OFAC: Lack of Compliance Program Led to Crypto Exchange’s Sanctions Violations
ShapeShift, a defunct Swiss cryptocurrency exchange that operated out of Colorado, will pay $750,000 to the Office of Foreign Assets Control to resolve allegations that it violated sanctions against Cuba, Iran, Sudan and Syria. OFAC said the exchange had no sanctions compliance program and illegally allowed users in those countries to use its platform for digital asset transactions.
OFAC said ShapeShift didn’t voluntarily disclose the violations, which the agency determined weren’t egregious. OFAC said it could’ve levied a larger fine but noted that the exchange has “limited assets” and “no longer provides digital asset services that could lead to apparent violations.”
Although ShapeShift was incorporated in Switzerland, OFAC said it did most of its business out of Denver and the majority of its employees were U.S. people. Despite being subject to U.S. sanctions laws, the exchange had no compliance procedures in place to screen users or transactions against sanctions lists.
“As a result, ShapeShift did not screen for designated or blocked users for some time, despite possessing at all relevant times at least some Internet Protocol (IP) address information and conceding that the IP addresses were the ‘only available indicator’ that ShapeShift collected regarding a party’s location,” OFAC said.
The agency said ShapeShift only created a sanctions compliance program after receiving an OFAC subpoena about the breaches. That compliance program established mandatory screening of new customers against OFAC’s Specially Designated Nationals and Blocked Persons List along with “procedures for identifying and denying access to users with IP addresses associated with sanctioned jurisdictions.”
In total, ShapeShift exchanged digital assets in 17,183 instances worth $12,570,956 with users located in Cuba, Iran, Sudan and Syria between December 2016 and October 2018. This led to 39 violations of the Cuban Assets Control Regulations, 16,839 violations of the Iranian Transactions and Sanctions Regulations, 33 violations of the Sudanese Sanctions Regulations, and 272 violations of the Syrian Sanctions Regulations.
OFAC pointed to several aggravating factors that led to the fine, including ShapeShift’s failure to “exercise a minimal degree of caution or care for its sanctions compliance obligations” by not having internal compliance controls in place. OFAC said the exchange had “reason to know” that some of its users were in sanctioned jurisdictions, adding that it “conveyed economic benefit to persons in several jurisdictions subject to OFAC sanctions and thereby harmed the integrity of multiple OFAC sanctions programs.”
The agency also pointed to multiple mitigating factors, including that ShapeShift was a “relatively small” company, is in a “highly constrained financial condition,” and hadn’t received a penalty notice in the previous five years, and that the volume of violations represented a small percentage of the total volume of ShapeShift’s annual transactions. OFAC also noted that the company cooperated with OFAC’s investigation and carried out “remedial” compliance measures, including by requiring mandatory sanctions screening and putting in place sanctions compliance training.
OFAC said the case highlights that digital asset companies are responsible for making sure they aren’t providing services to sanctioned users and shows the importance of pulling together all available user information into a company’s screening process.
“As demonstrated in previous cases, certain firms providing digital asset services have failed to ensure that their screening processes and broader compliance programs adequately incorporate customer information gathered from the onboarding process or through transactional information (such as IP location information),” OFAC said. “Ensuring that such data is gathered and employed using a risk-based approach is important to mitigate the risk of providing services to persons in sanctioned jurisdictions.”
ShapeShift couldn't be reached for comment.