In July this year, crypto exchange Kraken was placed under investigation by the US Treasury Department for alleged violations of sanctions imposed on Iran.
A couple of days ago OFAC officially announced that it had reached an agreement with Kraken to end this matter.
For some time now, the US Treasury Department has imposed sanctions against Iran, including sanctions prohibiting the transfer of digital currencies from the US to the Middle Eastern country.
Overall, these are economic, trade, scientific and military sanctions imposed on Iran through the UN Security Council in 2015, although some of them have been in place since 1979 by the United States alone. It is the Office of Foreign Assets Control (OFAC) of the US Treasury Department that oversees compliance with these regulations.
In terms of prohibited financial transactions, Iranian financial institutions are prohibited from directly accessing the US financial system, but at first were allowed to do so indirectly through banks in other countries. However, the US government has since convinced even European banks and financial institutions not to deal with Iran.
In 2013, a new executive order extended sanctions to anyone making transactions to or from Iran of significant amounts, which is why Kraken was also involved in the affair this year.
The charges against crypto exchange Kraken
Kraken was accused of circumventing these sanctions because it had allowed the transfer of digital currencies into Iran.
Kraken at first had denied the charges, but since they have now been forced to settle with OFAC, it is possible that they may have had to admit something.
OFAC revealed that the agreement made with Payward, the exchange’s parent company, includes a payment of more than $362,000 to:
“settle its potential civil liability for apparent violations of sanctions against Iran.”
In addition, the exchange has agreed to invest $100,000 in additional compliance checks for the rules governing those sanctions.
OFAC explains that the problem arose because of the exchange’s failure to implement appropriate geolocation tools, such as its automatic IP address blocking system, in a timely manner. In this way, Kraken allowed users who appeared to be in Iran to operate on its platform.
Hence, this would not be a case of conscious and active involvement, but merely a failure to take timely action to restrict or block transactions to Iranian users. On the other hand, once made, cryptocurrency transactions can no longer be cancelled or refunded.
Indeed, OFAC’s official statement explicitly says that Kraken’s apparent violations were not serious, and were voluntarily disclosed.
Interestingly, it was the exchange itself that reported the violations to OFAC.
Kraken’s violations: unauthorized crypto transfers
Kraken actually has long had its own anti-money laundering and sanctions compliance program, which includes customer screening. However, despite these checks, between 14 October 2015 and 29 June 2019 Kraken processed 826 transactions on behalf of individuals who appeared to be in Iran, totaling more than $1.6 million.
This is thus not a single breach, but a series of breaches that occurred over nearly four years.
The problem is that Kraken was preventing Iranian users from opening new accounts, but had not implemented IP address blocking on transactional activities. Therefore, a user who had registered elsewhere could, however, later log in from Iran and operate from there.
By the time such users transacted to or from the exchange by being in Iran the sanctions were violated.
The exchange then independently detected the 826 violations and reported this to OFAC. It then also later implemented the automatic blocking of IP addresses of sanctioned jurisdictions on all transactions. In addition, OFAC reports that it also implemented various blockchain analysis tools to monitor any other violations.
The government agency says that Kraken self-reported apparent violations, and that these apparent violations constituted a non-serious case, so the fine imposed was only half the value of the transactions made in violation of the rules.
Aggravating and mitigating factors
The only aggravating factor noted is that Kraken failed to exercise due care for its penalty compliance obligations by applying geolocation checks only at the time of registration.
Among the various mitigating factors is that it voluntarily disclosed the violations to OFAC, and cooperated with the agency. In addition, it has already introduced corrective measures that should solve the problem related to aggravation.
It is worth noting that Kraken is actually based in the US, so it is more required to comply with its country’s rules.
The fact that it is a centralized exchange means that it cannot escape these kinds of controls, which are completely absent on decentralized platforms such as those of DeFi, and DEXs.
Moreover, Kraken has been around for a long time, because it was founded as far back as 2011, two years after Bitcoin was born. It is by far one of the most widely used US crypto exchanges with the most history behind it. This affair only confirms its soundness, and especially its compliance with US laws.