New York State Department of Financial Services and Coinbase reach $100 Million Settlement

The New York State Department of Financial Services ("NYDFS") announced on January 4 that it had reached a $100 million settlement with Coinbase, Inc. ("Coinbase") for failures in its Bank Secrecy Act and anti-money laundering program ("BSA/AML Program") as well as its transaction monitoring and cybersecurity programs. Coinbase obtained a virtual currency business license ("BitLicense") in New York under 23 NYCRR § 200 and money transmitter license in January 2017. As a BitLicense holder and money transmitter, Coinbase is subject to NYDFS-mandated BSA/AML Program, transaction monitoring and cybersecurity requirements.

The Consent Order between the NYDFS and Coinbase (the "Consent Order") is based on findings by the NYDFS that Coinbase conducted its business in an unsafe and unsound manner in violation of New York Banking Law § 44, failed to maintain an effective BSA/AML Program in violation of the Virtual Currency Regulation (NYCRR Part 200) and Money Transmitter Regulation (3 NYCRR Part 417), failed to comply with its obligations to maintain an effective transaction monitoring program in violation of the Transaction Monitoring Regulation (23 NYCRR Part 504), and failed to properly report a cybersecurity incident in violation of the NYDFS's Cybersecurity Regulation (23 NYCRR Part 500).

The Consent Order comes on the heels of a similar settlement in August 2022 between the NYDFS and Robinhood, LLC, with respect to its BSA/AML Program and cybersecurity program failures (the "Robinhood Settlement"). In both instances, the NYDFS cited an inadequacy of resources dedicated to compliance functions with respect to several of the alleged violations, especially given both companies' rapid growth in recent years.

The NYDFS Enforcement Investigation and Findings of Compliance Deficiencies

The NYDFS conducted a routine supervisory examination of Coinbase in 2020, which covered Coinbase's operations from July 1, 2018, through December 31, 2019. The examination revealed multiple alleged deficiencies in Coinbase's compliance program, including its KYC/DD procedures, its transaction monitoring system and its sanctions screening program. In light of its findings, the NYDFS required Coinbase to hire an independent consultant to assess its BSA/AML Program and sanctions program and provide recommendations for improvement, and Coinbase committed to improving its BSA/AML Program and sanctions program in line with the independent consultant's recommendations.

The NYDFS initiated an enforcement investigation in 2021 and, as alleged by the NYDFS, its investigation found that despite Coinbase's efforts, it did not fulfill its commitments to improve its BSA/AML Program and sanctions program and uncovered additional alleged material issues. In response to the findings of the enforcement investigation, the NYDFS and Coinbase entered into a Memorandum of Understanding in February 2022, which mandated that Coinbase retain an independent monitor to review the company's shortcomings and assist with addressing such concerns. In August 2022, the independent monitor provided the NYDFS its report, in which it found that Coinbase improved the weaknesses in its compliance systems, but that further improvement would be required. The NYDFS and Coinbase entered into the Consent Order to resolve the continued shortcomings and establish a remedial plan.

BSA/AML Program Failures and Deficiencies

The Consent Order details numerous findings of deficiencies in Coinbase's BSA/AML Program. The NYDFS stated that its most serious concern was Coinbase's money laundering and terrorist financing program, especially with regard to its customer onboarding and transaction monitoring obligations. The Consent Order notes that Coinbase has been aware of such issues since 2018, but progress has been slow and, in certain instances, had not occurred until recently.

Coinbase's KYC/CDD program was allegedly, as written and as implemented, "immature and inadequate." In addition, customer onboarding requirements were said to be treated as a "simple check-the-box exercise." The Consent Order provides examples of such failures and deficiencies, including the failure to assign an informed risk rating to customers at onboarding, inadequacy of documentation to support customer due diligence, failure to conduct enhanced due diligence where customers were flagged for such review, and, where such enhanced due diligence was conducted, only the "bare minimum" was done to request and review customer identification documentation. As a result, the NYDFS alleges that suspicious or unlawful conduct was facilitated through Coinbase's platform, pointing to specific examples within the Consent Order.

Pursuant to Part 504 of the Superintendent's Regulations, Coinbase is required to have a system in place for monitoring transactions after their execution for potential money laundering and terrorist financing violations and suspicious activity reporting. As noted in the Consent Order, Coinbase experienced a period of rapid growth, which strained its existing compliance program controls and processes. Most notably, the NYDFS found that by late 2021, Coinbase had amassed a backlog of more than 100,000 transaction monitoring alerts as a result, at least in part, of Coinbase's inability to predict or manage the growing alert volume and a lack of compliance staffing. In attempting to remediate such shortcomings, Coinbase allegedly hired more than 1,000 third-party contractors to review and resolve the backlog of transaction monitoring alerts. The contractors' reviews were "rife with errors," as their training was insufficient and not properly tracked, and Coinbase did not have a system in place to adequately audit the quality of the contractors' work. Upon review, Coinbase determined that there were "serious quality issues" with the work of the contractors. Of more than 100,000 alerts reviewed, three contractors reviewed and resolved approximately 73,000 alerts, and of those 73,000 alerts, over half failed the quality check. Such shortcomings were not, as the NYDFS notes, reported to the NYDFS in a timely fashion under the terms of the February 2022 Memorandum of Understanding it had in place with Coinbase.

As a result of the backlog of transaction monitoring alerts, Coinbase was unable to file timely suspicious activity reports ("SARs"), which are federally required to be filed within 30 calendar days of detection. SARs were instead filed months, some more than six months, after Coinbase discovered the suspicious activity. In addition, the NYDFS alleged that Coinbase's recordkeeping with respect to such suspicious activity was insufficient, as Coinbase was unable to "meaningfully respond" to the NYDFS's request for data related to suspicious activity identification, tracking and reporting.

Lastly, Coinbase allegedly failed to institute ongoing sanctions and Politically Exposed Persons screening for approximately 1,600 institutional customers. This failure was compounded by the fact that users were permitted to access Coinbase's sites while using Virtual Private Networks or The Onion Router, which obscure the location of their users.

Cybersecurity Event Reporting Failure

The Consent Order noted that in 2021, approximately 6,000 Coinbase customers were victims of a phishing scam, which ultimately led to unauthorized access to those customers' Coinbase accounts and the theft of $1.5 million from New York customers. Under 23 NYCRR 500.17, Coinbase was required to report this event to the NYDFS within 72 hours of its being discovered, but it did not do so until five months after the event.

NYDFS Settlement Terms

As part of the settlement, in addition to a $50 million monetary penalty, the NYDFS requires Coinbase to spend at least $50 million on further improvements and enhancements to its compliance program (the "Compliance Investment"). In engaging in the Compliance Investment, Coinbase must submit to the NYDFS within 60 days a plan, subject to the NYDFS's approval, identifying the type of activities and engagements on which it intends to spend the entirety of the Compliance Investment funds, including an expected timeline for such investments. The NYDFS also retains a right not to deduct from the Compliance Investment any purported disbursements allocated to "inappropriate" activities and engagements. Any unspent part of the Compliance Investment after 24 months will be forfeitable to the NYDFS at its discretion. In addition, Coinbase is required to retain the independent monitor engaged since April 2022.

A Line in the Sand

The Robinhood Settlement had been the first-ever cryptocurrency enforcement action by the NYDFS. As we noted in our Alert on August 10, 2022, the Robinhood Settlement provided the industry with a baseline understanding of what constitutes sufficient BSA/AML and cybersecurity compliance and adequate transaction monitoring in respect of the NYDFS regulations, including those applicable to BitLicense holders. The Consent Order imposes a penalty and remedial requirements on Coinbase that far exceed those imposed on Robinhood, commensurate with the scale and size of Coinbase's business, and the degree to which its compliance failures resulted in violations of applicable New York laws and regulations.

The NYDFS has made clear, through both the Consent Order and the Robinhood Settlement, that violation of such laws and regulations, even if they do not amount to proven money laundering, will be treated with material consequence. In addition, the expectation of a BitLicense holder to comply with the applicable BSA/AML and cybersecurity requirements is no different from that of a traditional financial institution. Although the cryptoasset industry is still relatively nascent as compared to traditional finance, the business activities of BitLicense holders, at their core, and the associated compliance requirements, are not. Adequate resources should be dedicated to compliance functions, whose programs must be tailored to the size, scale and risk of the business, most especially during periods of rapid change and growth.

© 2023 White & Case LLP