The consent order issued by the New York Department of Financial Services (NYDFS) to crypto asset exchange, Coinbase, serves as a reminder of regulators’ growing interest in ensuring that crypto asset companies meet their anti-money laundering (AML) and sanctions compliance obligations.

On January 4, 2023, Coinbase agreed to pay $50 million after the NYDFS found that it failed to track, monitor, and report suspicious activity that may have, and in some instances did, result in illegal activity. Coinbase also agreed to invest another $50 million to improve its AML and sanctions compliance program.

In 2017, the NYDFS issued a BitLicense (license to engage in a “virtual currency business activity” involving New York or with New York residents) and a money transmitter license to Coinbase. New York imposes affirmative AML and sanctions compliance obligations on BitLicense and money transmitter licensees that are separate from federal AML and sanctions laws. Accordingly, Coinbase is required to comply with New York-specific regulations related to AML and sanctions screening, in addition to its federal obligations, and the NYDFS has supervisory and enforcement authority.

Coinbase’s initial AML and sanctions violations allegedly occurred in 2018 and 2019 and were discovered during a 2020 routine examination. According to the consent order, Coinbase agreed to hire an independent consultant to help improve its compliance program following the examination, but a 2021 follow-up inspection conducted by the NYDFS concluded that Coinbase was “overwhelmed” by its recent growth and was still operating in violation of various federal and state regulations.

The NYDFS highlighted compliance deficiencies in three primary areas: Coinbase had inadequate Know Your Customer (KYC) and due diligence practices, was unable to maintain an effective Transaction Monitoring System (TMS), and it did not appropriately file Suspicious Activity Reports (SARs) with the Financial Crimes Enforcement Network (FinCEN).

• Know Your Customer and Due Diligence: According to the consent order, Coinbase’s failure to screen new users and conduct enhanced due diligence when necessary was at the core of its violations. The NYDFS found that Coinbase had a backlog of 14,000 users whose backgrounds needed examination. The consent order stated that Coinbase treated KYC requirements, which require companies to collect and maintain certain information about their users, as a “check-the-box” exercise. It also stated that Coinbase should have been asking for more information from users, assigning risk ratings to determine the appropriate level of ongoing transaction monitoring, conducting enhanced due diligence (EDD) when high-risk users were identified, and conducting additional screening for individuals who were politically exposed or from sanctioned jurisdictions.
• Transaction Monitoring: The NYDFS found that that Coinbase had an inadequate TMS. While potentially suspicious transactions were often flagged in Coinbase’s system, they were allegedly not reviewed in a timely manner and there were over 100,000 unreviewed transactions in late 2021. When Coinbase hired third-party reviewers to speed up the process, the reviews were, according to the NYDFS, sometimes conducted incorrectly.
• Suspicious Activity Reporting: All financial institutions are required to report suspicious activity to FinCEN within 30 days of identification. Allegedly, because Coinbase did not monitor transactions in a timely manner, it frequently filed SARs multiple months after suspicious activity was detected and sometimes reported insufficient data.

The NYDFS acknowledged that Coinbase has invested significant time and resources into addressing its compliance deficiencies and said that this cooperation and improvement was a “mitigating factor” in the settlement. According to the consent order, Coinbase must still improve its compliance programs and will continue to be supervised by an independent monitor until at least December 2023.

Notably, the NYDFS settlement is limited to Coinbase’s violations of New York law. The consent order specifically states that it “does not bind any federal or other state agency or any law enforcement authority.” Coinbase has disclosed in each of its quarterly reports to the U.S. Securities and Exchange Commission since March 2021 that it has submitted voluntary disclosures to the Office of Foreign Assets Control (OFAC) and that certain of these voluntary disclosures are currently under review by OFAC. OFAC therefore could impose additional penalties or remediation requirements on Coinbase related to any sanctions compliance deficiencies.

This settlement is part of a larger trend: regulators are concerned about the illicit use of crypto assets and are increasingly scrutinizing crypto asset businesses. On August 8, 2022, crypto asset mixer TornadoCash was sanctioned by OFAC because its weak AML program allowed users to launder over $7 billion. On the same day, a top employee at BitMEX was found guilty of violating the Bank Secrecy Act, demonstrating that individuals, and not just crypto asset companies themselves, can be held liable for such violations. Crypto asset exchanges Kraken and Bittrex both settled with federal regulators in 2022 because of alleged sanctions and AML violations. The Commodity Futures Trading Commission has even brought an action against a so-called “decentralized autonomous organization,” or DAO, for failures to comply with KYC/AML requirements. Regulators are unlikely to take their eyes off crypto asset businesses anytime soon, making proper compliance programs more important than ever.

Other federal regulators are also giving greater scrutiny to the crypto asset industry. On January 3, 2023, the federal banking agencies (the Federal Reserve, Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency) issued a joint statement highlighting crypto asset risks to banks, in response to significant volatility in the crypto asset industry throughout 2022. While acknowledging that banks are not broadly prohibited or discouraged from providing financial services to businesses legally operating in the crypto asset industry, the statement sends a clear message that banks will have to clear a rather high supervisory bar to 1) issue or hold (on balance sheet) crypto assets that are underpinned by an open, public, or decentralized network, or 2) have business models that are concentrated in crypto asset business activities or have concentrated exposures to crypto asset-focused companies. The statement is the clearest signal yet that the agencies view certain crypto asset-related risks as better kept outside the federal banking system.

Crypto asset companies must ensure that their compliance program is tailored to the company’s unique business model. OFAC issued its Sanctions Compliance Guidelines for the Virtual Currency Industry in October 2021. As noted therein and in the resources described above, crypto asset companies must consider risk factors such as geographic location, activities, size, and counterparties when implementing such a program. And, as this settlement shows, crypto asset companies will be held accountable for AML and sanctions violations when they experience unexpected growth that exceeds their previous compliance capacity. According to the consent order, crypto asset companies cannot simply “check a box” as Coinbase did; they must continually evaluate the effectiveness of their AML procedures and adapt quickly when their program is no longer sufficient or when the law changes.

If you have any questions about AML and sanctions issues, or about other regulatory developments affecting the crypto asset industry, please contact any member of Wilson Sonsini's national security practice or fintech and financial services practice.