Coinbase, Inc., a Delaware-incorporated cryptocurrency trading platform with more than 100 million users globally, has signed a Consent Order with the New York State Department of Financial Services, resolving an investigation by NYDFS into the company’s compliance with New York banking laws and regulations governing virtual currency, transaction monitoring, cybersecurity, and money transmission.
As a licensed virtual currency business in New York, Coinbase was subject to a safety and soundness examination by NYDFS in 2020; as a result of compliance deficiencies identified in that examination, Coinbase was required to hire an independent consultant to assess the company’s Bank Secrecy Act, anti-money laundering, and sanctions compliance. The independent consultant’s report, submitted in February 2021, precipitated an enforcement investigation by NYDFS, and this resulted in a Memorandum of Understanding between NYDFS and Coinbase whereby Coinbase agreed to retain an independent third party monitor to review compliance shortcomings attributable in large part to the rapid growth of Coinbase and its inability to keep up with transaction monitoring alerts and other compliance requirements.
The Consent Order describes some of the deficiencies: for example, by the end of 2021, Coinbase had a backlog of 100,000 transaction monitoring alerts pending review, and at least 14,000 customers for whom enhanced due diligence was called for but not performed; moreover, when enhanced due diligence was performed, it entailed only a cursory review. The Consent Order also notes that in early 2022, working with NYDFS, Coinbase hired a thousand third-party contractors to review the transaction monitoring alert backlog – but insufficient oversight, inadequate contractor training, and poor quality control led to “serious issues” with this work, a professional audit, and the necessity to re-review thousands of alerts.
NYDFS found that Coinbase’s Know Your Customer and customer due diligence programs were “immature and inadequate,” and that, until December 2020, the company often failed to assign an informed risk rating to retail customers at the time of onboarding. Furthermore, NYDFS found that prior to July 2021, Coinbase allowed customers to open accounts without supplying essential information, and did the bare minimum to verify information provided by customers. And once Coinbase committed to completing a risk-prioritized Know Your Customer review and updating risk scores for trade eligible retail customers who onboarded before September 2021, the company failed to place restrictions on these historical accounts pending the review.
NYDFS identified instances of actual harm that resulted from Coinbase’s Know Your Customer, due diligence, and transaction monitoring deficiencies. For example, the company failed to discover publicly available information about one of its customers, whose criminal history should have marked the person as high risk. NYDFS cited another example in which a person who claimed to be employed by a corporation was allowed to open an account in the corporation’s name without authorization from the corporation, laying the groundwork for the individual to transfer over $150 million from the corporation’s bank account to the Coinbase account, convert the fiat funds into virtual currency, and move the virtual currency to a wallet off of the Coinbase platform. In the Consent Order, NYDFS also describes examples of possible money laundering, suspected child sexual abuse-related activity, and potential narcotics trafficking that should have been reviewed and possibly reported to authorities, but was not caught in a timely manner due to Coinbase’s transaction monitoring deficiciencies. Furthermore, Coinbase failed to structure its compliance program to account for the possible use of sanctions-evading technology by its customers, and failed to report to the authorities cybersecurity events – albeit unrelated to Coinbase -- that allowed malfeasants to access Coinbase customers’ accounts and steal approximately $1.5 million.
As detailed in the Consent Order, these compliance deficiencies constituted violations of § 44 of the New York Banking Law, 23 New York Codes, Rules and Regulations §§ 200.15, 504.3, 500.17, and 3 New York Codes, Rules and Regulations § 417.2 for conducting business in an unsafe and unsound manner, for failing to maintain an effective and complaint Bank Secrecy Act and anti-money laundering compliance program, for failing to maintain an effective transaction monitoring program, and for failing to properly report a cybersecurity incident to NYDFS.
An August 2022 report by the independent monitor found that the company had enhanced its compliance systems and taken significant remediation measures; however, additional improvement would be needed. Together with the independent monitor, Coinbase developed an additional targeted remediation plan, which the company is working to implement. According to NYDFS, “Coinbase has invested very substantial time and resources in an effort to remediate its issues and strengthen its Compliance Program.” The company has hired new senior personnel in its legal and financial crimes compliance function, implemented a dynamic risk rating model for new accounts, is in the process of doing a Know Your Customer review of customers onboarded before the current risk rating system was implemented, and has upgraded its investigations portal for reviewing transaction monitoring alerts and filing suspicious activity reports.
In determining the appropriate amount of the penalty, NYDFS took into consideration the egregiousness of the compliance failures, on the one hand, as well as mitigating factors such as Coinbase’s cooperation during all stages of the investigation, its willingless to enter into a Memorandum of Understanding with NYDFS, its engagement of an independent consultant and independent monitor, and its investment of substantial resources toward remediation and enhanced compliance. Pursuant to the consent order, Coinbase must pay a penalty of $50 million to NYDFS. In addition, Coinbase will extend the independent monitor’s work for twelve months, after which the monitor will issue a final report to NYDFS. In addition to the monetary penalty, Coinbase must, within two years of the consent order, spend at least $50 milllion on additional improvements to its compliance program, following a plan approved by NYDFS. Any portion of the $50 million not spent pursuant to the approved plan will be forfeitable to NYDFS at the end of the two-year period. The settlement also requires full and complete cooperation with NYDFS regarding all terms of the Consent Order.