Case Study: The REAL Reason Why Coinbase Was Fined in 2023

Published by Yana on

In January 2023, Coinbase reached a settlement agreement with the New York State Department of Financial Services and agreed to pay a $50 million fine. The settlement will also require Coinbase to invest an additional $50 million over the next two years to improve its compliance program.

All the news outlets reported that this happened due to AML deficiencies. However, when I read the settlement order, I realized this is actually not entirely true. 🙅🏻

Coinbase was fined because they created very inefficient policies and then were not able to follow their own policies. The root cause of these fines is a lot of ridiculous operational inefficiencies.

Let me break it down for you. There were 4 areas where Coinbase reportedly had deficiencies:

  • Insufficient customer onboarding,
  • Backlog with transaction monitoring alerts and inconsistencies with PEP and sanctions scanning,
  • Late suspicious activities filings, and
  • Late reporting of one security incident.

It’s a classic trap for a company that grows fast but does not take the time (or does not see a need) to take a smarter approach to its compliance and simply keeps adding tools and people to handle growing volumes.

Over time, Coinbase added and deployed a lot of tools that generated redundant alerts and duplicated checks that were not reviewed in a timely manner. Most of these alerts (likely close to 99%) were false positives anyway (which is likely why they did not prioritize this work).

These deficiencies were first discovered during the 2020 audit (covering previous years). At the time, the company was not fined but was instead given time to fix its issues. However, during 2021 and beyond, Coinbase experienced significant growth in users and volumes, so not only were the problems not fixed, they got bigger. Hence, the fine. 💰

Here are some quotes from the NYSDFS (so many classic errors, it is almost funny, even though obviously the fine is serious).

The order looks like Coinbase was not doing enough compliance checks. My argument is that Coinbase was doing WAY too many compliance checks, got overwhelmed, and missed a few important cases that they simply overlooked or discovered too late because they were focused on completely unnecessary processes.

Every deficiency in this order except for one is a result of operational backlogs, redundant and inefficient monitoring rules, and unnecessary self-imposed requirements. There is only one surprise for me – related to the usage of VPNs and TOR (I will discuss it at the end).

  • By the end of 2021, Coinbase had a backlog of unreviewed transaction monitoring alerts that grew to more than 100,000 (many of which were months old), and the backlog of customers requiring enhanced due diligence (“EDD”) exceeded 14,000…
  • Coinbase committed to completing a risk-prioritized KYC Refresh and using provided information to update risk scores for all of its trade-eligible retail customers… Coinbase has not placed restrictions on all of these historical accounts while it undertakes this re-review…
  • Coinbase hired more than one thousand third-party contractors to “burn through” the remainder of the backlog… The quality control process was not always performed by the contractor organizations to the standards that Coinbase provided, and initially, Coinbase did not have a system in place to audit the quality…
  • Quality Assurance reviews revealed that there were serious quality issues with the work of certain outside contractors… the third-party audit firm reported to Coinbase that … more than half failed the quality check. For one contractor, the failure rate was 96% in a sample of 186 alerts…
  • [SURPRISE] OFAC maintains geographical sanctions against broad sectors of the economies of certain nations such as Iran, Cuba, Syria, Russia, and North Korea. Such prohibitions necessarily require a company like Coinbase to understand where its users are physically located. Coinbase allows its users to access its sites using VPNs or TOR. Both methods allow a user to appear to be located in a jurisdiction other than that of the user’s actual, physical location… Coinbase has never promulgated a risk-based policy (for instance, instituting a rule that the use of such tools raises the level of risk from medium to high, or from low to medium) for those users it detects using such tools. Instead, Coinbase allows its investigators to consider such activity as a factor in investigations.

The problem with this story is not that the company actually missed some suspicious activities (it is not surprising and happens to everyone), but rather that these alerts were likely completely unnecessary, duplicates, and false positives. 

For example, if your volumes grow significantly and you have an automated rule that says “flag every transaction that is 2x bigger than the previous transaction of this customer and all transactions above $10,000”, you will have a ton of alerts that mean absolutely nothing. There is no law that actually requires the company to implement such rules. However, once you have decided to implement them, you cannot ignore the alerts. This is how you shoot yourself in the foot. 🔫

The actual solution, in this case, would be to review the rules triggering the alerts, analyze which rules result in only false positives and which rules actually detect suspicious behavior, and then change the rules.
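The rule review described above can be run as a measurement over past alerts and their dispositions. The following is an added example, not code from the settlement order, Coinbase or this post's author: the transactions and dispositions are constructed, and `rule_repeat_near_threshold` is a hypothetical third rule included only for contrast with the two rules quoted above.

```python
from collections import defaultdict

# Constructed sample: (txn_id, customer, amount_usd, confirmed_suspicious).
# The last field stands in for the investigator's final disposition.
TXNS = [
    (1, "a", 100, False), (2, "a", 250, False), (3, "a", 600, False),
    (4, "b", 12000, False), (5, "b", 15000, False), (6, "b", 11000, False),
    (7, "c", 9500, False), (8, "c", 9800, True), (9, "c", 9900, True),
    (10, "d", 20000, False), (11, "d", 18000, False), (12, "d", 30000, True),
]

def rule_double_previous(history, amount):
    # "2x bigger than the previous transaction of this customer"
    return bool(history) and amount > 2 * history[-1]

def rule_over_10k(history, amount):
    # "all transactions above $10,000"
    return amount > 10_000

def rule_repeat_near_threshold(history, amount):
    # Hypothetical rule: repeated amounts just under the 10,000 line.
    near = lambda x: 9_000 <= x <= 10_000
    return near(amount) and any(near(h) for h in history)

RULES = {
    "double_previous": rule_double_previous,
    "over_10k": rule_over_10k,
    "repeat_near_threshold": rule_repeat_near_threshold,
}

def evaluate(txns, rules):
    """Replay transactions in order and score each rule against dispositions."""
    history = defaultdict(list)
    stats = {name: {"alerts": 0, "true_positives": 0} for name in rules}
    for _txn_id, customer, amount, suspicious in txns:
        for name, rule in rules.items():
            if rule(history[customer], amount):
                stats[name]["alerts"] += 1
                stats[name]["true_positives"] += int(suspicious)
        history[customer].append(amount)
    for s in stats.values():
        s["precision"] = s["true_positives"] / s["alerts"] if s["alerts"] else None
    return stats

def only_false_positives(stats):
    """Rules that fired but never led to a confirmed case: first to review."""
    return sorted(n for n, s in stats.items()
                  if s["alerts"] and s["true_positives"] == 0)

if __name__ == "__main__":
    for name, s in evaluate(TXNS, RULES).items():
        print(name, s)
```

On this sample the 2x rule fires twice and confirms nothing, the $10,000 rule fires six times for one confirmed case, and the narrower rule fires twice with both alerts confirmed. A rule with low precision that still produces the only alert on a confirmed case is a candidate for tightening rather than removal.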

The real problem is that changing the rules or your previous policy approach requires judgment and critical thinking. It requires some risk-taking and justification. It may feel uncomfortable, especially for the traditional ex-banking compliance people. It feels “safer” to conclude that compliance needs more people to manually work on all the alerts and dismiss each of them “to be sure”.  

The same problem happens with the decision of where to assign enhanced due diligence checks and to what extent. There is normally no specific law that says which customers are risky enough to require EDD (other than in cases of PEPs) and how extensive these EDD checks should be. The more customers you have in the risky category, the more likely it is that some of the verification steps will have human errors.

Very often traditional compliance professionals define “high-risk accounts” very broadly (for example, based on higher volumes of customers, or categorizing some of the industries or countries as risky even when it is not strictly necessary). If you happen to define your policy in such a way that every customer who has an initial deposit of more than 10,000 USD is risky, you will have a lot of EDD cases to do.

Another common mistake many companies make is not downgrading the risks of customers after they have established a good track record with you over many years.

Long story short: Coinbase established onboarding and monitoring rules that were so broad and inefficient that it was not able to follow its own processes. The NYSDFS found a handful of suspicious cases that were overlooked by Coinbase or not detected in a timely manner, which is completely normal for such a huge volume.

It does not mean that Coinbase is unsafe or fostering terrorists and helping money launderers – far from that. It just appears to me that their compliance leadership is too conservative, not familiar with statistical and numerical analysis for the purposes of doing risk assessments, does not know how to set up a risk-based approach in a scalable way, and is not in favor of automation. This is a classic example of why “just in case” compliance will never work in FinTech and “just in time” compliance is the only way to build a scalable and defendable compliance program.

Now, let’s talk about VPN and TOR. The NY regulator argued that allowing customers to use these tools must require some compensating controls to ensure that the customer does not come from a sanctioned country. Typically, establishing the location of the user is very easy to address, for example, by requiring a phone verification or an address verification or analyzing where their fiat funds are coming from or going to (the fiat account would have a clear geographic attribute to it).

My guess is that this issue was not particularly important compared to other deficiencies. Most likely, Coinbase mentioned somewhere in their policies that using VPN and TOR could be a risk indicator, but was not specific enough about their alternative methods of establishing the location of the user. If this were the only issue, it is highly unlikely that it would trigger any fines at all, because it could be fixed by simple clarifications in the operational procedures.
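A written rule of the kind the order says was missing can be small: raise the risk tier one step when an anonymizing tool is detected, unless independent location signals corroborate each other. The sketch below is an added example, not Coinbase's policy or code from the order; the signal names, the two-signal threshold and the action labels are assumptions.

```python
# Jurisdictions named in the quoted order, as ISO 3166-1 alpha-2 codes.
# Assumption: a real list comes from the firm's own sanctions policy.
RESTRICTED = {"IR", "CU", "SY", "RU", "KP"}
TIERS = ["low", "medium", "high"]

def assess(base_tier, uses_anonymizer, signals, min_corroborating=2):
    """Return the tier and action for one customer.

    signals maps a hypothetical source name ("phone", "address",
    "fiat_account") to a country code, or None when not collected.
    """
    known = {src: cc for src, cc in signals.items() if cc}

    # Any independent signal pointing at a restricted jurisdiction wins,
    # whether or not a VPN or TOR was detected.
    hits = sorted(src for src, cc in known.items() if cc in RESTRICTED)
    if hits:
        return {"tier": "high", "action": "escalate", "sources": hits}

    # Location counts as corroborated only if enough signals exist
    # and they all agree on one country.
    agree = len(set(known.values())) == 1
    corroborated = len(known) >= min_corroborating and agree

    if uses_anonymizer and not corroborated:
        # low -> medium, medium -> high; high stays high.
        step = min(TIERS.index(base_tier) + 1, len(TIERS) - 1)
        return {"tier": TIERS[step], "action": "request_verification",
                "sources": sorted(known)}

    return {"tier": base_tier, "action": "none", "sources": sorted(known)}

if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(assess("low", True, {"phone": "DE", "address": None}))
    print(assess("low", True, {"phone": "DE", "fiat_account": "DE"}))
```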

Any questions? 

Obviously, if your company is undergoing an audit and is facing similar challenges, please don’t hesitate to reach out to me – there are many ways to mitigate the risk of fines or implement an effective and lasting remediation plan before it’s too late.
