Two months in and 2023 is set to be a big year for crypto enforcement. Fueled in part by the bankruptcy of FTX and other crypto-related companies in late 2022, regulators have begun to move past mainly rhetorical warnings regarding the crypto industry and to take a heavier hand. The SEC’s main claim has been for unregistered securities and exchanges, but banking regulators seem focused in particular on issues surrounding crypto-related money laundering risks.

A key example in understanding the money laundering risks associated with digital assets, potential risk mitigation techniques and anti-money laundering (“AML”) requirements is the New York Department of Financial Services (“NYDFS”) settlement with Coinbase, Inc. (“Coinbase”), announced on January 4, 2023, and the “wide-ranging and long-standing” AML and other compliance failures described in that action. In this post, we provide background on that action and discuss key takeaways.

Background

Coinbase is a cryptocurrency trading platform licensed by NYDFS to conduct virtual currency and money transmitter business in New York since 2017.  NYDFS requires that all money transmitters and virtual currency licensees have an AML program in place that complies with federal laws and regulations.

According to NYDFS, Coinbase maintained an AML program that was inadequate for its size and complexity, including deficiencies in know-your-customer/customer due diligence (“KYC/CDD”) procedures, transaction monitoring, suspicious activity reporting and sanctions compliance systems. Under the settlement, Coinbase agreed to a $50 million penalty and an additional $50 million commitment to invest in compliance improvements over a two-year period.

Below are key takeaways from the settlement.

AML programs should be appropriate in scale and scope.

AML programs need to be tailored to the size of the institution. According to NYDFS, as Coinbase grew, the company’s AML program failed to keep pace, resulting in backlogs of unreviewed transaction monitoring alerts and customers requiring enhanced due diligence reviews. NYDFS initially identified these issues in 2018 and, while steps were taken to remediate some of these issues, Coinbase had not entirely remedied the deficiencies or implemented its remediation plan by the time of the settlement. By appropriately resourcing the program from the outset and continuously monitoring its effectiveness, Coinbase could have avoided the backlogs and deficiencies identified by NYDFS.

Many companies in the crypto space, such as Coinbase, have experienced rapid growth, which can offer opportunities to scale the business but also can introduce difficulties in keeping compliance at pace. Companies in this space should be prepared to build out their AML programs in line with any expansions in their operations.

AML programs should consider specific risks to the company and the risks that the law attempts to mitigate.

Robust KYC/CDD programs tailored to the specific risks posed by a company’s business are foundational to AML compliance.  According to NYDFS, Coinbase treated KYC/CDD as a “simple check-the-box exercise” and did not accurately assess the risks posed by certain customers.  Furthermore, Coinbase allowed its customers to access its sites while using virtual private networks (“VPNs”) or “The Onion Router,” which obscure the user’s location. This prevented Coinbase from accurately assessing whether its customers were located in jurisdictions subject to sanctions or that would otherwise raise red flags.

This finding underscores the importance of understanding the specific risks to a company’s business to ensure the company effectively tailors its compliance program and appropriately mitigates risks. Working in the online space and particularly through a blockchain-based system, which lends itself to anonymity, crypto-based companies should be sensitive to the different technologies available that could make KYC/CDD and other screenings more difficult. In particular, crypto companies should structure their compliance programs to account for the use of such technologies, as appropriate on a risk basis.  The Coinbase settlement suggests that, at a minimum, a customer’s use of VPNs or similar tools may call for a higher risk rating for the customer.

AML programs should maintain oversight over third parties.

AML programs that rely on third parties should ensure these parties are acting in compliance with AML laws and regulations. Coinbase hired more than 1,000 third-party contractors to get through a backlog of unreviewed transaction monitoring alerts, but then failed to provide sufficient oversight, training and quality control.  A third-party audit firm discovered that more than half of 73,000 alerts reviewed by certain contractors failed a quality check and many had to be reviewed again.

To avoid similar pitfalls, crypto companies should implement sufficient training, oversight and quality control in hiring third parties to perform AML functions. The level of oversight should be risk-based, including consideration of the third party’s experience and the difficulty of the task.

Conclusion

AML compliance can be difficult for even established firms, and digital asset-based companies should be particularly careful that their businesses operate in line with AML requirements given heightened regulatory focus on the risks surrounding these businesses. This includes any company dealing with digital assets, from crypto-based start-ups to established financial institutions that provide services involving digital assets.

***

To subscribe to the Debevoise Fintech Blog, click here.

***

Author

Aseel Rabie is a corporate counsel and a member of Debevoise’s Banking Group. She can be reached at arabie@debevoise.com.

Author

Zila R. Acosta-Grimes is a corporate associate and a member of Debevoise's Financial Institutions Group. She can be reached at zracostagrimes@debevoise.com.

Author

Jonathan Steinberg is a corporate associate and a member of Debevoise's Financial Institutions Group. He can be reached at jrsteinb@debevoise.com.

Author

Jessica Szymeczek is a corporate law clerk and a member of the Banking Group. She can be reached at jszymecz@debevoise.com.