14
c. Coinbase historically did the bare minimum to verify customer due diligence
information for customers, relying on self-reported social media profiles while
overlooking information that was, on its face, clearly inaccurate, and/or
incomplete;
d. Prior to July 2021, Coinbase allowed customers to open accounts without
supplying essential information such as annual expected activity, and account
purpose;
e. Coinbase failed to timely conduct EDD on high-risk customers and for a time
had a substantial backlog of open EDD cases as of July 11, 2022, for example,
there were over 10,000 cases in the backlog for Coinbase and its affiliates;
f. Coinbase’s analysts, when they historically performed EDD, often asked for
the bare minimum of identifying documents, conducted only a cursory review
of the material provided, and at times accepted responses that were either non-
or partially- responsive.
40. Coinbase’s lack of knowledge about its customers exposed the Company and the
financial system to increased ML/TF risk. Appropriately, Coinbase’s compliance program is
“risk-based,” that is, the amount of scrutiny an account or transaction is given depends upon the
risk rating assigned to the account. Such a risk-based system, however, is only effective if the
risk rating is conducted rationally, and that simply did not happen at Coinbase (and in many
cases still has not happened) for accounts opened prior to December 2020.
41. As a result of its ongoing engagement with the Department, and in recognition of
the risks presented by operating with incomplete and/or inaccurate customer due diligence data,
Coinbase committed to completing a risk-prioritized KYC Refresh and using provided
information to update risk scores for all of its trade eligible retail customers who onboarded
before September 2021. That process has been slow, however, and despite this incomplete
customer due diligence, Coinbase has not placed restrictions on all of these historical accounts
while it undertakes this re-review.