Kraken settles alleged Iran sanctions violations

The crypto exchange Kraken has agreed to pay a fine to settle apparent violations of sanctions imposed on Iran.

The US Treasury Department's Office of Foreign Assets Control (OFAC) has announced that the settlement will involve Kraken paying approximately $362,000 and investing an additional $100,000 in sanctions compliance controls.

In a statement, Kraken’s Chief Legal Officer Marco Santori said: "Kraken is pleased to have resolved this matter, which we discovered, voluntarily self-reported and swiftly corrected.

"Even before entering into this resolution, Kraken had taken a series of steps to bolster our compliance measures."

According to OFAC, Kraken had processed 826 transactions between 2015 and 2019 for users based in Iran. During this period, Kraken had in place controls that were designed to prevent users from opening an account if they were in a jurisdiction that was subject to sanctions. But OFAC said that the exchange did not implement IP address blocking based on geolocation across its platform.

The US Treasury Department has also recently fined crypto exchange Bittrex Inc $29 million for what it calls "apparent violations" of sanctions on certain countries and anti-money laundering law.

Issues

Digital assets are beginning to play an increasingly prominent role in the global economy, thereby creating a challenge for the authorities. They are faced with the task of assessing and monitoring the risks involved in the sector, which has very little regulation.

But this situation also presents challenges for crypto exchanges. Kraken is a US-based exchange. But exchanges need to be aware that, even if they are not based in the US, they need to ensure they do not violate US primary sanctions.

Primary sanctions can be applied to US persons or in situations where there is a US connection (often referred to as a nexus), such as involvement by a US person, goods originating from the US or transactions that take place within the US financial system or use the dollar. As a result, there is the potential for a crypto exchange that is not based in the US to face civil or criminal penalties if it violates primary sanctions.

Non-US crypto exchanges also need to know about US secondary sanctions. These target business activities and force foreign persons and entities to forgo otherwise legal transactions with sanctioned persons occurring outside the US jurisdiction The imposition of secondary sanctions is meant to require companies, banks and individuals to make a tough choice: continue doing business with the sanctioned entity or with the US, but not both.

OFAC and crypto-related sanctions

OFAC has sent a clear signal over the past year that crypto firms have the same obligations as any other regulated entity and must comply with the sanctions regime. There has been a series of enforcement actions. The law is quickly developing and investigations are becoming more frequent.

Just over a year ago (October 2021), OFAC issued sanctions compliance guidance for the virtual currency industry. The guidance focuses on:

How to evaluate sanctions-related risks.
Building a risk-based sanctions compliance programme.
Protecting a business from sanctions violations and the international misuse of virtual currencies by wrong doers.
Understanding OFAC’s recordkeeping, reporting and enforcement processes.

Kraken’s sanctions violation is an example of the action that will be taken if best practices and procedures are not implemented. Regulators would like to see crypto firms ensuring that they know who their customers are and where they are based. This is the reason why geolocating customers and transactions is imperative. Knowing the domain name and IP address data, combined with the use of blockchain intelligence, will help ensure better understanding of sanctions evasion typologies. Crypto firms should not rely too heavily on “spoofable” data. There are various tools available to ensure this does not happen.

As the industry evolves, there should be collaboration between the public and private sector in order to strengthen compliance systems, which would be welcomed by regulators. Crypto firms will need to look at their history and understand what had gone wrong previously.

Compliance is extremely important. As such, it should be “baked in” at the development phase of any new project as opposed to being an afterthought. Risk appetite is something that should be considered, examined and analysed at the product development phase.

Better practices going forward

With this in mind, it will be imperative that crypto firms ensure effective screening is in place, along with strong internal training on sanctions. Internal tests and audits will help improve whether systems are effective or not and will help address risks relating to documents.

Having such procedures in place will help mitigate the risks of being in breach of sanctions. Sanctions and cryptocurrency are both sectors that are developing fast, due to the ever-changing geo-political landscape. The creation of a best-practice compliance model is more essential now than ever before.