New York’s Department of Financial Services (“DFS”) recently announced a $100 million settlement with Coinbase, Inc., one of the world’s largest cryptocurrency exchanges, for Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) compliance failures, which could have broad impact on both the fiat currency and cryptocurrency (digital assets) communities. DFS found a broad range of significant failures in the customer identification program (“CIP”)/customer due diligence (“CDD”), transaction monitoring, suspicious activity reporting, politically exposed person (“PEP”) screening, and cyber event reporting. DFS indicated Coinbase’s BSA/AML compliance program failed to keep up with Coinbase’s growth, despite working with an independent monitor since early 2022. As a result, Coinbase will pay a $50 million penalty and invest an additional $50 million in its BSA/AML compliance program. While directed at crypto exchanges and relevant to the blockchain industry, this settlement also provides clear warnings to all financial institutions.

CIP/CDD

DFS described Coinbase’s CIP/CDD onboarding requirements as “a simple check-the-box exercise.” Importantly, Coinbase failed to assign customers an informed customer risk rating; collect CIP beyond a copy of a photo ID; identify clearly inaccurate information; determine the customer risk profile; or conduct CDD on high-risk customers, resulting in a backlog of over 10,000 CDD reviews.

Transaction Monitoring System Deficiencies

According to DFS, Coinbase was unable to keep up with the increased number of alerts generated by its transaction monitoring system, resulting in a backlog of over 100,000 unreviewed transaction monitoring alerts by late 2021. While Coinbase hired more than 1,000 consultants to review the alert backlog, Coinbase provided insufficient oversight. As a result of poor training and quality control, a substantial portion of the alert reviews contained errors.

PEP Screening

Coinbase allowed its customers to access its platform while using VPNs or the Dark Web, permitting a user to appear to be located in a location or country different from their actual location. DFS found Coinbase never developed a risk-based policy for customers using these channels. Additionally, Coinbase customers were purportedly not subject to ongoing sanctions monitoring or PEP screening until December 2020.

Cybersecurity Event Reporting Requirements

In 2021, approximately 6,000 Coinbase customers were victims of a phishing scam that led to unauthorized account access. Although DFS regulations required Coinbase to report this event to DFS within 72 hours of its discovery, the intrusion was not reported until five months later.

Suspicious Activity Reporting Deficiencies

The BSA/AML compliance failures led to multiple instances of potential money laundering, narcotics trafficking, and other suspicious activity going unreported. DFS also found Coinbase repeatedly filed Suspicious Activity Reports (“SAR”) months after the suspicious activity was identified. In many other instances, Coinbase was unable to manage SAR data and could not meaningfully respond to DFS requests for information related to suspicious activity.

The Takeaway for All Financial Institutions

When announcing the settlement, DFS Superintendent Adrienne A. Harris said, “It is critical that all financial institutions safeguard their systems from bad actors, and the Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions.” Her statement clearly put blockchain and traditional financial institutions – including banks – on notice they must implement robust CIP/CDD policies, procedures and processes that are the foundational element of BSA/AML compliance programs. The settlement also makes clear financial institutions must monitor how customers access online platforms and mitigate the risks, and banks must monitor their customer’s transactions to and from crypto exchanges. As DFS reiterated several times, financial institutions must manage their growth proactively and adeptly or risk enforcement actions. Finally, this settlement and other cases, such as FTX and Bittrex, make clear federal and state regulatory oversight – arguably long overdue for blockchain and crypto – may have finally arrived.