US EO on the EU’s Data Protection, Bittrex Fines and Coin Center’s Lawsuit


Coinfirm’s Regulatory Affairs overviews the US’ most recent regulatory happenings, including:

  • Biden’s EO on EU Data Protection
  • FinCEN and OFAC Bittrex Enforcement Action
  • Coin Center’s Lawsuit Against OFAC (Tornado Cash Sanction Designation)

Biden’s EO on EU Data Protection

On the 7th of October, President Biden signed an Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, implementing commitments made by the US in the agreement in principle announced in March 2022, which in part addresses European citizens whose personal data reaches US entities.

Through the EO, it is ensured that:

1. US intelligence authorities must review their policies and procedures in a way that grants them limited access to European nationals’ data, restricting it to only “what is necessary and proportionate to protect [US] national security”. Additionally, it states that an independent and impartial authority, named the Data Protection Review Court (DPRC), will be established to ensure these safeguards are upheld and to “investigate and resolve [European’s] complaints regarding access to their data by US national security authorities”.

The members of the DPRC cannot be a part of the US government, must meet specific qualifications and will not abide by government instructions. Their dismissal may be caused by serious health issues rendering them unable to perform their duties or being convicted of a crime.

Their duties will cover investigating complaints made by EU citizens, obtaining and reviewing information relevant to the investigation from intelligence agencies, and taking binding remedial measures.

Each investigation will have an advocate appointed to assist the Court by providing the factual and legal circumstances of the case and to ensure the plaintiffs are duly represented and receive a fair trial.

2. US companies that process EU residents’ data comply with the changes.

As a result of the EO, EU citizens who have been made aware of their data being misused may file a complaint with the Civil Liberties Protection Officer of the US intelligence community, which is responsible for “ensuring compliance by US intelligence agencies with privacy and fundamental rights”. Should the EU individuals find the authority’s ruling inadequate, they have the option to appeal the decision before the Data Protection Review Court.

FinCEN and OFAC Bittrex Enforcement Actions

On October 11th, FinCEN and OFAC announced enforcement actions totalling over USD 53m against the cryptocurrency exchange Bittrex, making this the largest virtual currency enforcement action to date, as well as “the first parallel enforcement actions by FinCEN and OFAC” in the crypto space.

The investigation concluded that the company was in violation of sanctions programs and had AML failings between 2014 and 2018.

OFAC’s findings reveal 116,421 violations of multiple sanctions programs, primarily from allowing persons located in jurisdictions with comprehensive sanctions (Crimea, Cuba, Iran, Sudan, and Syria) to use its services, resulting in over $263m worth of virtual currency-related transactions.

According to the reports, Bittrex began operations in March 2014, and in 2015 started verifying the identity of its clients and abided by sanctions regulations to a degree. In 2016 it contracted a third party to conduct sanctions screening of its clients by ensuring they were not individuals designated by OFAC and other jurisdictions. In 2017 OFAC issued Bittrex a subpoena to investigate potential sanctions violations, which is when Bittrex was made aware that the vendor did not conduct verifications for nexus to sanctioned countries. Following this investigation, Bittrex began “restricting accounts and screening IP and other addresses associated with sanctioned locations” alongside implementing a set of additional measures “including implementing new sanctions screening and blockchain tracing software, conducting additional sanctions compliance training, and hiring additional compliance staff. Once implemented, these remedial measures substantially curtailed the number of Apparent Violations”, reducing them to 13,245.

Upon conducting a civil enforcement investigation, FinCEN discovered that Bittrex was in violation of the Bank Secrecy Act (BSA) between 2014 and 2018. “As of May 14, 2014, Bittrex was required to develop, implement and maintain an effective, written AML program that, at a minimum: (a) incorporates policies, procedures and internal controls reasonably designed to assure ongoing compliance with the BSA and its implementing regulations; (b) designates an individual responsible to assure day-to-day compliance with the MSB’s AML program and all BSA regulations; (c) provides education and/or training for appropriate personnel, including training in the detection of suspicious transactions; and (d) provides for independent review to monitor and maintain an adequate program.”

According to the reports, however, the exchange failed to develop, implement, and maintain an effective AML program. The ongoing monitoring of its clients’ transactions was performed manually by two employees rather than by software, even though they faced over 23,000 deposits and withdrawals daily with an average value of USD 97.9m.

Some of the transactions it allowed “involved various types of illicit activity, including direct transactions with online darknet marketplaces such as AlphaBay, Agora, and the Silk Road 2”. “The company also failed to detect, investigate and report transactions connected to ransomware attacks against individuals and small businesses in the United States during the relevant time period”. Additionally, between 2014 and 2017 only one SAR was filed, according to the reports.

According to the government bodies, although certain measures were taken to improve the exchange’s AML program in 2017 following an IRS examination, the mitigating measures remained insufficient until the end of 2018.

Coin Center’s Lawsuit Against OFAC (Tornado Cash Sanction Designation)

The designation of Tornado Cash continues to make waves, as yet another lawsuit was filed against the Treasury Department on October 12th.

Coin Center, a cryptocurrency-focused nonprofit organisation, “along with a group of normal privacy-seeking workers, donors, activists, and public figures” sued OFAC in an attempt to “keep privacy normal, to delist Tornado Cash privacy tools from sanctions, and to enjoin Treasury from enforcing against ordinary Americans exercising their self-evident and basic rights to privacy.”

The claims brought forth echo those made by U.S. Congressman Tom Emmer in his letter addressed to the Treasury, as well as those filed in the first lawsuit by Coinbase:

  1. The Tornado Cash sanction was made in excess of statutory authority. The blockchain addresses which comprise the Tornado Cash protocol are not a “person” and are thus out of OFAC’s reach, rendering the sanction unlawful.
  2. The Treasury’s own regulations and past executive orders limit the applicability of sanction controls to transactions with persons, entities, or their property. Thus, it does not have the authority to sanction “an idea, a tool or a technology.”
  3. The Treasury disregarded the collateral consequences of this enforcement: natural and legal entities have had funds, obtained from legitimate sources and with no nexus to sanctions, trapped in smart contracts and were not offered a solution to recover their property. The plaintiffs accuse OFAC of having taken a relaxed approach to victims’ concerns following this designation.
  4. Plaintiffs relied on Tornado Cash to execute private donations to humanitarian causes, such as purchasing equipment for Ukrainian soldiers, or used Tornado Cash to keep their salary gains private. The privacy of these transactions is now in peril, exposing the plaintiffs to unknown dangers, thus violating the US persons’ constitutional right to privacy.
