Coinbase to pay $100M after NYDFS probe into compliance lapses

Coinbase will pay a $50 million penalty to New York and invest another $50 million in its compliance functions over the next two years, the NYDFS announced Wednesday. The platform has about 100 million users globally and has been licensed by the NYDFS since 2017.

The regulator said in its consent order it conducted a routine safety and soundness examination of Coinbase in May 2020. Based on its findings, it launched an enforcement investigation in 2021 and took the “extraordinary step” of requiring Coinbase to hire an outside monitoring consultant to help the platform remediate immediate concerns and make further recommendations.

The NYDFS’s investigation “uncovered substantial lapses” in nearly all of Coinbase’s major compliance programs, the regulator said. Coinbase’s systems failed to keep up with the dramatic and unexpected growth of the company’s business and, by the end of 2021, were “overwhelmed” and “reached a critical stage.”

The company’s Bank Secrecy Act/anti-money laundering program between July 1, 2018, and Jan. 1, 2020, was inadequate for a financial services provider of Coinbase’s size and complexity, the NYDFS said. Further, its know your customer/customer due diligence program was “immature and inadequate” as written and implemented, the regulator said.

Coinbase’s customer onboarding requirements were a “check-the-box exercise” lacking in diligence, and its transaction monitoring system, suspicious activity reporting, and sanctions compliance systems were unable to fully function, the NYDFS found.

By late 2021, Coinbase accumulated a backlog of more than 100,000 transaction monitoring alerts it needed to review, the NYDFS said. It didn’t investigate alerts that warranted inspection or file timely suspicious activity reports as the law required, the regulator continued.

One Coinbase customer had been onboarded despite being charged with child sexual abuse-related activity in the 1990s, according to the consent order. The person engaged in suspicious activities through the Coinbase platform for two years undetected before their accounts were closed and reported.

In another instance, someone posing as an employee of a business transferred more than $150 million from the company’s bank account into its Coinbase account and then moved the currency off the platform in a single day. Coinbase didn’t catch on until the company’s bank contacted it six days later, according to the order.

As part of the agreement, an outside monitor will continue to advise Coinbase for another year, after which the NYDFS will decide whether to extend the contract.

So far, Coinbase has strengthened its compliance programs, “albeit with further improvement required,” the NYDFS said. The company has begun risk assessments of all customers onboarded before September 2021, according to the order.

“It is critical that all financial institutions safeguard their systems from bad actors,” said NYDFS Superintendent Adrienne Harris in the regulator’s press release. “[T]he department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions.”

Coinbase was also faulted for failing to timely disclose to the NYDFS a 2021 breach that affected approximately 6,000 customers.

“We took NYDFS’s concerns seriously and have taken substantial measures to address these historical shortcomings,” said Paul Grewal, Coinbase chief legal officer, in a statement on the company’s website. “… We believe that New York—and the broader industry—needs more crypto players committed to compliance and working with regulators. That is one of the reasons why we knew it was important to bring this matter to a conclusion, even though it is never the type of agreement reached lightly.”