Opinion: Cryptocurrency Companies to Develop Compliance Programs
Stephen Aschettino, Mayling Blanco, and Matthew Niss of member company Norton Rose Fulbright authored this informational article.
Cryptocurrency companies continue to make the headlines even during these challenging economic times as regulators and enforcers continue to corral the risks presented by this new industry, including its serious commitment to developing effective compliance programs. Last week the New York State Department of Financial Services (NYSDFS) announced a settlement of its investigation into cryptocurrency trading platform Coinbase, Inc. (Coinbase) and its anti-money laundering (AML), Know-Your-Customer (KYC) and Office of Foreign Asset Control (OFAC) sanctions compliance program, which requires Coinbase to pay $100 million in fines and compliance program enhancements. This action against Coinbase is just the latest in a series of compliance-focused enforcement efforts directed against cryptocurrency companies. Scrutiny of cryptocurrency compliance programs appear likely to remain an enforcement priority for many regulators as the industry begins to mature.
The Coinbase Settlement
According to the consent order, in 2017 NYSDFS issued a license to Coinbase allowing it to operate both a virtual currency business and money transmitter business in New York, with Coinbase concomitantly agreeing to be subject to the NYSDFS’s oversight. In 2020, NYSDFS conducted a supervisory examination of Coinbase in which it identified “significant deficiencies” in Coinbase’s AML, KYC, and OFAC screening compliance programs. In 2021, NYSDFS initiated an enforcement investigation to determine whether these compliance issues rose to the level of a legal violation. In response to NYSDFS’s actions, Coinbase made efforts to remediate these compliance issues, but “substantial weaknesses” remained. These were compounded by the rapid operational growth Coinbase experienced during this period: Coinbase’s compliance function was allegedly unable to keep up, resulting in a rapidly expanding backlog of unreviewed transaction alerts and customer due diligence. As examples, NYSDFS noted that this backlog allowed Coinbase customers to engage in suspicious transactions without Coinbase imposing the required controls or becoming aware of the activity until well after the transactions were completed.
Although in early 2022 Coinbase was required to, and did, retain an independent monitor to assess Coinbase’s compliance program and assist Coinbase in addressing deficiencies, problems remained, and on January 4, 2023 NYSDFS and Coinbase agreed to a $50 million fine. Coinbase also agreed to extend the monitorship for another year, and committed to spending $50 million on compliance improvements. In imposing the fine, NYSDFS considered Coinbase’s compliance remediation efforts, agreement to a monitorship, and cooperation with NYSDFS as mitigating factors, but considered the egregiousness of Coinbase’s compliance failures an aggravating factor. Moreover, although NYSDFS acknowledged that Coinbase had already “invested very substantial time and resources” to attempt to remediate its compliance issues, NYSDFS also described progress in certain areas as “slow.”
Compliance-Focused Actions are Not New
Regulators of all stripes continue to bring similar, compliance-focused enforcement actions against cryptocurrency companies. In October 2022, OFAC and the Financial Crimes Enforcement Network (FinCEN) announced a $29 million settlement with cryptocurrency exchange Bittrex, Inc., over alleged failures in its AML and sanctions compliance programs. In August 2022, NYSDFS reached a similar consent order against a separate cryptocurrency trading platform over its allegedly deficient AML compliance program, resulting in a $30 million fine. More recently, it was reported that the Department of Justice (DOJ) is preparing to wrap up its long-running investigation into the AML and sanctions compliance program of the world’s largest cryptocurrency exchange, Binance, with prosecutors currently weighing criminal charges. On January 18, 2023, the DOJ arrested the founder of cryptocurrency exchange Bizlato Ltd., which, among other things, allegedly “failed to implement required anti-money laundering safeguards,” and whose “deficient” KYC procedures allowed it to become a “haven for criminal proceeds.” Legislators have also trained their attention on cryptocurrency compliance issues, and on December 14, 2022 U.S. Senators Elizabeth Warren (D-Mass.) and Roger Marshall (R-Kan.) introduced a bipartisan bill to, among other things, expand AML and sanctions compliance obligations to a broader set of companies within the cryptocurrency industry.
Preparing for Continued Compliance in Crypto
Viewed against this backdrop, regulators’ efforts to ensure robust compliance programs in the cryptocurrency space show no signs of abating. NYSDFS’s settlement with Coinbase demonstrates the importance of a well-resourced compliance function, particularly when a company experiences rapid operational growth that may stretch its compliance capabilities. Coinbase’s experience also illustrates that after-the-fact remediation efforts will present as a mitigating factor, but they must be taken in earnest and with suitable haste in light of the risk posed by lax compliance. Despite the myriad other challenges faced by the cryptocurrency industry writ large, prudence dictates that cryptocurrency companies not lose sight of their compliance obligations.