The crypto exchange platform Coinbase agreed Wednesday to pay US$100 million to settle charges levied by the New York State Department of Financial Services (DFS) after it was found to have violated anti-money-laundering laws and not be up to code in managing its security protocols.
Half of that some are settlement fees and the other half self-funded investments for the company’s security features to prevent future instances of criminal exploitation.
Founded in 2012, the platform’s user base has since ballooned to over 108 million customers worldwide. Its cybersecurity and transaction monitoring capabilities, however, have not managed to keep up with the demands that come with such growth, leading to the DFS to launch an investigation in 2021 after several security concerns came to light.
The DFS report shows that, by the end of 2021, Coinbase had become overwhelmed by a “substantial backlog of unreviewed transaction monitoring alerts, exposing its platform to risk of exploitation by criminals and other bad actors.”
This backlog prevented the platform from carrying out anti-money laundering and customer due diligence protocols, as required by federal and New York state law.
“Coinbase failed to build and maintain a functional compliance program that could keep pace with its growth,” said Superintendent of Financial Services Adrienne A. Harris. “That failure exposed the Coinbase platform to potential criminal activity requiring the Department to take immediate action including the installation of an Independent Monitor.”
A prime contributor to this was the platform’s own popularity; customer sign ups in May 2021 were fifteen times January 2020 levels and monthly transactions in November 2021 were twenty-five times those recorded in January 2020, the report found.
By the end of 2021, more than 100,000 transaction monitoring alerts and over 14,000 customer enhanced due diligence flags were yet to be attended to by company personnel.
These security shortcomings had real world ramifications for the platform’s user base.
In one instance in 2021, 6,000 Coinbase users were victims of a phishing scam, wherein criminals gained authorized access to their accounts and ran off with approximately $1.5 million. Although the company reimbursed the stolen funds, it did not report the crime to DFS authorities until five months after the fact, well after the 72 hour deadline as required by law.
The problem appears endemic within the crypto trade. From January 2021 to March 2022, more than 46,000 people reported losses totalling more than $1 billion as a result of crypto scams, a figure nearly sixty times 2018 levels, according to the U.S. Federal Trade Commission.
Also in 2021, an unnamed individual defrauded a corporation of more than $150 million by transferring the funds from the corporation’s bank account to its Coinbase account, before finally transferring it off the platform without anyone being the wiser.
The crypto platform did not flag the individual’s unauthorized access to the corporation’s account until six days later, although its assistance in the subsequent investigation did lead to the recovery of the funds.
“We are always willing to acknowledge where we have fallen short and we welcome opportunities to improve our programs,” Coinbase said of its settlement with DFS authorities. “Our goal has always been and will always be to build the most trusted, compliant, and secure crypto exchange in the world.”
The crypto platform has two years from the date of the settlement to invest no less than $50 million in bringing its security and compliance protocols up to code.
“It is critical that all financial institutions safeguard their systems from bad actors, and the Department’s expectations with respect to consumer protection, cybersecurity, and anti-money laundering programs are just as stringent for cryptocurrency companies as they are for traditional financial services institutions,” Harris said.