Shirin Emami is the executive deputy superintendent for banking at the New York State Department of Financial Services.

Bittrex purportedly aims to get the facts straight about the denial of its license applications by the New York State Department of Financial Services (DFS) in recent statements to the media (including CoinDesk). But, the cryptocurrency exchange leaves out the context necessary to understand its failures to comply with DFS’s licensing requirements, it continues to misstate the facts and it presents a misleading picture about the denial.

First, Bittrex claims that DFS did not provide guidance to the company and that the company’s applications sat on DFS’s desk “for years.” These statements are untrue.

Bittrex either misunderstands or misrepresents the meaning of guidance from a regulator in the context of a license application. DFS’s guidance consists of informing an applicant of the regulatory requirements for a license and pointing out deficiencies that need to be addressed before a license is granted. The corrective work to address deficiencies remains the applicant’s responsibility.

Throughout the application process, Bittrex was repeatedly informed of the regulatory requirements for the licenses it sought and provided with letters describing its deficiencies so the company could address them. Instead, the company spent many rounds of interaction with DFS either promising compliance and failing to deliver it, or trying to persuade DFS that, unlike our other regulated firms, it did not have to comply.

Bittrex’s initial application had many deficiencies, including weak customer due diligence, a lack of transaction monitoring, and an absence of experienced compliance staff. DFS staff repeatedly communicated to Bittrex the department’s concerns regarding these deficiencies. Bittrex repeatedly promised improvements and solutions, but ultimately failed to meet the requirements.

Transaction monitoring

Bittrex’s story of a commitment to compliance is wholly undermined by key omissions concerning its long-term transaction monitoring noncompliance. According to an American Banker article, “[the company’s chief compliance and ethics officer, John] Roth said the company has a suspicious transaction monitoring process that’s partially automated and partially manual. It had been taking steps to fully automate it.”

In fact, DFS repeatedly informed Bittrex that it needed a robust transaction monitoring system. After promising that a transaction monitoring system would be implemented well before 2018, Bittrex finally hired compliance staff to create one in early 2018. After nearly a year of work, Bittrex rolled out what turned out to be a manual transaction monitoring system in December 2018, only capable of handling a small volume of transactions, lacking the comprehensive and accurate risk assessment that must underlie any compliance program.

A transaction monitoring system that is not based on comprehensive risk assessment and uses only transaction size to select targets for scrutiny cannot be called a risk-based system. Attempting to pass off a wholly inadequate limited-capacity manual system, while Bittrex was using rapid fire electronic systems to process millions of trades, could only be bad faith or extremely bad judgment.

If Bittrex continues to tout this December 2018 system as in any way adequate after being clearly told of its shortcomings, it is either evidence of an intent to mislead regulators and markets, or evidence of genuine ignorance.

Customer ID

Moreover, Bittrex’s grossly inadequate transaction monitoring system is exacerbated by an additional deficiency: incomplete or missing customer identity data.

Without accurate customer names, any pretense at customer due diligence or other compliance, including compliance with Office of Foreign Assets Control (OFAC) sanctions, is a sham.

As to its customer due diligence failures, Bittrex claimed to media outlets that “the fake accounts cited by the regulator were not active ones.” But, in fact, more than 70 percent of the “fake name” accounts sampled by DFS had been active accounts at some point, and some still contained funds at the time of DFS’s on-site review in 2019 of Bittrex’s operations.

More troubling, in a further sample taken to test customer due diligence processes, 39 percent of sampled accounts had no name associated with the account, never had their identification checked, and could not possibly be checked for OFAC or other compliance. When Bittrex delivered its new transaction monitoring system in December 2018, it had solved nothing concerning the defective due diligence, nor did it address the scale of transaction monitoring needed.

Bittrex’s gross lack of compliance has consequences. When DFS examiners sampled accounts in 2019, their small sample identified two North Korean accounts. More may exist. At least one North Korean account was active into 2017. At least two Iranian accounts were still active in the Bittrex system when DFS examiners visited Bittrex in 2019, and potentially usable.

Listing criteria

Bittrex also attempts to shirk responsibility for the coins it decides to list on its exchange, stating that some coins are decentralized. This is irrelevant since it ignores the fact that listing decisions are made by Bittrex, which has an obligation to conduct appropriate due diligence on all types of assets, and then obtain approval for them from DFS, as required by the DFS Virtual Currency Regulation.

What’s more, Bittrex admitted to using an informal process for coin-listing decisions, without systematic documentation. This is just another example of the company’s lackadaisical approach to all aspects of compliance.

Bittrex also objected to DFS’s standard supervisory agreement, which contained provisions that have been applied to all prior applicants, and which are either required by the Virtual Currency Regulation or are an implementation of its provisions. These supervisory agreement provisions require pre-approval of new products, pre-approval of mergers and acquisition transactions, and set forth a capitalization formula that implements the regulation’s capitalization requirement.

DFS’s 2019 visit to Bittrex was intended to be primarily a review of Bittrex’s Bank Secrecy Act (BSA), anti-money-laundering (AML) and OFAC compliance program in the context of its pending applications. It was the final confirmation of the company’s inability to meet the regulatory requirements for the licenses it sought.

Bittrex made promises and representations to obtain virtual currency and money transmission licenses in New York, was given every reasonable opportunity by DFS to meet the required regulatory requirements and was denied because it failed to deliver.

New York skyline image via Shutterstock.