The Jan. 4 consent order includes a $50 million penalty and a commitment from Coinbase to invest an additional $50 million in its compliance function over the next two years to remediate the issues and to enhance its compliance program.
As described in the consent order, the NYDFS examination found “significant deficiencies across Coinbase’s compliance program,” considering its size and complexity. These areas included Know-Your-Customer/Customer Due Diligence (KYC/CDD) procedures, its Transaction Monitoring System (TMS), and its OFAC (Office of Foreign Asset Control) screening program.
The examination also found that, since 2017, Coinbase “failed to conduct adequate annual anti-money laundering (AML) risk assessments since 2017” and “had not provided evidence of a validation review of its TMS system,” which are both required by New York State rules and regulations.
“These failures made the Coinbase platform vulnerable to serious criminal conduct, including, among other things, examples of fraud, possible money laundering, suspected child sexual abuse material-related activity, and potential narcotics trafficking,” NYDFS stated in its press release.
“During much of the relevant period, Coinbase’s KYC/CDD program, both as written and as implemented, was immature and inadequate,” NYDFS stated. “Coinbase treated customer onboarding requirements as a simple check-the-box exercise and failed to conduct appropriate due diligence.”
NYDFS added that Coinbase was “unable to keep pace with the growth in the volume of alerts generated by its TMS. By late 2021, Coinbase’s failure to keep pace with its alerts resulted in a significant and growing backlog of over 100,000 unreviewed transaction monitoring alerts.”
“As uninvestigated TMS alerts languished for months in the backlog, Coinbase routinely failed to timely investigate and report suspicious activity, as required by law,” NYDFS continued. “The Department’s investigation found numerous examples of SARs filed months after the suspicious activity was first known to Coinbase.”
Independent monitor
According to the NYDFS, in light of the state of Coinbase’s compliance system, the NYDFS early last year took the “extraordinary step” of installing an independent monitor “to immediately evaluate the situation and begin working with Coinbase to fix the outstanding issues.”
Under the terms of the consent order, the independent monitor will continue to work with Coinbase for an additional year, which may be extended under the discretion of the NYDFS. “In direct response to the Department’s findings and swift action, Coinbase has begun to remediate many of the referenced issues and to build a more effective and robust compliance program under the supervision of DFS and the DFS-appointed independent monitor,” the NYDFS said.
Broader compliance lessons
The case provides broader compliance lessons for all those in the financial services industry. “It is critical that all financial institutions safeguard their systems from bad actors,” said Superintendent of Financial Services Adrienne Harris.
“Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth. That failure exposed the Coinbase platform to potential criminal activity requiring the Department to take immediate action including the installation of an independent monitor,” Harris added.
In a blog post, Coinbase acknowledged the settlement and described specific improvements it has since made to its compliance program over the last two years, which may be helpful for other compliance professionals in the cryptocurrency community to learn from.
These measures have included:
- Building crypto-focused AML and sanctions compliance tools, such as its blockchain analytics tool, Coinbase Tracer;
- Enhancing its automated TMS;
- Developing a Customer Risk Scoring (CRS) system to calculate risk ratings at onboarding and every day thereafter;
- Building out its enhanced due diligence (EDD) program targeting high-risk customers;
- Launching the Travel Rule Universal Solution Technology (TRUST) solution, designed to help in complying with the Travel Rule while protecting the security and privacy of customers.
“We view this resolution as a critical step in our commitment to continuous improvement, our engagement with key regulators, and our push for greater compliance in the crypto space, for ourselves and others.” 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.