OFAC vs BitGo: Essential AML/KYC Compliance Lessons to Heed

Posted on Feb 2, 2021 | BLOG

Leading institutional digital asset platform BitGo settled with the U.S. Treasury's Office of Foreign Assets Control (OFAC) on 30 December 2020 for a $98,000 fine over 183 apparent anti-money laundering (AML) violations relating to user transactions in U.S.-blacklisted jurisdictions.

It could have been far worse for BitGo: the digital asset and wallet services provider could have racked up $53 million in fines had it not worked closely with OFAC to rectify the situation by implementing better Know-Your-Customer (KYC) and Customer Due Diligence (CDD) procedures in short order.

The OFAC enforcement action against BitGo follows last year's dramatic Treasury and FBI charges against BitMEX, which resulted in arrests and a complete overhaul of that company's executive structure and compliance controls.

It is the latest, and certainly not the last, action against a cryptocurrency-related business that operates outside the sometimes vague lines drawn by regulatory bibles like the U.S. Bank Secrecy Act (BSA) and the FATF Standards (which include last year's controversial FATF Travel Rule guidance).

In this article we’ll investigate the OFAC’s case and actions against BitGo and also look at what digital asset companies can do to ensure that they are in compliance with OFAC and other regulators. 

While AML/KYC compliance can be incredibly confusing depending on the jurisdictions you operate in, there are some common threads and broad-stroke recommended actions you can take to ensure that your digital asset service or company meets the expectations (and avoids the wrath) of the relevant authorities.

What is the OFAC?

The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency of the U.S. Treasury Department that issues and manages economic and trade sanctions to support domestic and global U.S. security and policy objectives.

The OFAC case against BitGo

According to OFAC, BitGo had failed to prevent persons apparently located in Ukraine's Crimea region, Cuba, Iran, Sudan and Syria from using its non-custodial digital wallet management service, due to weaknesses in BitGo's penalty enforcement procedures.

The charges relate only to BitGo's "hot wallet" (online) services, not its custodial cold wallet services. Because of these weaknesses, users in sanctioned locations were able to create cryptocurrency wallets on BitGo's platform and transact with them.

Between 2015 and 2019, BitGo processed 183 crypto transactions totalling $9,127.79 for these users. OFAC believes that BitGo knew about these Apparent Violations, because it held the users' Internet Protocol (IP) address data, recorded when they logged in to its network, which showed where they were located.

Yet it neglected to enforce sanctions compliance controls to stop them. Even though BitGo had the technical tools to identify that these users were in blacklisted locations, it did not shut down services to them.

OFAC found that the Apparent Violations were not willingly self-disclosed by BitGo. 

Before April 2018, the digital asset services company allowed individuals using its secure wallet management services to open an account by offering only a name and email address.

BitGo changed its procedure in April 2018 to have new account holders declare where they are based; however, BitGo did not follow up on those declarations with further due diligence to verify them.

Why OFAC’s BitGo fine was relatively small

In January 2020, after learning of the apparent violations, BitGo adopted an OFAC Sanctions Enforcement Policy ("OFAC Policy") and, as detailed below, initiated substantial corrective steps.

OFAC found that it did take corrective measures. OFAC therefore decided to fine BitGo a paltry USD 183,000, a rather insignificant sum when one considers that the statutory maximum civil monetary penalty applicable in this case is more than 53 million US dollars.

Instead, OFAC chose to use the base civil monetary penalty of $183,000 under OFAC's Economic Sanctions Compliance Guidelines ("Enforcement Guidelines"). This was reduced to $90,000 after further special considerations.

OFAC Lessons for Digital Currency Service Providers

How OFAC sanctions work (Source: atlanticcouncil.com)

The BitGo fine highlights that all U.S. individuals, including those who provide digital currency services, are subject to OFAC penalty enforcement obligations. 

OFAC advises businesses that offer digital currency services to implement, as part of a risk-based strategy, penalty enforcement controls commensurate with their risk profile (the risk-based approach).

In May 2019 OFAC published A Structure for OFAC Enforcement Commitments to provide organisations under U.S. jurisdiction, and overseas companies that do U.S.-related business, with OFAC's standpoint on the essential components of a penalty compliance program.

OFAC’s Enforcement Structure

The Enforcement Structure says risk-based compliance programs can vary depending on a number of factors, including:

  • organization size and complexity,
  • goods and services,
  • clients and counterparties, and
  • geographic locations.

Five Critical Points of Risk-based Compliance

However, OFAC strongly encourages companies to create, implement and maintain a Sanctions Compliance Program that has at least these five key integrated compliance components:

  • management commitment (including technological controls to reduce risk, such as IP blocking mechanisms),
  • risk assessment,
  • internal controls,
  • testing and auditing, and
  • training.

Based on these guidelines, let’s see how OFAC assessed BitGo’s case and decided on the right punishment. 

OFAC’s Assessment of BitGo’s violations

Aggravating factors for BitGo

The following variables were assessed by OFAC to be aggravating:

  • BitGo "failed to exercise proper customer due diligence or care over its penalty compliance obligations" by allowing people located in blacklisted jurisdictions to create accounts and use its platform to send cryptocurrencies.
  • BitGo had “reason to know” based on user IP address data it collects for security purposes that some of its users were based in sanctioned countries, yet failed to act on it. 

Mitigating factors for BitGo

The OFAC decided that the mitigating factors were as follows:

  • BitGo is a relatively small enterprise without a previous history of transgressions.
  • BitGo cooperated with the OFAC investigation.
  • BitGo confirmed that, in response, it had undertaken substantial corrective steps to remedy the situation and avoid any future occurrence.

BitGo’s Corrective Steps

Here are the “substantial” corrective steps BitGo took in 2020 after it became aware of the charges. It:

  1. appointed a Chief Enforcement Officer to ensure compliance
  2. applied the latest OFAC regulations to its business
  3. adopted a new OFAC Policy that includes a comprehensive summary of the applicable sanctions laws.

Duties of BitGo's new compliance chief

BitGo’s Enforcement Officer now carries out the following duties:

  • enforcing, and providing advice and analysis on, U.S. penalty law issues;
  • blocking IP addresses from sanctioned jurisdictions;
  • enabling email-related restrictions;
  • periodic batch screening: BitGo screens all accounts, including "hot wallet" accounts, against OFAC's Specially Designated Nationals and Blocked Persons (SDN) List, including blocked addresses;
  • conducting a retroactive batch screen of all users;
  • periodically reviewing the OFAC Policy and updating procedures as necessary;
  • ensuring that employees declare that they understand BitGo's OFAC Policy; and
  • ensuring that employees attend training programs as required.
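Two of the technical controls in the list above, IP blocking for sanctioned jurisdictions at login and the retroactive batch screen of existing accounts, as an added Python example. This is not BitGo's code; the geo-IP table, the blocked-party list and the account records are constructed placeholders, not real geo-IP or SDN data.

```python
# Added example, not BitGo's own code: IP-based jurisdiction blocking at login
# and a retroactive batch screen of accounts against a blocked-party list.
# The geo-IP table, blocked list and sample accounts are constructed placeholders.
import ipaddress

SANCTIONED_JURISDICTIONS = {"CU", "IR", "SD", "SY", "UA-43"}  # UA-43: ISO 3166-2 code for Crimea
# Constructed geo-IP table using RFC 5737 documentation ranges.
GEOIP_TABLE = [(ipaddress.ip_network(net), code) for net, code in
               [("192.0.2.0/24", "IR"), ("198.51.100.0/24", "UA-43"), ("203.0.113.0/24", "US")]]
BLOCKED_NAMES = {"example blocked person"}  # constructed, stored normalised
BLOCKED_ADDRESSES = {"1ExampleBlockedAddressPlaceholder"}  # constructed
SAMPLE_ACCOUNTS = [  # constructed accounts for the retroactive screen
    {"id": "a1", "name": "Example  Blocked Person", "addresses": [], "login_ips": ["203.0.113.5"]},
    {"id": "a2", "name": "Alice", "addresses": ["1ExampleBlockedAddressPlaceholder"], "login_ips": ["198.51.100.7"]},
    {"id": "a3", "name": "Bob", "addresses": [], "login_ips": ["203.0.113.9"]},
]

def ip_country(ip):
    """Country/region code for an IP, or None when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP_TABLE:
        if addr in net:
            return code
    return None

def login_decision(ip):
    """'block' for a sanctioned jurisdiction, 'review' when the location is
    unknown (an unmapped IP is not treated as cleared), else 'allow'."""
    code = ip_country(ip)
    if code is None:
        return "review"
    return "block" if code in SANCTIONED_JURISDICTIONS else "allow"

def batch_screen(accounts):
    """Flag accounts whose name or wallet address is on the blocked list, or
    whose recorded login IPs fall in a sanctioned jurisdiction."""
    hits = {}
    for acct in accounts:
        reasons = []
        if " ".join(acct["name"].lower().split()) in BLOCKED_NAMES:
            reasons.append("name match")
        if set(acct["addresses"]) & BLOCKED_ADDRESSES:
            reasons.append("address match")
        if {ip_country(ip) for ip in acct["login_ips"]} & SANCTIONED_JURISDICTIONS:
            reasons.append("sanctioned login IP")
        if reasons:
            hits[acct["id"]] = reasons
    return hits
```

Running `batch_screen(SAMPLE_ACCOUNTS)` flags a1 on its name and a2 on both its address and its Crimea login IP, the kind of hit the 2018 self-declaration alone would have missed.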

Additional OFAC guidelines on the provision of digital currency services can be found here.

Essential AML/KYC Compliance Conclusions

Since the FATF adopted Recommendation 16’s so-called FATF Travel Rule guidance, crypto exchanges, custodial services and other VASPs have been under increasing strain to comply with more stringent AML obligations.

The OFAC vs BitGo, Treasury vs BitMEX and FinCEN unhosted wallet NPRM cases can also serve as excellent guides on how to incorporate best practice compliance essentials into your business before regulators come knocking on your door.

It is clear that BitGo’s mea culpa and prompt corrective measures to ensure history doesn’t repeat itself really helped its case. 

So as a takeaway, consider the following recommendations when developing your compliance controls:

  • First off, understand the crypto regulations in your area and your AML compliance obligations, based on your risk. To do this, hire a capable compliance officer if possible. 
  • Next, ensure that you have proper KYC protocols in place and onboard customers properly.
  • Make sure you conduct adequate customer due diligence (CDD) on your clients and screen them effectively for global AML purposes.
  • Where certain customers raise a red flag, be sure to conduct enhanced due diligence (EDD) on them or file the necessary suspicious behaviour reports.
  • Finally, invest the time and money in preparing and training your staff. Your clients will thank you, and it will ensure that you stay one step ahead of regulators.