Gold and silver color shiny Bitcoins with smartphone with Coinbase logo text

Coinbase pays $100M to atone for shoddy AML/KYC compliance

Coinbase (NASDAQ: COIN) is $100 million poorer after New York regulators found that the digital asset exchange viewed anti-money laundering (AML) and know your customer (KYC) requirements as someone else’s problem.

Early Wednesday, the New York State Department of Financial Services (DFS) announced that it had reached a $100 million settlement with Coinbase after a probe identified “wide-ranging and long-standing failures in Coinbase, Inc.’s [AML] program, including with regard to its [KYC]/customer due diligence [CDD], transaction monitoring, and suspicious activity reporting [SAR] systems, among others.”

The problems surfaced at Coinbase as early as 2018 and the exchange’s appointment of an independent consultant did little to remedy the issues. Frustrated by the lack of progress, DFS opened an enforcement investigation in 2021.

During the period probed by the DFS, Coinbase’s KYC/CDD program was found to be “immature and inadequate. Coinbase treated customer onboarding requirements as a simple check-the-box exercise.” As the crypto market grew, Coinbase’s failure to update and expand its compliance programs resulted in a backlog of “over 100,000 unreviewed transaction monitoring alerts” and over 14,000 customers requiring Enhanced Due Diligence (EDD).

Coinbase’s inadequate Transaction Monitoring Service (TMS) meant that the exchange “routinely failed to timely investigate and report suspicious activity as required by law.” DFS found “numerous examples of SARs filed months after the suspicious activity was first known to Coinbase.”

Coinbase “did the bare minimum” to verify that customers were who they claimed they were, “relying on self-reported social media profiles while overlooking information that was, on its face, clearly inaccurate, and/or incomplete.” Coinbase analysts “at times accepted responses that were either non- or partially-responsive.”

The “risk-based” compliance program that Coinbase implemented “is only effective if the risk rating is conducted rationally, and that simply did not happen at Coinbase (and in many cases still has not happened).”

Just so much fail

Coinbase’s shortcomings left the exchange “vulnerable to serious criminal conduct, including, among other things, examples of fraud, possible money laundering, suspected child sexual abuse material-related activity, and potential narcotics trafficking.”

The DFS Consent Order cites the example of “a former Coinbase customer who was criminally charged in the 1990s with crimes related to child sexual abuse material.” Coinbase remained unaware of this reality and the aforementioned pervert “engaged in suspicious transactions potentially associated with illicit activity” for over two years before Coinbase got wise.

A different customer claimed to be an employee of an unspecified corporation and opened an account on that corporation’s behalf “without authorization from that corporation, and without the appropriate personal identification documentation required by Coinbase policy.”

In the “sophisticated fraud” that ensued, the scammer successfully requested a 50x boost in the account’s daily withdrawal limit “despite a total lack of account activity and, therefore, no evidence that the existing thresholds were insufficient for the customer’s activity.”

The scammer proceeded to transfer over $150 million in stolen funds into the Coinbase account, “immediately converted” this sum into digital tokens, then transferred it off the exchange. Coinbase only got wise when the corporation’s bank contacted the exchange six days later.

No, Brian, you can’t grade your own test

The DFS agreement requires Coinbase to pay a $50 million penalty and invest an additional $50 million into beefing up its shoddy compliance programs. Furthermore, DFS is no longer willing to take Coinbase at its word.

DFS Superintendent of Financial Services Adrienne Harris said Coinbase’s failure “to build and maintain a functional compliance program that could keep pace with its growth” required DFS “to take immediate action including the installation of an Independent Monitor” in early 2022.

This DFS monitor will remain in place throughout 2023 and may remain in perpetuity should the DFS see little evidence that Coinbase can be trusted to independently comply with its regulatory obligations.

Coinbase shares, which last week sunk to an all-time low below $32, enjoyed a 12% bump on Wednesday, evidently because investors were relieved the DFS penalty wasn’t larger. Then again, given the exposure of illegality that accompanied the downfall of rival exchange FTX, perhaps this is what passes for ‘upstanding’ in the crypto sector these days.

Regardless, Coinbase shares have lost around 90% of their value following their early-2021 Nasdaq debut. For investors who failed to dump their shares on unsuspecting rubes, that must seem a long, long time ago indeed.

Our moms say we’re doing swell

Following the DFS announcement, Coinbase’s chief legal officer Paul Grewal issued a blog post in which he insisted (without evidence) that Coinbase’s goal “has always been and will always be to build the most trusted, compliant, and secure crypto exchange in the world.” In short, Coinbase vows to continue its noble work of shutting the barn door long after the last cow has fled.

Grewal went on to claim that Coinbase “routinely conduct[s] proactive investigations to remove bad actors from our platform,” without clarifying whether any of these investigations actually resulted in the removal of ‘bad actors.’

Those ‘bad actors’ would include Coinbase itself, as detailed in its 2021 settlement with the U.S. Commodity Futures Trading Commission (CFTC) in which Coinbase was fined $6.5 million for “reckless, false, misleading or inaccurate reporting.” Coinbase also failed to notice that one of its employees (widely suspected to be Litecoin founder Charlie Lee) was wash-trading the hell out of LTC via his personal Coinbase accounts to artificially inflate the token’s value.

Despite all these failures, Coinbase continues to trumpet its mantra that “trust is our greatest asset.” Following the well-worn path laid down by Binance, FTX and Tether, Coinbase appears to believe that simply repeating ‘the big lie’ often enough will convince everyone it’s not a lie. So far, regulators aren’t buying it.

For the record, we imagine the settlement discussions between the DFS and Coinbase’s senior management, including CEO Brian Armstrong, went something like this:

Shortly before Christmas, Coinbase corporate counsel Jolie Yang may have inadvertently shed some light on the exchange’s approach to its legal obligations when she tweeted: “one of the cool things about working at @coinbase is that i have the freedom to think about how the law should be, not what they are”.

When ‘crypto twitter’ understandably inferred that Yang was describing a ‘choose your own adventure’ approach to which laws Coinbase might choose to obey, Yang backpedaled, saying “let me be super clear *i never said we should disregard the law* … Sorry, not sorry that I am not the villain y’all make me out to be.”

That other probe

Like Yang, Coinbase’s Armstrong continues to paint a supposed lack of “regulatory clarity” as the source of all crypto injustice, ignoring the prevailing wisdom that existing financial rules are perfectly applicable to digital assets. As countless others have observed during crypto’s rise and fall, not liking existing regulations doesn’t eliminate your need to comply with existing regulations.

Wednesday’s DFS settlement will boost speculation as to when Coinbase might settle its beef with the U.S. Securities and Exchange Commission (SEC), which is probing (among other things) the exchange’s history of offering unregistered securities to customers.

The SEC is increasingly demonstrating that it means business on this front. Last August, the SEC imposed a $30.9 million springing penalty against ‘identity attestation platform’ Bloom Protocol for offering unregistered securities via an initial coin offering (ICO) between November 2017 and January 2018.

Last November, a judge agreed with the SEC that the LBRY blockchain-based digital content-sharing platform’s LBC token met the Howey test definition of a security. LBC tokens weren’t launched via an ICO but were sold directly on the platform. However, the judge found that LBC met the Howey test definition based on LBRY’s assertion that LBC had a “tremendous” long-term value if the LBRY team continued to build out the platform.

Just this week, the SEC filed a complaint against Neil Chandran and multiple other defendants for “a brazen and far-reaching unregistered offering fraud.” The fraud involved the promotion of a “unique blockchain technology” called CoinDeal that was in reality an outright sham but managed to raise $45 million from investors/marks before the rug was pulled.

The three SEC actions above involve a range of activities, but the common thread is that the agency has lost its patience with all things crypto. As such, Coinbase has no reason to expect that its rote ‘we love regulations’ pronouncements will do much to dissuade SEC boss Gary Gensler from cutting them any slack.

Last July, as part of an insider trading scandal involving a Coinbase staffer, the SEC identified nine tokens listed on Coinbase as unregistered securities. Last November, Coinbase revealed that the SEC had issued “investigative subpoenas and requests” for documents related to Coinbase’s “processes for listing assets, the classification of certain listed assets, its staking programs, and its stablecoin and yield-generating products.”

Sell! Sell! Sell!

Coinbase may have sown the seeds of its own misfortune with its 2021 decision to accelerate the process by which it decides which function-free tokens to list. But despite its efforts to shear the credulous crypto sheep, Coinbase lost over $2 billion in just the first nine months of 2022 and this red ink stain will almost certainly widen when the full-year figures are reported next month.

Just for fun, let’s check how some of the tokens that Coinbase listed last year are faring. There’s ApeCoin, which made its Coinbase debut on March 17 at a value of US$8.54, spiked to nearly $24 over a few weeks, but currently trades around $4. Hedera (HBAR) was added on October 13 at a value of $0.065 and currently trades at $0.038. Coinbase added NEAR on September 1 at a price of $4.35, after which it enjoyed a modest jump before settling at its current value of $1.60.

Obviously, the market as a whole was on a downward trajectory throughout 2022 but Coinbase’s need to boost its lagging trading commission revenue seems to ensure further pointless token listings in future. All the while, Coinbase continues to erroneously list the BTC token as ‘Bitcoin,’ offering yet another indictment of senior management’s decision-making abilities.

Meanwhile, Coinbase management continues to display absolute confidence in the seaworthiness of its listing ship by dumping more shares. Armstrong sold off around $525,000 on December 22 while CFO Alesia Haas made a nearly $3.2 million dash for cash on December 29, bringing her total December sales to over $7.3 million. And nothing changes on New Year’s Day…

Follow CoinGeek’s Crypto Crime Cartel series, which delves into the stream of groups—from BitMEX to Binance, Bitcoin.com, Blockstream, ShapeShift, Coinbase, Ripple,
Ethereum, FTX and Tether—who have co-opted the digital asset revolution and turned the industry into a minefield for naïve (and even experienced) players in the market.

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.

[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]
[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]