NYDFS Settles with Coinbase for State BSA/AML Violations | Practical Law

The New York Department of Financial Services (NYDFS) entered into a consent order with major crypto exchange Coinbase, Inc. settling violations of state bank secrecy act and anti-money laundering (BSA/AML) regulations for operating an inadequate compliance program.

Practical Law Legal Update w-038-1595 (Approx. 5 pages)

by Practical Law Finance
Published on 11 Jan 2023
USA (National/Federal)
On January 4, 2023, the New York Department of Financial Services (NYDFS) entered into a consent order with major crypto exchange Coinbase, Inc., settling violations of state bank secrecy act and anti-money laundering (BSA/AML) regulations. NYDFS found Coinbase failed to develop and maintain a functional compliance program that could keep pace with its growth.
Both federal and New York state law require financial institutions to maintain effective AML programs and devise and implement systems to identify and report suspicious activity and block prohibited transactions. Coinbase was licensed by NYDFS to conduct a virtual currency business and money transmitting business in New York in 2017. In 2020, NYDFS conducted an examination of Coinbase's compliance program for the period July 1, 2018, through December 31, 2019, and found deficiencies across multiple areas, including its:
  • Know-your-customer/customer due diligence procedures.
  • Transaction Monitoring System (TMS).
  • US Department of the Treasury's Office of Foreign Assets Control screening program.
Know-your-customer/customer due diligence (KYC/CDD) requirements protect financial systems by ensuring that financial services providers understand:
  • The nature and purpose of the customer’s business;
  • The source of the customer’s funds; and
  • The customer’s identity or ownership.
NYDFS found Coinbase’s KYC/CDD program, both as written and as implemented, was inadequate because it treated customer onboarding requirements as a check-the-box exercise and failed to conduct appropriate due diligence. Examples of this inadequacy included:
  • Before December 2020, Coinbase often failed to assign an informed risk rating to individual retail customers at the time of onboarding, and no risk rating quality assurance process was in place until September 2021.
  • Coinbase relied on self-reported social media profiles to verify customer due diligence information and overlooked information that was, on its face, inaccurate or incomplete.
  • Before July 2021, Coinbase allowed customers to open accounts without supplying essential information, such as annual expected activity and account purpose.
  • Coinbase failed to timely conduct enhanced due diligence (EDD) on high-risk customers and had a substantial backlog of open EDD cases.
A TMS triggers alerts on select elements of potentially suspicious transactions. Compliance professionals review these alerts and analyze the transaction involved in each alert. Coinbase was unable to keep pace with the volume of alerts generated by its TMS. By 2021, this failure resulted in a backlog of over 100,000 unreviewed transaction monitoring alerts.
US Department of the Treasury's Office of Foreign Assets Control (OFAC) is aware that there is technology, such as virtual private networks and the Onion Router network, available to circumvent OFAC's geographical sanctions against sectors of the economies of certain nations, and that some of its customers use that technology, Coinbase did not structure its compliance program to address this use and prevent customer activity from sanctioned nations. (For information on OFAC economic sanctions applicable to cryptocurrency and blockchain, see Practice Note, OFAC Economic Sanctions: Cryptocurrency and Blockchain.)
Coinbase's compliance program deficiencies constituted violations of:
  • Virtual Currency regulation, 23 NYCRR Part 200.
  • Cybersecurity Regulation, 23 NYCRR Part 500.
  • Money Transmitter Regulation, 3 NYCRR Part 417.
  • Transaction Monitoring Regulation, 23 NYCRR Part 504.
In February 2022, NYDFS and Coinbase entered into a memorandum of understanding mandating that Coinbase retain an independent monitor to review and suggest means to redress its compliance shortcomings. In August 2022, the independent monitor provided a report on Coinbase's compliance program and found that Coinbase had improved its compliance systems and made progress in remediating its compliance weaknesses.
Under the consent order, Coinbase agrees to:
  • Pay a $50 million penalty.
  • Invest $50 million to:
    • remediate ongoing identified issues in its compliance program; and
    • enhance its compliance program pursuant to an NYDFS-approved remediation plan developed in concert with the independent monitor in response to its August 2022 report.
For additional information on the NYDFS regulatory framework for VC, see Practice Notes, NYDFS Virtual Currency BitLicense Framework: Overview and Virtual Currency Business Regulation (NY State).