AML, Cybersecurity Noncompliance Costs Coinbase $100MCrypto Exchange to Pay $50M Penalty, Invest $50M to Boost AML Compliance
Coinbase agreed to a $100 million settlement with the New York financial regulator on Wednesday over cybersecurity lapses and failure to comply with anti-money laundering guidelines that allowed criminals to use the platform for fraud, money laundering and other illicit activities.
See Also: LIVE Webinar | Hackers Don't Back Down, So You Need to Back Up: Data Security's Hardest Truths
The crypto exchange will pay a $50 million penalty for violating New York banking law and the New York State Department of Financial Services virtual currency, money transmitter, transaction monitoring and cybersecurity regulations, the New York State Department of Financial Services said. Coinbase is expected to invest an additional $50 million to apply the necessary AML background checks and implement other compliance programs over the next two years. The deal also mandates that Coinbase hire an independent, DFS-appointed monitor for at least a year to evaluate compliance issues and implement the fixes.
The settlement is one of the largest in the space and on par with similar AML-related penalties levied by NYDFS against traditional banks such as Wells Fargo and Deutsche Bank in the past five years, Avivah Litan, a vice president at Gartner who specializes in emerging technologies, tells Information Security Media Group.
The settlement actually could have been more substantial if the failures for AML and Know Your Customer are indeed as negligent as the state of New York alleges, says Troy Leach, a congressional subject matter expert on payment security and key architect of the PCI Standards Council.
Inadequate Checks and Balances
Coinbase's compliance program did not keep up with its growth over the years, making it vulnerable to potential criminal activity, the state financial regulator said.
"It is critical that all financial institutions safeguard their systems from bad actors, and the department's expectations with respect to consumer protection, cybersecurity and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions," Adrienne A. Harris, superintendent of financial services, says in a statement.
As Coinbase works under a Bitlicense in the state, it is obligated to comply with the New York financial regulator's requirements. The agency found during an examination and subsequent enforcement investigation that Coinbase's Bank Secrecy Act and AML program, including its know-your-customer, customer due diligence, transaction monitoring, suspicious activity reporting and sanctions compliance systems, were "inadequate for a financial services provider of Coinbase's size and complexity," the agency said.
By the end of 2021, Coinbase had an "unmanageable" monthslong backlog of more than 100,000 unreviewed transaction monitoring alerts and more than 14,000 customers requiring enhanced due diligence. But the company had neither the personnel to address the issue nor the resources and tools. Coinbase's customer onboarding requirements were merely a "simple check-the-box," the agency says.
The uninvestigated alerts also led to Coinbase routinely failing to investigate and report suspicious activity required by law, it said. The Bitlicense requires that the licensee notify the department of a cybersecurity event no later than 72 hours after its discovery. But Coinbase reported a phishing scam that resulted in 6,000 of its customers losing $1.5 million five months after the event in 2021, although it reimbursed the funds to customers and worked with law enforcement to nab the perpetrators. Coinbase has since updated its internal procedures to ensure timely notification of incidents, the agency adds.
The crypto company also did not check customers against sanctions, allowed the use of virtual private networks and an Onion router that potentially enabled criminals to hide their location and failed to conduct annual risk assessments.
Loose background checks can make it easier for criminals to set up accounts under false identities to launder stolen money through the exchange. With inadequate transaction monitoring, customer accounts can be more easily hijacked and the funds therein more easily stolen, Litan said.
"We have been very outspoken about illicit financing concerns in the space. It is why our framework holds crypto companies to the same standard as for banks,” Harris told The New York Times.
The crypto exchange said it has since addressed the concerns the NYDFS raised. Paul Grewal, Coinbase's chief legal officer, says the agency's investigation was centered on its compliance program in 2018 and 2019 and compliance backlogs through 2021. "We took NYDFS's concerns seriously and have taken substantial measures to address these historical shortcomings," the company said. It also "routinely conducts proactive investigations to remove bad actors from our platform and work with law enforcement to ensure they are brought to justice," its blog post said.
The financial regulator's order addresses the onboarding of businesses, along with how transacting authority was given to a company representative who was not allowed to transact on the business's behalf, says Sarah Beth Felix, co-founder and chief AML officer at Acceleron Bank. This, she said, is also the case with several banks. "Always good for ML and fraud purposes to know who you are doing business with and who has the authority to transact on the account," she said.
While this action focuses on Coinbase, other cryptocurrency exchanges may potentially have a similar lack of controls.
"It's unfortunate Coinbase has to bear the brunt of regulatory enforcement because other exchanges have far fewer controls than Coinbase does," Litan says. "But they are a leader in market share and certainly have had their share of problems. All the exchanges, including Coinbase, need to do a much better job of protecting customer funds and accounts and hopefully this action will result in that goal being met.”
Due to the absence of clear cybersecurity and safety regulations and compliance guidance in the space, agencies such as the NYDFS have paved the way to regulate the space by forcing improvements, Litan said. Historically, she says, regulations and compliance have forced banks to improve their AML and fraud detection measures and operations.
The silver lining to this case is that it will likely push exchanges and other custodians to pay more attention to background checks and compliance when setting up new customer accounts and potentially cut laundering of stolen or other illicit funds moving through these custodians, Litan says.
The settlement also will force greater investment in compliance and fraud detection than most exchanges expend today, she says. "For traditional financial companies that already are heavily invested in compliance and fraud detection, it will only require incremental upgrades to manage these new types of digital currency functions," she adds.
Leach says this settlement likely will have less impact on broader crypto regulation than the bankruptcy and scandal at FTX because Coinbase chose to be under additional government scrutiny by being a publicly traded company. “The collapse of FTX and the loss of billions of consumer funds by crypto exchanges not following basic cybersecurity practices will likely be a greater catalyst for change and attempts for regulatory oversight,” he says.
In fact, the resolution of the Coinbase violations may improve adoption of digital assets and help other entities that maintain custody of cryptocurrencies, he says. "We saw Coinbase shares rise after the settlement. You see Coinbase leadership acknowledge the interest to do the right things and have been actively involved with policymakers to create a fair path forward that does have oversight for consumer protection,” he says.
Holding crypto companies to the same standards as traditional financial organizations will help assure users that regulators are ensuring that exchanges operate legally with proper controls, Leach says. One disadvantage of using the same regulatory yardstick is that web3 companies may also face the same centralized processes as traditional financial companies. “Traditional financial institutions are expected to meet dozens of regulatory frameworks, often having the same controls validated independently by dozens of different regulatory agencies. Part of the decentralized finance movement is not to avoid accountability, but to evolve how we assess the integrity and due diligence of commerce with digital assets,” he says.
Update Jan. 6, 2022, 4 A.M. UTC: Analysis from payment security expert Troy Leach on the wider implications of the Coinbase settlement.