Written by Deepa Chandrasekhar on Monday October 11, 2021
“He who hunts two hares does not catch the one and let the other escape.”
- Italian proverb
It always puzzled me that while the US Department of Treasury regularly publishes the names of Specially Designated Nationals (SDNs)[1], the cryptocurrency exchanges that were the conduit for nefarious transactions seem to have dodged this remit. That enigma ended on 21 September, when the Treasury’s Office of Foreign Assets Control (OFAC) announced its decision to sanction Suex, a cryptocurrency exchange incorporated in Prague with operations in the Czech Republic and Russia. Fourteen XBT bitcoin addresses, four ETH Ethereum addresses and seven USDT tether addresses associated with Suex were also added to the SDN list.[2]
The sanctions are part of the US Government’s crackdown on criminal syndicates who extort ransomware payments through cryptocurrency, thereby obfuscating the money trail. Suex was charged with having “facilitated transactions from at least eight ransomware variants … as much as 40% of its transaction volume was associated with digital addresses linked to known malicious actors.”[3] The OFAC’s enforcement will make it harder for Suex to access the US financial system, as financial institutions are prohibited from processing transactions for sanctioned entities.
Ransomware is a type of malicious software (malware) released by criminals, which embeds itself in vulnerable computer systems and encrypts data or programmes. The hapless victims are then contacted by perpetrators who demand ransoms in exchange for a key that decrypts the files and restores access to the systems and data. At times, criminals have also threatened to publicly disclose sensitive information.
Institutions that have fallen prey to ransomware gangsters include Canadian aircraft manufacturer Bombardier, the Washington D.C. Police Department, electronics company Acer, the University of Colorado, the Cities of Atlanta and Baltimore, Quanta Computers and the CNA financial group. Much of the extortion has been in the form of Bitcoin or Ethereum cryptocurrency. Chainalysis’ Ransomware 2021 report shows the trend of exponential growth in the value of cryptocurrency received by tracked ransomware addresses (see Figure 1).
Cryptocurrency has spawned an ecosystem of criminals who exploit the lack of regulation across jurisdictions. Cryptocurrency exchanges act as the ‘layering’ stage in money laundering by facilitating the conversion of illegal crypto ransoms to fiat currency and vice versa. The problem is compounded when smaller exchanges are ‘nested’ within bigger cryptocurrency exchanges. This is similar to the concept of nested accounts which occur when customers of a foreign financial institution (Bank A) gain access to the US financial system by operating through a US correspondent account belonging to another foreign financial institution (Bank B). Bank B often has no direct relationship with the underlying customers of Bank A – it therefore relies on the processes of Bank A to verify identity and implement Know Your Customer processes.
According to TRM Labs – a company involved in monitoring digital asset transactions – Suex operated a ‘nested’ exchange by using larger global cryptocurrency exchanges to conduct its transactions.[4] Similar to nested accounts, nested exchanges have the ability to access greater liquidity, provide lower transaction costs and faster turnaround times, through the infrastructure provided by the bigger crypto exchange houses. Suex’s Bitcoin deposit addresses hosted at large cryptocurrency exchanges received over $160m from ransomware actors, scammers, and darknet market operators.[5] It was also said to have received over $50m worth of Bitcoin sent from addresses hosted at illicit cryptocurrency exchange BTC-e that was shut down by US authorities for cybercrime-related money laundering.[6]
The misuse of cryptocurrencies and virtual assets is a cause for concern. OFAC’s sanctions on crypto exchanges are part of the US Treasury’s approach to combating attacks, which includes disrupting ransomware actors and infrastructure, limiting cryptocurrency payments, identifying and protecting target entities and building international cooperation to thwart future attacks. It is well known that sanctioned parties are increasingly turning to cryptocurrencies to hide their financial footprint. Intermediaries who facilitate ransom payments (including depository institutions and money services) thus run the risk of being cut off from the US financial system, if it is proven that the ransomware payment was made through them to a sanctioned person/entity/digital address.
There is, however, the danger that criminals may move away from the public ledgers operated by Bitcoin and Ethereum to privacy coins like Monero, Dash and Zcash that obscure customer identities and transaction amounts. For example, Monero assigns a one-time, unique wallet address/key to the sender and buyer to complete the transaction. Monero’s wallet users also have decoy addresses on top of a public address. This level of anonymity makes monitoring, tracking and the performance of due diligence extremely difficult.
The OFAC has made it clear that compliance and AML obligations are the same irrespective of whether the transaction involves regular currency or digital assets. The case of BitPay, Inc. – an Atlanta based payment processing company – indicates the importance of not only implementing KYC, but KYCC (know your customer’s customers). Its BitSend programme bears the tagline “Pay out crypto to anyone, anywhere”.[7] While the company screened merchants who were its customers and conducted due diligence on them, the OFAC stated that BitPay had failed to “screen location data that it obtained about merchants’ buyers.”[8] Consequently, buyers from sanctioned geolocations in the Crimea, Cuba, North Korea, Iran, Sudan, and Syria were able to make purchases from US based sellers using digital currency on BitPay’s platform. It is hence extremely important for crypto processing players to:
While the OFAC has provided guidance, many jurisdictions have not released any regulations regarding digital assets and cryptocurrency. It would be extremely useful if regulators organised training sessions by digital crypto asset experts for their staff and for financial institutions in their domain, so that their financial systems are not unwittingly exploited by criminals and malicious actors alike.
About the author: Deepa Chandrasekhar is the Senior Vice President, Chief Compliance Officer and MLRO for United Gulf Bank B.S.C. (c). The views expressed in this article are hers alone and do not represent those of the organisation.
References:
[1] SDNs comprise individuals, groups, entities, shipping vessels and cryptocurrency addresses
[2] https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210921
[3] https://www.coindesk.com/policy/2021/09/21/us-sanctions-enforcer-blacklists-a-crypto-exchange-for-first-time/
[4] https://www.trmlabs.com/post/behind-suex-io-the-first-sanctioned-cryptocurrency-exchange
[5] https://blog.chainalysis.com/reports/ofac-sanction-suex-september-2021
[6] https://blog.chainalysis.com/reports/ofac-sanction-suex-september-2021
[7] https://bitpay.com/send/
[8] https://home.treasury.gov/system/files/126/20210218_bp.pdf