
US Crypto Exchange Consents To $100M DFS Settlement For AML Compliance Failures – Fin Tech


Takeaways

  • Virtual currency licensees should ensure that their compliance
    programs – including with respect to anti-money laundering
    and cybersecurity – keep pace with the growth and any changes
    to their operations so as to avoid substantial alert backlogs.
  • Risk assessments, independent testing, and prompt remediation
    are bedrock compliance tasks that the DFS expects every licensee to
    undertake without exception.
  • DFS continues to levy significant sanctions for violations of
    its regulations, including, as was the case here, a steep civil
    penalty and the imposition of an independent consultant or
    monitor.

On January 4, 2023, the New York State Department of Financial
Services (“DFS”) announced that Coinbase, Inc., a major U.S.
cryptocurrency exchange, will pay a $50 million penalty and invest
an additional $50 million in its compliance function over the next
two years to remediate significant violations of the New York
Banking Law and the DFS virtual currency, money transmitter,
transaction monitoring, and cybersecurity regulations. DFS
published a Consent Order describing the alleged
violations of the New York Banking Law and DFS regulations, as well
as the terms of the settlement. This is the second consent order
published by DFS involving a cryptocurrency market actor.[1]

DFS’s Regulation of Virtual Currency Business Activity

As the primary regulator of financial services in New York
State, DFS licenses and oversees financial institutions within the
state. Among other things, DFS regulations require licensed money
transmitters to establish, implement, and maintain an effective
anti-money laundering (“AML”) compliance program.
DFS’s Virtual Currency Regulation[2] similarly requires
DFS-regulated virtual currency entities to establish an effective
AML program.[3] Likewise, DFS’s Cybersecurity
Regulation[4] requires licensees, including virtual
currency businesses and money transmitters, to create and maintain
a cybersecurity program designed to protect the confidentiality,
integrity, and availability of information systems.

DFS Examination Evolves into Investigation and Monitorship

In January 2017, DFS issued licenses to Coinbase to operate a
virtual currency business and money transmitter business in New
York.[5] In 2020, DFS conducted a safety and
soundness examination (“Examination”) of Coinbase for the
period of July 1, 2018, through December 31, 2019, and, according
to the Consent Order, found serious deficiencies in Coinbase’s
compliance function. As a result, DFS required Coinbase to hire an
independent consultant to assess Coinbase’s Bank Secrecy Act
(“BSA”) and Office of Foreign Assets Control
(“OFAC”) sanctions program (together, the
“Compliance Program”). That independent consultant then
provided a report to Coinbase and DFS in February 2021 and Coinbase
adopted a remediation plan and took steps to enhance its Compliance
Program.

Despite Coinbase’s remediation efforts, in 2021, DFS began
an enforcement investigation into issues identified during the
Examination. In 2022, DFS and Coinbase entered into a memorandum of
understanding (“MOU”) that mandated Coinbase to retain an
independent monitor to review and assist in addressing
Coinbase’s compliance shortcomings. The independent monitor
then provided a report to DFS assessing Coinbase’s Compliance
Program and finding that Coinbase had made progress in remediating
its compliance weaknesses, albeit with further improvement
required. In response, Coinbase worked with the monitor to develop
a further, targeted remediation plan. The Consent Order
followed.

Alleged BSA, AML, Reporting, and Record Keeping Violations

Among other things, the Consent Order cited the following
violations:

Know-Your-Customer/Customer Due Diligence

The Consent Order noted that “[d]uring much of the relevant
period,” Coinbase’s know-your-customer (“KYC”)
and customer due diligence (“CDD”) program, “both as
written and as implemented, was immature and inadequate” and
“Coinbase treated customer onboarding requirements as a simple
check-the-box exercise and failed to conduct appropriate due
diligence.” The Consent Order cited the following examples of
Coinbase’s KYC/CDD deficiencies:

  • Prior to December 2020, Coinbase often failed to assign an
    informed “risk rating” to retail customers at onboarding,
    and lacked a risk rating quality assurance process until September
    2021;
  • Coinbase’s CDD file from its retail customers historically
    consisted of little more than a copy of a photo ID;
  • Coinbase historically did little to verify CDD information,
    instead relying on self-reported social media profiles while
    overlooking information that was clearly inaccurate and/or
    incomplete;
  • Prior to July 2021, Coinbase allowed customers to open accounts
    without supplying essential information such as annual expected
    activity and account purpose; and
  • Coinbase failed to timely conduct enhanced due diligence
    (“EDD”) on high-risk customers and for a time had a
    substantial backlog of open EDD cases.

Specifically, DFS’s investigation identified a former
Coinbase customer “who was criminally charged in the 1990s
with crimes related to child sexual abuse material” and stated
that “[f]or more than two years, this customer engaged in
suspicious transactions potentially associated with illicit
activity.” The Consent Order also cited an example where an
individual opened an account on behalf of a corporation without
authorization, allowing the individual to misappropriate more than
$150 million from the corporation’s bank account by
transferring those funds to a Coinbase wallet, converting the funds
into virtual currency, and then withdrawing the funds to a wallet
off Coinbase’s platform.

Transaction Monitoring System

With regard to Coinbase’s Transaction Monitoring System
(“TMS”), according to the Consent Order, “Coinbase
was unable to keep pace with the growth volume of alerts generated
by its TMS,” which by late 2021 led to a “growing backlog
of over 100,000 unreviewed transaction monitoring alerts.” To
resolve the backlog, Coinbase allegedly hired “more than one
thousand third-party contractors to ‘burn through’ the
remainder of the backlog.” However, allegedly, “Coinbase
provided insufficient oversight over the third-party
contractors,” and the reviews were “rife with
errors.” According to the Consent Order, a third-party audit
firm reviewed one backlog, consisting of approximately 73,000
alerts that had been cleared by three contractors, and found that
“more than half failed the quality check”; one contractor
had a failure rate of 96% of the alerts sampled; and another
contractor had “a 73% failure rate in a sample with respect to
one kind of alert.”

Suspicious Activity Reporting

According to the Consent Order, Coinbase “failed to timely
investigate and report suspicious activity as required by law”
and was unable to provide sufficient data on suspicious activity
when requested because “it did not adequately track or retain
that information.”

KYC and PEP Screening

The Consent Order noted that DFS found 1,600 institutional
customers that, while subject to sanctions and Politically Exposed
Persons (“PEP”) screening at onboarding, were not subject
to ongoing screening until December 2020. And although Coinbase is
required to know its users’ physical location, Coinbase allowed
its users to access its sites using Virtual Private Networks
(“VPNs”) or The Onion Router, tools that Coinbase knew
can obfuscate a user’s actual physical location. The Consent
Order further noted that “Coinbase never promulgated a
risk-based policy (for instance, instituting a rule that use of
such tools raises the level of risk from medium to high, or from
low to medium) for those users it detects using such tools”
and instead simply considered such activity as a factor in
investigations.

Cybersecurity Event Reporting

According to the Consent Order, “[i]n 2021, approximately
6,000 Coinbase customers appear to have been the victims of a
phishing scam unrelated to Coinbase that ultimately led to
unauthorized access of those customers’ Coinbase accounts”
and the theft of nearly $1.5 million from New York customers.
Despite being required to report these events to DFS within 72
hours pursuant to 23 NYCRR § 500.17, Coinbase allegedly waited
until five months after the event occurred.

The Settlement and Consent Order

The DFS Settlement calls for a civil monetary penalty of $50
million; a continuation of the independent monitor selected by DFS
for a further 12 months, with the independent monitor issuing a
final report to DFS; a commitment to invest $50 million into a plan
approved by DFS to further improve and enhance Coinbase’s
compliance program; and quarterly updates describing progress on
that investment plan and detailing expenditures. In determining its
response to Coinbase’s compliance failures, DFS considered all
the factors set forth in New York Banking Law § 44(5),
together with mitigating factors such as Coinbase’s
cooperation, willingness to enter into an MOU, engagement with an
independent consultant and independent monitor, and investment of
substantial resources toward improving the company’s compliance
system.

Conclusion

Digital asset businesses should ensure that their BSA and OFAC
compliance programs expand at pace with their operations. Those
that fail to do so risk facing substantial fines and penalties.
Digital asset businesses also should be mindful of this Consent
Order and its allegations, which provide insight into what DFS, and
other regulators, view to be best practices for mature AML and OFAC
programs, including, but not limited to, (i) maintaining up-to-date
and verified KYC/CDD information to allow assignment of appropriate
“risk scores” or “risk ratings” to customers,
(ii) preventing backlogs of TMS alerts, (iii) reporting suspicious
activity within the proper time frame, and (iv) structuring
compliance programs to fully account for the use of technologies
such as VPNs. Additionally, to help prevent becoming the subject of
a similar action, cryptocurrency businesses located in New York
should establish a working relationship with DFS and be prepared to
demonstrate compliance with the required programs.

The BakerHostetler White Collar, Investigations, and Securities
Enforcement and Litigation; Blockchain Technologies and Digital
Assets; Federal Policy; and International Trade – Export
Controls and Economic Sanctions teams are composed of dozens of
experienced individuals, including attorneys who have served in the
Department of Justice, the SEC, and Congress. Our attorneys include
former U.S. attorneys, branch chiefs and unit chiefs as well as
partners who have served in the SEC’s Division of Enforcement
and the SEC’s Office of the General Counsel, and attorneys with
extensive experience across all…
