Last week, New York State Department of Financial Services (NYDFS) left no doubt that it will continue to actively regulate cryptocurrency despite the pullback in law enforcement efforts by the federal government, including by the U.S. Securities and Exchange Commission (SEC) and Department of Justice (DOJ). The most recent example of NYDFS’s focus on cryptocurrency is its settlement with blockchain technology company Paxos Trust Company (Paxos), which agreed to pay $48.5 million in civil penalties and compliance program investments to resolve claims related to its alleged failure to conduct sufficient due diligence of a former partner, Binance Holdings Limited (Binance), and anti-money laundering (AML) compliance program failures. Paxos had contracted with Binance to list, market, and distribute two stablecoins, until a February 2023 NYDFS order required Paxos to cease these activities. Although NYDFS stated that it gave “substantial weight” to Paxos’ cooperation, this significant settlement serves as a reminder of the heightened role state regulators play in the crypto space, including with respect to stablecoin transactions.
Key Takeaways
- Despite the White House’s call for expansion of the American digital asset markets, including by emphasizing that SEC and DOJ will not pursue “regulation by enforcement,” many crypto market participants engaging with customers in populous states like New York are subject to strict state government oversight.[1] Practically speaking, companies that facilitate the buying, selling, and exchange of digital currencies by New York State customers must ensure that they have robust, bespoke compliance programs that are regularly reviewed and updated.
- Companies that conduct virtual currency business activity in New York State, either through a limited purpose trust charter or through a BitLicense, must maintain an effective and compliant AML program, which includes customer due diligence and a transaction monitoring program that is reasonably designed to screen customer transactions for compliance with U.S. Office of Foreign Assets Control (OFAC) requirements.
- Relying on customer assurances about the customer’s compliance program will not shield companies subject to NYDFS supervision from liability. Companies with NYDFS authorization to conduct virtual currency businesses must conduct independent reviews of their customers’ compliance programs, including by requesting supporting documentation.
- Virtual currency businesses must maintain, update, and test policies that are reasonably designed to ensure that employees escalate compliance-related red flags and other concerns to senior management and to the board.
Background Summary
Paxos is a New York limited purpose trust company authorized to conduct virtual currency business activities under a charter granted by NYDFS in 2015. Accordingly, New York State regulations required Paxos to establish and maintain an effective AML compliance program and to monitor customer transactions for potential AML violations and compliance with OFAC requirements, specifically money laundering/terrorist financing violations and suspicious activity reporting.
In 2018 and 2019, Paxos partnered with Binance to list a “PAX” stablecoin and to market and distribute a Binance USD (BUSD) stablecoin. According to the Consent Order between Paxos and NYDFS, Paxos reviewed Binance’s compliance program in 2019, including its AML policies, and asked Binance to provide assurances that U.S. customers were not accessing an unregulated trading platform. Although Binance represented that it had geofencing controls, NYDFS alleged that Paxos did not independently review Binance’s representations.
In July 2020, after the NYDFS asked Paxos about Binance’s compliance program, Paxos signed a letter agreement with NYDFS that governed its ongoing relationship with Binance and marketing and distribution of BUSD. Among other things, this agreement required Paxos to conduct periodic due diligence “refreshes” of Binance.
By October 2020, media outlets reported that Binance was using virtual private networks or “VPNs” to permit U.S. customers to evade U.S. regulatory scrutiny, including related to AML and sanctions enforcement. Although Paxos’ monthly due diligence reports identified U.S. customers that directly transferred BUSD from Paxos to Binance, and despite a third-party due diligence firm identifying $1.6 billion in transactions flowing through the Binance platform by illicit actors, Paxos’ compliance leadership continued to represent internally to other business units that Binance maintained a reasonable compliance program. NYDFS alleged that Paxos’ controls for monitoring illegal activity through Binance were deficient and that there was a failure to escalate red flags to Paxos’ senior management and its board. In February 2023, NYDFS ordered Paxos to cease minting Paxos-issued BUSD and Paxos ended its relationship with Binance.
NYDFS also alleged that Paxos violated New York law by having deficient Know-Your-Customer or “KYC” controls and BSA/AML policies. According to NYDFS, Paxos employees commented on its “lax approach” to KYC and a third-party auditor identified deficiencies in the customer onboarding process. NYDFS also cited Paxos’ allegedly deficient investigation procedures related to AML compliance.
NYDFS found that Paxos failed to maintain an effective and compliant AML program, in violation of 3 NYCRR § 116.2; conducted business in an unsafe manner, in violation of New York Banking Law § 44; breached its 2020 letter agreement with NYDFS; and failed to have an effective transaction monitoring program, in violation of 23 NYCRR § 504.3. Paxos consented to a $26.5 million civil penalty and to commit a minimum of $22 million to strengthen its compliance program. NYDFS also ordered Paxos to make detailed compliance status reports to the agency.
[1] In 2023, California enacted the Digital Financial Assets Law (DFAL), which will require virtual currency service providers to obtain a state license, similar to New York’s BitLicense program. Although DFAL’s licensure provisions are not yet effective, this development underscores the need for companies operating in the crypto space to ensure that their compliance programs comply with state regulatory requirements.
[View source.]
