UPDATE (April 18 20:30 UTC): This article has been updated to include a response from Bittrex at the bottom.

Shirin Emami is the executive deputy superintendent for banking at the New York State Department of Financial Services.

Bittrex purportedly aims to get the facts straight about the denial of its license applications by the New York State Department of Financial Services (DFS) in recent statements to the media (including CoinDesk). But the cryptocurrency exchange leaves out the context necessary to understand its failures to comply with DFS’s licensing requirements, continues to misstate the facts and presents a misleading picture of the denial.

First, Bittrex claims that DFS did not provide guidance to the company and that the company’s applications sat on DFS’s desk “for years.” These statements are untrue.

Bittrex either misunderstands or misrepresents the meaning of guidance from a regulator in the context of a license application. DFS’s guidance consists of informing an applicant of the regulatory requirements for a license and pointing out deficiencies that need to be addressed before a license is granted. The corrective work to address deficiencies remains the applicant’s responsibility.

Throughout the application process, Bittrex was repeatedly informed of the regulatory requirements for the licenses it sought and provided with letters describing its deficiencies so the company could address them. Instead, the company spent many rounds of interaction with DFS either promising compliance and failing to deliver it, or trying to persuade DFS that, unlike our other regulated firms, it did not have to comply.

Bittrex’s initial application had many deficiencies, including weak customer due diligence, a lack of transaction monitoring, and an absence of experienced compliance staff. DFS staff repeatedly communicated to Bittrex the department’s concerns regarding these deficiencies. Bittrex repeatedly promised improvements and solutions, but ultimately failed to meet the requirements.

Transaction monitoring

Bittrex’s story of a commitment to compliance is wholly undermined by key omissions concerning its long-term transaction monitoring noncompliance. According to an American Banker article, “[the company’s chief compliance and ethics officer, John] Roth said the company has a suspicious transaction monitoring process that’s partially automated and partially manual. It had been taking steps to fully automate it.”

In fact, DFS repeatedly informed Bittrex that it needed a robust transaction monitoring system. After promising that a transaction monitoring system would be implemented well before 2018, Bittrex finally hired compliance staff to create one in early 2018. After nearly a year of work, Bittrex rolled out what turned out to be a manual transaction monitoring system in December 2018, only capable of handling a small volume of transactions, lacking the comprehensive and accurate risk assessment that must underlie any compliance program.

A transaction monitoring system that is not based on comprehensive risk assessment and uses only transaction size to select targets for scrutiny cannot be called a risk-based system. Attempting to pass off a wholly inadequate limited-capacity manual system, while Bittrex was using rapid-fire electronic systems to process millions of trades, could only be bad faith or extremely bad judgment.

If Bittrex continues to tout this December 2018 system as in any way adequate after being clearly told of its shortcomings, it is either evidence of an intent to mislead regulators and markets, or evidence of genuine ignorance.

Customer ID

Moreover, Bittrex’s grossly inadequate transaction monitoring system is exacerbated by an additional deficiency: incomplete or missing customer identity data.

Without accurate customer names, any pretense at customer due diligence or other compliance, including compliance with Office of Foreign Assets Control (OFAC) sanctions, is a sham.

As to its customer due diligence failures, Bittrex claimed to media outlets that “the fake accounts cited by the regulator were not active ones.” But, in fact, more than 70 percent of the “fake name” accounts sampled by DFS had been active accounts at some point, and some still contained funds at the time of DFS’s on-site review in 2019 of Bittrex’s operations.

More troubling, in a further sample taken to test customer due diligence processes, 39 percent of sampled accounts had no name associated with the account, never had their identification checked, and could not possibly be checked for OFAC or other compliance. When Bittrex delivered its new transaction monitoring system in December 2018, it had solved nothing concerning the defective due diligence, nor did it address the scale of transaction monitoring needed.

Bittrex’s gross lack of compliance has consequences. When DFS examiners sampled accounts in 2019, their small sample identified two North Korean accounts. More may exist. At least one North Korean account was active into 2017. At least two Iranian accounts were still active in the Bittrex system when DFS examiners visited Bittrex in 2019, and potentially usable.

Listing criteria

Bittrex also attempts to shirk responsibility for the coins it decides to list on its exchange, stating that some coins are decentralized. This is irrelevant since it ignores the fact that listing decisions are made by Bittrex, which has an obligation to conduct appropriate due diligence on all types of assets, and then obtain approval for them from DFS, as required by the DFS Virtual Currency Regulation.

What’s more, Bittrex admitted to using an informal process for coin-listing decisions, without systematic documentation. This is just another example of the company’s lackadaisical approach to all aspects of compliance.

Bittrex also objected to DFS’s standard supervisory agreement, which contained provisions that have been applied to all prior applicants, and which are either required by the Virtual Currency Regulation or are an implementation of its provisions. These supervisory agreement provisions require pre-approval of new products, pre-approval of mergers and acquisition transactions, and set forth a capitalization formula that implements the regulation’s capitalization requirement.

DFS’s 2019 visit to Bittrex was intended to be primarily a review of Bittrex’s Bank Secrecy Act (BSA), anti-money-laundering (AML) and OFAC compliance program in the context of its pending applications. It was the final confirmation of the company’s inability to meet the regulatory requirements for the licenses it sought.

Bittrex made promises and representations to obtain virtual currency and money transmission licenses in New York, was given every reasonable opportunity by DFS to meet the required regulatory requirements and was denied because it failed to deliver.

Editor’s note: In response to this op-ed, Bittrex provided the following statement. “At its core, the New York DFS is overstepping its regulatory authority and changing rules and guidelines on the fly. The sheer fact of the matter is that, despite all of the supposed concerns the NY DFS has claimed, it was willing to agree to a supervisory agreement with Bittrex and grant a BitLicense in January 2019. It was not until Bittrex attempted to negotiate the proposed agreement – and its regulatory overreach – that the NY DFS took such a combative stance as evidenced by the following actions:

In an attempted power grab, the NY DFS tried to require things in the supervisory agreement that they otherwise couldn’t have asked for under existing BitLicense and Money Transmission License regulations. No other state requires the business-crippling provisions that the NY DFS wanted to implement and Bittrex has successfully worked with regulators to gain license approvals in dozens of other states.

The NY DFS chose to ignore its own rules to include (Rule 504.3) which allows for “manual or automated” transaction monitoring – and then ignored the fact that Bittrex will have fully automated transaction monitoring by this month.

The NY DFS chose to hold Bittrex to standards where none previously existed. There are no standards for listing coins by any entity and Bittrex tried to get DFS to provide a standard, but they could not.

The actions of the NY DFS show that it was focused on retribution, rather than consumer protection. Bittrex continues to deny the use of its platform by any citizens of North Korea or citizens of Iran in 2019. However, if the NY DFS found that evidence as it claims, why did it not share that intelligence with Bittrex in order to remedy or understand the situation?

“By attacking a small company that applied in good faith for a license from DFS, DFS has demonstrated that companies should be wary about sharing information with them.

“In addition, the personal and vindictive nature of the NY DFS’s actions is apparent and it, unfortunately, will only hurt the ability of New York consumers to leverage the benefits of blockchain technologies. Bittrex looks forward to working with customers and regulators across the United States and around the world where we are currently providing safe, secure and innovative digital trading platforms.”
