Superintendent of Financial Services Adrienne A. Harris announced today that Coinbase, Inc. will pay a $50 million penalty to New York State for significant failures in its compliance program that violated the New York Banking Law and the New York State Department of Financial Services’ (DFS) virtual currency, money transmitter, transaction monitoring, and cybersecurity regulations.

These failures made the Coinbase platform vulnerable to serious criminal conduct, including, among other things, examples of fraud, possible money laundering, suspected child sexual abuse material-related activity, and potential narcotics trafficking.

In addition to the penalty, Coinbase has agreed to invest an additional $50 million in its compliance function over the next two years to remediate the issues and to enhance its compliance program pursuant to a plan approved by DFS.

Coinbase has been licensed by the Department to conduct a virtual currency business and money transmitting business in the State of New York since 2017. Following an examination and subsequent enforcement investigation, the Department found that Coinbase’s Bank Secrecy Act/Anti-Money Laundering program — including its Know Your Customer/Customer Due Diligence (“KYC/CDD”), Transaction Monitoring System (“TMS”), suspicious activity reporting, and sanctions compliance systems — were inadequate for a financial services provider of Coinbase’s size and complexity.

During much of the relevant period, Coinbase’s KYC/CDD program, both as written and as implemented, was immature and inadequate. Coinbase treated customer onboarding requirements as a simple check-the-box exercise and failed to conduct appropriate due diligence.

Coinbase was unable to keep pace with the growth in the volume of alerts generated by its TMS. By late 2021, Coinbase’s failure to keep pace with its alerts resulted in a significant and growing backlog of over 100,000 unreviewed transaction monitoring alerts.

One consequence of Coinbase’s failed TMS was that as uninvestigated TMS alerts languished for months in the backlog, Coinbase routinely failed to timely investigate and report suspicious activity as required by law. The Department’s investigation found numerous examples of SARs filed months after the suspicious activity was first known to Coinbase.

In light of the state of Coinbase’s compliance system, in early 2022, during the course of the investigation, the Department took the extraordinary step of installing an Independent Monitor to immediately evaluate the situation and begin working with Coinbase to fix the outstanding issues. Under the terms of the Consent Order, the Independent Monitor will continue to work with Coinbase for an additional year, extendable at the Department’s sole discretion.

In direct response to the Department’s findings and swift action, Coinbase has begun to remediate many of the referenced issues and to build a more effective and robust compliance program under the supervision of DFS and the DFS-appointed Independent Monitor.