Matt Stankiewicz, Partner at The Volkov Law Group, provides an update on the latest OFAC action against CoinList.

On December 13, 2023, the U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”) announced an enforcement action against CoinList Markets LLC (“CoinList”) for violations of the Ukraine-/Russia-Related sanctions.  Between April 2020 and May 2022, CoinList processed 989 transactions on behalf of users located in Crimea.  To resolve the potential civil liability stemming from these violations, CoinList agreed to pay $1,207,830. 

CoinList, founded in 2017, is a San Francisco-based cryptocurrency exchange that allows its users to invest in early access opportunities for various new and emerging cryptocurrencies.  New cryptocurrency companies can raise funds through the platform, essentially hosting their initial coin offerings (“ICOs”) through the platform.  If you’re familiar with AngelList, CoinList essentially offers a similar service for cryptocurrency companies and virtual assets. 

In its enforcement action, OFAC noted that CoinList maintained a relatively robust sanctions compliance program.  In order to begin trading on the platform, individual users had to undergo a know-your-customer (“KYC”) review by submitting information that included: country of residence, address, date of birth, and phone number, while also submitting a government-issued ID card and a selfie picture.  New entity users provided similar information, including incorporation documents, country of incorporation, company address, shareholders with 25-percent or more ownership, and information about the entity’s signatories.  This information would then be screened against relevant sanctions lists. Users could not create a digital wallet on the site without passing through this process.

In addition, CoinList maintained several other controls.  In addition to the screenings, CoinList maintained robust transaction monitoring systems by utilizing blockchain analytics tools.  We’ve championed these systems previously, as they provide cryptocurrency companies with a unique advantage over traditional finance businesses.  These tools allowed CoinList to identify potentially risky transactions, including those that may be linked to sanctions jurisdictions or parties.  Further, CoinList implemented IP blocking technology and developed enhanced due diligence procedures where necessary.  In spring 2021, CoinList was able to automate much of its KYC reviews—new users could be automatically rejected if they provided an ID card or a physical address from a sanctioned jurisdiction.

Despite these controls, a gap existed that allowed certain users from Crimea to access the platform.  Ultimately, CoinList’s KYC controls failed to identify certain users from this jurisdiction.  When creating an account, users from this area identified their country of origin as “Russia,” and used a physical address located within Crimea.  While many of these accounts entered an address that utilized a city in Crimea, some flat out provided the term “Crimea” in the address field.  Despite these obvious issues, CoinList’s controls failed to identify these users as problematic and instead allowed them to create accounts and actively trade on the platform.  OFAC suggested that the use of “Russia” in the country field was the likely culprit, as CoinList’s screening process was only tailored to identify blocked regions in that specific field.  These gaps are similar to those that previously earned Amazon an enforcement action. 

Due to the volume of these violations, the statutory maximum penalty amounted to $327,306,583.  However, and even though the violations were not self-disclosed, OFAC determined the violations were non-egregious, so the base monetary penalty amounted to $3,097,000.  The settlement was reduced to $1,207,830 due to the following factors:

OFAC determined the following to be aggravating factors:

1. CoinList failed to exercise due caution or care for its sanctions compliance obligations when it failed to institute internal controls able to flag accounts whose owners described themselves as resident of Crimea.
2. CoinList knew or had reason to know it was conducting transactions on behalf of persons who were likely to be ordinarily resident in Crimea. Each of the users in question self-reported addresses at account opening specifying a city in Crimea, the word “Crimea,” or both.
3. CoinList’s processing of transactions on behalf of users in Crimea harmed the integrity of the policy objectives of the URRSR. CoinList conferred economic benefits to Crimea by processing 989 transactions totaling $1,252,280 over two years. There is no indication the transactions would have been licensable or involved humanitarian activity.

OFAC determined the following to be mitigating factors:

1. OFAC has not issued a Penalty Notice or Finding of Violation to CoinList in the five years preceding the earliest date of the transactions giving rise to the Apparent Violations.
2. CoinList cooperated with OFAC’s investigation by responding to questions, providing transaction data, and entering into tolling agreements.
3. The volume of Apparent Violations represents a very small percentage of the total volume of transactions conducted by CoinList annually.
4. CoinList undertook a number of remedial measures, including:
   • Updating its filter settings to automatically reject potential users who report a residential address with a Crimean city, even if there is no mention of the Crimea region by name, and regardless of the country of residence provided (e.g., Ukraine or Russia);
   • Implementation of IP geo-blocking to detect IP addresses in sanctioned jurisdictions and preventing users from accessing their accounts from those IP addresses;
   • Investing in new vendors for review and verification of identity documents and restricted party screening as well as in tools to detect the use of VPNs that can obscure users’ location; and
   • Enhancing its training program and hiring additional experienced compliance personnel.

Notably, $300,000 of the settlement amount will be suspended once CoinList satisfactorily completes its compliance commitments.  Furthermore, as partial satisfaction of its penalty, CoinList has also agreed to invest $300,000 in additional sanctions compliance controls, which includes enhanced screening controls and additional compliance staff.