On 4 January 2023, a consent order was issued to Coinbase Inc. (“Coinbase”), a crypto exchange platform, by the New York Department of Financial Services (the “NYDFS”) for conducting its business in an unsafe and unsound manner. Following an investigation, the NYDFS discovered that Coinbase failed to comply with its obligations to maintain an effective transaction monitoring programme and did not track, monitor, or report various suspicious activity.
The NYDFS reached a $100 million settlement with Coinbase. As part of the settlement, Coinbase agreed to pay a $50 million monetary penalty to the state of New York for the failures in its compliance program and violation of state regulations. Coinbase also agreed to invest an additional $50 million in further improvements to its compliance program, and to the appointment of an independent monitor from the NYDFS to improve its anti-money laundering (“AML”) compliance programme.
The NYDFS highlighted compliance deficiencies in three key areas:
- Inadequate Know Your Customer (KYC) and Due Diligence practices: Coinbase failed to screen new users and conduct enhanced due diligence. As part of its investigation, the NYDFS found that Coinbase had a backlog of 14,000 users who had not been examined according to the necessary standards. It was also found that Coinbase failed to ask users for more information in order to categorise them within the required risk ratings and determine the corresponding level of ongoing transaction monitoring.
- Inability to maintain an effective Transaction Monitoring System (TMS): The NYDFS found that i) Coinbase did not have an effective TMS, ii) suspicious activity was not reviewed in a timely manner even when flagged, and iii) there were over 100,000 unreviewed transactions discovered in 2021. Where reviews had been carried out, the data was incorrect.
- Failing to appropriately file Suspicious Activity Reports (SARs) with the Financial Crimes Enforcement Network (FinCEN): As a result of Coinbase failing to monitor transactions in a timely manner, SARs were filed a few months after the suspicious activity was identified, with insufficient data. In turn, suspicious activity reports were filed late to FinCEN (suspicious activity should be reported within 30 days of identification).
Coinbase has been tasked with improving its compliance controls and will continue to be supervised by an independent monitor until at least December 2023.
Crypto exchanges are facing increased scrutiny of their compliance controls and potential violations of reporting requirements. The consent order with Coinbase is an example to firms that operate in the crypto space of the need to implement and maintain compliance programs that work, such as stronger AML programs, as well as procedures to detect, prevent, and report suspicious activity.
C&Co can assist with compliance and regulatory questions facing crypto companies as they expand, including staying up-to-date with regulatory changes, as well as identifying, assessing, and managing risks associated with their operations.
For more information on compliance and regulatory questions facing crypto companies, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.