Compliance & Investigations

Coinbase and the increasing regulatory activity around cryptocurrency compliance – setting the pace for Germany?

It was only August 2022 that the New York State Department of Financial Services (“DFS”) reached a USD 30 million settlement with crypto exchange Robinhood for compliance failures. Now the next settlement has been announced – this time, with Coinbase, Inc. (“Coinbase”). Coinbase agreed to a USD 100 million settlement with U.S. authorities in a case that reads like a textbook example of (inadequate) compliance with anti-money laundering rules.


Growing need for action on cryptocurrency

Cryptocurrency is particularly vulnerable to money laundering. This virtual payment system has three characteristics that put it at risk: It is (i) decentralised, (ii) pseudonymous and (iii) global. New legislation is creating an increasingly complex set of rules for crypto exchanges, financial services, and other companies that handle cryptocurrency in their business – and plans are underway for more legislative changes in the future. For example, the European Commission is moving forward with new rules against money laundering and terrorist financing, incorporating wide-ranging regulations and obligations related to cryptocurrency.

The increasing regulatory requirements are forcing the companies concerned to strengthen their anti-money laundering operations. The steadily increasing numbers of suspicious activity reports received by the German Financial Intelligence Unit (FIU) concerning irregularities in connection with cryptocurrency suggest that awareness has increased among entities obliged under the Money Laundering Act (Geldwäschegesetz, “GwG”). Following the collapse of FTX Trading Ltd. (FTX) – one of the world’s largest crypto exchanges – U.S. financial and regulatory authorities have been playing an increasingly prominent role in combating the risks that cryptocurrency poses. In doing so, U.S. authorities will likely set the pace for supervisory authorities in European jurisdictions.

For more on anti-money laundering with regard to cryptocurrency and how it may affect non-financial companies, see our article from November 2022.


From routine audit to EUR 100 million settlement

In May 2020, DFS conducted a supervisory examination of crypto exchange Coinbase, a cryptocurrency trading platform with more than 100 million customers around the world. DFS’s audit identified significant deficiencies across Coinbase’s anti-money laundering operations. DFS launched an enforcement investigation, while Coinbase invested heavily in the development of its compliance system. However, given the rapid increase in the customer base, the authorities felt that these efforts were not sufficient. In February 2022, DFS placed Coinbase under the supervision of an independent monitor to oversee and assist in the resolution of the compliance issues and implementation of future measures. This type of monitor is, in essence, similar to the special representative (Sonderbeauftragter) under German law as provided for in section 45c Banking Act (Kreditwesengesetz, “KWG”). In August 2022, the monitor issued a report finding that, despite discernible effort, certain deficiencies in Coinbase’s compliance system persisted.

On 4 January 2023, Coinbase and DFS finally reached a settlement concluding the investigation. The crypto exchange and the regulator agreed that Coinbase would pay a civil monetary penalty of USD 50 million and that the monitor would remain for at least another year. Coinbase also agreed to invest a further USD 50 million over the next two years into expanding its compliance programme in line with an investment plan to be approved by DFS. DFS states in the settlement agreement that Coinbase failed to establish and maintain an appropriate and effective anti-money laundering compliance programme that could keep up with the crypto exchange’s dramatic growth. This failure represented not only a violation of regulatory requirements, it said, but also made the platform vulnerable to serious criminal conduct. U.S. authorities believe that the crypto exchange may have been used to carry out offences such as fraud, money laundering, the distribution of child sexual abuse material, and narcotics trafficking. The reputational damage associated with these serious allegations is obvious and could even outweigh the financial losses imposed in the long term.


Know-Your-Customer/Customer Due Diligence

DFS highlighted the deficiencies in Coinbase’s Know-Your-Customer (“KYC”) and Customer Due Diligence (“CDD”) processes, in particular. It found that the KYC/CDD programmes, both as written and as implemented, were “immature” and inadequate, noting that Coinbase had treated customer onboarding requirements as a simple “check-the-box” exercise and had failed to conduct appropriate due diligence. For some customers, the entire CDD documentation had consisted of little more than a copy of a photo ID; for others, the submission of a social media profile had been accepted for required verification steps, even though that information was often clearly inaccurate or incomplete. Coinbase had frequently asked for the bare minimum of identifying documents and at times simply accepted non-responses.

DFS pointed out that such inadequate KYC and CDD measures had made it impossible for Coinbase to assign an appropriate risk rating to customers, and therefore to determine the proper amount of oversight to be exercised over them. During the course of the investigation, the backlog of customers requiring enhanced due diligence based on their risk rating grew to 14,000, but Coinbase appeared to be unable to remedy the situation due to insufficient personnel and resources. This failure to obtain and verify customer data ultimately left it exposed to an increased risk of money laundering.


Failure to deal with suspicious activity reports

DFS also found that Coinbase had failed to maintain an effective and appropriate transaction monitoring system (“TMS”) – a proven anti-money laundering instrument that monitors customers’ transactions for suspicious activity and issues an alert if necessary. Generally speaking, a TMS takes the information obtained through the KYC process and carries out a risk assessment. Although Coinbase had implemented such a system, it was already inadequate because of the deficiencies in the KYC process.

In addition, Coinbase – likely also as a result of the rapid increase in customers combined with a lack of sufficient personnel and resources – was unable to keep pace with the TMS alerts received. This led to a backlog of over 100,000 unreviewed TMS alerts. Coinbase then hired more than 1,000 (!) third-party contractors to clear the backlog within a few months – but it later turned out that almost half the alerts checked by the contractors failed to meet the quality requirements. It had also become impossible for Coinbase to investigate the suspicious activities and report them to the authorities as required. In some cases, this meant the crypto exchange only fulfilled its obligation to submit suspicious activity reports months after becoming aware of the activity concerned.


Requirements for dealing with cryptocurrency

DFS also explained what appropriate CDD measures would have looked like. Coinbase should have obtained fuller information from public databases as well as information about the rationale for the customer’s transactions, the nature of the business and the sources of the funds. Institutional customers should only have been accepted following approval by senior management. DFS refers in this respect to the relevant standards on combating money laundering in the FATF Recommendations (see “Enhanced CDD measures”, p. 70 et seq.).

These recommendations generally tally with the GwG requirements regarding customer due diligence. The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) makes reference to the following three-pronged approach to effectively combating money laundering, including cryptocurrency money laundering:

  • Effective risk management pursuant to section 4 GwG. This must cover the entire business activity of the obliged entity, take the resulting individual risks into account in a clear and transparent manner and incorporate internal security measures that are appropriate to mitigate these risks in accordance with section 6 GwG. It must also include a risk assessment according to section 5 GwG.
  • Customer due diligence in accordance with section 10 GwG, in particular identifying the contracting partner, the person acting on the contracting partner’s behalf and the beneficial owner. This includes not only collecting essential information, but also continuously monitoring the business relationship.
  • Reporting suspicious activity pursuant to section 43 GwG.

That goes to show that KYC, CDD and TMS processes serve as cornerstones of Germany’s anti-money laundering efforts for cryptocurrency, too. But it’s not enough just to implement the individual measures – the information collected and processes implemented must be combined to deliver customer onboarding that meets the legal requirements and acts as a foundation for ongoing risk-based monitoring.


Conclusion and implications for Germany

The Coinbase case shows how important it is to have appropriate (anti-money laundering) compliance systems that can deal effectively with the relevant risks and are based on three key systems: know your customer, customer due diligence and transaction monitoring. On page 14 of its current report “Risiken im Fokus der BaFin 2022”, BaFin repeatedly refers to the money laundering risks posed by cryptocurrency – something that affects not only crypto exchanges, but every business that handles cryptocurrency.

These businesses face a particular challenge: In the case of cryptocurrency, the source of the funds and the beneficial owner can be concealed. Companies must accept this challenge, however, and introduce appropriate risk-based processes, ensuring that sufficient resources are allocated where the risk profile demands it. BaFin (and possibly the European anti-money laundering authority (AMLA)) will no doubt be stepping up scrutiny of how anti-money laundering provisions are implemented in connection with cryptocurrency and taking a tougher line on punishing violations. Businesses are therefore strongly advised to invest in appropriate and effective anti-money laundering compliance systems – or risk their very existence.