Lessons From Coinbase’s Compliance Flop

Another week, another scandal in the cryptocurrency world that offers lessons in corporate compliance for the rest of us. This time around the culprit is trading platform Coinbase, which just agreed to pay $50 million to New York state regulators and to spend another $50 million over the next two years to improve  its compliance program. 

The New York Department of Financial Services announced the settlement Wednesday afternoon, painting a picture of money-laundering risks and customer due diligence needs that far exceeded what Coinbase’s compliance program could manage. The company failed to perform customer due diligence in a timely manner, couldn’t clear backlogs of suspicious transactions, failed to report cybersecurity breaches by legally required deadlines. You get the picture.

“[The] Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions,” Adrienne Harris, head of the New York Department of Financial Services, said in a statement. “Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth.” 

For its part, Coinbase put out a statement calling the settlement “a critical step in our commitment to continuous improvement” and then listed numerous investments the company has made in its compliance program over the last two years.

That’s the interesting part here: that Coinbase did make efforts to strengthen its compliance program — but even as the company took those steps, surging customer growth left its compliance capabilities falling further and further behind anyway. So what began as a routine DFS regulatory examination soon turned into an enforcement investigation, and here we are.

Of course, a company failing to invest in its compliance program to keep pace with rapid growth is nothing new. Still, the ways in which Coinbase failed to invest can be instructive for other financial firms. So let’s take a look. 

How Coinbase Fell Behind

As described in the settlement order, DFS regulatory examiners first visited Coinbase in 2020 for a standard supervisory examination that covered 2018 and 2019 activity. That exam found “significant deficiencies” in Coinbase’s customer due diligence, anti-money laundering, and transaction monitoring programs. Coinbase quickly agreed to hire an independent consultant to help rectify its compliance shortcomings.

DFS then launched an enforcement investigation in 2021— and during the course of that investigation, “the compliance situation inside Coinbase reached a critical stage.” The company had a backlog of more than 100,000 transaction monitoring alerts that hadn’t been reviewed, and more than 14,000 customers awaiting enhanced due diligence. 

In early 2022 DFS assigned a compliance monitor to Coinbase; by August of last year, that monitor issued a report that although Coinbase had made some progress in remediating its compliance issues, “certain deficiencies persisted.” Coinbase is still working to implement its improvement plan to this day. 

Coinbase’s most significant problem, according to DFS, has been its “immature and inadequate” customer due diligence program. Most of the time, Coinbase compliance employees did the bare minimum to collect and verify data from its customers. Specific examples:

• Coinbase’s customer due diligence file from its retail customers historically consisted of little more than a copy of a photo ID.
• Routine customer due diligence processes relied on customers’ self-reported social media profiles while overlooking information that was, on its face, clearly inaccurate, or incomplete.
• When compliance analysts did perform enhanced due diligence, “they often asked for the bare minimum of identifying documents, conducted only a cursory review of the material provided, and at times accepted responses that were either non- or partially responsive.”

OK, that’s bad. So what should an enhanced due diligence program look like? DFS had some thoughts about that, too: 

• More fulsome information from public databases and internet searches; 
• Information about the nature of the customer’s business and sources of funds; 
• The rationale for the customer’s transactions; and 
• Approval from senior management of an institutional customer. 

All that supplemental information should then be tied to a strong approval process, documenting the rationale for accepting the account, updating customer information more frequently, and monitoring the customer’s transactions more closely. 

That’s a lot of effort. It requires a blend of data collection (ideally automated, but not always), human analysis, and thoughtfully designed approval processes. Then you still need procedures and technology to monitor customer transactions after the onboarding is done. 

Now imagine doing all that circa 2020-21, when the crypto sector was growing like weeds.

Challenges in Keeping Pace

Let’s return to that huge backlog of suspicious transactions and enhanced due diligence work. Coinbase did try to catch up with that work — but the company encountered numerous challenges there, too, in its oversight of that hurry-up effort to burn through the backlog. So what lessons can the rest of us learn here? 

Coinbase first promised DFS in late 2021 that it would clear its transaction monitoring backlog by February 2022. The company then hired more than 1,000 third-party contractors to review the backlog, and at first that strategy seemed to be working; by April 2022, Coinbase reported to DFS that its transaction backlog had been resolved. 

Except, Coinbase didn’t exercise enough oversight and quality control over the contractors it had hired, and “a substantial portion of the alerts reviewed by third parties was rife with errors,” as DFS phrased it. So Coinbase had to hire an audit firm to review the contractors’ work. That audit firm found that three specific contractors “cleared” some 73,000 suspicious transaction alerts — when in reality, more than half of the reviews performed by those three individuals failed the audit firm’s quality check.

You see the picture here. Coinbase came up with an idea that always sounds great when you say it — “Hey, let’s just hire a bunch of off-site, low-cost contractors!” — but is far more complicated to manage when you actually do it. 

Before throwing manpower at a compliance program, you first need to build a solid foundation of clearly defined procedures, ideally supported by effective and efficient technology. That foundation is what lets you scale up rapidly and put those legions of low-cost contractors to good use. When you just throw manpower at a problem without systems of quality control and oversight already in place, the contractors make mistakes. Lots of them. 

Moreover, that failure to manage the compliance program wisely can bring real harm to the company’s legal liability, because you’re letting bad actors get away with doing bad things — which is precisely what leaves regulators seeing red and drawing up plans for monetary penalties. 

You can see that in the DFS complaint against Coinbase. Because of the company’s sloppy customer due diligence, it didn’t catch that one of its customers was a known child pornographer; that customer then engaged in suspicious transactions for more than two years on Coinbase’s trading platform. Other transactions that Coinbase didn’t investigate properly were later connected to drug deals and money laundering.

If you manage your compliance program poorly, the net meant to catch bad actors becomes a sieve that lets them get away with crime. Then your problems become much worse. Again, this is exactly what happened with Coinbase: matters went from a standard regulatory examination of its compliance program, to an enforcement investigation of actual violations. 

That’s an argument FCPA compliance professionals have been making for years. It’s just as true in the crypto world.