Addressing Sanctions Risk Is Much More Than Namescreening
A couple of weeks ago, OFAC penalized the crypto exchange Bittrex with more than 25 Million USD for multiple sanctions violations. Among several issues with their Sanctions compliance program, transaction screening system, and compliance team - they also failed to screen against jurisdictions subject to OFAC sanctions. This case shows that it’s not sufficient to only perform name screening against sanctions lists but also to screen against sanctioned jurisdictions to comply with sanctions regulations.
The Bittrex case
Between 2014 and 2017, Bittrex operated 1,730 accounts that processed 116k cryptocurrency transactions with a value of more than 260M that violated OFAC Sanctions programs.
Bittrex had no sanctions compliance program in place until December 2015, when it began verifying customers’ identities. In February 2016, Bittrex went a step further and retained a third-party vendor for sanctions screening purposes, but the screening was incomplete. Until October 2017, the vendor screened transactions only for hits against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and other lists but did not scrutinize customers or transactions for a nexus to sanctioned jurisdictions.
Only after OFAC issued Bittrex a subpoena in October 2017 to investigate potential sanctions violations did Bittrex realize that the vendor was not scrutinizing whether customers were in a sanctioned jurisdiction and begin restricting accounts and screening IP and other addresses associated with sanctioned locations.
Bittrex subsequently implemented a number of other remedial measures, including implementing new sanctions screening and blockchain tracing software, conducting additional sanctions compliance training, and hiring additional compliance staff. Once implemented, these remedial measures substantially curtailed the number of Apparent Violations.
Bittrex’s compliance deficiencies resulted in 13,245 apparent violations of the Executive Order “Blocking Property of Certain Persons and Prohibiting Certain Transactions with Respect to the Crimea Region of Ukraine”; 321 apparent violations of the Cuban Assets Control Regulations; 94,634 apparent violations of the Iranian Transactions and Sanctions Regulations; 222 apparent violations of the now-repealed Sudanese Sanctions Regulations and 7,999 apparent violations of the Syrian Sanctions Regulations.
OFAC determined the following to be aggravating factors
(1) Bittrex failed to exercise due caution or care for its sanctions compliance obligations when it operated with no sanctions compliance program for nearly two years (from March 2014 until February 2016) after beginning to offer virtual currency services worldwide. Even when it did implement a sanctions compliance program, Bittrex screened only for hits against the SDN List and not for a nexus to a sanctioned location, allowing persons in jurisdictions subject to sanctions to use its platform for more than four years despite having sufficient location information to identify those customers as being in those locations.
(2) Bittrex had reason to know that some of its users were in sanctioned jurisdictions based on those users’ IP addresses and physical address data.
(3) Bittrex conveyed economic benefits to thousands of persons in several jurisdictions subject to OFAC sanctions and thereby harmed the integrity of multiple OFAC sanctions programs.
OFAC Compliance Recommendation
This enforcement action emphasizes the importance of new companies and those involved in emerging technologies incorporating sanctions compliance into their business functions at the outset, especially when companies seek to offer financial services, software or any other product and services to a global customer base.
As part of these controls, companies should ensure that their sanctions compliance service providers provide services commensurate with the institution’s sanctions compliance risk. More specifically, when providing services globally, screening for location information, especially when available through IP addresses and information provided by customers (such as passports or when a customer self-identifies as being from a particular country), is particularly important in mitigating the risk of providing services to individuals in jurisdictions subject to sanctions.”
How to Optimize Your Sanctions Screening Setup to Lower Your Sanctions Risk
One of the essential and critical takeaways of the Bittrix case is that it’s not sufficient to screen your customers' names against Sanctions Lists. Moreover, you should also ensure that your sanctions screening solution automatically screens against sanctioned jurisdictions.
Critical and sanctioned jurisdictions in the case were Cuba, Iran, Russia (Crimea region-related sanctions), Sudan, and Syria. Violations could have been easily prevented if the sanctions screening solution had covered the data and the functionality to also screen against those jurisdictions.
So as we can see, it’s essential that any sanctions screening solution excels in name screening as well as in screening against sanctioned jurisdictions.
Why Even Simple Name Screening Is a Challenge for Most Sanctions Screening Solutions
Name Matching is the "real hard nut to crack" in AML / Sanctions compliance. While Fuzzy Algorithms can help with some of the real-world challenges like typos, incomplete strings etc. some issues like transliteration issues, nicknames, and spelling differences can't be mitigated with any fuzzy algorithm. The results are either an overload of false positives or, even worse, false negatives.
sanctions.io's name-matching technology solves these challenges by blending machine learning with a set of traditional name-matching approaches, ensuring that no real match ‘slips through the cracks’ while keeping false positives on a manageable level. Learn more about our matching technology in this article.
How Can sanctions.io Help With Screening Against Sanctioned Jurisdictions
sanctions.io provides all the data and technology you need to screen your customers and business partners not only against name-based sanctions lists but also against sanctioned or high-risk jurisdictions.
In our API and our manual batch screening offering, it is possible to define that every name screening also includes a check against sanctioned (OFAC) or high-risk (FATF) jurisdictions based on the customers’ or business partners’ country of residency.
That way, you can ensure that you don’t do business with a customer who appears on any sanctions list or resides in any sanctioned jurisdiction. In sanctions.io's Ultimate Sanctions Screening Guide, you can learn more about it.
sanctions.io, Your Reliable Partner for Your Sanctions Screening Process
Learn more on our Documentation Hub or just schedule a call with our Customer Success Team to see how we can help you prevent and mitigate Sanctions risks in your organization.