United States: NYDFS Announces $100 Million Settlement With Coinbase For Anti-Money Laundering Compliance Deficiencies

The New York Department of Financial Services ("NYDFS") announced on January 4 that it had reached a $100 million settlement with Coinbase, Inc. ("Coinbase"), a NYDFS-licensed money transmitter and "Bitlicensee," to resolve deficiencies in Coinbase's anti-money laundering ("AML") compliance program.¹ As part of the $100 million in the settlement, Coinbase will pay $50 million as a civil penalty to the NYDFS and invest an additional $50 million over the next two years to improve its AML compliance program, including by appointing a NYDFS-selected independent monitor.

The Consent Order between the NYDFS and Coinbase describes how NYDFS' supervision of Coinbase led to a discovery of significant deficiencies in Coinbase's compliance program, including failures to (1) conduct adequate Know Your Customer ("KYC") due diligence at customer onboarding, (2) timely clear alerts identified by Coinbase's transaction monitoring systems; (3) timely file suspicious activity reports; (4) conduct proper politically exposed person ("PEP") and sanctions screening, and (5) take required cybersecurity measures in response to a cyberattack.

Below please find the "key takeaways" for NYDFS regulated financial institutions:

• Ensure you are risk rating your customers and collecting KYC information commensurate with such risk — collecting the same KYC information for all customers is not necessarily sufficient;
• Ensure your customer due diligence process considers the purpose of a customer's account, expected annual activity, and enhanced due diligence for high-risk customers;
• Ensure you increase the size of your compliance staff as your business grows in order to prevent a backlog of transaction monitoring alerts and other compliance deficiencies;
• Maintain proper oversight of any third-party contractors retained to do compliance-related work;
• Conduct ongoing sanctions and PEP screening to adjust your risk for customers, including those using Virtual Private Networks ("VPNs") or The Onion Router ("TOR");
• Test or audit your reporting procedures to ensure that your financial institution is in a position to notify the NYDFS within 72 hours of a cybersecurity event in accordance with Part 500 of the New York Superintendent's Regulations; and
• Dedicate adequate resources to ensure timely compliance with NYDFS examination findings and implementation of remediation efforts.

Background on NYDFS Supervision of Coinbase

In May 2020, the NYDFS conducted a supervisory examination of Coinbase for the time period of July 2018 to December 2019 and found numerous significant deficiencies in Coinbase's compliance program. Such problems continued into the present, despite Coinbase having engaged an independent consultant soon after the examination and the NYDFS installing an independent monitor in February 2022.

KYC Deficiencies

According to the Consent Order, Coinbase had severe KYC and customer due diligence deficiencies. The Consent Order states that Coinbase treated customer onboarding requirements "as a simple check-the box exercise."² Examples of such deficiencies included, but were not limited to, failing to assign a "risk rating" to retail customers, retail customer due diligence files often consisting of only a copy of a photo ID, allowing customers to open accounts without providing the purpose of the account or expected annual activity, and failing to conduct enhanced due diligence on high-risk customers.

Transaction Monitoring Deficiencies

Coinbase also failed to maintain a proper transaction monitoring system, as mandated by Part 504 of the New York Superintendent's Regulations.³ It failed to review transaction monitoring alerts as a backlog of such alerts grew. The Consent Order describes that Coinbase failed to have adequate compliance staff to review the unexpected high alert volume, and when Coinbase hired third-party contractors to "burn through" the backlogged alerts, Coinbase failed to provide sufficient oversight of the contractors.

• Examples of the insufficient oversight that Coinbase conducted of the contractors included failing to (1) monitor attendance of contractors at training sessions, and (2) implement a system to audit the contractors' quality of work.
• Coinbase also failed to notify the NYDFS of the poor results of a Coinbase quality check of the contractors' work.⁴ Specifically, after a Coinbase Quality Assurance review in March 2022 revealed quality issues with the work of certain outside contractors, Coinbase retained a third-party audit firm to review and check the quality of a few contractors who together "cleared" more than 73,000 transaction monitoring alerts. The third-party audit firm reported in July 2022 to Coinbase that the clearance of more than half of the 73,000 alerts failed a quality check. Coinbase did not inform the NYDFS of these issues until July 2022, despite Coinbase already being subject to a Memorandum of Understanding with the NYDFS in February 2022 to inform the NYDFS of these issues as they arose.

Failure to Timely Report Suspicious Activity

The Consent Order also states that as a result of Coinbase's transaction monitoring system accruing a large backlog of transaction monitoring alerts, Coinbase failed to timely report suspicious activity to the Financial Crimes Enforcement Network within the required 30 days of the detection of the suspicious activity. The Consent Order also states that Coinbase often had poor recordkeeping of its own suspicious activity investigations and reporting.⁵ For example, after the NYDFS made a request for data related to Coinbase's suspicious activity identification and reporting from 2018 to 2019, Coinbase could not meaningfully respond to the request.

Improper Sanctions and PEP Screening

The Consent Order states that Coinbase failed to conduct sufficient sanctions and PEP screening. With regard to sanctions screening, Coinbase did not use a risk-based system to adjust the risk for customers using VPNs or TOR (as VPNs and TOR allow people to make their location appear different than where the user is actually physically located, and thus can be effective tools for dodging sanctions screening).⁶ With regard to PEP screening, the Consent Order states that although Coinbase conducted initial PEP screening at customer onboarding, Coinbase did not conduct ongoing PEP screening on its institutional customers until December 2020, and as a result, Coinbase had not been aware if some of those institutions were at a higher risk for corruption, bribery, money laundering and any other illegal activity.

Failure to Report Cybersecurity Event

Finally, in 2021, Coinbase failed to inform the NYDFS within 72 hours that thousands of Coinbase's customers' accounts were illegally accessed due to a phishing scam. ⁷ Part 500 of the New York Superintendent's Regulations require reporting of cybersecurity events to the NYDFS within 72 hours of the event.⁸

Remediation

Under the terms of the Consent Order, Coinbase must invest $50 million into its compliance function and must also be subject to supervision of an independent monitor (who already was installed by the NYDFS prior to the Consent Order) for an additional year. The NYDFS at its sole discretion may extend the tenure of the independent monitor.⁹

Conclusion

The NYDFS' settlement and consent order with Coinbase is a reminder to any New York-regulated financial institutions that such institutions should ensure their AML and sanctions programs do not have the same deficiencies that Coinbase had. Moreover, the targeting of Coinbase by the NYDFS is demonstrative that state regulators hold cryptocurrency exchanges to high AML and sanctions compliance standards typical of more traditional financial institutions.

Footnotes

1. In the Matter of: Coinbase, Inc., Consent Order (Jan. 4, 2022), available here; Press Release, Superintendent Adrienne A. Harris Announces $100 Million Settlement with Coinbase, Inc. after DFS Investigation Finds Significant Failings in the Company's Compliance Program (Jan. 4, 2023), available here.

2. Consent Order at 13-14.

3. 3 NYCRR Part 504. For more information on New York's transaction monitoring requirements, please see our prior Alert "NYDFS Issues AML/Sanctions Programs and Annual Certification Requirements for Banks, Money Transmitters and Check Cashers."

4. Consent Order at 16-18.

5. Id., at 18-19.

6. Id., at 19-20.

7. Id., at 21.

8. 23 NYCRR § 500.17.

9. Consent Order at 23-25.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.