Coinbase: A costly approach to compliance

A review of the fine recently announced by Superintendent of Financial Services Adrienne A. Harris reveals the continued failings of Fintechs and many other types of financial institutions. Startups fail by treating the list of regulatory requirements as a check-the-box process, then compound that failure by not periodically updating or testing the company’s internal programs and policies.

Coinbase, founded in 2012, is a publicly traded company headquartered in California. This American company operates a cryptocurrency exchange platform, promoting an easy and secure option for sending and receiving Bitcoin. The company also facilitates investments and savings, offering an alternative to traditional banking. Naturally, this type of company is subject to legislative and regulatory requirements based on the states and countries in which it operates within the financial industry. Even for a startup focused on one jurisdiction, navigating complex regulatory laws and ensuring compliance can be challenging. Complexity and difficulty increase as startups grow and expand. Further complications arise for startups, especially unicorns, that grow and expand quickly into other jurisdictions with varied obligations that compound depending on company size, services, and much more.


DFS INVESTIGATION FINDINGS

The New York Department of Financial Services (NY DFS) Investigation raised three main concerns regarding Coinbase, namely that:

  • The company’s KYC/CDD program was inadequate. 

  • The company’s transactional monitoring system was not scalable as the company grew.

  • As a result of the former two concerns, the company failed to promote healthy reporting of suspicious activities. 

RECOMMENDATIONS

The check-the-box process mentioned in the press release from NY DFS is familiar at many firms. Too often, companies adopt a check-the-box process through a template that does not apply to the company’s specific needs, objectives, and design. A successful and workable compliance program often requires the same initial steps and recommendations at the outset and, often, periodically thereafter.

Risk Assessment

An in-depth risk assessment at a firm or enterprise level is crucial. Conducting a risk assessment helps identify the specific risks to which the company is exposed. These risks are discovered through the study of the jurisdictions, product offerings, services, anticipated growth, client demographics, and resources, to name a few. Understanding as much as possible of a company’s design assists in revealing potential future risks. In the press release, the DFS Investigation identified a lack of sufficient resources to handle the increased monitoring and internal investigations of transactions. In other words, the compliance program was not scalable. However, a proper risk assessment would have revealed the growth pattern and prompted appropriate adjustments to avoid compliance failures and inevitable fines.

Risk-Based Approach

A risk-based approach could have further assisted in the prevention of penalties. A risk-based approach aids in developing an adaptable and scalable program that addresses the needs of the company and the regulatory requirements and maximizes resources. The full details of the backlog mentioned in the press release, related to the failure to address suspicious transactions promptly, were not disclosed. However, often, failure relates to a standard approach to addressing red flags. Although a risk assessment and a risk-based approach are crucial to the success of a compliance program, they are useless without continuous monitoring and testing.

Monitoring and Testing

This leads to a third recommendation for prevention: monitoring. A well-thought-out and well-designed compliance program should not be considered static. It is meant to evolve as the company evolves. Even a company that maintains the same business model year after year would be remiss in failing to monitor and test the continued success of the current compliance program. Testing would require reviewing the program as it is written and its applicability. Testing must confirm that the program remains practical. Elements of the program would also need testing, including the transactional monitoring tools. Often tools are outdated and require reprogramming or updating to remain relevant and appropriate.

CONCLUSION

It’s hard to fault companies for this check-the-box preference. Regulations and obligations are complex, and with limited resources and appropriate talent, the minimum is often seemingly acceptable, given the appearance of compliance. Unfortunately, successful and prominent companies, such as Coinbase, find out too late how costly perceptions can be.
