By STEPHEN RAE for AML Intelligence
AML FAILINGS today forced Coinbase to reach a $100 million settlement with New York’s Department of Financial Services (DFS).
The settlement – which includes a $50 million penalty – follows a months-long inquiry by the NY State financial regulator which uncovered shambolic AML compliance at the crypto exchange.
The DFS found how Coinbase treated its onboarding requirements for customers as a “simple check-the-box” and did not carry out sufficient background checks.
“Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth. That failure exposed the Coinbase platform to potential criminal activity,” New York DFS Superintendent Adrienne Harris said today.
During much of the relevant period, Coinbase’s KYC/CDD program, both as written and as implemented, was immature and inadequate, the regulator found.
Coinbase was also found to treat customer onboarding requirements as a simple check-the-box exercise and failed to conduct appropriate due diligence.
Coinbase, a publicly traded firm and one of the largest global crypto exchanges, will pay another $50M to boost compliance efforts aimed at blocking potential criminals from using the exchange, the company said. The deal also requires Coinbase to work with a third-party monitor.
The exchange and the regulator announced the massive settlement in statements today (Wednesday).
“It is critical that all financial institutions safeguard their systems from bad actors, and the Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions,” said Superintendent Harris.
“Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth. That failure exposed the Coinbase platform to potential criminal activity requiring the Department to take immediate action including the installation of an Independent Monitor,” she added.
The DFS found Coinbase’s BSA (Bank Secrecy Act)/AML program — including its KYC/CDD and Transaction Monitoring System (TMS), suspicious activity reporting (SARa), and sanctions compliance systems — were inadequate for a financial services provider of Coinbase’s size and complexity. As a result the DFS found:
- During much of the relevant period, Coinbase’s KYC/CDD program, both as written and as implemented, was immature and inadequate.
- Coinbase treated customer onboarding requirements as a simple check-the-box exercise and failed to conduct appropriate due diligence.
- Coinbase was unable to keep pace with the growth in the volume of alerts generated by its TMS.
- By late 2021, Coinbase’s failure to keep pace with its alerts resulted in a significant and growing backlog of over 100,000 unreviewed transaction monitoring alerts.
- One consequence of Coinbase’s failed TMS was that as uninvestigated TMS alerts languished for months in the backlog, Coinbase routinely failed to timely investigate and report suspicious activity as required by law.
- The Department’s investigation found numerous examples of SARs filed months after the suspicious activity was first known to Coinbase.
In light of the state of Coinbase’s compliance system, in early 2022, during the course of the investigation, the Department said it “took the extraordinary step of installing an Independent Monitor to immediately evaluate the situation and begin working with Coinbase to fix the outstanding issues.”
Under the terms of the Consent Order, the Independent Monitor will continue to work with Coinbase for an additional year, extendable at the Department’s sole discretion.
Interpath Advisory partner Federica Taccogna said of the ruling: “So many lessons to learn from this and the actual consent order is worth a read.
“The shortfalls are so clearly outlined that it could be used as a laundry list of things to get in order by other firms. Those failings are incredibly widespread,” she said.
US AML expert Sarah Beth Felix said regulators cautioned “against using unvetted, untrained and un-QC’d third-party staffing firms to clear alerts, and they even spell out the failure rates of these alert disposition efforts.”
The Palerma Consulting co-founder said that in the judgment there were “mentions several times that the growth of Coinbase was not taken into account and on page 6 provides a great example of trending growth that should be incorporated into any FIs risk assessment as it can be useful for determining when an FI has out kicked their monitoring coverage.”
Sarah says the regulator’s findings reference FATF’s PEP risk qualities “but can’t reference federal requirements. That’s got to change at some point. The US can’t be last to the party on PEP laws.”
“Today, New York continues to set the bar for prudential regulation of virtual currency. DFS deploys a wide range of tools to regulate the industry including licensing, supervision, examination, and enforcement. Together, these tools protect consumers; preserve safety and soundness of companies; ensure cybersecurity compliance; and help to root out financial crimes like money laundering and terrorist financing,” said the DFS in a statement.
In direct response to the Department’s findings, Coinbase said it has begun to remediate many of the referenced issues and to build a more effective and robust compliance program under the supervision of DFS and the DFS-appointed Independent Monitor.
Coinbase has been under scrutiny from DFS and other regulators.
It has previously disclosed receiving investigative subpoenas and requests from the U.S. Securities and Exchange Commission (SEC) for documents and information.
The exchange has addressed the problems, claimed Paul Grewal, Coinbase’s chief legal officer in a statement.
Separately in a blog post, Coinbase said the investigation centered on the company’s compliance program circa 2018 and 2019, as well as the compliance backlogs as the exchange grew in 2021.
“We took NYDFS’s concerns seriously and have taken substantial measures to address these historical shortcomings,” the blog post said.
The New York Times first reported the settlement.