A Department of Financial Services (DFS) Investigation found significant failings in Coinbase’s compliance program, particularly with regards to AML, KYC, transaction monitoring, and suspicious activity reporting systems.
The failures violated the New York Banking Law and the DFS’s virtual currency, money transmitter, transaction monitoring, and cybersecurity regulations, making Coinbase vulnerable to serious criminal conduct. The platform was vulnerable to fraud, possible money laundering, suspected child sexual abuse material-related activity, and potential narcotics trafficking, resulting in the $50m fine.
In addition to the penalty, Coinbase has agreed to invest an additional $50m in its compliance function over the next two years to remediate the issues and to enhance its compliance program pursuant to a plan approved by the DFS.
“It is critical that all financial institutions safeguard their systems from bad actors, and the Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions,” said Superintendent Adrienne A. Harris.
“Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth. That failure exposed the Coinbase platform to potential criminal activity requiring the Department to take immediate action including the installation of an Independent Monitor.”
The DFS said that Coinbase has been licensed by the Department to conduct a virtual currency business and money transmitting business in the State of New York since 2017. During an examination and subsequent enforcement investigation, the DFS found:
- Coinbase’s KYC/CDD program, both as written and as implemented, was immature and inadequate;
- Customer onboarding in particular was treated as a simple check-the-box exercise without appropriate due diligence being conducted;
- The volume of alerts generated by its transactions monitoring system overwhelmed those tasked with reviewing these; by late 2021 this resulted in a backlog of over 100,000 unreviewed transaction monitoring alerts;
- Because the alerts went unchecked for months suspicious activity was neither investigated or reported in a timely fashion – suspicious activity reports were filed months after they had been flagged.
The investigation found such inadequate compliance that it took the extraordinary step of installing an independent monitor during the course of the investigation.
The independent monitor will continue to work with Coinbase for at least an additional year while Coinbase implements a more robust compliance program and addresses the issues identified during the course of the investigation.