In keeping with its recent focus on the crypto asset industry, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced an agreement last week with crypto asset trading platform Poloniex, LLC (Poloniex). Poloniex agreed to pay over $7.5 million to settle its potential liability for 65,942 individual sanctions violations that occurred between January 2014 and November 2019. Such violations seem unlikely to occur again anytime soon: as stated in the announcement, “Poloniex currently has no business operations and no employees.”
For crypto asset companies, this enforcement action underscores the importance of “incorporat[ing] sanctions compliance into business functions at the outset” and retroactively applying any new sanctions compliance controls to existing customers. According to the announcement, Poloniex opened its crypto asset trading platform (Poloniex Trading Platform) in January 2014 but did not establish its sanctions compliance program until May 2015. At that time, Poloniex began monitoring IP address data and reviewing the personal information of new users who self-identified as located in certain comprehensively sanctioned jurisdictions. However, Poloniex reportedly did not retroactively screen or block users who signed up before May 2015. While Poloniex conducted additional diligence and closed some accounts based on its screening and additional diligence of its new users, Poloniex did not begin implementing a block on sanctioned jurisdiction IP addresses until June 2017, and only began implementing sanctions controls related to customers in the Crimea region of Ukraine in August 2017.
OFAC concluded that Poloniex’s initial sanctions compliance attempts “made efforts to identify and restrict accounts with a nexus to Iran, Cuba, Sudan, Crimea, and Syria”; however, “certain customers apparently located in these jurisdictions continued to use Poloniex’s platform to engage in online digital asset-related transactions.” Poloniex’s sanctions program allegedly became significantly more effective in 2018, but even its new controls failed to adequately curb sanctions violations. OFAC stated that a relatively small number of violations occurred in 2018 and 2019 before the Poloniex Trading Platform was sold to a third party in November 2019.
OFAC acknowledged that Poloniex was a “small start-up” when most of the violations occurred and that its compliance policies improved substantially from January 2014 to November 2019. These improvements were a “mitigating factor” in the settlement and were likely part of the reason Poloniex was able to settle for approximately $7.5 million rather than $99 million, which was the base civil monetary penalty amount for Poloniex’s violations.
The key takeaways from this settlement agreement are:
- When establishing or enhancing a sanctions compliance program, be sure to review all active customers using the new processes.
- The mere existence of a sanctions compliance program is not sufficient to shield a company from civil liability.
As this settlement shows, OFAC will i) scrutinize the effectiveness of the company’s sanctions compliance program throughout the five-year lookback period, ii) penalize a company for violations allowed by gaps in the program, and iii) hold companies liable for violations that occurred prior to the introduction of a sufficient compliance program.
As we have discussed in recent alerts, other agencies have also made it clear that they intend to ramp up their sanctions enforcement efforts. In remarks given on March 2, 2023, Deputy Attorney General Lisa Monaco stated that the U.S. Department of Justice’s (DOJ’s) National Security Division will be “elevating its attention to corporate crime through an infusion of personnel and expertise.” This will include hiring over 25 new prosecutors to investigate and prosecute sanctions evasion, one of which will be the National Security Division’s first Chief Counsel for Corporate Enforcement. Additionally, state regulators may penalize companies for sanctions violations pursuant to state law, as demonstrated by a recent settlement between crypto asset exchange Coinbase and the New York State Department of Financial Services.
When a violation of U.S. sanctions is detected, it is often in a company’s best interest to file a voluntary disclosure (VSD) with relevant enforcement agencies. In its National Security Division (NSD) Enforcement Policy for Business Organizations, the DOJ asserts that when companies voluntarily disclose a violation, fully cooperate, and remediate the violation in a timely manner, “NSD generally will not seek a guilty plea, and there is a presumption that the company will receive a non-prosecution agreement and will not pay a fine.” OFAC’s Economic Sanctions Enforcement Guidelines state that the base monetary penalty for violations that are disclosed voluntarily is typically 50 percent of the fine that a company would have incurred had it not submitted a disclosure.
Maintaining an effective sanctions compliance program is a crucial part of avoiding missteps that could expose firms to legal crises. Compliance programs should be tailored to the size and scope of a company’s operations to ensure that all transactions are conducted legally, and they should be able to rapidly adapt to new and changing regulations.
