An Independent Review of Coinbase’s AML Process Could Have Saved Them $100 Million

At a glance

• The main takeaway: As Coinbase became the world’s largest cryptocurrency platform, the company neglected to prioritize Bank Secrecy Act/anti-money laundering (AML) compliance, resulting in $100 million in fines and remedial efforts.
• Impact on your business: Use Coinbase’s mistakes as an opportunity to examine your BSA/AML program and make sure you have the best-possible processes to mitigate compliance risk and accommodate the growth of your organization.
• Next steps: Aprio’s Forensic Services Team can help you assess your BSA/AML program and accounting needs.

Schedule a consultation with Aprio today

The full story:

Despite being the largest cryptocurrency exchange in the world, Coinbase could not scale its compliance functions to successfully monitor the transactions of its over 100 million users. 

Over a period of five years, flagged transaction monitoring alerts and other compliance failures rapidly accumulated on the Coinbase platform. The company has taken remedial steps to review a backlog of over 100,000 transaction monitoring alerts, and those efforts are still underway. 

In the meantime, it is worth analyzing what the company could have done to prevent this debacle — such as conducting an independent AML assessment, which could have triggered a different and more positive outcome. 

A recap of Coinbase’s compliance missteps

The New York State Department of Financial Services (the Department) initially conducted an examination of Coinbase for the period starting July 1, 2018, through December 31, 2019; the examination culminated with a report transmitted to Coinbase’s leadership in September 2020. The Department identified numerous deficiencies across Coinbase’s compliance program, including but not limited to the following areas:

• Lack of know-your-customer/customer due diligence/enhanced due diligence (KYC/CDD/EDD) procedures
• Failure to maintain transaction monitoring system (TMS) and Office of Foreign Assets Control (OFAC) screening programs
• Failure to conduct annual AML risk assessments and validation review of the TMS system
• Failure to properly retain books and records
• Failure to investigate and/or report suspicious activity in a timely manner 

In response to these findings, Coinbase agreed to hire an independent consultant and adopted the Department’s remediation plan. However, as of late 2021, the backlog of TMS alerts grew to more than 100,000 cases, and the cases that required enhanced due diligence exceeded 14,000. Coinbase lacked the personnel and proper case management system to handle these alerts, so the organization hired approximately 1,100 contractors to review the backlog of cases. 

Unfortunately, this only exacerbated Coinbase’s compliance failures because contractors were not adequately trained to review cases, and there was no quality assurance (QA) process in place to review their work. As of May 2022, an audit firm revealed that 73,000 cleared alerts had a failure rate over 50%, which ultimately resulted in numerous money-laundering incidents that Coinbase did not report. 

The question is, where did it all go wrong? Coinbase’s management team could have prevented the situation from escalating by conducting proper AML risk assessments and AML independent reviews from the start.

Failure to plan an adequate BSA/AML program is planning to fail

In its consent order, the Department noted that Coinbase had failed to conduct adequate AML risk assessments since 2017 and the company had not provided evidence that its TMS system received a validation review. What’s more, Coinbase’s ability to focus on compliance was further hindered when the organization laid off over 1,000 employees, or 18% of its workforce.  

When the volume of business increased, it became clear that Coinbase’s compliance program lacked the proper staffing, training and case management system to keep pace.  As a result, Coinbase was forced to pay a $50 million fine to the Department and spend an additional $50 million to hire an independent consultant to assess the company’s BSA/AML and OFAC Sanctions Program.  

The bottom line

Put simply, companies can learn from Coinbase’s mistakes and follow well-known compliance best practices, including establishing a BSA/AML program and having periodic reviews of that program. Without an adequate BSA/AML program, your company has no plan in place to meet growing compliance requirements — and failure to meet those requirements results in financial and reputational damages.  

The good news is that you do not have to embark on the BSA/AML compliance process alone. It is a smart idea to enlist the help of a qualified and credentialed forensic accounting team to support you in the process. Aprio’s Forensic Services professionals can guide you in implementing the proper BSA/AML program and monitoring best practices and procedures so that you can maintain compliance and even catch mistakes before they spiral out of control. 

If you are ready to establish a BSA/AML program or would like your existing program reviewed, please schedule a consultation with us today.