UK Cryptoasset Firms Likely Under-Reporting Sanctions Breaches
The British Treasury’s sanctions authority warns that UK cryptoasset firms have probably under-reported suspected financial sanctions violations to OFSI since August 2022. Many of these infractions are linked to the Russian exchange Garantex and North Korean cyber threats, as highlighted in a newly published threat assessment.
The Office of Financial Sanctions Implementation (OFSI) noted that over 90% of reports related to crypto breaches since January 2022 pertained to Russian sanctions, while the rest were connected to Iran. Surprisingly, only 7% of all suspected breach reports to OFSI involved cryptocurrency firms, despite the sector’s rapid expansion.
The assessment indicates it is highly likely that UK crypto firms have been exposed to Garantex since its designation in May 2022, leading to potential breaches of UK financial sanctions. Firms face serious legal consequences even for unintentional violations, as underscored by Konstantin Bureiko, a Counsel at Debevoise & Plimpton.
Bureiko explained that OFSI enforces breaches on a ‘strict liability’ basis, meaning that ignorance of engaging in prohibited transactions with sanctioned exchanges offers no defense. However, if a business unintentionally breaches sanctions and cooperates with OFSI while demonstrating robust compliance controls, enforcement action is less likely.
The threat assessment also warned of ongoing risks from North Korean hackers targeting UK crypto firms. Incidents like the April 2023 heist at Merlin Dex, which resulted in $1.8 million in theft, and a June 2024 attack on Lykke exchange, incurring losses around $19.5 million, are attributed to these threats. Iranian firms are another concern, with OFSI noting potential transfers to Iranian crypto firms linked to designated individuals.
OFSI recommended that UK firms examine transaction histories for ‘3-5 hops’ to detect indirect exposure to sanctioned entities, establishing a new compliance benchmark that may complicate implementation. While not a legal requirement, failing to meet this standard could exacerbate penalties if a sanctions breach is later identified.
