“It is critical that all financial institutions safeguard their systems from bad actors, and the Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions”
Coinbase, Inc. has agreed to pay a $50 million penalty to New York State for significant failures in its compliance program that violated the New York Banking Law and the New York State Department of Financial Services’ (DFS) virtual currency, money transmitter, transaction monitoring, and cybersecurity regulations.
These failures made the Coinbase platform vulnerable to serious criminal conduct, including, among other things, examples of fraud, possible money laundering, suspected child sexual abuse material-related activity, and potential narcotics trafficking, Superintendent of Financial Services Adrienne A. Harris explained.
The crypto exchange has also agreed to invest an additional $50 million in its compliance function over the next two years to remediate the issues and enhance its compliance program pursuant to a plan approved by DFS.
Failure exposed the Coinbase platform to potential criminal activity
Superintendent of Financial Services Adrienne A. Harris said: “It is critical that all financial institutions safeguard their systems from bad actors, and the Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions. Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth. That failure exposed the Coinbase platform to potential criminal activity requiring the Department to take immediate action including the installation of an Independent Monitor.”
Coinbase obtained a “Bitlicense” from the NYDFS in 2017, which authorized the firm to conduct a virtual currency business and money transmitting business in the State of New York.
New York State Department of Financial Services has since found that Coinbase’s Bank Secrecy Act/Anti-Money Laundering program — including its Know Your Customer/Customer Due Diligence (“KYC/CDD”), Transaction Monitoring System (“TMS”), suspicious activity reporting, and sanctions compliance systems — were inadequate for a financial services provider of Coinbase’s size and complexity.
According to the DFS, Coinbase’s KYC/CDD program, both as written and as implemented, was immature and inadequate with inappropriate due diligence. For example, customer onboarding requirements were made of a simple check-the-box exercise, the regulator alleged.
Coinbase had over 100,000 unreviewed transaction monitoring alerts
In addition, Coinbase failed to address the growth in the volume of alerts generated by its TMS, resulting in a significant and growing backlog of over 100,000 unreviewed transaction monitoring alerts by 2021.
One consequence of Coinbase’s failed TMS was that as uninvestigated TMS alerts languished for months in the backlog, Coinbase routinely failed to timely investigate and report suspicious activity as required by law. The Department’s investigation found numerous examples of SARs filed months after the suspicious activity was first known to Coinbase.
In early 2022, during the course of the investigation, the Department took the extraordinary step of installing an Independent Monitor to immediately evaluate the situation and begin working with Coinbase to fix the outstanding issues. The Independent Monitor will continue to work with Coinbase for an additional year, extendable at the Department’s sole discretion.
Coinbase has begun to remediate many of the referenced issues and to build a more effective and robust compliance program under the supervision of DFS and the DFS-appointed Independent Monitor.