Cyber, AML Lessons From a Crypto Flop
New York financial regulators have served up another case study in poor cybersecurity, transaction monitoring, and anti-money laundering compliance, courtesy of an enforcement action against a bankrupt cryptocurrency platform found to be deficient in all three.
The state’s Department of Financial Services announced the sanction against Genesis Global Trading last Friday, fining the company $8 million for violating DFS regulations known as the Cybersecurity Rule and the Virtual Currency Rule. (Genesis Global Trading is a subsidiary of Genesis Global Holdco, which filed for bankruptcy last year; Genesis Global Trading has been winding down its operations since September.)
Sure, most compliance officers don’t work in the crypto industry, but the case does offer numerous examples of weak compliance practices around cybersecurity, transaction monitoring, and customer due diligence. Those issues can flummox many more than people in the crypto crowd, and the need to do better at them is going nowhere but up. So there’s much worth studying here no matter what your industry.
As described in the NY-DFS settlement order, the compliance practices in question came to light first during DFS examinations in 2018 and again in 2022. The tale is as old as time itself: Genesis Global’s business had grown significantly during that period, but “little effort or resources had been directed to addressing the deficiencies identified in the first exam,” DFS said. Sigh.
We can start with a close look at the AML violations.
Failures in AML Compliance
Under the DFS Virtual Currency Rule, any firm dabbling in crypto must maintain an anti-money laundering compliance program based on an enterprise-wide risk assessment.
Except, Genesis didn’t conduct a firm-wide risk assessment of its products, services, customers, and lines of business until mid-2022, so it didn’t have sufficient controls in place to address “the high inherent risks certain products and services posed to [Genesis] and its customers,” as DFS diplomatically phrased it. Even worse, when Genesis did finally perform that risk assessment in 2022, most of the firm’s mitigating controls were classified as weak or marginal.
Genesis had other failures beyond the risk assessment, too. For example, the first DFS exam in 2018 found that Genesis’ transaction monitoring process (to identify suspicious transactions) wasn’t documented in the company’s AML policies and procedures. Nor did the AML procedures detail the enhanced due diligence reviews that were being conducted for high-risk customers and accounts.
The situation had somewhat improved by the second DFS exam in 2022, but DFS examiners still found that Genesis’ AML policies and procedures were “generic and contained significant gaps” — a finding first flagged in 2018, and still lingering as a shortcoming four years later.
DFS also faulted Genesis for designating an AML compliance officer (yay!) but only making that appointment in an informal email (boo), and prior to 2022 “there was no evidence that the appointed individual had sufficient authority or resources to administer an effective AML compliance program” based on the company’s risk profile.
I’m struck by a few things here.
First, yet again we see regulators talking about the importance of policies and procedures that are specific to your company’s operations and risks; generic policies simply don’t cut it. The Securities and Exchange Commission has warned about using generic policies in relation to customer identity theft, other regulators have raised similar concerns for years, and now DFS is saying the same about AML compliance. Written policies and procedures, specific to your company and its own internal operations, are crucial.
Second, however, let’s consider how policies and procedures, an empowered AML compliance officer, and rapid growth all tie together.
Crafting effective policies and procedures can be hard work — especially when the company is in a high-growth period, such as the go-go virtual currency boom of 2018-22. Rapid growth requires more investment in compliance. That costs money, and other employees might not embrace the changes to their daily routines. Only a strong compliance officer, with clear autonomy and support from senior management, can make that happen.
Ain’t it funny how that point keeps cropping up.
Failures in Cybersecurity
NY-DFS also faulted Genesis for numerous failures in its cybersecurity program. These are worth a close look because the DFS Cybersecurity Rule requires companies to do specific things. In contrast, the SEC’s new cybersecurity disclosure rule only requires you to disclose certain facts to investors, without much regard for the mechanics of your cybersecurity program. DFS gets into those mechanics.
Again, DFS faulted Genesis for policy shortcomings first uncovered in the 2018 exam that hadn’t been fixed by the 2022 exam. For example, Genesis’ policies didn’t address asset inventory and device management; nor did they include the mandatory step that financial firms need to report cyber events to DFS within 72 hours.
DFS also flagged Genesis’ business continuity plans in 2018 for an inadequate business impact analysis, which is a fundamental pillar of any business continuity program. The situation was somewhat better by 2022, but employees still weren’t sufficiently trained on their roles during a continuity crisis and the plans didn’t undergo annual testing.
Perhaps most interesting, however, was that DFS faulted Genesis for incomplete data classification policies — which is a big deal, because if you aren’t classifying your data correctly, then your other efforts for access control, encryption, and data disposal suddenly get a lot more rickety. (Little surprise, then, that DFS also flagged Genesis’ data disposal policies as weak, too.)
So yet again we’re reminded that in the modern, digitally transformed world, your ability to identify and classify data within your enterprise is crucial for compliance and risk management.
Plus one final deficiency: poor board oversight of cybersecurity. For example, DFS said, none of the meeting minutes for Genesis’ board contain reference to annual reporting by the CISO on the status of the cybersecurity program. Genesis even admitted to DFS that until the company hired a new CISO in November 2022, “no annual cybersecurity reports were developed, let alone presented to the board of directors or the department.”
So we have a board not engaged with cybersecurity, and shortcomings in the cybersecurity program allowed to linger for years. Another tale as old as time itself.