to engage in online digital asset-related transactions despite having reason to know their location based on both Know Your Customer information and internet protocol address data.

The 232 customers conducting those trades, deposits, and withdrawals with a combined value of $15,335,349 were located predominantly in Crimea, which Russian forces seized from Ukraine in 2014, as well as in Cuba, Iran, Sudan and Syria, regions that currently have or previously have faced comprehensive US sanctions barring US companies and individuals from doing business there, OFAC said. 

Specifically, as a result of its compliance deficiencies, Poloniex processed 65,942 online digital asset-related transactions for customers in sanctioned jurisdictions between approximately July 28, 2015 and September 2, 2019, OFAC said.

Even when it implemented a sanctions compliance program, Poloniex did not apply it consistently across sanctioned jurisdictions nor to pre-existing accounts.

Poloniex failed to exercise due caution or care for its sanctions compliance obligations when it operated with no sanctions compliance program for more than a year after beginning to offer digital asset services worldwide, OFAC said. Even when it implemented a sanctions compliance program, Poloniex did not apply it consistently across sanctioned jurisdictions nor to pre-existing accounts, the agency noted.

Poloniex was acquired by cryptocurrency operator Circle Internet Financial for $400m in 2018.

OFAC said that although Circle implemented additional sanctions compliance controls that significantly reduced the rate of additional similar sanctions violations, some violations, particularly those related to a number of accounts opened by people in Crimea, continued in 2018 and 2019.

Poloniex was later spun out of Circle and became a new company in 2019 known as Polo Digital Assets, backed by an Asian investment group. Circle’s divestment of the company did not include US customers; Circle wound down the operations for those Poloniex customers in late 2019.

The OFAC settlement agreement said Poloniex no longer has any business operations or employees. 

Mitigating factors and best practices

OFAC credited Circle for its improved sanctions compliance program and internal controls, which, although not perfect, constituted a measurable improvement when implemented in early 2018, soon after Circle acquired the Poloniex Trading Platform and before OFAC began its investigation.

These improvements could serve as best practices for many sanctions-related cases.

The measures included:

  • Freezing users’ accounts until KYC verification was completed.
  • Implementing an automated review and verification tool for identity documents.
  • Implementing a protocol that prevented users from activating an account if the profile information matched a sanctioned country.
  • Implementing geolocation restrictions with respect to Syria, Iran, Cuba, Sudan, and North Korea.
  • Closing any accounts that listed “Crimea” in the profile information, along with the identification and blocking of IP ranges associated with certain internet service providers operating in Crimea.
  • Creating a “Crimea IP blacklist” and “Crimean city/region keywords list” against which all account information was screened.
  • Enhancing its training program and hiring additional experienced compliance personnel.

Compliance considerations

Interestingly, OFAC added a section to its enforcement release as a specific message to businesses and digital asset firms in particular (see their October 2021 guidance focused on this industry) pointing out the need to develop a risk-based sanctions compliance program that suits the type of business involved, its size and sophistication, products and services, customers and counterparties, and geographic locations served.

It advised those entities involved in emerging technologies to incorporate sanctions compliance into their business functions at the outset, and make sure that they apply to existing customers as well as new ones, especially when they seek to offer financial services to a global customer base.

Sanctions cases and virtual currency

The cryptocurrency sector is certainly not the only one to be getting a lot of attention in terms of sanctions violations. But since 2021 when Virgil Griffith, an Ethereum developer, was arrested for speaking at a North Korea blockchain conference and pleaded guilty for helping that nation evade sanctions, a number of virtual currency businesses (or affiliated persons) have seen enforcement actions in this arena.

For example, in August 2022, OFAC penalized virtual currency mixer Tornado Cash, which OFAC said had been used to launder more than $7bn worth of virtual currency since its creation in 2019. This included over $455m stolen by the Lazarus Group, a North Korean, state-sponsored hacking group that was sanctioned by the US in 2019, thereby bringing both money-laundering and sanctions violations into the mix.

And in October, OFAC and the US Treasury’s Financial Crimes Enforcement Network (FinCEN) announced settlements for over $24m and $29m, respectively, with Bittrex, Inc. a virtual currency exchange – the first parallel enforcement actions by FinCEN and OFAC in the sanctions space.

Then, in November, crypto exchange Kraken agreed to pay a fine to settle civil liability related to apparent violations of sanctions on Iran, paying about $362,000 and investing an additional $100,000 “in certain sanctions compliance controls”.