New York Assesses Record AML Penalty Against Largest US Cryptocurrency Platform

By Fred Williams

New York’s record $100 million assessment against Coinbase, the largest cryptocurrency platform in the U.S., reflects the company’s failure to correct extensive anti-money laundering deficiencies following an examination in 2020, sources told ACAMS moneylaundering.com.

A 29-page consent order published Wednesday by the state’s Department of Financial Services, or DFS, requires Coinbase to pay a $50 million fine and spend another $50 million on remediation over the next two years, some of which will cover the continued expenses of a state-mandated independent monitor that the company appointed in February 2022.

Wednesday’s consent order follows Coinbase’s accumulation of a backlog of more than 100,000 unreviewed, potentially illicit transactions, and comes four months after DFS assessed a then-unprecedented $30 million penalty against the cryptocurrency trading unit of Robinhood Markets for similar but less extensive AML lapses.

The penalty against Robinhood Markets, where a backlog of transactions awaiting review amounted to fewer than 5,000, marked the state regulator’s first crackdown on a BitLicense holder.

“It’s really incomprehensible how they got to this point,” former DFS Superintendent Linda Lacewell told moneylaundering.com in an interview Wednesday. “Coinbase has no one to blame but themselves.”

‘Compliance 101’

The department’s four-month examination in 2020, which covered Coinbase’s operations from July 2018 through December 2019, found “significant deficiencies” in the platform’s know-your-customer and ongoing due-diligence programs, monitoring of transactions and screening of politically exposed persons against blacklists kept by the U.S. Office of Foreign Assets Control.

Coinbase pledged in a memorandum of understanding two months after the examination to eliminate its shortcomings and hired an independent monitor to oversee that effort, while DFS began a follow-up investigation to determine whether legal violations occurred.

The company made progress in building a sound compliance program in 2021, according to DFS, before becoming overwhelmed by a “tremendous growth” in customers.

“At that time, Coinbase lacked sufficient personnel, resources, and tools needed to keep up with [transactional] alerts, and backlogs rapidly grew to unmanageable levels,” the regulator found. “This was compounded by Coinbase’s reliance in 2019 through November 2021 on an inadequate case management system for dispositioning alerts and filing.”

Coinbase often allowed clients to submit only a copy of their photo ID before onboarding them, failed to assign a risk rating during that process, and relied on their social media profiles to vet them “while overlooking information that was, on its face, clearly inaccurate” or incomplete, DFS concluded.

Coinbase further failed to conduct enhanced due diligence on high-risk customers in a timely manner, leading to a backlog of more than 10,000 open cases by July 2022.

As a result of the lapses, an individual charged in the 1990s with crimes related to child sexual abuse managed to engage in a pattern of suspicious transactions for two years before Coinbase closed the accounts in question.

“This publicly available information was not discovered by Coinbase at the time of onboarding, and thus the customer was not designated as high risk and no specially tailored controls or restrictions were imposed,” DFS noted.

The platform’s attempt to eliminate a backlog of more than 100,000 transactional alerts by the end of February 2022 by hiring more than 1,000 contractors to “burn through” them also fell flat after the company failed to ensure that the new employees attended the requisite training sessions, and afterwards neglected to supervise their work.

Wednesday’s consent order underscores the intensive level of scrutiny that DFS brings to compliance programs and includes specific examples of shortfalls, including several basic failures, of which other cryptocurrency platforms should take note, said John Ashley, a senior compliance consultant with the Bates Group in Denver.

“It’s compliance 101,” Ashley said.

Coinbase also took five months – instead of the required 72 hours – to notify DFS of a phishing scam in which the perpetrators gained access to 6,000 accounts and stole $1.5 million, although the company notified law enforcement and reimbursed customers for their losses.

Growing pains

The order shows that rapid growth does not excuse AML violations, said Lacewell, especially when companies fail to invest in their compliance programs up front.

“Now they have to invest the money anyway,” said Lacewell, who now works as an independent consultant in Los Angeles.

Shares of the publicly traded company rose more than 10 percent Wednesday following news of the settlement, which shields the company from further penalties if remediation continues as promised.

Coinbase disclosed the existence of the state’s investigation to the Securities and Exchange Commission in February 2022 and claimed in a blog post Wednesday that it has already taken “substantial” steps to address the shortcomings.

“I think it is fair to say that AML/BSA [Bank Secrecy Act] controls are lacking generally, both in the cryptocurrency industry and still in the [traditional] financial-institution space,” former DFS General Counsel Richard Weber told moneylaundering.com in an email. “I also believe that DFS, as well as federal regulators and law enforcement, will ramp up their activities in 2023.”

Contact Fred Williams at fwilliams@acams.org

Topics: Anti-money laundering, Sanctions, Cryptocurrencies, Know Your Customer
Source: U.S.: NYS Department of Financial Services
Document Date: January 4, 2023