On January 4, 2023, the New York State Department of Financial Services (“NYDFS”) issued a consent order against Coinbase, Inc. (“Coinbase” or the “Company”), the largest U.S.-based cryptocurrency trading exchange, for alleged failures to adequately guard against money laundering. Pursuant to the consent order, Coinbase will pay a $50 million civil monetary penalty to the State of New York for failing to maintain a sufficient anti-money laundering (“AML”) compliance program, and invest an additional $50 million to improve its compliance function over the next two years. The settlement also requires Coinbase to continue working with a third-party monitor to oversee remediation efforts.
Coinbase operates a publicly traded cryptocurrency trading platform with more than 100 million users worldwide. In 2017, the Company secured a license to allow customers to trade cryptocurrency on its platform in New York State. Coinbase’s compliance problems were first detected during a routine examination in 2020. However, issues with the exchange’s AML controls went back to 2018.
According to the consent order, Coinbase violated New York banking law and NYDFS regulations by failing to maintain an adequate compliance program that could keep pace with the Company’s growth. NYDFS found that Coinbase’s customer due diligence systems, transaction monitoring systems, sanctions screening systems, risk assessment processes, and case management system were inadequate for a financial services provider of Coinbase’s size and complexity. Coinbase allegedly had failed to build and maintain a functioning, risk-based AML program that could keep pace with its growth.
Customer Onboarding and Transaction Monitoring
The most serious concerns involved Coinbase’s Money Laundering/Terrorist Financing (“ML/TF”) compliance program: specifically, its customer onboarding and transaction monitoring obligations. NYDFS found that customer onboarding requirements were “a simple check-the-box exercise,” and that Coinbase failed to conduct appropriate customer due diligence. The consent order includes these specific examples. Arguably, some of the following specific items represent a form of “regulation through enforcement,” because some of the following steps are not explicitly required by federal or state AML-related regulations, even if they represent good practices for establishing an appropriate, risk-based AML compliance program:
a. Prior to December 2020, Coinbase often failed to assign an informed “risk rating” to individual retail customers at the time of onboarding, and no quality assurance process was in place concerning risk rating until September 2021;
b. Coinbase’s customer due diligence file from its retail customers historically consisted of little more than a copy of a photo ID;
c. Coinbase historically did the bare minimum to verify customer due diligence information for customers, relying on self-reported social media profiles while overlooking information that was, on its face, clearly inaccurate, and/or incomplete;
d. Prior to July 2021, Coinbase allowed customers to open accounts without supplying essential information such as annual expected activity, and account purpose;
e. Coinbase failed to timely conduct [enhanced due diligence, or EDD] on high-risk customers and for a time had a substantial backlog of open EDD cases as of July 11, 2022[;] for example, there were over 10,000 cases in the backlog for Coinbase and its affiliates; [and]
f. Coinbase’s analysts, when they historically performed EDD, often asked for the bare minimum of identifying documents, conducted only a cursory review of the material provided, and at times accepted responses that were either non- or partially-responsive.
These alleged AML-related process failures during customer onboarding, coupled with insufficient transaction monitoring, resulted in suspicious or unlawful conduct being facilitated through Coinbase’s platform. For example, NYDFS identified a former Coinbase customer who was criminally charged with crimes related to child sexual abuse material – although information regarding this customer was publicly available, it was not discovered by Coinbase at the time of onboarding. Coinbase also allowed an individual purporting to be an employee of a corporation to open an account without the personal identification documentation required by Coinbase’s own policy, and withdraw $150 million. This illicit activity went undetected for six days, until the corporation contacted Coinbase.
The consent order noted that Coinbase did not consider its considerable growth in connection with its compliance program. By 2021, Coinbase was no longer able to keep pace with the volume of alerts generated by its transaction monitoring system. At the end of 2021, Coinbase had a backlog of more than 100,000 unreviewed transaction monitoring alerts, many of which were months old, and the backlog of customers requiring EDD exceeded 14,000. Coinbase lacked sufficient personnel, resources, and tools to conduct EDD as to these clients.
In an effort to remediate, Coinbase hired more than one thousand third-party contractors to “burn through” the remainder of the backlog. However, Coinbase provided insufficient oversight of the third-party contractors it hired, and a substantial portion of the alerts reviewed by third parties were rife with errors. NYDFS cautioned against using unvetted, untrained, non-quality-controlled third-party staffing firms to clear alerts. One of the most eye-catching details within the consent order is that, for example, one third-party contractor had reviewed about 41,000 alerts but nonetheless had a 73 percent failure rate when a sample was reviewed. The consent order sets forth other unnerving statistics, and underscores the need to vet the competency of third parties.
Additional vulnerabilities highlighted in the consent order include Coinbase’s alleged routine failure to timely investigate and report suspicious activity. Suspicious activity reports, or SARs, were filed months after the activity was first known, rather than within 30 days of detection. Coinbase also allegedly failed to check its clientele against OFAC’s sanctions list and the list for Politically Exposed Persons (“PEPs”) regularly after onboarding. This allegation is particularly interesting because no U.S. regulation directly requires the vetting of PEPs – rather, the PEP list is set forth by the international Financial Action Task Force (“FATF”). The NYDFS nonetheless de facto incorporated and adopted this FATF requirement by alleging that Coinbase’s failure to account for PEPs meant that, under a traditional BSA risk-based assessment, Coinbase failed to identify customers deserving of enhanced due diligence and enhanced risk ratings.
Further, and importantly, Coinbase allegedly allowed customers to access its sites while using Virtual Private Networks and The Onion Router, which enabled them to hide their actual location, circumventing geographic restrictions. Lastly, Coinbase failed to timely report cybersecurity incidents to NYDFS as required.
However, NYDFS credited Coinbase for its remediation efforts, noting that Coinbase had invested substantial time and resources in its effort to remediate its issues and strengthen its compliance program. Nevertheless, as part of the settlement, Coinbase agreed to extend the work of the Independent Monitor put in place by NYDFS in 2022 for an additional twelve months.
Arguably, Coinbase’s compliance mistakes exemplify issues recurring across the entire cryptocurrency industry: 1) weak controls to verify customer identity at onboarding and on an ongoing basis, and 2) failure to implement an effective transaction monitoring program. The takeaway is that a strong compliance program should mirror the size and complexity of the business. ML/TF risks can potentially be mitigated if companies understand their clientele and do not rely on a check-the-box approach to onboarding, take appropriate measures commensurate with identified risks, and invest in continuously improving internal processes.
The Coinbase enforcement action is similar, albeit larger and more detailed, to NYDFS’s August 2022 consent order penalizing Robinhood Crypto LLC (“RHC”) $30 million for alleged AML, cybersecurity and consumer protection violations. The key focus of the RHC consent order from a BSA/AML perspective was on the adequacy of RHC’s transaction monitoring systems, as well as RHC’s funding and staffing of compliance functions. Both enforcement actions are entirely consistent with the Guidance on Use of Blockchain Analytics issued by the NYDFS, directed to all virtual currency business entities that either have a NYDFS BitLicense or are chartered as a limited purpose trust company under the New York Banking Law. As we have blogged, the Guidance emphasizes “the importance of blockchain analytics to effective [AML] policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.”