Paxos fined $48.5M over AML and Binance oversight failures

The New York State Department of Financial Services, or NYDFS, announced on Thursday a $48.5 million settlement with Paxos, a nonbank financial institution with crypto-focused services, citing significant anti-money-laundering, or AML, deficiencies and failures in its due diligence concerning its partnership with crypto exchange Binance.

The agreement, detailed in a consent order, requires Paxos, which offers services including cryptocurrency brokerage and settlement, to pay a $26.5 million penalty to New York and invest an additional $22 million into improving its compliance program and remediating deficiencies.

For U.S. banks and credit unions, the settlement underscores the imperative of maintaining robust AML compliance programs, particularly as the fight against money laundering escalates and the U.S. enables — even compels — financial institutions to engage to a greater extent with crypto firms and crypto assets.

The findings by NYDFS also highlight the critical need for comprehensive due diligence on all third-party partners and vendors, as well as vigilance in know-your-customer processes and transaction monitoring.

Failures in these areas have led to significant regulatory penalties and reputational damage not just for crypto companies such as Paxos but banks as well.

Paxos-Binance partnership created key issues

Paxos, which was chartered by NYDFS in 2015, did not implement appropriate controls to effectively monitor for significant illicit activity occurring on and through cryptocurrency exchange Binance, according to NYDFS. Paxos had partnered with Binance to market and distribute the Binance USD stablecoin.

One critical finding against Paxos in the NYDFS consent order involved the company's reliance on Binance's assurances regarding geofencing.

Samuel Lim, Binance's chief compliance officer from 2018 to 2022, told Paxos in 2019 that the company had implemented geofencing to prevent U.S. users from accessing Binance's unregulated trading platform.

"With confidence, I can say the policies and procedures are already in effect," Lim told Paxos. Binance was "completely restricting U.S. persons," he said.

However, NYDFS found Paxos did not verify Lim's claims, and Binance's geofencing turned out to be "deficient and circumventable," through the use of virtual private networks, or VPNs, according to the consent order.

NYDFS pointed out that Binance itself had published a guide in April 2019 on using VPNs, which explained that they can "unlock sites that are restricted in your country."

Later, in an October 2020 article detailing "an elaborate corporate structure designed to intentionally deceive regulators and surreptitiously profit from crypto investors in the United States," Forbes reported that a Binance senior executive had advocated for promoting "strategic" use of VPNs to obscure traders' locations and evade regulatory scrutiny.

After the Forbes report, Paxos' own employees confirmed that using a VPN could indeed circumvent Binance's geofencing, and they were able to access and make trades on the platform from New York IP addresses.

In addition, a review of Binance transactions from 2017 to 2022 identified $1.6 billion in transactions flowing to or from the Binance platform involving illicit actors, according to NYDFS.

For example, Binance processed transactions to and from entities after the U.S. Office of Foreign Assets Control, or OFAC, had sanctioned them. These entities included Chatex (a virtual currency exchange that facilitated financial transactions for ransomware actors), Hydra Market (an online market for illicit goods and services) and Tornado Cash (a service for making virtual currency transactions harder to trace).

Specifically, Binance handled over $32 million in transactions to or from Chatex, which NYDFS said had shown red flags of involvement with Russian ransomware that Binance should have been able to identify.

Paxos' chief compliance officer in January 2023, Carolina Ceballos, acknowledged internally at the time that Binance "does not have an independent external audit report of their AML/Sanctions program which attests to the degree of compliance with its own policies and procedures."

Since then, the Commodities Futures and Trades Commission has issued multiple penalties against former Binance executives for the compliance violations. In March, Binance's new CEO, Richard Teng, publicly stressed the importance to the company of compliance.

Know-your-customer and customer-due-diligence shortcomings at Paxos

Beyond its Binance relationship, NYDFS also identified systemic weaknesses in Paxos' internal compliance program that the department said had persisted for years.

Paxos operated an unsophisticated know-your-customer, or KYC, and customer-due-digiligence, or CDD, program, according to NYDFS. The company onboarded customers with limited insight into their true identities, the legitimacy of their businesses or the sources of their funds.

This allowed customers sharing addresses, corporate documents, beneficial owners, and behavioral characteristics indicative of illicit coordinated activity to open multiple accounts and remain undetected.

An example highlighted in the investigation involved Paxos onboarding 11 businesses in the same South Florida strip mall, with three linked to an individual who transacted approximately $260 million, all without triggering an alert.

Paxos compliance employees internally voiced concerns, with one stating, "I feel like every export or trading company we have on platform is fake."

Another commented on onboarding an unlicensed money services business, or MSB, noting, "so they told us they are an unlicensed [money services business] … and we onboarded [laughing out loud] … also they are an [over-the-counter] desk … zero trades."

An over-the-counter desk is a service that facilitates large, private transactions of financial instruments, including cryptocurrencies, directly between two parties, off of public exchanges.

A third employee's observation underscored major due diligence failures.

"Yea, going through this newer one I found, we never received anything from them showing that they should be conducting this volume of activity," the employee said, according to the consent order. "Just a bunch of likely fake policies and org docs and then just let them go because they are an [over-the-counter] desk."

Transaction monitoring deficiencies

Paxos' transaction monitoring system failed to detect "obvious money laundering patterns," according to the NYDFS press release.

Paxos had a manual and technologically limited processes for monitoring withdrawals, meaning it often would not identify potential money laundering until 2-4 weeks later, former Chief Compliance Officer Lim said in March 2020.

This allowed a money-laundering network to operate on Paxos' exchange for approximately five years, according to NYDFS. The network exhibited rapid fund movements, the use of multiple accounts, round-dollar transactions and consistently small to zero end-of-day balances — all obvious signs of money laundering.