The New York Department of Financial Services (DFS) has reached a $100 million settlement with Coinbase over issues regarding the company’s compliance programs.
The DFS said it found “significant failures” in Coinbase’s compliance program that violated New York Banking Law and state regulations regarding virtual currencies, money transmitting, transaction monitoring, and cybersecurity.
Superintendent of Financial Services Adrienne A. Harris said that Coinbase will pay a $50 million penalty to New York State for significant failures in its compliance program that violated the New York Banking Law and the New York State Department of Financial Services’ (DFS) virtual currency, money transmitter, transaction monitoring, and cybersecurity regulations.
These failures made the Coinbase platform vulnerable to serious criminal conduct, including, among other things, examples of fraud, possible money laundering, suspected child sexual abuse material-related activity, and potential narcotics trafficking. In addition to the penalty,
Coinbase has agreed to invest an additional $50 million in its compliance function over the next two years to remediate the issues and to enhance its compliance program pursuant to a plan approved by DFS.
“It is critical that all financial institutions safeguard their systems from bad actors, and the Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions,” said Superintendent Harris.
“Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth. That failure exposed the Coinbase platform to potential criminal activity requiring the Department to take immediate action including the installation of an Independent Monitor.”
Coinbase has been licensed by the Department to conduct a virtual currency business and money transmitting business in the State of New York since 2017. Following an examination and subsequent enforcement investigation, the Department found that Coinbase’s Bank Secrecy Act/Anti-Money Laundering program — including its Know Your Customer/Customer Due Diligence (“KYC/CDD”), Transaction Monitoring System (“TMS”), suspicious activity reporting, and sanctions compliance systems — were inadequate for a financial services provider of Coinbase’s size and complexity.
- During much of the relevant period, Coinbase’s KYC/CDD program, both as written and as implemented, was immature and inadequate. Coinbase treated customer onboarding requirements as a simple check-the-box exercise and failed to conduct appropriate due diligence.
- Coinbase was unable to keep pace with the growth in the volume of alerts generated by its TMS. By late 2021, Coinbase’s failure to keep pace with its alerts resulted in a significant and growing backlog of over 100,000 unreviewed transaction monitoring alerts.
- One consequence of Coinbase’s failed TMS was that as uninvestigated TMS alerts languished for months in the backlog, Coinbase routinely failed to timely investigate and report suspicious activity as required by law. The Department’s investigation found numerous examples of SARs filed months after the suspicious activity was first known to Coinbase.
In light of the state of Coinbase’s compliance system, in early 2022, during the course of the investigation, the Department took the extraordinary step of installing an Independent Monitor to immediately evaluate the situation and begin working with Coinbase to fix the outstanding issues.
Under the terms of the Consent Order, the Independent Monitor will continue to work with Coinbase for an additional year, extendable at the Department’s sole discretion. In direct response to the Department’s findings and swift action, Coinbase has begun to remediate many of the referenced issues and to build a more effective and robust compliance program under the supervision of DFS and the DFS-appointed Independent Monitor.