The crypto / virtual assets industry has been in turmoil for the last several months. The collapse of FTX, once the leading virtual asset exchange, sent shockwaves through the industry and had a domino effect leading to what many are calling a prolonged “crypto winter,” which began with the fall in prices of Bitcoin and other leading virtual currencies. The falling prices of virtual currencies have left many investors in the lurch. Coinbase, another leading virtual currency exchange, was also recently in the news for a $100-million penalty by the New York Department of Financial Services (NYDFS) for serious lapses in their Bank Secrecy Act and Anti-Money Laundering (BSA/AML) controls.

Many of the recent crypto failures point to an inadequate understanding and implementation of basic governance, risk management, accounting, and compliance controls. In pursuit of rapid growth, crypto companies seem to have neglected some fundamental areas that would have provided confidence about the industry being on a sound footing.

A lack of clear regulatory framework has often been touted as an excuse to continue pushing the envelope on innovative products and services that may not have had the appropriate governance, risk management, and compliance foundations.

A growth-at-all-costs mentality among crypto companies, driven by easy venture capital and investor funds, a business model that places a premium on rapid growth, and market share expansion without investing in the right resources, systems, and controls and/or figuring out a sound path to profitability, has also characterized the industry.

Coinbase Consent Order for AML and Sanctions Program Deficiencies

The NYDFS issued a consent order against Coinbase that highlighted serious deficiencies in their Anti-Money Laundering (AML) program, and Coinbase agreed to pay a $50-million penalty and invest another $50 million to improve its AML and sanctions compliance program. Key deficiencies were noted in several areas, including:

• Know Your Customer/Customer Due Diligence (KYC/CDD) procedures
• Anti-Money Laundering (AML) risk assessments
• Transaction Monitoring System (TMS)
• OFAC screening program

The NYDFS noted among other items that “during the course of the Department’s investigation, the compliance situation inside Coinbase reached a critical stage, with a very large backlog of unreviewed transaction monitoring alerts and … of customers requiring enhanced due diligence (‘EDD’). These backlogs were exacerbated by business and operational growth occurring in 2020 through 2021 … At that time, Coinbase lacked sufficient personnel, resources, and tools needed to keep up with these alerts, and backlogs rapidly grew to unmanageable levels.”¹

The Shifting Regulatory Landscape

The regulatory authorities have taken heed and have begun to put in place the regulatory framework, guidance, and expectations that can hopefully blend the innovative practices of crypto and the underlying blockchain technology while addressing some key risks that have led to the recent crypto debacles. Guidance was also released for banks and financial institutions that had launched or planned to launch crypto-related offerings by themselves or in partnership with fintech/crypto companies.

Interagency Joint Statement on Key Risks Associated With Crypto Assets

On January 3, 2023, an interagency joint statement was issued by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation highlighting key risks to banks associated with crypto-assets and crypto-asset sector participants. The interagency statement:

• Highlighted key risks associated with crypto-assets that could affect banks
• Reminded banks to engage in robust supervisory discussions with their supervisory office regarding proposed and existing crypto-asset-related activities
• Reminded banks that, before launching crypto-asset-related activities, banks should ensure that an activity can be performed in a safe and sound manner, is legally permissible, complies with applicable laws and regulations, and can be conducted in a manner that is fair to consumers²

The guidance highlighted a number of key risks associated with crypto-assets and crypto-asset sector participants that banking organizations should be aware of, including the following:

• Risk of fraud and scams among crypto-asset sector participants
• Legal uncertainties related to custody practices, redemptions, and ownership rights, some of which are currently the subject of legal processes and proceedings
• Inaccurate or misleading representations and disclosures by crypto-asset companies, including misrepresentations regarding federal deposit insurance, and other practices that may be unfair, deceptive, or abusive, contributing to significant harm to retail and institutional investors, customers, and counterparties
• Significant volatility in crypto-asset markets, the effects of which include potential impacts on deposit flows associated with crypto-asset companies
• Susceptibility of stablecoins to run risk, creating potential deposit outflows for banking organizations that hold Stablecoin reserves
• Contagion risk within the crypto-asset sector resulting from interconnections among certain crypto-asset participants, including through opaque lending, investing, funding, service, and operational arrangements. These interconnections may also present concentration risks for banking organizations with exposures to the crypto-asset sector
• Risk management and governance practices in the crypto-asset sector exhibiting a lack of maturity and robustness
• Heightened risks associated with open, public, and/or decentralized networks, or similar systems, including, but not limited to, the lack of governance mechanisms establishing oversight of the system; the absence of contracts or standards to clearly establish roles, responsibilities, and liabilities; and vulnerabilities related to cyberattacks, outages, lost or trapped assets, and illicit finance³

NYDFS Virtual Currency Guidance

In June 2015, the Department had adopted its “Part 200” regulation (23 NYCRR Part 200) under the New York Financial Services Law. Part 200 was the United States’ first comprehensive licensing requirement and regulatory framework for non-depository institutions to engage in virtual currency business activity.

The NYDFS developed and oversees a first-of-its-kind regulatory framework for virtual currency businesses, and those that conduct business activity in the State of New York must be licensed to do so by the Department through a “BitLicense” and be subject to the Department’s ongoing supervision. BitLicensees are also required to obtain a money transmitter license from the Department, to abide by the Department’s regulations applicable to both money transmitters and virtual currency businesses, and to comply with the requirements set forth in the Department’s transaction monitoring and sanctions filtering regulation and the Department’s cybersecurity regulation.

Further, on December 15, 2022, with a view to further protect the broader financial services and banking industry from the “contagion” effects of recent crypto failures, the NYDFS released virtual-currency guidance for banking organizations or “Covered Institutions” that reiterated the NYDFS’s expectation to review virtual currency-related activities for prior approval and outlined criteria by which proposals will be evaluated. To develop the Guidance, NYDFS conducted a robust analysis of the existing regulatory landscape and market trends, and engaged with consumer advocates, other state and federal regulators, industry, and academics.

“It is critical that regulators communicate in a timely, transparent manner about the evolution of our regulatory approach,” said Superintendent Adrienne A. Harris. “Today’s Guidance is critical to ensuring that consumers’ hard-earned money is protected, that New York regulated banking organizations remain resilient and competitive, and that the expectations are clear for those that wish to submit proposals for virtual currency-related activity.”⁴

The Guidance outlines six broad categories of information that DFS will consider in assessing a Covered Institution’s proposal:

• Business plan
• Risk management
• Corporate governance and oversight
• Consumer protection
• Financials
• Legal and regulatory analysis

The guidance also includes a supplemental checklist of initial documents and information that a Covered Institution should provide for DFS to consider in its assessment. Three key aspects from the NYDFS guidance that Stout believes will help crypto firms and banking entities that offer crypto services in the State of New York rebuild trust among customers, investors, regulatory bodies, and society at large are the following:

Risk Management

Crypto firms and banks that offer crypto products should consider risks from a holistic lens and build an enterprise risk-management framework to identify, measure, monitor, and control applicable risks arising from the virtual-currency-related activity and should address the following:

• Operational risk, including the sufficiency of operational mitigating controls, people, processes, and systems to engage safely and soundly in the activity
• Market risk, including volatility of virtual asset price or value
• Liquidity risk
• Cybersecurity and fraud risk
• Technology risk, including risks associated with the use of the blockchain technology
• Third-party service provider risk
• Compliance, especially financial crime and sanctions risks
• Reputational risk, including negative public opinion regarding the nature of the service or unexpected losses and potential conflicts of interest
• Strategic risk, including misalignment of a business model with market demands, misalignment with other business activities of the institution, or the inability to service existing customers⁵

Corporate Governance and Oversight

Crypto firms and banks should also consider and build a suitable corporate governance framework that includes the following:

• Board / senior management approval for the proposed virtual-currency-related activity
• The board and senior management’s understanding and knowledge of the risks associated with the virtual asset activity, setup of board level committees for the ongoing oversight of assessment and management of such risks, and allocation of appropriate resources for management of such risks
• The integration of risks in the enterprise-wide risk appetite framework, including limits and thresholds, and an escalation process for when risk limits are breached
• The board and senior management oversight relating to the development of policies and procedures that contain the entity’s risk management framework, including the internal control framework across the three lines (i.e., risk ownership and management, controls and compliance, internal audit)⁶

Consumer Protection

Crypto firms and banks that offer crypto products should include appropriate disclosures of virtual currency risks to ensure consumer protection.

Greater Clarity in 2023

The recent regulatory guidance from the OCC and the NYDFS provides greater clarity and certainty for traditional financial institutions and crypto/digital asset firms toward establishing and enhancing sound business models, a solid governance, and a compliance risk management framework in line with regulatory, customer, and investor expectations, commensurate with their growth/maturity.

This will be a crucial year when financial institutions and crypto firms can begin to re-establish trust in the marketplace that has been sorely missing due to the recent crypto debacles.

¹Consent Order, in the matter of Coinbase, Inc., New York State Department of Financial Services.

²“Crypto-Assets: Joint Statement on Crypto-Asset Risks to Banking Organizations,” Office of the Comptroller of the Currency Bulletin 2023-1, January 3, 2023.

³Consent Order.

⁴Press release, “Superintendent Adrienne A. Harris Releases Virtual Currency Guidance for Banking Organizations, December 15, 2022.

⁵Industry letter, “Prior Approval for Covered Institutions’ Virtual Currency-Related Activity,” December 15, 2022.

⁶Consent Order.