
Coinbase will pay $100 million following a NYDFS investigation into compliance violations

Coinbase agreed to pay $100 million as part of a settlement with the New York State Department of Financial Services (NYDFS) for compliance lapses that allowed criminals to use the platform to launder money, sell drugs, and conduct other illicit activities.

The NYDFS stated Wednesday that Coinbase will pay a $50 million penalty to New York and invest another $50 million in its compliance functions over the next two years. The platform, which has around 100 million users worldwide, has been licensed by the NYDFS since 2017.

In its consent order, the agency stated that Coinbase underwent a standard safety and soundness test in May 2020. Based on its findings, it opened an enforcement inquiry in 2021 and required Coinbase to employ an outside monitoring consultant to help the platform address immediate concerns and make additional suggestions.

The NYDFS inquiry "uncovered significant failures" in nearly all of Coinbase's primary compliance programmes, according to the agency. Coinbase's systems were "overwhelmed" and "reached a crisis stage" by the end of 2021 after failing to keep up with the company's extraordinary and unanticipated development.

Between July 1, 2018, and January 1, 2020, the company's Bank Secrecy Act/anti-money laundering programme was insufficient for a financial services provider of Coinbase's size and complexity, according to the NYDFS. Furthermore, the regulator stated that Coinbase's know-your-customer/customer due diligence programme was "immature and inadequate" as drafted and applied.

The NYDFS discovered that Coinbase's customer onboarding procedures were a "check-the-box exercise" lacking in diligence, and that its transaction monitoring system, suspicious activity reporting system, and sanctions compliance processes were unable to function fully.

The NYDFS stated that by late 2021, Coinbase had accumulated a backlog of more than 100,000 transaction monitoring notifications that needed to be reviewed. According to the regulator, Coinbase did not investigate notifications that required inspection or file timely suspicious activity reports as required by law.

According to the consent decree, one Coinbase customer was onboarded despite being charged with child sexual abuse-related activities in the 1990s. The individual conducted suspicious activities on the Coinbase platform for two years without being identified before their accounts were cancelled and reported.

In another case, a person impersonating a business employee transferred more than $150 million from the company's bank account to its Coinbase account and subsequently transferred the currency off the site in a single day. According to the decision, Coinbase didn't realise what was going on until the company's bank informed it six days later.

An outside monitor will continue to advise Coinbase for another year as part of the deal, following which the NYDFS will decide whether to prolong the contract.

So far, Coinbase has upgraded its compliance systems, "but further improvement is expected," according to the NYDFS. According to the mandate, the business has undertaken risk evaluations for all clients onboarded before September 2021.

"It is vital that all financial institutions protect their networks from unscrupulous actors," stated NYDFS Superintendent Adrienne Harris in a press release issued by the regulator. "[T]he department's standards for consumer protection, cybersecurity, and anti-money laundering programmes for cryptocurrency enterprises are just as stringent as they are for traditional financial services institutions."

Coinbase was also chastised for failing to notify the NYDFS in a timely manner of a 2021 breach that affected around 6,000 clients.

“We took NYDFS’s concerns seriously and have taken substantial measures to address these historical shortcomings,” said Paul Grewal, Coinbase chief legal officer, in a statement on the company’s website. “… We believe that New York—and the broader industry—needs more crypto players committed to compliance and working with regulators. That is one of the reasons why we knew it was important to bring this matter to a conclusion, even though it is never the type of agreement reached lightly.”


