On November 28, 2022, the United States Department of Treasury’s Office of Foreign Assets Control (OFAC) released an enforcement action (the “Action”) against Payward, Inc. d/b/a Kraken (the “Company”) related to the Company’s non-compliance with regulations governing transactions made with persons and entities in countries sanctioned by the United States government. The Action gives providers of internet services another example of important takeaways for evaluating OFAC compliance protocols throughout the lifetime of an account and screening of IP addresses across all use cases and not limited to account opening. Sanctions compliance should be undertaken using a risk-based approach, one of which factors should include geographic locations served.
Providers of technologies that potentially enable transactions to occur globally must carefully consider whether they may be held responsible for compliance with OFAC’s regulations, and what steps they must take to ensure compliance.
The Company was originally founded in 2011, and is one of the earliest online exchanges for trading cryptographic tokens. In the early years of digital assets gaining prominence, the Company’s reputation grew rapidly after it was asked to partner with Bloomberg to provide Bitcoin market data to the terminal (being the first exchange to do so). Initially, the Company’s exchange supported only a small handful of digital assets (at launch, the service advertised supporting “bitcoin and XRB trading, with possible future additions of other digital and non-digital currencies plus commodities”). Now, the centralized exchange offers the ability to trade over 185 different digital assets.
Approximately in July 2019, the Company discovered that in spite of efforts to maintain compliance with OFAC guidance and sanctions regulations, between October 2015 and June 2019 approximately 826 transactions (the “Transactions”) totaling $1,680,577.10 were processed on behalf of individuals located in a sanctioned jurisdiction. The event was voluntarily self-disclosed to OFAC.
Per the Action, Kraken’s investigation identified the root cause of the Transactions being permitted to be processed. At the time of the Transactions, Kraken’s protocol for accepting users and creating user accounts involved screening each prospective user’s IP address to determine if the user was located in a sanctioned jurisdiction; an applicant attempting to create an account in a sanctioned jurisdiction would be blocked based upon the IP address. However, per the Action, Kraken did not perform IP blocking across its platform, whereby permitting what appears to be a gap in that users could create an account while in a non-sanctioned jurisdiction and later transact using the same account from a sanctioned jurisdiction.
As a result of the 826 violations of sanctions regulations, OFAC found that the maximum civil penalty that could be imposed was $272,228,964, and the base civil penalty was $840,288.55. However, due to a significant amount of mitigating factors weighing in favor of Kraken, Kraken and OFAC settled for less than half of the base penalty, $362,158.70. Additionally, Kraken agreed that it would spend an additional $100,000 “to invest in certain additional sanctions compliance controls, including training and technical measures to assist in sanctions screening.”
OFAC considered that the Company did not exercise the adequate level of caution or care to ensure sanctions compliance, specifically in ensuring that more regular screening is conducted on where users are accessing their accounts and transacting from to make sure that such activity is not occurring in a sanctioned jurisdiction as the sole aggravating factor in the assessment of the civil money penalty.
The remedial actions undertaken included (i) adding geolocation blocking, preventing users from accessing the services while using an IP address associated with a sanctioned jurisdiction, (ii) incorporating additional blockchain analysis tools to monitor activity on the platform, (iii) bringing on a head of sanctions to guide sanctions compliance efforts, (iv) contracting with third parties to provide more enhanced screening to investigate beneficial ownership, (v) utilizing AI tools to make more accurate determinations on the validity of users’ identification and nationality, and (vi) adding certain automated controls not previously in place in certain regions.
Is your OFAC Compliance Program effective in the mitigation of OFAC risk in regard to all services that may be provided? Consider the following:
- Do you scan IP addresses of counterparties of the transactions using the technology to determine the location of the parties involved?
- Have you considered implementing analytical tools built into the architecture of the technology deployed that can make preliminary assessments of the levels of risk associated with each separate and identifiable transaction?
- Have you designed a sanctions compliance program and do you have adequate personnel (both management and trained staff) to monitor said compliance program?
If you have any questions about whether your exchange or platform conforms to OFAC requirements, please contact the authors of this article or any member of Frost Brown Todd’s Blockchain and Electronic Payments & FinTech teams.
 Note that following this enforcement action by OFAC, on February 9, 2023 the U.S. Securities and Exchange Commission took action against the Company for failing to register the offer and sale of their crypto asset staking-as-a-service program, and permanently enjoined the Company and any entity the Company controls, directly or indirectly, from offering or selling securities through crypto asset staking services or staking programs.
 Shobhit, Seth. “What Is Kraken? How It Works, How It Stands Out, and Issues.” Investopedia, January 15, 2023, https://www.investopedia.com/tech/what-kraken/. Last accessed January 23, 2022.
 Finberg, Ron. “Sneak Peak: Rising From the Depths of the San Francisco Bay is Kraken.” Finance Magnates, arch 5, 2013, https://www.financemagnates.com/forex/technology/sneak-peak-rising-from-the-depths-of-the-san-francisco-bay-is-kraken/. Last accessed January 23, 2022.
 Enforcement Release dated November 28, 2022, in re Payward, Inc. d/b/a Kraken, United States Department of Treasury’s Office of Foreign Assets Control. At 1.
 Id. at 2.
 Id. at 2 and 3.