Elvis, Donald Duck, Bittrex, and New York’s “Safe Harbor” for Crypto Exchanges

“… examiners found that a substantial number of aliases (e.g., Give Me My Money, Elvis Presley, abc-abc, Donald Duck, and other clearly false names) and obscene terms and phrases are used to identify accounts at Bittrex …”

Bittrex, Inc., a virtual currency exchange with almost 1.7 million users across the world, applied to the New York State Department of Financial Services for two licenses: a BitLicense to engage in “virtual currency business activity” in the state of New York (that application was filed in August 2015), and to engage in money transmission activity (that application was filed in July 2018).

Both applications were denied on April 10, 2019.

The denial letter reads like a criminal charging document. https://www.dfs.ny.gov/system/files/documents/2019/04/dfs-bittrex-letter-41019.pdf

The BitLicense application didn’t go well from the beginning. The NYSDFS “worked steadily with Bittrex to address continued deficiencies” and issued “several deficiency letters” relating to BSA, AML, and OFAC compliance. Things were going so badly, that in February 2019 the NYSDFS had a number of examiners do a four-week, onsite review of Bittrex’s policies, procedures, practices, and controls, including testing 100 million virtual currency transactions that Bittrex processed in 2017 and 2018. What they found is stunning, and led to their conclusion that Bittrex had an inadequate BSA/AML/OFAC compliance program. Among other things:

  • Bittrex had non-existent or inadequate policies and procedures
  • “a large number of transactions for customers domiciled in sanctioned countries (including Iran and North Korea) had passed through screening and were processed …”
  • Bittrex excludes “corporate and cash customers from its transaction monitoring”
  • the Compliance Officer was inadequate, there was a lack of training, and audit was inadequate

(I’m not an expert in New York licensing, but I haven’t seen anything in the bitlicense licensing requirements that specifically requires a dedicated transaction monitoring system).

I hope – but don’t expect – that New York takes a close look at its “safe harbor” approach for unlicensed crypto exchanges. The Department noted that Bittrex had been operating under the “safe harbor” provision that allowed Bittrex to engage in virtual currency business activity during the pendency of its crypto licensing application. Based on the denial letter, it looks like Bittrex allowed – even encouraged – transactions from its corporate and “cash” customers to go unmonitored, it had customers in North Korea and Iran, and flaunted know your customer controls. The New York harbor may have been a safe place for  Bittrex to safely flaunt AML and sanctions controls for more than two years and 100 million crypto transactions, but it wasn’t a safe place for all the New Yorkers, and others, who may have been, or eventually harmed by the unknown financial activity related to rogue states and actors.

We haven’t heard much from Bittrex. And the NYSDFS has a history of pushing very hard and over-reacting to certain matters and failing to appreciate all the perspectives that a case presents. I expect that there is much more to this matter than has been presented in the public realm. Let’s hope it comes out. One way or another.