UNITED STATES OF AMERICA
FINANCIAL CRIMES ENFORCEMENT NETWORK DEPARTMENT OF THE TREASURY
Number 2021-02
IN THE MATTER OF:
HDR Global Trading Limited,
100x Holdings Limited,
ABS Global Trading Limited,
Shine Effort Inc. Limited,
HDR Global Services (Bermuda) Limited d/b/a BITMEX
ASSESSMENT OF CIVIL MONEY PENALTY
I. INTRODUCTION
The Financial Crimes Enforcement Network (FinCEN) has determined that grounds exist to assess a civil money penalty against HDR Global Trading Limited, 100x Holdings Limited, ABS Global Trading Limited, Shine Effort Inc. Limited, and HDR Global Services (Bermuda) Limited, which operate as an integrated, common enterprise doing business as BitMEX (collectively, BitMEX or Respondents) pursuant to the Bank Secrecy Act (BSA) and regulations issued pursuant to that Act.1
[1]. The
BSA is codified at 12 U.S.C. §§ 1829b, 1951-1959 and 31 U.S.C. §§ 5311-5314, 5316-5336. Regulations implementing the BSA appear at 31 C.F.R. Chapter X.
Without admitting or denying any factual or legal findings or conclusions herein, BitMEX has consented to the assessment of a civil money penalty and entered into a CONSENT TO THE ASSESSMENT OF CIVIL MONEY PENALTY (CONSENT) with
FinCEN. Pursuant to the CONSENT, BitMEX agrees to pay a civil penalty in the amount of $100 million and to comply with the Undertakings set forth below. The CONSENT is incorporated into this ASSESSMENT OF CIVIL MONEY PENALTY (ASSESSMENT) as if fully set forth herein.
II. RESPONDENTS
BitMEX is a convertible virtual currency (CVC) derivatives exchange. BitMEX is part of the 100x Group, which includes 100x Holdings Limited, and is wholly owned and operated by HDR Global Trading Limited, a company incorporated in the Seychelles. As described in the Statement of Facts below, BitMEX employed personnel and conducted operations and trading through various subsidiaries and affiliates, including ABS Global Trading Limited; Shine Effort Inc. Limited; and HDR Global Services (Bermuda) Limited, in various locations and offices throughout the world, including, but not limited to, New York, San Francisco, Milwaukee, Hong Kong, Singapore, and Bermuda. Respondents operate and do business as an integrated, common enterprise, “BitMEX.”
III. JURISDICTION
FinCEN, a bureau of the United States Department of the Treasury, is the primary regulator and administrator of the BSA with overall authority for enforcement and compliance, including the assessment of civil money penalties on financial institutions that violate the BSA and implementing regulations and coordination and direction of other agencies exercising delegated authority under the BSA and its implementing regulations.2
[2].
31 U.S.C. § 5321(a); 31 C.F.R. §§
1010.810(a),
1010.810(d); Treasury Order 180-01 (July 1, 2014).
At all times relevant to this proceeding, FinCEN has had jurisdiction over BitMEX and the matters that are the subject of and related to the CONSENT and this ASSESSMENT because BitMEX was a “financial institution”3 within the meaning of the BSA and its implementing regulations and was required to meet the statutory and regulatory obligations under the BSA and implementing regulations. Specifically, beginning on or about November 1, 2014 through on or about December 12, 2020 (Relevant Time Period), BitMEX operated as a “futures commission merchant” (FCM) that was required to register with the Commodity Futures Trading Commission (CFTC) under the Commodity Exchange Act (CEA).4 During the Relevant Time Period, BitMEX conducted significant aspects of its business and maintained offices in the U.S., solicited and accepted orders from U.S. persons5 and other individuals and entities located in the United States(collectively, U.S. Customers) on commodity futures contracts and swaps, and in connection with these activities, accepted deposits and, otherwise, accepted money, securities, or property, including bitcoin, to margin, guarantee, or secure resulting trades on the BitMEX platform. In addition, while operating in substantial part in the United States, BitMEX provided money transmission services, transmitting funds for U.S. Customers by accepting currency, funds, or other value that substitutes for currency from one person and transmitting currency, funds, or other value that substitutes for currency to another location or person.6
[3]. See 31 CFR §§
1010.100(t)(3);
1010.100(t)(8),
1010.100(x),
1010.100(ff)(5);
1010.100(ff)(8)(ii).
[4]. 31 C.F.R. §§
1010.100(t)(8);
1010.100(x); see also 7 U.S.C. §§ 1-26 (2018).
[5]. 31 C.F.R. §
1010.100(iii).
[6] A person doing business wholly or in substantial part in the United States that provides money transmission services is not a money services business if the person is registered with, and functionally regulated or examined by, the
CFTC. 31 C.F.R. §
1010.100(ff)(8)(ii). However, BitMEX does not qualify for this exception because BitMEX was not registered with the CFTC and, therefore, BitMEX was also subject to FinCEN’s jurisdiction on this separate basis. See 31 CFR §§
1010.100(t)(3);
1010.100(ff)(8)(ii).
Accordingly, FinCEN has jurisdiction over BitMEX and the matters contained in and related to the CONSENT and this ASSESSMENT, and FinCEN has the authority to enter into and adopt the CONSENT. BitMEX agrees not to object to or contest FinCEN’s jurisdiction and authority to enter into and adopt the CONSENT in this proceeding or any related proceedings brought by or on behalf of FinCEN based on a violation of or to enforce the CONSENT.
IV. FINDINGS AND DETERMINATIONS
FinCEN has determined that during the Relevant Time Period, BitMEX willfully violated certain of its obligations under the BSA and its implementing regulations.7 Specifically, as described below, BitMEX willfully (a) failed to implement and maintain a compliant
AML program;8 (b) failed to implement and maintain a compliant customer identification program (CIP);9 and (c) failed to report certain suspicious activity.10
[7] In civil enforcement of the BSA under 31 U.S.C. §5321(a)(1), to establish that a financial institution or individual acted willfully, the government need only show that the financial institution or individual acted with either reckless disregard or willful blindness. The government need not show that the entity or individual had knowledge that the conduct violated the BSA, or that the entity or individual otherwise acted with an improper motive or bad purpose.
[8].
31 U.S.C. § 5318(h) and 31 C.F.R. §
1026.210.
[9].
31 U.S.C. § 5318(l) and 31 C.F.R. §
1026.220.
[10].
31 U.S.C. § 5318(g)(1) and 31 C.F.R. §
1026.320.
A. STATEMENT OF FACTS
The following facts took place during the Relevant Time Period.
Background
BitMEX is one of the oldest and largest CVC derivatives exchanges. With more than 1.3 million accounts, BitMEX has consistently ranked among the largest by trade volume, having facilitated over a trillion U.S. dollars’ worth of trades, accepted over $11 billion in convertible virtual currency deposits, and collected over $1 billion in fees. BitMEX offered leveraged trading of CVC derivatives to retail and institutional customers throughout the world, including to U.S. Customers, through BitMEX’s website, www.bitmex.com, the BitMEX mobile app, and by direct connection to its trading engine servers via the BitMEX application programming interface (API).
BitMEX specifically offered futures, options, and swaps on CVC assets such as bitcoin, ether, and litecoin, amongst others. All derivatives were settled in bitcoin, and all deposits and withdrawals were made exclusively in bitcoin.
Two U.S. citizens and one citizen of the United Kingdom founded BitMEX. The trading platform is wholly owned and operated by HDR Global Trading Limited (HDR), a company incorporated in the Seychelles. 100x Holdings Limited describes itself as, “the holding group for HDR Global Trading Limited and its assets, including the BitMEX platform.” BitMEX operates through ABS Global Trading Limited (ABS), a subsidiary incorporated in Wilmington, Delaware, and conducted proprietary trading through the Hong Kong subsidiary of HDR, Shine Effort Inc. Limited (Shine). Certain personnel performing duties for BitMEX operate out of HDR Global Services (Bermuda) Limited (HDR Global Services) as well. HDR, 100x, ABS, Shine, and HDR Global Services operate and do business as a single, common, integrated enterprise, BitMEX, with a global presence, and has maintained employees, including maintaining at least half of its workforce, at its headquarters in San Francisco, California, and New York,
and also operated out of Chicago, Illinois, Milwaukee, Wisconsin, Hong Kong, Bermuda, and Victoria, Seychelles.
BitMEX Willfully Failed to Implement an Anti-Money Laundering Program
FFCMs must have a written anti-money laundering (AML) program approved by senior management that satisfies all AML program requirements under the BSA and implementing regulations.11 The AML program must include, at a minimum: i) the establishment and implementation of policies, procedures, and internal controls reasonably designed to prevent the financial institution from being used for money laundering or the financing of terrorist activities and to achieve compliance with the BSA and implementing regulations; ii) independent testing for compliance; iii) designation of an individual or individuals responsible for implementing and monitoring the operations and internal controls of the program; iv) ongoing training of appropriate personnel; and v) appropriate risk-based procedures for conducting ongoing customer due diligence, including, but not limited to, understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and conducting ongoing monitoring to identify and report suspicious transactions.12 BitMEX willfully failed to implement an AML program that met these requirements.
[11]. 31 U.S.C. §§ 5318(h)(1), (2); 31 C.F.R. §
1026.210(b).
[12]. 31 C.F.R. §§
1026.210(b)(1)-(5).
1. Policies, Procedures, and Controls
Throughout its operations, BitMEX failed to (1) establish and implement policies, procedures, and internal controls reasonably designed to prevent the financial institution from being used for money laundering or the financing of terrorism; (2) conduct independent testing for compliance; (3) designate an individual responsible for implementing and monitoring operations and internal controls of an AML program; (4) conduct ongoing training for appropriate persons; and (5) establish appropriate risk- based procedures for conducting ongoing customer due diligence.
BitMEX represents that, since its engagement with U.S. regulators, it has accelerated the implementation of its enhanced internal controls designed to detect and prevent suspicious transactions. BitMEX also represents that it has engaged in remedial measures, including the development of an AML program and user verification program, and it has appointed a new Chief Compliance Officer.
BitMEX’s founders, executive officers, and additional senior leaders at the company were aware of their AML obligations at the beginning of its operations, including specifically how providing services to U.S. Customers could affect the company, as reflected in internal communications regarding licenses and other legal obligations. Yet throughout the Relevant Time Period, until at least late 2020, BitMEX continued to operate without establishing and implementing a written AML program approved by senior management with adequate AML policies, procedures, and internal controls.
For example, in an email dated October 28, 2014, just prior to the first bitcoin transactions occurring on the BitMEX platform, BitMEX’s co-founder and Chief Executive Officer (CEO) discussed with his co-founders the regulatory environment as it applies to BitMEX’s business model, demonstrating knowledge of both the CFTC (“this is the organization that policies [sic] derivatives in the states”) and FinCEN (“this most affects us currently”). Furthermore, in this email, BitMEX’s co-founder and CEO recognized the obligations financial institutions have under the different regulatory frameworks when providing services to U.S. Customers and evaluated options that “might allow us not to have to ban US customers.” Despite this, BitMEX did not implement any of the requirements of an AML program when it first launched on or about November 2014.
Similarly, almost a year after it began operating, in an email dated September 20, 2015, BitMEX’s co-founder and CEO stated, “CFTC rules Bitcoin is a commodity this will have an impact on our business, and our legal will advise,” and “[t]he CFTC ruled through a cease and desist enforcement letter against a small Bitcoin options operator in California that Bitcoin is a commodity. This complicates the regulatory landscape because different U.S. agencies have classified Bitcoin as a commodity, currency, and property. Our legal team will be providing an opinion as to how this will affect our business.” Despite knowledge of regulatory application to BitMEX’s business from its inception, BitMEX did not implement appropriate policies, procedures, and controls to comply with its various obligations.
a. Warnings from Other U.S.-Based Financial Institutions BitMEX tried to establish business relationships with other U.S.-based financial institutions subject to the BSA to support their trading liquidity. In these discussions with U.S.-based CVC exchanges, BitMEX acknowledged that they traded in commodities regulated by the CFTC. For example, BitMEX’s co-founder and CEO told his employees about an email conversation he had with a CVC exchange employee: “I shot [employee at CVC Exchange] another email about us just needing them to state we trade cftc commodities with them, will see what he comes back with.” In these communications, BitMEX made admissions to other U.S.-based financial institutions that it conducted trades in commodities regulated by the CFTC.
Many of these U.S.-based CVC exchanges directly asked about BitMEX’s AML policies, procedures, and internal controls. For example, on June 21, 2016, BitMEX’s co-founder and CEO responded to an email from a U.S.-based CVC exchanger’s onboarding form that requested compliance information, stating that, “the answer to all AML questions is no.” In response to a separate request by a different U.S.-based CVC Exchange to fill out an AML onboarding questionnaire, BitMEX’s co-founder and CEO stated, “No we don’t do any [Office of Foreign Assets Control] screening. The only country banned from our platform is the USA….we do no other [Know Your Customer] as we are not required to under Seychelles law,” and, “for non-US persons we require only a verified email address.” In response, the U.S.-based CVC Exchange decided against entering into business with BitMEX stating, “[W]e cannot allow [BitMEX] to create an account and trade on [CVC Exchange]. Should [BitMEX] amend its [Know Your Customer] and sanctions screening process, we are happy to revisit this decision.” Nevertheless, BitMEX continued to operate without appropriate policies, procedures, or internal controls in place throughout the Relevant Time Period, until at least late 2020.
2. Compliance Officer
An FCM is required to designate a person or persons responsible for implementing and monitoring the operations and internal controls of the program.13 Some of the core responsibilities of this person include, but are not limited to, ensuring the FCM files reports and creates and retains records, updates the compliance program as necessary to reflect the current requirements of the BSA, and provides adequate training. Throughout the Relevant Time Period, until at least late 2020, BitMEX failed to designate a compliance officer to ensure day-to-day compliance with an AML program or any of the BSA’s implementing regulations.
BitMEX’s senior leadership acknowledged that it did not have appropriate compliance personnel in place and that compliance personnel were necessary. In an internal chat dated December 14, 2018, BitMEX’s Chief Operating Officer asked the Head of Business Development, “are we almost done with hiring a real compliance person to take over onboarding” to which the Head of Business Development responded, “We are hiring a compliance person, not sure when that person is going to come aboard.”
Nevertheless, the individual designated as responsible for compliance in 2019 failed to ensure compliance with the BSA and did not establish a formal AML program, including any policies, procedures, and internal controls or procedures to identify, detect, and report suspicious activity. BitMEX did not hire an individual responsible specifically responsible for AML compliance until October 2020.
3. Training
An FCM must provide for training of personnel,14 including training in the detection of suspicious transactions. Senior leadership acknowledged BitMEX provided no training programs or materials to BitMEX employees, and no individual was identified as responsible for BSA/AML training. As a result, BitMEX failed to train its personnel to meet recordkeeping and reporting requirements, and failed to train its personnel in identifying, monitoring, and reporting suspicious activity.
4. Independent Testing
An FCM must provide for independent review to monitor and maintain an adequate AML program.15 BitMEX did not conduct required independent testing during the Relevant Time Period.
[15]. 31 C.F.R. §
1026.210(b)(2).
5. Failures to Conduct Customer Due Diligence and Transaction Monitoring FCMs must conduct both due diligence to understand the nature and purpose of customer relationships for the purpose of developing customer risk profiles, and ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.16 Throughout the Relevant Time Period, until at least May 2018, BitMEX did not conduct due diligence to develop a customer risk profile or make a risk-based decision to maintain and update customer information. Instead, BitMEX chose not to conduct customer due diligence, allowed customers to create an account with only an email address, and decided not to collect, maintain, or update any customer information or supporting verification documents at all throughout the Relevant Time Period. Even after BitMEX began to put certain due diligence measures in place, until at least late 2020, they did not satisfy the BSA’s due diligence requirements.
[16]. 31 C.F.R. §
1026.210(b)(5).
Transactions conducted in CVCs such as bitcoin are generally pseudonymous. However, certain information about past transactions and counterparties that have transacted with certain CVC wallets can be determined by applying address-clustering tools. These tools can uncover the identity of the transacting parties by linking CVC wallet addresses controlled by the same user based on the information available from the blockchain. Financial institutions utilize public information, transactional information on public, immutable CVC ledgers, and internal customer due diligence information to assist in identifying suspicious activity or patterns of suspicious activity occurring through the financial institution. Despite the availability of such tools, BitMEX failed to implement any policies, procedures, and internal controls to review bitcoin transactions and identify potentially suspicious transactions occurring through their platform both at the time transactions took place and as new information about past transactions, customers, and counterparties became available to them.
Based on FinCEN’s analysis, BitMEX’s failure to conduct due diligence and transaction monitoring allowed thousands of transactions with suspicious counterparties, including numerous transactions with darknet markets; high-risk jurisdictions; unregistered MSBs offering enhanced CVC anonymity services, such as mixing services; and fraud schemes. Significantly, BitMEX failed to conduct proactive suspicious activity screening to determine whether transactions involved possible terrorist financing. When directly asked if BitMEX conducted any transaction monitoring or reporting to detect or report potential terrorist financing, the co- founder and CEO stated only, “if alerted to something from law enforcement we will assist.” A financial institution may not rely solely on communications from law enforcement to satisfy its obligations to conduct ongoing monitoring to identify and report suspicious transactions.
In addition, BitMEX failed to implement additional policies, procedures, and internal controls specifically related to jurisdiction screening, including to exclude U.S. Customers from its platform. BitMEX continued to welcome openly U.S. Customers until at least late 2015. In an email sent by BitMEX’s co-founder and CEO to a mailing list titled, “Bye Bye, New York State,” he announced that the platform would only stop doing business in New York State effective August 16, 2015. The email did not describe the impact on customers in other U.S. states and territories.
Further, in 2015 a potential business partner for BitMEX asked the co-founder and CEO about BitMEX’s “regulatory compliance landscape,” asking, “do you have any particular licenses or registrations in any jurisdictions to conduct your business? Such as FinCEN, BitLicense or money transmitter licenses? Do you do business in the US (ie do you accept customers resident in the US)?” The co-founder and CEO responded, “We do not have any licenses. We are incorporated in the Seychelles, and accept customers globally except for [New York] State.”
BitMEX received reports from its third-party user verification vendor reflecting that customers providing a U.S. identification accounted for 4.3% of all customers who verified their identity on BitMEX in September 2018, 8% of all customers in October 2018, and 5.1% of all customers in November 2018. While BitMEX continued to represent that it only did business outside the U.S. – at times, representing that the U.S. was the only jurisdiction where transactions were prohibited – in practice BitMEX actively ignored signs that U.S. Customers traded on the platform and chose to overlook or alter data indicating that customers were located in the U.S. For example, a BitMEX co-founder and employee discussed user statistics for the platform and ignored signs that U.S. Customers may be accessing BitMEX in December 2018:
[BitMEX Co-Founder]
Looks pretty good, lines up w/what we talked about earlier. Will also want to talk w/the rest of the team about it. Re: the last pages where did you get that data especially re: USA traders in October? We don’t have any USA traders.
[BitMEX Employee]
I meant to flag that datapoint, it was in our country revenue reports for October, figured we should purge/scrub the data of any US stuff.
[BitMEX Co-Founder]
Yeah. May be erroneous, could be corporate customers that are actually offshore or false [Internet Protocol (IP) address location] - yeah please remove[.]
In other instances, BitMEX employees guided U.S. Customers to establish shell companies to trade on the platform. For example, one BitMEX support desk ticket told a U.S. Customer “Unfortunetly [sic] you will not be able to trade on our platform. However, you do have the option to set up a non-US company and open a corporate account with us.” The customer indicated they would do so.
BitMEX co-founders also directly altered customer information to mask the location of its U.S. Customers. In one such example, a BitMEX co-founder proactively altered data related to a prominent U.S.-located investor to show that they were located in Canada when, in fact, their IP address placed them in New York.
[BitMEX Head of Customer Support]
Yo. When you get a chance can you check for me [account number].”
[BitMEX Co-Founder]
Hahah that’s [U.S.-based bitcoin investor]. He’s a US based affiliate. And we kind of let him keep it as a favour. He’s famous in Bitcoin
[BitMEX Head of Customer Support]
Ok, so i dont send him an email? Can i change the country to something else?
[BitMEX Co-Founder]
I’ve just edited it to Canada
[BitMEX Head of Customer Support]
Cool
[BitMEX Co-Founder]
But yes, he has NY [IP Address] [BitMEX Head of Customer Support] That needs changing too please
Based on BitMEX documents and admissions by BitMEX’s employees, BitMEX further failed to implement appropriate policies, procedures, and internal controls to screen for customers that use a virtual private network (VPN) to access the trading platform and circumvent IP monitoring. When reviewing customer activities in October 2018, BitMEX identified 43,422 accounts whose country of registration at that time was set to the U.S., one of its territories, or a U.S. or U.N. sanctioned country, such as Cuba, Iran, Syria, North Korea, and Sudan, or whose IP address field at that time indicated Quebec. A separate October 2018 query conducted by BitMEX identified over 800 accounts opened by users located in China logging in to BitMEX from U.S.- based IP addresses. In December 2018, a BitMEX employee highlighted this compliance weakness, stating to the company co-founders, “at some point we should start discussing vpn detection.”
BitMEX also failed to implement controls over its mirror website available through The Onion Router (TOR).17 While use of TOR in and of itself is not suspicious, transactions through a torrent service may be a strong indicator of potential illicit activity when no additional due diligence is conducted to determine customer identity and whether funds are derived from illegal activity. As an internet-based financial institution, BitMEX can collect specific metadata, including the IP addresses of its users. Not only did BitMEX fail to identify, assess, and mitigate the risks associated with browsers using IP anonymizers such as TOR web browsers, BitMEX deliberately assisted their customer base in doing so by providing them with a TOR webpage to conduct transactions without any additional risk-based policies, procedures, or internal controls until it stopped doing so in or around 2016.
[17]. TOR is an anonymizing torrent service that directs internet traffic through a series of layers to conceal a user’s location and identity. A “mirror website” is a copy of a website that is accessible both on the traditional internet as well as through TOR.
BitMEX Willfully Failed to Implement a Customer Identification Program
An FCM is required to implement a written CIP appropriate for its size and business that, at a minimum, includes the collection and verification of specific customer information, and corresponding recordkeeping.18 By its own admission, BitMEX never established or implemented a written CIP and did not collect or verify information regarding the majority of its customers during the Relevant Time Period. In fact, BitMEX deliberately instituted policies and procedures that violated these requirements. For example, BitMEX’s registration pages advertised, “Sign up takes less than 30 seconds and requires no personal information. Trade in minutes, deposits only require one confirmation.” BitMEX was aware that it had a regulatory obligation to collect and verify customer information, but it refused to change its policy to comply with these requirements unless “under significant government pressure.” An internal senior leadership communication in 2014 stated:
“If we start getting pressure we institute an account verification process for any accounts with balances over 10,000 USD equivalent of [bitcoin]. The documents we would require would be name, address and address proof, and copy of government ID. We should not implement this policy unless we come under significant government pressure. The stated policy should just be a valid email address.”
These policies persisted despite communications with other U.S.-based CVC exchanges that inquired about BitMEX’s CIP measures. In addition to the examples cited above, in a February 2017 email, BitMEX’s Head of Business Development stated to a U.S.-based financial institution, “We do not require any [Know Your Customer information] to deposit, withdraw, or trade.”
[18]. 31 C.F.R. §
1026.220(a).
BitMEX Willfully Failed to File Suspicious Activity Reports
The BSA and its implementing regulations require FCMs to report a transaction conducted or attempted by, at, or through the financial institution that involves or aggregates to at least $5,000 in funds or other assets that the financial institution “knows, suspects, or has reason to suspect”: (a) involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity to violate or evade various legal obligations; (b) is designed to evade reporting requirements or any other regulations under the BSA; (c) has no business or apparent lawful purpose or is not the sort in which a particular customer would normally be expected to engage, and the FCM knows of no reasonable explanation for the transaction after examining the available facts; or (d) involves use of the FCM to facilitate criminal activity.19 An FCM must file a suspicious activity report no later than 30 calendar days after initially detecting facts that may constitute a basis for filing a suspicious activity report.20
[19]. 31 C.F.R. §
1026.320(a)(2).
[20]. 31 C.F.R. §
1026.320(b)(3).
Based on FinCEN’s analysis and as discussed below, at least $209 million worth of transactions were conducted by, at, or through BitMEX with known darknet markets or unregistered MSBs providing mixing services, as well as transactions involving high- risk jurisdictions and alleged fraud schemes. Of these transactions, BitMEX failed to file a
SAR on at least $15 million through at least 588 specific transactions that exceeded the minimum threshold and were either suspicious at the time of the transaction, or became suspicious when additional information about the suspicious nature of the transactions became available to BitMEX.
1. Darknet and Other Illicit Marketplaces
BitMEX processed transactions with darknet marketplaces and other illicit markets where individuals and vendors bought and sold illegal narcotics and controlled substances, drug paraphernalia, counterfeit and fraud-related goods and services, and other illegal contraband. BitMEX-hosted CVC wallet addresses transacted over 2,371 times with 17 darknet markets from May 2015 to November 2020, sending 79.52 BTC and receiving 33.44 BTC during this timeframe. These transactions included marketplaces that were shut down and seized by law enforcement, such as AlphaBay and Wall Street Marketplace. At least 26 of these direct transactions were for an amount over the $5,000 reporting threshold. BitMEX failed to file a SAR on all 26 of these transactions.
2. High-Risk and Prohibited Jurisdictions
BitMEX failed to report suspicious transactions originating from high-risk and prohibited jurisdictions. BitMEX conducted transactions with CVC exchanges operating in jurisdictions with AML/CFT deficiencies, including jurisdictions such as Iran,21 that have restrictions placed on them by the U.S. and have been the subjects of advisories issued by FinCEN and the Financial Action Task Force (FATF).22 BitMEX failed to file a SAR on at least 16 transactions, valued at $138,189 in total, that were conducted with Iranian CVC exchanges.
[21] See “Advisory on the Iranian Regime’s Illicit and Malign Activities and Attempts to Exploit the Financial System (FIN-
2018-A006),” October 11, 2018, https://www.fincen.gov/sites/default/files/ advisory/2018-10-12/Iran%20Advisory%20FINAL%20508.pdf.
[22] See “Advisory on the
FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-
2014-A009),” November 12, 2014; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-
2015-A001),” March 16, 2015; “Advisory on the FATF-Identified Jurisdictions with AML/ CFT Deficiencies (FIN-
2015-A002),” July 20, 2015;
“Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-
2016-A001),” January 19, 2016; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-
2016-A002),” March 21, 2016; “Advisory on the FATF- Identified Jurisdictions with AML/CFT Deficiencies (FIN-
2016-A004),” September 7, 2016; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-
2017-A001),” January 19, 2017; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-
2017-A002),” April 5, 2017; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-
2017-A005),” S
FINANCIAL CRIMES ENFORCEMENT NETWORK DEPARTMENT OF THE TREASURY
Number 2021-02
IN THE MATTER OF:
HDR Global Trading Limited,
100x Holdings Limited,
ABS Global Trading Limited,
Shine Effort Inc. Limited,
HDR Global Services (Bermuda) Limited d/b/a BITMEX
ASSESSMENT OF CIVIL MONEY PENALTY
I. INTRODUCTION
The Financial Crimes Enforcement Network (FinCEN) has determined that grounds exist to assess a civil money penalty against HDR Global Trading Limited, 100x Holdings Limited, ABS Global Trading Limited, Shine Effort Inc. Limited, and HDR Global Services (Bermuda) Limited, which operate as an integrated, common enterprise doing business as BitMEX (collectively, BitMEX or Respondents) pursuant to the Bank Secrecy Act (BSA) and regulations issued pursuant to that Act.1
[1]. The BSA is codified at 12 U.S.C. §§ 1829b, 1951-1959 and 31 U.S.C. §§ 5311-5314, 5316-5336. Regulations implementing the BSA appear at 31 C.F.R. Chapter X.
Without admitting or denying any factual or legal findings or conclusions herein, BitMEX has consented to the assessment of a civil money penalty and entered into a CONSENT TO THE ASSESSMENT OF CIVIL MONEY PENALTY (CONSENT) with FinCEN. Pursuant to the CONSENT, BitMEX agrees to pay a civil penalty in the amount of $100 million and to comply with the Undertakings set forth below. The CONSENT is incorporated into this ASSESSMENT OF CIVIL MONEY PENALTY (ASSESSMENT) as if fully set forth herein.
II. RESPONDENTS
BitMEX is a convertible virtual currency (CVC) derivatives exchange. BitMEX is part of the 100x Group, which includes 100x Holdings Limited, and is wholly owned and operated by HDR Global Trading Limited, a company incorporated in the Seychelles. As described in the Statement of Facts below, BitMEX employed personnel and conducted operations and trading through various subsidiaries and affiliates, including ABS Global Trading Limited; Shine Effort Inc. Limited; and HDR Global Services (Bermuda) Limited, in various locations and offices throughout the world, including, but not limited to, New York, San Francisco, Milwaukee, Hong Kong, Singapore, and Bermuda. Respondents operate and do business as an integrated, common enterprise, “BitMEX.”
III. JURISDICTION
FinCEN, a bureau of the United States Department of the Treasury, is the primary regulator and administrator of the BSA with overall authority for enforcement and compliance, including the assessment of civil money penalties on financial institutions that violate the BSA and implementing regulations and coordination and direction of other agencies exercising delegated authority under the BSA and its implementing regulations.2
[2]. 31 U.S.C. § 5321(a); 31 C.F.R. §§ 1010.810(a), 1010.810(d); Treasury Order 180-01 (July 1, 2014).
At all times relevant to this proceeding, FinCEN has had jurisdiction over BitMEX and the matters that are the subject of and related to the CONSENT and this ASSESSMENT because BitMEX was a “financial institution”3 within the meaning of the BSA and its implementing regulations and was required to meet the statutory and regulatory obligations under the BSA and implementing regulations. Specifically, beginning on or about November 1, 2014 through on or about December 12, 2020 (Relevant Time Period), BitMEX operated as a “futures commission merchant” (FCM) that was required to register with the Commodity Futures Trading Commission (CFTC) under the Commodity Exchange Act (CEA).4 During the Relevant Time Period, BitMEX conducted significant aspects of its business and maintained offices in the U.S., solicited and accepted orders from U.S. persons5 and other individuals and entities located in the United States(collectively, U.S. Customers) on commodity futures contracts and swaps, and in connection with these activities, accepted deposits and, otherwise, accepted money, securities, or property, including bitcoin, to margin, guarantee, or secure resulting trades on the BitMEX platform. In addition, while operating in substantial part in the United States, BitMEX provided money transmission services, transmitting funds for U.S. Customers by accepting currency, funds, or other value that substitutes for currency from one person and transmitting currency, funds, or other value that substitutes for currency to another location or person.6
[3]. See 31 CFR §§ 1010.100(t)(3); 1010.100(t)(8), 1010.100(x), 1010.100(ff)(5); 1010.100(ff)(8)(ii).
[4]. 31 C.F.R. §§ 1010.100(t)(8); 1010.100(x); see also 7 U.S.C. §§ 1-26 (2018).
[5]. 31 C.F.R. § 1010.100(iii).
[6] A person doing business wholly or in substantial part in the United States that provides money transmission services is not a money services business if the person is registered with, and functionally regulated or examined by, the CFTC. 31 C.F.R. § 1010.100(ff)(8)(ii). However, BitMEX does not qualify for this exception because BitMEX was not registered with the CFTC and, therefore, BitMEX was also subject to FinCEN’s jurisdiction on this separate basis. See 31 CFR §§ 1010.100(t)(3); 1010.100(ff)(8)(ii).
Accordingly, FinCEN has jurisdiction over BitMEX and the matters contained in and related to the CONSENT and this ASSESSMENT, and FinCEN has the authority to enter into and adopt the CONSENT. BitMEX agrees not to object to or contest FinCEN’s jurisdiction and authority to enter into and adopt the CONSENT in this proceeding or any related proceedings brought by or on behalf of FinCEN based on a violation of or to enforce the CONSENT.
IV. FINDINGS AND DETERMINATIONS
FinCEN has determined that during the Relevant Time Period, BitMEX willfully violated certain of its obligations under the BSA and its implementing regulations.7 Specifically, as described below, BitMEX willfully (a) failed to implement and maintain a compliant AML program;8 (b) failed to implement and maintain a compliant customer identification program (CIP);9 and (c) failed to report certain suspicious activity.10
[7] In civil enforcement of the BSA under 31 U.S.C. §5321(a)(1), to establish that a financial institution or individual acted willfully, the government need only show that the financial institution or individual acted with either reckless disregard or willful blindness. The government need not show that the entity or individual had knowledge that the conduct violated the BSA, or that the entity or individual otherwise acted with an improper motive or bad purpose.
[8]. 31 U.S.C. § 5318(h) and 31 C.F.R. § 1026.210.
[9]. 31 U.S.C. § 5318(l) and 31 C.F.R. § 1026.220.
[10]. 31 U.S.C. § 5318(g)(1) and 31 C.F.R. § 1026.320.
A. STATEMENT OF FACTS
The following facts took place during the Relevant Time Period.
Background
BitMEX is one of the oldest and largest CVC derivatives exchanges. With more than 1.3 million accounts, BitMEX has consistently ranked among the largest by trade volume, having facilitated over a trillion U.S. dollars’ worth of trades, accepted over $11 billion in convertible virtual currency deposits, and collected over $1 billion in fees. BitMEX offered leveraged trading of CVC derivatives to retail and institutional customers throughout the world, including to U.S. Customers, through BitMEX’s website, www.bitmex.com, the BitMEX mobile app, and by direct connection to its trading engine servers via the BitMEX application programming interface (API).
BitMEX specifically offered futures, options, and swaps on CVC assets such as bitcoin, ether, and litecoin, amongst others. All derivatives were settled in bitcoin, and all deposits and withdrawals were made exclusively in bitcoin.
Two U.S. citizens and one citizen of the United Kingdom founded BitMEX. The trading platform is wholly owned and operated by HDR Global Trading Limited (HDR), a company incorporated in the Seychelles. 100x Holdings Limited describes itself as, “the holding group for HDR Global Trading Limited and its assets, including the BitMEX platform.” BitMEX operates through ABS Global Trading Limited (ABS), a subsidiary incorporated in Wilmington, Delaware, and conducted proprietary trading through the Hong Kong subsidiary of HDR, Shine Effort Inc. Limited (Shine). Certain personnel performing duties for BitMEX operate out of HDR Global Services (Bermuda) Limited (HDR Global Services) as well. HDR, 100x, ABS, Shine, and HDR Global Services operate and do business as a single, common, integrated enterprise, BitMEX, with a global presence, and has maintained employees, including maintaining at least half of its workforce, at its headquarters in San Francisco, California, and New York,
and also operated out of Chicago, Illinois, Milwaukee, Wisconsin, Hong Kong, Bermuda, and Victoria, Seychelles.
BitMEX Willfully Failed to Implement an Anti-Money Laundering Program
FFCMs must have a written anti-money laundering (AML) program approved by senior management that satisfies all AML program requirements under the BSA and implementing regulations.11 The AML program must include, at a minimum: i) the establishment and implementation of policies, procedures, and internal controls reasonably designed to prevent the financial institution from being used for money laundering or the financing of terrorist activities and to achieve compliance with the BSA and implementing regulations; ii) independent testing for compliance; iii) designation of an individual or individuals responsible for implementing and monitoring the operations and internal controls of the program; iv) ongoing training of appropriate personnel; and v) appropriate risk-based procedures for conducting ongoing customer due diligence, including, but not limited to, understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and conducting ongoing monitoring to identify and report suspicious transactions.12 BitMEX willfully failed to implement an AML program that met these requirements.
[11]. 31 U.S.C. §§ 5318(h)(1), (2); 31 C.F.R. § 1026.210(b).
[12]. 31 C.F.R. §§ 1026.210(b)(1)-(5).
1. Policies, Procedures, and Controls
Throughout its operations, BitMEX failed to (1) establish and implement policies, procedures, and internal controls reasonably designed to prevent the financial institution from being used for money laundering or the financing of terrorism; (2) conduct independent testing for compliance; (3) designate an individual responsible for implementing and monitoring operations and internal controls of an AML program; (4) conduct ongoing training for appropriate persons; and (5) establish appropriate risk- based procedures for conducting ongoing customer due diligence.
BitMEX represents that, since its engagement with U.S. regulators, it has accelerated the implementation of its enhanced internal controls designed to detect and prevent suspicious transactions. BitMEX also represents that it has engaged in remedial measures, including the development of an AML program and user verification program, and it has appointed a new Chief Compliance Officer.
BitMEX’s founders, executive officers, and additional senior leaders at the company were aware of their AML obligations at the beginning of its operations, including specifically how providing services to U.S. Customers could affect the company, as reflected in internal communications regarding licenses and other legal obligations. Yet throughout the Relevant Time Period, until at least late 2020, BitMEX continued to operate without establishing and implementing a written AML program approved by senior management with adequate AML policies, procedures, and internal controls.
For example, in an email dated October 28, 2014, just prior to the first bitcoin transactions occurring on the BitMEX platform, BitMEX’s co-founder and Chief Executive Officer (CEO) discussed with his co-founders the regulatory environment as it applies to BitMEX’s business model, demonstrating knowledge of both the CFTC (“this is the organization that policies [sic] derivatives in the states”) and FinCEN (“this most affects us currently”). Furthermore, in this email, BitMEX’s co-founder and CEO recognized the obligations financial institutions have under the different regulatory frameworks when providing services to U.S. Customers and evaluated options that “might allow us not to have to ban US customers.” Despite this, BitMEX did not implement any of the requirements of an AML program when it first launched on or about November 2014.
Similarly, almost a year after it began operating, in an email dated September 20, 2015, BitMEX’s co-founder and CEO stated, “CFTC rules Bitcoin is a commodity this will have an impact on our business, and our legal will advise,” and “[t]he CFTC ruled through a cease and desist enforcement letter against a small Bitcoin options operator in California that Bitcoin is a commodity. This complicates the regulatory landscape because different U.S. agencies have classified Bitcoin as a commodity, currency, and property. Our legal team will be providing an opinion as to how this will affect our business.” Despite knowledge of regulatory application to BitMEX’s business from its inception, BitMEX did not implement appropriate policies, procedures, and controls to comply with its various obligations.
a. Warnings from Other U.S.-Based Financial Institutions BitMEX tried to establish business relationships with other U.S.-based financial institutions subject to the BSA to support their trading liquidity. In these discussions with U.S.-based CVC exchanges, BitMEX acknowledged that they traded in commodities regulated by the CFTC. For example, BitMEX’s co-founder and CEO told his employees about an email conversation he had with a CVC exchange employee: “I shot [employee at CVC Exchange] another email about us just needing them to state we trade cftc commodities with them, will see what he comes back with.” In these communications, BitMEX made admissions to other U.S.-based financial institutions that it conducted trades in commodities regulated by the CFTC.
Many of these U.S.-based CVC exchanges directly asked about BitMEX’s AML policies, procedures, and internal controls. For example, on June 21, 2016, BitMEX’s co-founder and CEO responded to an email from a U.S.-based CVC exchanger’s onboarding form that requested compliance information, stating that, “the answer to all AML questions is no.” In response to a separate request by a different U.S.-based CVC Exchange to fill out an AML onboarding questionnaire, BitMEX’s co-founder and CEO stated, “No we don’t do any [Office of Foreign Assets Control] screening. The only country banned from our platform is the USA….we do no other [Know Your Customer] as we are not required to under Seychelles law,” and, “for non-US persons we require only a verified email address.” In response, the U.S.-based CVC Exchange decided against entering into business with BitMEX stating, “[W]e cannot allow [BitMEX] to create an account and trade on [CVC Exchange]. Should [BitMEX] amend its [Know Your Customer] and sanctions screening process, we are happy to revisit this decision.” Nevertheless, BitMEX continued to operate without appropriate policies, procedures, or internal controls in place throughout the Relevant Time Period, until at least late 2020.
2. Compliance Officer
An FCM is required to designate a person or persons responsible for implementing and monitoring the operations and internal controls of the program.13 Some of the core responsibilities of this person include, but are not limited to, ensuring the FCM files reports and creates and retains records, updates the compliance program as necessary to reflect the current requirements of the BSA, and provides adequate training. Throughout the Relevant Time Period, until at least late 2020, BitMEX failed to designate a compliance officer to ensure day-to-day compliance with an AML program or any of the BSA’s implementing regulations.
BitMEX’s senior leadership acknowledged that it did not have appropriate compliance personnel in place and that compliance personnel were necessary. In an internal chat dated December 14, 2018, BitMEX’s Chief Operating Officer asked the Head of Business Development, “are we almost done with hiring a real compliance person to take over onboarding” to which the Head of Business Development responded, “We are hiring a compliance person, not sure when that person is going to come aboard.”
Nevertheless, the individual designated as responsible for compliance in 2019 failed to ensure compliance with the BSA and did not establish a formal AML program, including any policies, procedures, and internal controls or procedures to identify, detect, and report suspicious activity. BitMEX did not hire an individual responsible specifically responsible for AML compliance until October 2020.
3. Training
An FCM must provide for training of personnel,14 including training in the detection of suspicious transactions. Senior leadership acknowledged BitMEX provided no training programs or materials to BitMEX employees, and no individual was identified as responsible for BSA/AML training. As a result, BitMEX failed to train its personnel to meet recordkeeping and reporting requirements, and failed to train its personnel in identifying, monitoring, and reporting suspicious activity.
4. Independent Testing
An FCM must provide for independent review to monitor and maintain an adequate AML program.15 BitMEX did not conduct required independent testing during the Relevant Time Period.
[15]. 31 C.F.R. § 1026.210(b)(2).
5. Failures to Conduct Customer Due Diligence and Transaction Monitoring FCMs must conduct both due diligence to understand the nature and purpose of customer relationships for the purpose of developing customer risk profiles, and ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.16 Throughout the Relevant Time Period, until at least May 2018, BitMEX did not conduct due diligence to develop a customer risk profile or make a risk-based decision to maintain and update customer information. Instead, BitMEX chose not to conduct customer due diligence, allowed customers to create an account with only an email address, and decided not to collect, maintain, or update any customer information or supporting verification documents at all throughout the Relevant Time Period. Even after BitMEX began to put certain due diligence measures in place, until at least late 2020, they did not satisfy the BSA’s due diligence requirements.
[16]. 31 C.F.R. § 1026.210(b)(5).
Transactions conducted in CVCs such as bitcoin are generally pseudonymous. However, certain information about past transactions and counterparties that have transacted with certain CVC wallets can be determined by applying address-clustering tools. These tools can uncover the identity of the transacting parties by linking CVC wallet addresses controlled by the same user based on the information available from the blockchain. Financial institutions utilize public information, transactional information on public, immutable CVC ledgers, and internal customer due diligence information to assist in identifying suspicious activity or patterns of suspicious activity occurring through the financial institution. Despite the availability of such tools, BitMEX failed to implement any policies, procedures, and internal controls to review bitcoin transactions and identify potentially suspicious transactions occurring through their platform both at the time transactions took place and as new information about past transactions, customers, and counterparties became available to them.
Based on FinCEN’s analysis, BitMEX’s failure to conduct due diligence and transaction monitoring allowed thousands of transactions with suspicious counterparties, including numerous transactions with darknet markets; high-risk jurisdictions; unregistered MSBs offering enhanced CVC anonymity services, such as mixing services; and fraud schemes. Significantly, BitMEX failed to conduct proactive suspicious activity screening to determine whether transactions involved possible terrorist financing. When directly asked if BitMEX conducted any transaction monitoring or reporting to detect or report potential terrorist financing, the co- founder and CEO stated only, “if alerted to something from law enforcement we will assist.” A financial institution may not rely solely on communications from law enforcement to satisfy its obligations to conduct ongoing monitoring to identify and report suspicious transactions.
In addition, BitMEX failed to implement additional policies, procedures, and internal controls specifically related to jurisdiction screening, including to exclude U.S. Customers from its platform. BitMEX continued to welcome openly U.S. Customers until at least late 2015. In an email sent by BitMEX’s co-founder and CEO to a mailing list titled, “Bye Bye, New York State,” he announced that the platform would only stop doing business in New York State effective August 16, 2015. The email did not describe the impact on customers in other U.S. states and territories.
Further, in 2015 a potential business partner for BitMEX asked the co-founder and CEO about BitMEX’s “regulatory compliance landscape,” asking, “do you have any particular licenses or registrations in any jurisdictions to conduct your business? Such as FinCEN, BitLicense or money transmitter licenses? Do you do business in the US (ie do you accept customers resident in the US)?” The co-founder and CEO responded, “We do not have any licenses. We are incorporated in the Seychelles, and accept customers globally except for [New York] State.”
BitMEX received reports from its third-party user verification vendor reflecting that customers providing a U.S. identification accounted for 4.3% of all customers who verified their identity on BitMEX in September 2018, 8% of all customers in October 2018, and 5.1% of all customers in November 2018. While BitMEX continued to represent that it only did business outside the U.S. – at times, representing that the U.S. was the only jurisdiction where transactions were prohibited – in practice BitMEX actively ignored signs that U.S. Customers traded on the platform and chose to overlook or alter data indicating that customers were located in the U.S. For example, a BitMEX co-founder and employee discussed user statistics for the platform and ignored signs that U.S. Customers may be accessing BitMEX in December 2018:
[BitMEX Co-Founder]
Looks pretty good, lines up w/what we talked about earlier. Will also want to talk w/the rest of the team about it. Re: the last pages where did you get that data especially re: USA traders in October? We don’t have any USA traders.
[BitMEX Employee]
I meant to flag that datapoint, it was in our country revenue reports for October, figured we should purge/scrub the data of any US stuff.
[BitMEX Co-Founder]
Yeah. May be erroneous, could be corporate customers that are actually offshore or false [Internet Protocol (IP) address location] - yeah please remove[.]
In other instances, BitMEX employees guided U.S. Customers to establish shell companies to trade on the platform. For example, one BitMEX support desk ticket told a U.S. Customer “Unfortunetly [sic] you will not be able to trade on our platform. However, you do have the option to set up a non-US company and open a corporate account with us.” The customer indicated they would do so.
BitMEX co-founders also directly altered customer information to mask the location of its U.S. Customers. In one such example, a BitMEX co-founder proactively altered data related to a prominent U.S.-located investor to show that they were located in Canada when, in fact, their IP address placed them in New York.
[BitMEX Head of Customer Support]
Yo. When you get a chance can you check for me [account number].”
[BitMEX Co-Founder]
Hahah that’s [U.S.-based bitcoin investor]. He’s a US based affiliate. And we kind of let him keep it as a favour. He’s famous in Bitcoin
[BitMEX Head of Customer Support]
Ok, so i dont send him an email? Can i change the country to something else?
[BitMEX Co-Founder]
I’ve just edited it to Canada
[BitMEX Head of Customer Support]
Cool
[BitMEX Co-Founder]
But yes, he has NY [IP Address] [BitMEX Head of Customer Support] That needs changing too please
Based on BitMEX documents and admissions by BitMEX’s employees, BitMEX further failed to implement appropriate policies, procedures, and internal controls to screen for customers that use a virtual private network (VPN) to access the trading platform and circumvent IP monitoring. When reviewing customer activities in October 2018, BitMEX identified 43,422 accounts whose country of registration at that time was set to the U.S., one of its territories, or a U.S. or U.N. sanctioned country, such as Cuba, Iran, Syria, North Korea, and Sudan, or whose IP address field at that time indicated Quebec. A separate October 2018 query conducted by BitMEX identified over 800 accounts opened by users located in China logging in to BitMEX from U.S.- based IP addresses. In December 2018, a BitMEX employee highlighted this compliance weakness, stating to the company co-founders, “at some point we should start discussing vpn detection.”
BitMEX also failed to implement controls over its mirror website available through The Onion Router (TOR).17 While use of TOR in and of itself is not suspicious, transactions through a torrent service may be a strong indicator of potential illicit activity when no additional due diligence is conducted to determine customer identity and whether funds are derived from illegal activity. As an internet-based financial institution, BitMEX can collect specific metadata, including the IP addresses of its users. Not only did BitMEX fail to identify, assess, and mitigate the risks associated with browsers using IP anonymizers such as TOR web browsers, BitMEX deliberately assisted their customer base in doing so by providing them with a TOR webpage to conduct transactions without any additional risk-based policies, procedures, or internal controls until it stopped doing so in or around 2016.
[17]. TOR is an anonymizing torrent service that directs internet traffic through a series of layers to conceal a user’s location and identity. A “mirror website” is a copy of a website that is accessible both on the traditional internet as well as through TOR.
BitMEX Willfully Failed to Implement a Customer Identification Program
An FCM is required to implement a written CIP appropriate for its size and business that, at a minimum, includes the collection and verification of specific customer information, and corresponding recordkeeping.18 By its own admission, BitMEX never established or implemented a written CIP and did not collect or verify information regarding the majority of its customers during the Relevant Time Period. In fact, BitMEX deliberately instituted policies and procedures that violated these requirements. For example, BitMEX’s registration pages advertised, “Sign up takes less than 30 seconds and requires no personal information. Trade in minutes, deposits only require one confirmation.” BitMEX was aware that it had a regulatory obligation to collect and verify customer information, but it refused to change its policy to comply with these requirements unless “under significant government pressure.” An internal senior leadership communication in 2014 stated:
“If we start getting pressure we institute an account verification process for any accounts with balances over 10,000 USD equivalent of [bitcoin]. The documents we would require would be name, address and address proof, and copy of government ID. We should not implement this policy unless we come under significant government pressure. The stated policy should just be a valid email address.”
These policies persisted despite communications with other U.S.-based CVC exchanges that inquired about BitMEX’s CIP measures. In addition to the examples cited above, in a February 2017 email, BitMEX’s Head of Business Development stated to a U.S.-based financial institution, “We do not require any [Know Your Customer information] to deposit, withdraw, or trade.”
[18]. 31 C.F.R. § 1026.220(a).
BitMEX Willfully Failed to File Suspicious Activity Reports
The BSA and its implementing regulations require FCMs to report a transaction conducted or attempted by, at, or through the financial institution that involves or aggregates to at least $5,000 in funds or other assets that the financial institution “knows, suspects, or has reason to suspect”: (a) involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity to violate or evade various legal obligations; (b) is designed to evade reporting requirements or any other regulations under the BSA; (c) has no business or apparent lawful purpose or is not the sort in which a particular customer would normally be expected to engage, and the FCM knows of no reasonable explanation for the transaction after examining the available facts; or (d) involves use of the FCM to facilitate criminal activity.19 An FCM must file a suspicious activity report no later than 30 calendar days after initially detecting facts that may constitute a basis for filing a suspicious activity report.20
[19]. 31 C.F.R. § 1026.320(a)(2).
[20]. 31 C.F.R. § 1026.320(b)(3).
Based on FinCEN’s analysis and as discussed below, at least $209 million worth of transactions were conducted by, at, or through BitMEX with known darknet markets or unregistered MSBs providing mixing services, as well as transactions involving high- risk jurisdictions and alleged fraud schemes. Of these transactions, BitMEX failed to file a SAR on at least $15 million through at least 588 specific transactions that exceeded the minimum threshold and were either suspicious at the time of the transaction, or became suspicious when additional information about the suspicious nature of the transactions became available to BitMEX.
1. Darknet and Other Illicit Marketplaces
BitMEX processed transactions with darknet marketplaces and other illicit markets where individuals and vendors bought and sold illegal narcotics and controlled substances, drug paraphernalia, counterfeit and fraud-related goods and services, and other illegal contraband. BitMEX-hosted CVC wallet addresses transacted over 2,371 times with 17 darknet markets from May 2015 to November 2020, sending 79.52 BTC and receiving 33.44 BTC during this timeframe. These transactions included marketplaces that were shut down and seized by law enforcement, such as AlphaBay and Wall Street Marketplace. At least 26 of these direct transactions were for an amount over the $5,000 reporting threshold. BitMEX failed to file a SAR on all 26 of these transactions.
2. High-Risk and Prohibited Jurisdictions
BitMEX failed to report suspicious transactions originating from high-risk and prohibited jurisdictions. BitMEX conducted transactions with CVC exchanges operating in jurisdictions with AML/CFT deficiencies, including jurisdictions such as Iran,21 that have restrictions placed on them by the U.S. and have been the subjects of advisories issued by FinCEN and the Financial Action Task Force (FATF).22 BitMEX failed to file a SAR on at least 16 transactions, valued at $138,189 in total, that were conducted with Iranian CVC exchanges.
[21] See “Advisory on the Iranian Regime’s Illicit and Malign Activities and Attempts to Exploit the Financial System (FIN-2018-A006),” October 11, 2018, https://www.fincen.gov/sites/default/files/ advisory/2018-10-12/Iran%20Advisory%20FINAL%20508.pdf.
[22] See “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-2014-A009),” November 12, 2014; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-2015-A001),” March 16, 2015; “Advisory on the FATF-Identified Jurisdictions with AML/ CFT Deficiencies (FIN-2015-A002),” July 20, 2015;
“Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-2016-A001),” January 19, 2016; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-2016-A002),” March 21, 2016; “Advisory on the FATF- Identified Jurisdictions with AML/CFT Deficiencies (FIN-2016-A004),” September 7, 2016; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-2017-A001),” January 19, 2017; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-2017-A002),” April 5, 2017; “Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies (FIN-2017-A005),” S