AML failures compelled Coinbase to reach a settlement with the New York Department of Financial Services (DFS) for $100 million.
The investigation by the financial regulator for New York State, which lasted months and revealed the crypto exchange's lax AML compliance, led to the settlement, which includes a $50 million fine.
The DFS determined that Coinbase did not conduct enough background checks and treated its customer onboarding obligations as a "simple check-the-box."
"Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth. That failure exposed the Coinbase platform to potential criminal activity ," according to New York DFS Superintendent Adrienne Harris.
The regulator discovered that Coinbase's KYC/CDD program was insufficient and immature throughout a large portion of the pertinent period, both as written and as implemented.
Additionally, it was discovered that Coinbase neglected to perform adequate due diligence and treated user onboarding requirements as a straightforward check-the-box process.
One of the biggest cryptocurrency exchanges in the world and a publicly traded company, Coinbase, said it would spend an additional $50 million to step up compliance operations targeted at preventing prospective criminals from accessing the exchange. Coinbase must collaborate with a third-party monitor as part of the agreement.
In announcements released today, the exchange and the regulator revealed the significant settlement (Wednesday).
"It is critical that all financial institutions safeguard their systems from bad actors, and the Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions," according to Superintendent Harris.
"Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth. That failure exposed the Coinbase platform to potential criminal activity requiring the Department to take immediate action including the installation of an Independent Monitor," she continued.
The Department of Financial Services (DFS) determined that Coinbase's BSA (Bank Secrecy Act)/AML program, including its KYC/CDD and Transaction Monitoring System (TMS), suspicious activity reporting (SARa), and sanctions compliance systems, was insufficient for a financial services provider of Coinbase's size and complexity. Therefore, the DFS discovered:
- Coinbase's KYC/CDD program, both as written and as implemented, was insufficient for a large portion of the pertinent period.
- Coinbase did not perform the necessary due diligence and considered the criteria for onboarding new customers as a straightforward check-the-box process.
- With the volume of warnings issued by its TMS, Coinbase was unable to keep up.
- Over 100,000 unreviewed transaction monitoring warnings were still pending evaluation as of late 2021 as a result of Coinbase's inability to keep up with its alerts.
- As uninvestigated TMS alarms accumulated in the backlog for months, one effect of Coinbase's failing TMS was that it frequently neglected to timely investigate and report suspicious activities as required by law.
- Numerous instances of SARs being submitted months after Coinbase initially became aware of the suspicious conduct were discovered throughout the Department's inquiry.
Early in 2022, as the investigation was ongoing, the Department claimed it "took the extraordinary step of installing an Independent Monitor to immediately evaluate the situation and begin working with Coinbase to fix the outstanding issues" due to the status of Coinbase's compliance system.
The Independent Monitor will continue to engage with Coinbase in accordance with the Consent Order for a further year, which may be extended at the Department's sole discretion.
Federica Taccogna, a partner at Interpath Advisory, said of the decision: "So many lessons to learn from this and the actual consent order is worth a read."
"The shortfalls are so clearly outlined that it could be used as a laundry list of things to get in order by other firms. Those failings are incredibly widespread," she said.
Regulators warn "against using unvetted, untrained and un-QC'd third-party staffing firms to clear alerts, and they even spell out the failure rates of these alert disposition efforts," according to US AML specialist Sarah Beth Felix.
According to the co-founder of Palerma Consulting, in the judgment ther were "mentions several times that the growth of Coinbase was not taken into account and on page 6 provides a great example of trending growth that should be incorporated into any FIs risk assessment as it can be useful for determining when an FI has out kicked their monitoring coverage.."
According to Sarah, the regulator's findings "can't reference federal requirements. That’s got to change at some point. The US can’t be last to the party on PEP laws."
"Today, New York continues to set the bar for prudential regulation of virtual currency. DFS deploys a wide range of tools to regulate the industry including licensing, supervision, examination, and enforcement. Together, these tools protect consumers; preserve safety and soundness of companies; ensure cybersecurity compliance; and help to root out financial crimes like money laundering and terrorist financing," according to a statement from the DFS.
Coinbase declared that it has started to address many of the shortcomings mentioned and to develop a more effective and comprehensive compliance program under the guidance of DFS and the DFS-appointed Independent Monitor in direct response to the Department's conclusions.
DFS and other regulators have been looking into Coinbase.
It has previously revealed receiving investigation subpoenas and demands for documents and information from the U.S. Securities and Exchange Commission (SEC).
The issues have been rectified, according to a statement from Coinbase's chief legal officer, Paul Grewal.
Separately, Coinbase said in a blog post that the focus of the inquiry was on the organization's compliance program in the years 2018 and 2019, as well as the compliance backlogs as the exchange expanded in 2021.
The blog post stated, "We took NYDFS’s concerns seriously and have taken substantial measures to address these historical shortcomings."
By fLEXI tEAM