Coinbase yesterday, January 4th 2023, reached a settlement with the New York State Department of Financial Services amounting to $100 million.
The amount involves:
– $50 million penalty
– $50 million for investment in its compliance function
👉 Coinbase’s Compliance Deficiencies:
🚩 Not compliant with Bank Secrecy Act and AML obligations, reporting requirements and record keeping
🚩 Despite the identification of weaknesses by internal assessments and external reviews, Coinbase made slow progress
👉 Coinbase’s KYC/CDD deficiencies:
🚩 Failed to truly know their clients by understanding the nature and purpose of their customers’ businesses, source of funds and the customer’s true identity or ownership
🚩 Treated customer onboarding as a simple “check-the-box” exercise
🚩 Before December 2020, no informed “risk rating” was assigned to individual retail customers
🚩 Did not obtain sufficient documentation from its clients to effectively identify and verify them
🚩 No timely EDD on high-risk customers and, when conducted, it only asked for the minimum documents
👉 Transaction monitoring systems (TMS) deficiencies
🚩 Coinbase failed to keep pace with its alerts. The company had more than 100,000 unreviewed transaction monitoring alerts
🚩 Had insufficient oversight over the third-party contractors it hired for TM
👉 Suspicious Activity Reporting (SAR) deficiencies:
🚩 Failed to investigate and report suspicious activity in a timely manner. In some cases, SARs were filed more than six months from the date of the transaction
🚩 Record keeping for SARs was insufficient
👉 KYC and PEP Screening
🚩 The customers of Coinbase were not subject to ongoing PEP and sanctions screening
👉 Cybersecurity Event Reporting
🚩 Coinbase failed to report a cybersecurity incident to the relevant authority in a timely manner. The incident was reported five months after the event
The example highlights the importance of having a robust AML compliance program, which must be risk-based and include:
🔹 KYC/CDD procedures
🔹 PEP and Sanctions Screening systems
🔹 Transaction monitoring systems
🔹 Suspicious activity reporting procedures
🔹 Record keeping procedures