The New York Department of Financial Services entered a consent order on January 4, 2023, requiring a large cryptocurrency trading platform to immediately pay a $50 million civil monetary penalty and invest another $50 million on its own compliance improvements over the next 24 months. The DFS found the company violated the Anti-Money Laundering Act, Bank Secrecy Act and New York banking laws as a result of deficiencies in its compliance functions including its Know-Your-Customer/Customer Due Diligence procedures, Transaction Monitoring System, OFAC screening program, and Anti-Money Laundering risk assessments.
The DFS had previously identified these deficiencies in 2020, and the cryptocurrency trading platform agreed to remedial efforts at that time. Nonetheless, the company’s compliance systems could not keep up with the “dramatic and unexpected” growth of its business in 2020 and 2021. By the end of that year, it was overwhelmed with a substantial backlog of more than 100,000 unreviewed transaction monitoring alerts (many of which were months old) and more than 14,000 customers requiring enhanced due diligence. These backlogs left the platform vulnerable to criminals and other bad actors.
For example, because the platform failed to implement adequate KYC/CDD policies and procedures, one customer fraudulently claiming to be a corporate employee was able to transfer $150 million from the corporate bank account to the platform, convert the money into cryptocurrency, and then transfer the cryptocurrency off the platform. Additionally, the DFS has identified transactions on the platform that should have been stopped and reported to authorities for possible money laundering, suspected child sexual abuse material-related activity, and potential narcotics trafficking; but because the Transaction Monitoring System was inadequate, these transactions were not prevented nor reported.
Upon entering the consent order, DFS Superintendent Adrienne A. Harris said, “It is critical that all financial institutions safeguard their systems from bad actors, and the Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions.”