When You Got It, Flaunt It: Enforcement Authorities Expect Companies, Including Banks and Cryptocurrency Exchanges, That Collect Geolocation Data to Use It for Sanctions Compliance

Key Takeaways

• The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) recently announced two settlements that underscore OFAC’s continued emphasis on companies developing and implementing effective, risk-based compliance programs.
• Poloniex, LLC (“Poloniex”), a virtual currency exchange, and Swedbank Latvia AS (“Swedbank Latvia”), agreed to pay nearly $7.6 million and $3.5 million, respectively, to settle allegations that these entities violated multiple U.S. sanctions programs.
• In these separate settlements, OFAC made clear its expectations for companies that collect geolocation data: they should integrate such data in connection with their economic sanctions compliance programs.

OFAC Settlements Arising from Failure to Make Use of Geolocation Data in Compliance Programs

In connection with a recent settlement agreement between Swedbank Latvia and OFAC, Swedbank Latvia agreed to pay nearly $3.5 million to settle violations of OFAC’s Crimea sanctions. The charges involve alleged violations similar to those described in a recent settlement between OFAC and Poloniex in May 2023, under which Poloniex agreed to pay a penalty of approximately $7.6 million.

OFAC determined both cases merited a civil monetary penalty but, because the violations at issue were “not egregious,” was eligible for a reduced penalty under OFAC’s Economic Sanctions Enforcement Guidelines’ (the “Enforcement Guidelines”). 

Both enforcement actions underscore OFAC’s expectation for companies that collect geolocation data to make use of such data to comply with applicable sanctions laws. Additionally, OFAC’s enforcement action against Poloniex, a virtual currency exchange with aims to offer global financial services, emphasizes the importance for new companies involved in emerging financial technologies to incorporate sanctions compliance into their business functions just as much as more established financial institutions, like Swedbank Latvia and Swedbank AB (publ) ("Swedbank AB"), are expected to do.

Summary of Enforcement Actions

Swedbank Latvia

In its Enforcement Release, OFAC announced that Swedbank Latvia, a subsidiary of Swedbank AB, agreed to pay nearly $3.5 million to settle potential civil liability for 386 alleged violations of OFAC’s Crimea-specific sanctions. The allegations stemmed from a Swedbank Latvia customer sending payments to and from Crimea through U.S. correspondent banks. The transactions occurred between February 2015 and October 2016 and resulted in transactions with a total value of approximately $3.12 million. 

Beginning in 2014, Swedbank Latvia began engaging with a client in Crimea (the “Client” or “SPC Owner”) that owned three special purpose companies (“SPCs”). The SPC Owner attempted to send payments from a Crimean IP address using an e-banking platform in connection with a U.S. correspondent bank. However, the U.S. correspondent bank rejected the payments due to the Crimea location and alerted Swedbank Latvia (noting that OFAC imposed U.S. sanctions on the region in 2014). Swedbank Latvia requested additional information from both the U.S. correspondent bank and the SPC Owner, but the U.S. correspondent bank did not respond and the SPC Owner gave false assurances that none of the transactions involved Crimea. Relying on these assurances, a Swedbank Latvia relationship manager re-routed the previously rejected payments to a different U.S. correspondent bank, which ultimately processed the transactions. 

Under the circumstances, OFAC took the position that Swedbank Latvia had reason to know about the SPCs’ physical presence in Crimea. Specifically, OFAC pointed to Swedbank Latvia having the relevant Know Your Customer (“KYC”) information and customer IP data to determine the SPC Owner’s assurances were false. However, Swedbank Latvia failed to integrate certain KYC information and customer IP data into its sanctions screening process, thereby employing a compliance program that OFAC considers deficient. 

OFAC determined that even though Swedbank Latvia did not voluntarily disclose the alleged violations, they were non-egregious. More specifically, OFAC considered the Enforcement Guidelines’ General Factors and imposed an approximately $3.5 million penalty, reflecting a substantial discount off the bottom of the statutory penalty range of $6.2 to $112 million. OFAC cited a number of factors to reach this reduction, including the following:

• No violations in the past five years. OFAC has not previously imposed penalties on Swedbank AB and Swedbank Latvia in the five years preceding the earliest date of the transactions.
• Swedbank AB and Swedbank Latvia undertook significant remediation. OFAC considered the significant remediation procedures that Swedbank AB and Swedbank Latvia implemented into their compliance programs upon discovery of alleged violations.
• Swedbank AB and Swedbank Latvia substantially cooperated with OFAC. Both companies conducted extensive reviews for remediation purposes, provided well-organized responses to OFAC’s requests for information, and agreed to toll the statute of limitations.

Poloniex

In its Enforcement Release, OFAC announced that Poloniex, a Delaware virtual currency exchange company, agreed to pay approximately $7.6 million to settle potential civil liability for 65,942 alleged violations of multiple U.S. sanctions programs. OFAC alleged the violations occurred with trades, deposits, and withdrawals conducted by sanctioned persons in Crimea, Cuba, Iran, Sudan, and Syria. The transactions occurred between January 2014 and November 2019 and had a total combined value of approximately $15.3 million.

Poloniex began operating in January 2014 by offering an online digital assets trading and settlement platform (the Poloniex Trading Platform), but it did not implement its compliance program until over a year later in May 2015. While Poloniex’s compliance program introduced a process to collect and review KYC information for new customers and identify geolocation data for jurisdictions subject to comprehensive sanctions, OFAC took issue with Poloniex’s failure to retroactively screen its existing customers prior to the implementation of the compliance program. As a result, existing customers located in a sanctioned jurisdiction at the time they opened their account with Poloniex generally were allowed to continue using the company’s services. 

Poloniex began monitoring IP address data in May 2015 to detect customer logins in sanctioned jurisdictions, and it conducted additional diligence of, and subsequently closed, certain accounts connected to sanctioned jurisdictions. Poloniex did not, however, implement into its sanctions screening program a blocking mechanism on IP addresses from certain sanctioned jurisdictions until June 2017. Additionally, Poloniex also did not implement sanctions controls relating to its customers in the Crimea region of Ukraine until August 2017 (OFAC imposed sanctions on the region in 2014). Despite these supplemental controls, certain users in sanctioned jurisdictions continued to use Poloniex’s platform to engage in digital currency-related transactions in violation of U.S. sanctions. In February 2018, Circle Internet Financial Limited (“Circle”) acquired Poloniex and implemented additional sanctions compliance controls that continued to reduce the rate of additional alleged violations. Although Circle developed and implemented these internal controls, OFAC determined some violations nonetheless occurred between 2018 and 2019. 

In reaching a settlement with Poloniex, OFAC noted the alleged violations were not voluntarily disclosed and were non-egregious. More specifically, OFAC weighed a number of factors and imposed a penalty reflecting a substantial discount off the bottom of the statutory penalty range of $99.2 million to $19.7 billion. OFAC considered multiple mitigating factors, including: 

• New company with small volume. OFAC considered that neither Poloniex nor its newer owner, Circle, had received a penalty notice or findings of alleged violations in the last five years, and Poloniex was a small start-up at the time of most of the alleged violations. Additionally, many of the individual transactions were for a relatively small amount, and the volume of alleged violations represented a small percentage of the total volume of transactions annually.
• Proactive compliance implementation under Circle. After its acquisition of Poloniex, and prior to the OFAC investigation, Circle implemented its own compliance measures, improving Poloniex’s compliance program.
• Poloniex and Circle substantially cooperated with OFAC. Poloniex and Circle substantially cooperated with OFAC.

Lessons Learned

OFAC’s ongoing interest¹ in virtual currency exchange companies and the data they screen indicates the agency’s persistent scrutiny of compliance with sanctions regimes. The enforcement actions against Swedbank Latvia and Poloniex demonstrate just two examples of OFAC’s scrutiny of compliance programs, offering important lessons for companies operating in high-risk environments. Accordingly, it is critical that companies continue to assess the effectiveness of their compliance programs and consider the following lessons learned from these cases:

Improvements to compliance programs to enhance overall effectiveness may be considered a strong mitigating factor if violations arise

• Even though Swedbank AB’s and Swedbank Latvia’s compliance programs were initially lacking, OFAC considered their improvements to their compliance programs (e.g., improvements to KYC, Anti-Money Laundering, and financial sanctions controls) as mitigating factors for the resulting penalty amount.
• OFAC found Poloniex’s deficient compliance program an aggravating factor in its determination because it took over a year to establish and did not retroactively screen existing users, allowing persons in sanctioned countries to continue using the company’s services for many years. However, Poloniex’s and Circle’s combined efforts to improve the compliance program, prior to OFAC’s investigation, became a mitigating factor in OFAC’s determination.

Collecting and screening customer geolocation data must be incorporated into compliance programs

• OFAC considered Swedbank AB’s and Swedbank Latvia’s implementation of geofencing mechanisms as a mitigating factor in determining penalties. Specifically, Swedbank AB and Swedbank Latvia learned from their past re-routing mistakes and incorporated internal controls to prevent recurrence. They incorporated a geofencing mechanism that prevented transactions from IP addresses in sanctioned jurisdictions and maintained automated system controls within their transaction screening tools to identify potential transaction resubmissions (post-rejection).
• Circle and Poloniex took a similar approach in remedial action by implementing geolocation restrictions for accounts based in sanctioned jurisdictions including Syria, Iran, Cuba, Sudan, and North Korea, geofencing and creating an IP blacklist for accounts with connections to Crimea, and closing any accounts that listed “Crimea” in their profiles.

Implementing and improving risk-based due diligence procedures that are part of a broader compliance program demonstrate to OFAC a commitment to compliance

• OFAC considered Swedbank AB’s and Swedbank Latvia’s risk-based approach to their due diligence processes and compliance program, determining whether these institutions assessed and improved upon internal deficiencies. Both Swedbank AB and Swedbank Latvia established enhanced due diligence and screening procedures for high-risk customers, implemented transparency protocols for responses to correspondent banks, and hired additional compliance staff. Taken together, OFAC viewed these improvements as meaningful efforts to ensure compliance with applicable laws and thus considered these improvements a mitigating factor with respect to the penalty.
• Likewise, after Circle acquired Poloniex in 2018, Circle implemented several enhancements into Poloniex’s compliance program, which included improving Poloniex’s compliance program, implementing automated review and verification tools for identity documents, enhancing training, and hiring additional experienced compliance program. OFAC considered these actions to be a mitigating factor in determination of its penalty amount. 

Companies should make an effort to self-disclose and cooperate with OFAC

• OFAC made a point to articulate that neither Poloniex nor Swedbank Latvia voluntarily disclosed their alleged violations. Had they done so under the same facts, their overall penalty amounts may have been reduced further.
• Even though both Swedbank Latvia and Poloniex failed to voluntarily disclose their respective alleged violations, OFAC noted both companies’ “substantial cooperat[ion]” with the investigation as a mitigating factor in the penalty calculations.

Dechert regularly advises financial services entities and market participants in the virtual currency ecosystem, assisting with evaluating potential sanctions-related risks and building risk-based compliance programs to manage and mitigate such risks.

* The authors would like to thank Marston Li for his contributions to this OnPoint.