In a Virtual World the AML Challenges remain the same

On 3rd January 2023, the New York State Department of Financial Services (NYDFS) fined Coinbase Inc for failure in their AML program. Coinbase is a licenced virtual currency business and money transmitter and is required to comply with New York regulations. Coinbase was fined USD50m and required to spend a further USD50m on enhancing its compliance program over the next 24 months. A monitor will oversee the remedial actions.

Following a familiar path, a review in 2020 by the regulator found serious deficiencies in the Coinbase AML framework. The failings are consistent with those of other financial institutions in recent years and focused on the KYC/CDD program, transaction monitoring, sanctions screening and not undertaking adequate risk assessments. The NYDFS clearly expects firms operating in the cryptocurrency arena to implement a compliance program comparable to that of the banking sector. Coinbase operates a cryptocurrency trading platform with 100 million customers globally.

As we have seen before, the failures in KYC/CDD and transaction monitoring programs were known back in 2018, having been flagged through internal and external reviews, but insufficient remedial actions were taken. Understanding the risk that a customer presents to an organisation is one of the key tenets that regulators expect from institutions. Prior to December 2020, Coinbase failed to apply risk ratings to its retail customers, with limited information recorded and no quality assurance undertaken. Where firms use KYC/CDD as a purely operational process to onboard a customer rather than a risk-based process, problems will arise.

The lack of robust policies and procedures was further amplified by a period of exceptional growth in the business: between January 2020 and May 2021, the customer base grew by a multiple of 15. The number of transactions from January 2020 to November 2021 increased by a multiple of 25.

Coinbase did take action to address the issues that were identified; however, there were substantial weaknesses in its control framework. The lack of sufficient personnel, resources and technology to manage its risks further contributed to its inability to resolve the issues in a timely manner.

An important lesson from this finding is that when AML issues are discovered, how a financial institution responds is critical. Implementing a thoroughly resourced and detailed remediation plan is essential; not fully committing to it will only result in additional remediation from regulators.

Coinbase’s transaction monitoring system was clearly not operating effectively, compounded by an inadequate case management system and a lack of adequate compliance staff. This resulted in a backlog of over 100,000 cases. To Coinbase’s credit, they did take steps to address this issue and hired more than one thousand third-party contractors to resolve it. Outsourcing to such a large number of contractors creates additional requirements: the outsourcer must ensure that there is sufficient planning, training and understanding of risk appetite, processes and procedures. The outsourcer must also ensure that there is sufficient oversight and quality assurance to maintain their standards; failure to do so normally results in a repeated exercise at considerable cost.

Monitoring does not apply to just payment monitoring. Companies operating in the virtual world must be able to monitor where their customers are operating from, how they are communicating and whether a client is seeking to hide their location. Virtual Private Networks facilitate anonymity, which is beneficial to criminals and rogue states.

The Consent Order provides specific examples of how failures in KYC/CDD, monitoring and screening facilitated the movement of the proceeds of crime through the organisation. There were also significant failures in the identification and reporting of suspicious activities.

Irrespective of being a virtual or physically located regulated firm, the requirement to comply with the law, regulation and guidance remains. This may be the first AML regulatory enforcement against a cryptocurrency entity, but I doubt it will be the last.

John Flynn
9th January 2023