New York Whacks Crypto Firm on Compliance

Financial regulators in New York have fined cryptocurrency services firm Paxos $26.5 million for years of weak anti-money laundering compliance, and also ordered the firm to spend at least $22 million over the next three years on compliance program operations. 

The New York Department of Financial Services (DFS) announced the enforcement action Thursday, faulting Paxos for questionable dealings with crypto trading giant Binance (which itself pleaded guilty to federal criminal charges in 2023) and for operating a weak compliance program overall. Those weaknesses included poor customer due diligence, poor transaction monitoring, and lax investigation policies.

“Regulated entities must maintain appropriate risk management frameworks that correspond to their business risks, which includes relationships with business partners and third-party vendors,” DFS superintendent Adrienne Harris said in a prepared statement. “The Department continues taking significant steps to ensure accountability, in turn protecting consumers and safeguarding the integrity of the financial system.”

The good news is that Paxos started to beef up its compliance program circa 2023 and did cooperate with DFS in the agency’s investigation. For its part, Paxos stressed in a press release that “the compliance issues discussed are historical issues that were identified over two and a half years ago, and have since been fully remediated.”

That said, crypto is still an emerging industry. Plenty of crypto firms behaved for years like they lived on Libertarian Island, where rules were meant to be ignored and the firms did so with zeal. Plus, anti-money laundering compliance is a challenge for lots of other financial firms no matter what their crypto exposure is. So let’s look at the settlement and see what the rest of the crypto and AML compliance communities can learn. 

The Binance Failures

As outlined in the consent decree between Paxos and DFS, much of the misconduct here arose from Paxos’ dealings with Binance in the late 2010s. At the time, Binance was (and still is) the largest cryptocurrency trading platform in the world — but Binance was also notorious for allowing questionable customers onto its platform, and from 2019 onward wasn’t even allowed to do business with U.S. persons. 

Paxos still wanted a trading relationship with Binance so that Paxos customers could trade their crypto holdings through the Binance platform, which meant that Paxos had to perform due diligence on Binance and the supposed compliance program Binance operated. This is where the wheels started to come off.

In mid-2019, Paxos did ask Binance to provide assurances that Binance had imposed geofencing controls to keep U.S. customers away from unregulated trading platforms. Binance’s then-chief compliance officer, Samuel Lim, responded, “[w]ith confidence, I can say the policies and procedures are already in effect” and later reiterated that Binance.com was “completely restricting U.S. persons.” 

As DFS said, “Paxos accepted Binance at its word and did not undertake an independent review of Binance’s assertions or request supporting documentation beyond the initial review it had conducted on Binance.”

Except, of course, Binance was a total compliance disaster, flouting pretty much every financial regulation on Earth and possibly a few on Mars. Lim was steeped in said misconduct up to his eyeballs, and eventually settled personal charges with the Commodity Futures Trading Commission with a $1.5 million fine and a permanent bar from working in the industry again.

It gets worse. In 2019 DFS examiners asked Paxos for information about Binance’s compliance program. Paxos then drafted a letter for Binance to send directly to DFS. The letter said that Binance did use geofencing software to block U.S. persons from accessing the platform; and even if customers used tricks like a virtual private network to evade those geofencing controls, Binance had manual customer onboarding controls as a backup to block those U.S. persons anyway. Lim, Binance’s then-CCO, signed the letter and sent it on to DFS.

The problem: Paxos never actually verified any of those claims. Perhaps if the firm did, it would have noticed that even while Binance was promising that it had multiple controls to block U.S. persons from its platform, Binance had a tutorial on its website for how to use virtual private networks to avoid geofencing controls. 

By 2020, Paxos signed a letter with DFS promising to make more frequent and thorough due diligence reviews of its exposure to illicit activity on Binance. A follow-up examination in 2022, however, declared that Paxos “failed to demonstrate that it had the appropriate controls in place to effectively monitor for significant illicit activity” or to pass red flags up the chain of command to senior management. 

Broader AML Compliance Failures

DFS sanctioned Paxos for more general compliance program failures too. Among the issues flagged:

First, the compliance team used a centralized software tool to review its customer information, including KYC and transactional activity, and to assign customer risk ratings. But the tool did not include automated alerts to indicate potentially risky shared customer attributes, nor did it provide frontline search capabilities during the onboarding process. That allowed customers who shared addresses, corporate documents, beneficial owners, and the like to open multiple accounts and remain undetected.
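To make the gap concrete, here is an added example (not Paxos’ tool, nor anything DFS published) of the kind of frontline check the order says was missing: at onboarding, normalize the applicant’s address, corporate document number and beneficial owner, look each one up against existing customers, and raise an alert on any match. The record fields, the list of attributes worth matching and the sample customer book are constructed for illustration.

```python
"""Shared-attribute screening for customer onboarding.

Added example, not Paxos's or DFS's tooling. It alerts when a new
applicant shares an address, corporate document number or beneficial
owner with an existing customer, and can also run in batch to find
clusters of existing accounts that already share those attributes.
Field names and sample data are constructed assumptions.
"""
from collections import defaultdict
import re

# Attributes whose reuse across accounts is worth an alert (assumed list).
SHARED_ATTRIBUTES = ("address", "corporate_doc_id", "beneficial_owner")


def normalize(value: str) -> str:
    """Canonicalise a free-text attribute so trivial variations still match."""
    value = value.lower().strip()
    value = re.sub(r"[.,#]", "", value)   # drop punctuation
    value = re.sub(r"\s+", " ", value)     # collapse whitespace
    return value


def build_index(customers):
    """Map (attribute, normalised value) -> set of customer ids."""
    index = defaultdict(set)
    for cust in customers:
        for attr in SHARED_ATTRIBUTES:
            raw = cust.get(attr)
            if raw:
                index[(attr, normalize(raw))].add(cust["id"])
    return index


def screen_applicant(applicant, index):
    """Return one alert per attribute the applicant shares with existing customers."""
    alerts = []
    for attr in SHARED_ATTRIBUTES:
        raw = applicant.get(attr)
        if not raw:
            continue
        matches = index.get((attr, normalize(raw)), set()) - {applicant.get("id")}
        if matches:
            alerts.append({"attribute": attr, "value": raw, "matches": sorted(matches)})
    return alerts


def find_clusters(customers):
    """Batch view: attributes already shared by two or more existing accounts."""
    index = build_index(customers)
    return {key: sorted(ids) for key, ids in index.items() if len(ids) > 1}


# Constructed sample book of existing customers.
CUSTOMERS = [
    {"id": "C001", "address": "12 Harbour St., Suite 4, Valletta",
     "corporate_doc_id": "REG-88120", "beneficial_owner": "A. Example"},
    {"id": "C002", "address": "99 Main Road, Douglas",
     "corporate_doc_id": "REG-10433", "beneficial_owner": "B. Sample"},
    {"id": "C003", "address": "12 harbour st suite 4 valletta",
     "corporate_doc_id": "REG-55501", "beneficial_owner": "A. Example"},
]

if __name__ == "__main__":
    idx = build_index(CUSTOMERS)
    applicant = {"id": "C004", "address": "12 Harbour St, Suite 4, Valletta",
                 "corporate_doc_id": "REG-10433", "beneficial_owner": "C. Fresh"}
    for alert in screen_applicant(applicant, idx):
        print(f"ALERT {alert['attribute']}={alert['value']!r} also on {alert['matches']}")
    print(find_clusters(CUSTOMERS))
```

The point of the normalisation step is that a duplicate account rarely reuses an attribute byte-for-byte; punctuation and case differences are enough to defeat an exact-match lookup, which is why a frontline search needs canonical keys. The batch `find_clusters` view is the retrospective counterpart: run over the existing book, it surfaces the accounts that should already have been linked.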

Second, the company’s transaction monitoring program was fair at best, bogged down in manual processes that made it difficult to monitor withdrawals in real time. That weakness allowed customers to engage in various structured transactions meant to avoid AML risk triggers (such as breaking up one large transaction into several smaller ones). Even by 2022, DFS said, Paxos “was still failing to appropriately tune these systems to the relevant AML risks by performing assessments on the business rules and scenarios employed by the systems.”
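The structuring pattern described above is exactly what a real-time withdrawal rule is meant to catch. As an added example (not Paxos’ monitoring system, nor anything from the DFS order), the detector below keeps a rolling window of sub-threshold withdrawals per customer and alerts when enough of them add up to the threshold. The threshold, the window length, the minimum count and the sample transactions are constructed assumptions; the second part of the test shows why the “tuning” DFS mentions matters, since a badly chosen window silently stops the rule from firing.

```python
"""Streaming structuring detector for withdrawals.

Added example, not Paxos's or DFS's code. It flags a customer whose
withdrawals each stay under a reporting threshold but whose total within
a rolling window crosses it. Threshold, window, minimum count and sample
transactions are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10_000.0           # assumed single-transaction reporting threshold
WINDOW = timedelta(hours=24)   # assumed rolling window
MIN_COUNT = 3                  # assumed minimum number of sub-threshold withdrawals


class StructuringDetector:
    """Keeps a per-customer rolling window of sub-threshold withdrawals."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, min_count=MIN_COUNT):
        self.threshold = threshold
        self.window = window
        self.min_count = min_count
        self._recent = defaultdict(deque)   # customer -> deque of (ts, amount)

    def process(self, tx):
        """Feed one withdrawal; return an alert dict or None.

        tx is {"customer": str, "ts": datetime, "amount": float}.
        Transactions are assumed to arrive in time order.
        """
        cust, ts, amount = tx["customer"], tx["ts"], tx["amount"]
        if amount >= self.threshold:
            return None   # at or above threshold: the ordinary reporting rule handles it

        window = self._recent[cust]
        window.append((ts, amount))
        # Expire anything older than the rolling window.
        while window and ts - window[0][0] > self.window:
            window.popleft()

        total = sum(a for _, a in window)
        if len(window) >= self.min_count and total >= self.threshold:
            return {
                "customer": cust,
                "count": len(window),
                "total": round(total, 2),
                "first": window[0][0],
                "last": ts,
            }
        return None


def run(transactions, **params):
    """Run the detector over a batch (sorted by time) and collect alerts."""
    det = StructuringDetector(**params)
    alerts = []
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        alert = det.process(tx)
        if alert:
            alerts.append(alert)
    return alerts


def _t(hour, minute=0):
    return datetime(2022, 3, 1, hour, minute)


# Constructed sample withdrawals: C100 splits about $12k into four pieces
# over a few hours; C200 makes one ordinary withdrawal.
SAMPLE = [
    {"customer": "C100", "ts": _t(9, 5),   "amount": 3_200.0},
    {"customer": "C200", "ts": _t(9, 30),  "amount": 4_500.0},
    {"customer": "C100", "ts": _t(10, 40), "amount": 2_900.0},
    {"customer": "C100", "ts": _t(12, 15), "amount": 3_100.0},
    {"customer": "C100", "ts": _t(13, 0),  "amount": 2_800.0},
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Because the detector holds only the recent window per customer, it can sit inline on the withdrawal path rather than waiting for a nightly batch, which is the difference between blocking a pattern as it forms and reading about it later. Shrinking the window to two hours makes the same four withdrawals look innocent, which is the kind of assessment of “business rules and scenarios” DFS said was still missing.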

And third, Paxos had a flawed investigations policy. For example, prior to 2022, the formal investigations policy didn’t require an investigation upon receipt of a law enforcement request; the decision on whether to launch an investigation was instead left to the discretion of the investigator. As late as 2021, investigation procedures didn’t include any minimum requirements for performing and documenting investigative research and due diligence. 

Paxos Compliance Promises

Since 2023, Paxos has upgraded its AML compliance capabilities considerably. Still, DFS is holding Paxos to that commitment. This week’s settlement requires Paxos to spend…

  • $6.25 million on compliance in 2025 (the company has already spent $3.1 million of that);
  • $7.25 million in 2026;
  • $8.5 million in 2027.

Paxos must also submit progress reports to DFS every six months for the next three years documenting the company’s work to maintain and improve its compliance program. Those reports will include a detailed discussion of Paxos’ customer due diligence, AML compliance, suspicious activity reporting, and compliance program management efforts.