Takeaways
- Virtual currency licensees should ensure that their compliance programs – including with respect to anti-money laundering and cybersecurity – keep pace with the growth and any changes to their operations so as to avoid substantial alert backlogs.
- Risk assessments, independent testing, and prompt remediation are bedrock compliance tasks that the DFS expects every licensee to undertake without exception.
- DFS continues to levy significant sanctions for violations of its regulations, including, as was the case here, a steep civil penalty and the imposition of an independent consultant or monitor.
On January 4, 2023, the New York State Department of Financial Services (“DFS”) announced that Coinbase, Inc., a major U.S. cryptocurrency exchange, will pay a $50 million penalty and invest an additional $50 million in its compliance function over the next two years to remediate significant violations of the New York Banking Law and the DFS virtual currency, money transmitter, transaction monitoring, and cybersecurity regulations. DFS published a Consent Order describing the alleged violations of the New York Banking Law and DFS regulations, as well as the terms of the settlement. This is the second consent order published by DFS involving a cryptocurrency market actor.[1]
DFS’s Regulation of Virtual Currency Business Activity
As the primary regulator of financial services in New York State, DFS licenses and oversees financial institutions within the state. Among other things, DFS regulations require licensed money transmitters to establish, implement, and maintain an effective anti-money laundering (“AML”) compliance program. DFS’s Virtual Currency Regulation[2] similarly requires DFS-regulated virtual currency entities to establish an effective AML program.[3] Likewise, DFS’s Cybersecurity Regulation[4] requires licensees, including virtual currency businesses and money transmitters, to create and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems.
DFS Examination Evolves into Investigation and Monitorship
In January 2017, DFS issued licenses to Coinbase to operate a virtual currency business and money transmitter business in New York. In 2020, DFS conducted a safety and soundness examination (“Examination”) of Coinbase for the period of July 1, 2018, through December 31, 2019, and, according to the Consent Order, found serious deficiencies in Coinbase’s compliance function. As a result, DFS required Coinbase to hire an independent consultant to assess Coinbase’s Bank Secrecy Act (“BSA”) and Office of Foreign Assets Control (“OFAC”) sanctions program (together, the “Compliance Program”). That independent consultant then provided a report to Coinbase and DFS in February 2021 and Coinbase adopted a remediation plan and took steps to enhance its Compliance Program.
Despite Coinbase’s remediation efforts, in 2021, DFS began an enforcement investigation into issues identified during the Examination. In 2022, DFS and Coinbase entered into a memorandum of understanding (“MOU”) that mandated Coinbase to retain an independent monitor to review and assist in addressing Coinbase’s compliance shortcomings. The independent monitor then provided a report to DFS assessing Coinbase’s Compliance Program and finding that Coinbase had made progress in remediating its compliance weaknesses, albeit with further improvement required. In response, Coinbase worked with the monitor to develop a further, targeted remediation plan. The Consent Order followed.
Alleged BSA, AML, Reporting, and Record Keeping Violations
Among other things, the Consent Order cited the following violations:
Know-Your-Customer/Customer Due Diligence
The Consent Order noted that “[d]uring much of the relevant period,” Coinbase’s know-your-customer (“KYC”) and customer due diligence (“CDD”) program, “both as written and as implemented, was immature and inadequate” and “Coinbase treated customer onboarding requirements as a simple check-the-box exercise and failed to conduct appropriate due diligence.” The Consent Order cited the following examples of Coinbase’s KYC/CDD deficiencies:
- Prior to December 2020, Coinbase often failed to assign an informed “risk rating” to retail customers at onboarding, and lacked a risk rating quality assurance process until September 2021;
- Coinbase’s CDD file from its retail customers historically consisted of little more than a copy of a photo ID;
- Coinbase historically did little to verify CDD information, instead relying on self-reported social media profiles while overlooking information that was clearly inaccurate and/or incomplete;
- Prior to July 2021, Coinbase allowed customers to open accounts without supplying essential information such as annual expected activity and account purpose; and
- Coinbase failed to timely conduct enhanced due diligence (“EDD”) on high-risk customers and for a time had a substantial backlog of open EDD cases.
Specifically, DFS’s investigation identified a former Coinbase customer “who was criminally charged in the 1990s with crimes related to child sexual abuse material” and stated that “[f]or more than two years, this customer engaged in suspicious transactions potentially associated with illicit activity.” The Consent Order also cited an example where an individual opened an account on behalf of a corporation without authorization, allowing the individual to misappropriate more than $150 million from the corporation’s bank account by transferring those funds to a Coinbase wallet, converting the funds into virtual currency, and then withdrawing the funds to a wallet off Coinbase’s platform.
Transaction Monitoring System
With regard to Coinbase’s Transaction Monitoring System (“TMS”), according to the Consent Order, “Coinbase was unable to keep pace with the growth volume of alerts generated by its TMS,” which by late 2021 led to a “growing backlog of over 100,000 unreviewed transaction monitoring alerts.” To resolve the backlog, Coinbase allegedly hired “more than one thousand third-party contractors to ‘burn through’ the remainder of the backlog.” However, allegedly, “Coinbase provided insufficient oversight over the third-party contractors,” and the reviews were “rife with errors.” According to the Consent Order, a third-party audit firm reviewed one backlog, consisting of approximately 73,000 alerts that had been cleared by three contractors, and found that “more than half failed the quality check”; one contractor had a failure rate of 96% of the alerts sampled; and another contractor had “a 73% failure rate in a sample with respect to one kind of alert.”
Suspicious Activity Reporting
According to the Consent Order, Coinbase “failed to timely investigate and report suspicious activity as required by law” and was unable to provide sufficient data on suspicious activity when requested because “it did not adequately track or retain that information.”
KYC and PEP Screening
The Consent Order noted that DFS found 1,600 institutional customers that, while subject to sanctions and Politically Exposed Persons (“PEP”) screening at onboarding, were not subject to ongoing screening until December 2020. In addition, although Coinbase is required to know its users’ physical location, Coinbase allowed its users to access its sites using Virtual Private Networks (“VPNs”) or The Onion Router (Tor), tools that Coinbase knew can obfuscate a user’s actual physical location. The Consent Order further noted that “Coinbase never promulgated a risk-based policy (for instance, instituting a rule that use of such tools raises the level of risk from medium to high, or from low to medium) for those users it detects using such tools” and instead simply considered such activity as a factor in investigations.
Cybersecurity Event Reporting
According to the Consent Order, “[i]n 2021, approximately 6,000 Coinbase customers appear to have been the victims of a phishing scam unrelated to Coinbase that ultimately led to unauthorized access of those customers’ Coinbase accounts” and the theft of nearly $1.5 million from New York customers. Despite being required to report these events to DFS within 72 hours pursuant to 23 NYCRR § 500.17, Coinbase allegedly waited until five months after the event occurred.
The Settlement and Consent Order
The DFS Settlement calls for a civil monetary penalty of $50 million; a continuation of the independent monitor selected by DFS for a further 12 months, with the independent monitor issuing a final report to DFS; a commitment to invest $50 million into a plan approved by DFS to further improve and enhance Coinbase’s compliance program; and quarterly updates describing progress on that investment plan and detailing expenditures. In determining its response to Coinbase’s compliance failures, DFS considered all the factors set forth in New York Banking Law § 44(5), together with mitigating factors such as Coinbase’s cooperation, willingness to enter into an MOU, engagement with an independent consultant and independent monitor, and investment of substantial resources toward improving the company’s compliance system.
Conclusion
Digital asset businesses should ensure that their BSA and OFAC compliance programs expand at pace with their operations. Those that fail to do so risk facing substantial fines and penalties. Digital asset businesses also should be mindful of this Consent Order and its allegations, which provide insight into what DFS, and other regulators, view to be best practices for mature AML and OFAC programs, including, but not limited to, (i) maintaining up-to-date and verified KYC/CDD information to allow assignment of appropriate “risk scores” or “risk ratings” to customers, (ii) preventing backlogs of TMS alerts, (iii) reporting suspicious activity within the proper time frame, and (iv) structuring compliance programs to fully account for the use of technologies such as VPNs. Additionally, to help prevent becoming the subject of a similar action, cryptocurrency businesses located in New York should establish a working relationship with DFS and be prepared to demonstrate compliance with the required programs.
[1] The first such consent order was published on August 1, 2022, between DFS and a large consumer trading platform. BakerHostetler, New York State Dept. of Financial Services Publishes First Crypto Industry Consent Order (Aug. 11, 2022), https://www.bakerlaw.com/alerts/new-york-department-of-financial-services-publishes-first-crypto-industry-consent-order.
[3] 23 NYCRR § 200.15 (b), (d).