The New York State Department of Financial Services (NYDFS) kicked off 2023 by announcing a $100m penalty on crypto-currency trading firm Coinbase Inc on 4th January. The Department’s Consent Order identifies significant historic failings in the Coinbase Compliance Program across due diligence procedures, transaction monitoring, OFAC sanctions screening and customer AML risk assessment, as well as issues around record keeping and regulatory communications.
The NYDFS Consent Order, comprising $50m monetary penalty plus $50m compliance spending commitment, is packed full of insight into regulatory expectations for an effective compliance programme. In this article we focus on the lessons relating to Know-Your-Customer (KYC) and Transaction Monitoring (TM), considering in particular the positive impact that training can have on boosting capability in these key areas, deterring criminals and protecting the wider financial system.
Background
First things first. What is Coinbase and what does it do? Coinbase is a cryptocurrency trading platform with a stated mission to increase economic freedom in the world. It aims to do this by providing access to financial services, enabled by crypto, in a trusted, secure and compliant manner. To date Coinbase has acquired over 108 million users, operating in over one hundred countries1.
Coinbase’s size and scale is such that the NYDFS views its business operations as "comparable to more traditional financial institutions such as large banks in terms of customer base and assets on its platform"2 . According to its website, the quarterly volume traded via Coinbase was $159 billion and the platform holds $101 billion of assets3.
The firm is a veteran of the digital space, having held US licences to operate as both a virtual currency provider and as a money transmitter business in New York State since 2017. Under the terms of its operating licences, Coinbase is required to establish and maintain a compliant AML programme and agrees to be subject to oversight by the NYDFS, which is responsible for ensuring the safety and soundness of New York’s financial services industry.
It is worth pausing here a moment to reflect that the NYDFS is a pioneering regulator in the digital space, having established a first-of-its-kind regulatory licensing framework for virtual currency businesses back in 2015. The implication being that where the NYDFS leads, other regulators may follow.
What went wrong
In early 2020 the NYDFS notified Coinbase of concerns arising from its 2018/19 supervisory safety and soundness Examination. As a result, Coinbase committed to review its Compliance programme, and later in 2020 the firm engaged an external consultancy firm to perform an independent assessment. The resultant report, delivered in February 2021, identified a number of recommendations for enhancement and Coinbase duly developed a remediation plan covering both AML and Sanctions.
Perhaps in a different environment Coinbase would have been able to uplift its financial crime systems and controls to the satisfaction of the regulator, and to do so in a timely manner. However, history shows that the popularity and adoption of cryptocurrency accelerated through 2020 and into 2021 before falling back during 2022. Over the 2020 and 2021 period Coinbase experienced an exponential jump in the volume of new customers and transactions. In short, Coinbase grew very fast, very quickly and its financial crime compliance systems and controls did not evolve and scale at the same pace. As the CEO, Brian Armstrong, recently acknowledged, the firm ‘became too focused on growing headcount as a metric for success4.
The Consent Order tells us that ‘The most serious noncompliance concern’s Coinbase’s ML/TF compliance program, specifically in its customer onboarding and transaction monitoring obligations5. Let’s move on to examine each of these in turn.
KYC / EDD – New customer on-boarding
Knowing your customer is a cornerstone of an effective AML environment and the regulator requires Coinbase to maintain a customer identification program. Robust KYC/CDD policies, processes and procedures are fundamental expectations of an effective AML Program designed to assess the nature and purpose of the customer relationship, and the risks associated with that relationship.
Put simply, if you don’t fully know who your customer is or understand what they do, then you may be opening the door to money laundering. Yet the Order tells us that ‘Coinbase’s compliance failed to keep up with the dramatic and unexpected growth of Coinbase’s business6. As the volume of new customer sign-ups in May 2021 rose to fifteen times those of January 2020, the on-boarding process was not able to service this volume. The result was a backlog of over 14,000 customers requiring Enhanced Due Diligence (EDD) by the end of 2021.
The Consent Order describes Coinbase’s KYC/CDD program during this period as ‘immature and inadequate’, citing examples of:
- Customer files without an informed customer risk rating;
- Lack of quality assurance over customer risk rating;
- Customer files comprising of little more than a copy of photo ID;
- Minimum customer ID verification overlooking inaccurate or incomplete information;
- Accounts opened without essential information such as account purpose and expected annual activity;
- EDD on high-risk customers not completed in a timely manner; and
- EDD where completed was cursory and based on incomplete responses7
The collection and verification of accurate customer data at onboarding is fundamental to the assessment of customer financial crime risk, which in turn determines the expected level and frequency of customer due diligence. The Consent Order informs us that Coinbase not only ‘lacked sufficient personnel, resources, and tools’, but also treated customer on-boarding requirements as a ‘simple check-the-box exercise8.
In our experience, a well-designed training program is, to quote Dr. Marcus Pleyer, former President of the Financial Action Task Force, an investment in our future. Good training can be highly motivating and boost staff confidence to question the validity of information or to challenge the reasons behind partial or non-responses to KYC information requests. The use of industry specific case studies, for example, can really drive home to front line teams how allowing bad actors to open accounts can enable money laundering and other criminal activity. This is very effective at promoting staff perception that KYC processes are very far removed from a ‘simple check-the-box’ exercise.
The risks to which front line staff are exposed do not just exist in the training classroom; they are real and have the potential to adversely impact all or any of us. The Consent Order provides actual examples of suspicious or unlawful conduct facilitated through the Coinbase platform. These include:
- One former customer was onboarded without a criminal record for child exploitation being identified and factored into his risk rating, even though this information was publicly available. This customer used the platform to process suspicious transactions potentially related to illicit activity for two years without tailored higher risk detection scenarios being applied9.
- Another customer fraudulently opened a Coinbase account in early 2021 on behalf of a corporation, claiming to be an employee and authorised representative of that corporation. Had the Coinbase on-boarding team verified the identity of the account holder or the connection to the company, they may have detected that the account was not authorised by the company and declined the account. Instead, the account was opened without these checks and customer was subsequently able to raise the daily withdrawal limit by 50 times without any account activity. Then, over the course of a single day the customer deposited approximately $150m into the account, converted these funds into virtual currency and transferred the balance off the platform and into an anonymous wallet. Coinbase did not become aware of criminal activity until it received an enquiry, at which point it became apparent that the $150 million was made up of funds stolen from the corporation10.
Whilst Coinbase has subsequently assisted law enforcement enquiries in these matters and committed to a risk-prioritised KYC refresh of customers onboarded pre-2021, the issues might have been prevented by a control framework operated by staff trained to view KYC as more than merely a tick-the-box process. This type of training not only raises knowledge and core competency, but in raising awareness of the importance of KYC – and of the consequences of failure - can also boost staff confidence to ask pertinent questions and make tough judgement calls.
Transaction Monitoring (TM)
Transaction Monitoring (TM) is another cornerstone of an effective AML Compliance Programme, enabling a firm to identify, investigate and report potentially suspicious transactions. If optimised - and supported by good quality customer KYC data - transaction monitoring can be much more than a post event detective control; it can also prevent criminals from using financial institutions to facilitate illegal activity.
The operational growth of Coinbase was such that monthly transactions in November 2021 were twenty-five times those of January 2020. The Order tells us that ‘Coinbase’s compliance…by the end of 2021, was overwhelmed, with a substantial backlog of unreviewed transaction monitoring alerts, exposing its platform to risk of exploitation by criminals and other bad actors11 . By this time Coinbase was unable to keep pace with the volume of TM alerts and had allowed a backlog of over 100,000 unreviewed TM alerts to build up, many of which were months old.
The regulator cites capacity planning and ‘a lack of adequate compliance staff12 as root causes of the alert build up (here it is not a stretch to interpret ‘adequate’ as meaning skilled, i.e., trained). The Coinbase solution was to engage a team of over 1,000 third-party contractors to ‘burn through’ the backlog. This initially appeared to be an effective resolution, with the backlog being cleared within three months. However, Coinbase did not initially identify ‘serious quality issues’ in the burn down and subsequently had to reperform the review of over 50% of these alerts.
The reperformance was an entirely avoidable cost which could have been prevented by more rigorous quality controls combined with appropriate training and oversight. The Consent Order tells us that ‘the training Coinbase provided was not scalable for the size of the contractor force, and attendance at the training sessions was not adequately tracked13. Just as for KYC/CDD staff, a well-designed training program is fundamental to ensuring TM staff are equipped with the requisite knowledge and skills to review alerts and to determine whether or not they are indicative of suspicious activity. Without such training, staff may be left exposed and the entity is far more vulnerable to being compromised by those with a criminal intent.
As for KYC above, these are more than just theoretical scenarios, they are real life examples with a quantifiable negative impact on both operational cost efficiency and on the disruption of financial crime.
Remediation and Next Steps
Since the findings, Coinbase has made new senior leadership and compliance staff hires as well as developing a new dynamic customer risk rating model, new periodic KYC review procedures and upgrading its TM investigation portal to streamline alert review and SAR filing processes.
The Consent Order identifies areas in which progress to correct issues has been slow but also acknowledges the time and resources that Coinbase has invested to remediate and strengthen its Compliance Programme. According to the official Coinbase blog, ‘our FCC (Financial Crime Compliance) Program incorporates all of the components and controls customers expect from a traditional financial institution – from policies and procedures, to training, to customer due diligence…our Financial Crime Compliance (FCC) work is led by a team of specially trained experts in compliance within a crypto context14.
Coinbase has developed an additional, more targeted remediation plan agreed with a state appointed Independent Monitor and continues to report implementation progress to the NYDFS. Significantly, the Consent Order also includes a requirement for the Independent Monitor to be retained for at least twelve months, accompanied by a formal commitment to spend a minimum of $50m on further enhancements.
Whilst at the time of writing the $50m Compliance ‘Investment plan’ is yet to be agreed with the NYDFS, we can reasonably expect it to include a material investment in training to equip staff with the appropriate skills and knowledge to perform their financial crime compliance roles with confidence. It is also an opportunity to reinforce a positive culture of vigilance and global financial crime prevention across all staff that will deter criminals and help make financial systems, whether traditional or digital, that little bit safer.
Written by: Louis Roddam Director, FC Compliance Ltd GCI Accredited Trainer
1 Source – website www.coinbase.com
2 NYDFS Consent Order, page 4, para 2
3 Coinbase website – figures as at 19 Feb 2023
4 A message from CEO and co-founder, Brian Armstrong, to Coinbase employees’ – Coinbase website, 10/01/2023
5 Consent Order, page 12, para 36
6 Consent Order, page 2
7 Order, page 13, para 39
8 Order, page 13, para 39
9 Order, page 15, Para 43
10 Order, page 15, Para 44
11 Order page 2
12 Order, page 17, paragraph 48
13 Order, page 17, paragraph 50
14 Coinbase official blog, 24/1/2023, ‘How Coinbase identifies bad actors and keeps the ecosystem safe’, www.coinbase.com