This article appears as the "Discussion of the month" topic in the AML News and Updates Newsletter, December 2023 edition.
In recent years, the cryptocurrency industry has seen an explosive rise, attracting millions of users worldwide. However, this rapid growth has also attracted increased scrutiny from regulators, particularly in the area of compliance culture.
The story of Binance, the world's largest cryptocurrency exchange, serves as a wake-up call for companies, highlighting the importance of fostering a robust compliance framework.
What exactly happened with Binance?
In November 2023, Binance faced a series of regulatory actions and penalties for failing to comply with anti-money laundering (AML) and know-your-customer (KYC) regulations. These actions resulted in a settlement with the U.S. Department of Justice (DOJ), in which Binance agreed to the following:
👉 Forfeit $2.5 billion and pay a criminal fine of $1.8 billion – a total financial penalty of $4.3 billion.
👉 Enter a 5-year monitorship program to ensure Binance's complete exit from the US.
👉 Identify and report to FinCEN the suspicious transactions that it processed and willfully failed to report (more than 100k).
The DOJ's settlement highlighted several critical shortcomings in Binance's compliance culture. The company was found to have:
✖️ Turned a blind eye to its legal obligations in the pursuit of profit.
✖️ Had inadequate KYC and AML procedures, allowing criminals to use its platform for illicit activities.
✖️ Willfully failed to report well over 100,000 suspicious transactions that it processed as a result of its deficient controls.
✖️ Willfully enabled hundreds of millions of dollars in transactions between American users and users subject to US sanctions.
✖️ Failed to adequately monitor and investigate suspicious transactions.
✖️ Operated as an unregistered securities exchange.
✖️ Failed to restrict US customers from its platform, despite public statements to the contrary.
What was wrong with Binance's compliance culture?
Binance’s approach to compliance was reflected in multiple internal discussions starting from 2018.
According to the Chief Compliance Officer’s communications to employees:
🔷 “Our stance is [n]ot to openly do business with Iran due to sanctions. [I]t affects our banking relationships. I understand that we still support [I]ranian customers but that has to be done non-openly”.
🔷 With respect to users from sanctioned countries, “[w]e are servicing [them] but non-public.” He further added, “[I] [t]old [yo]u we have [I]ranian customers; [the CEO of Binance] knows also. And allows it.”
🔷 “We currently have users from sanction[ed] countries on Binance,” adding that the “[d]ownside risk is if FinCEN or OFAC has concrete evidence we have sanction[ed] users, they might try to investigate or blow it up big on worldstage.”
🔷 In a communication, the Deputy Head of Compliance explained to the then CCO that “[the CEO] keeps saying that compliance is here to make Binance APPEAR compliant.”
🔷 Additionally, at one point CZ told employees it was “better to ask for forgiveness than permission,” and prioritized Binance’s growth over compliance with U.S. law.
The above communications reveal the real stance that Binance held in regard to compliance and confirm that the company's management did not take compliance seriously.
How about personal liability?
While personal liability for compliance failures is still not a common occurrence, due to the seriousness of the case, Binance CEO Changpeng Zhao (CZ) and Chief Compliance Officer (CCO) were also fined $50 million and $1.5 million, respectively.
CZ faces up to 10 years in prison (but may get no more than 18 months under a plea deal).
These individual penalties underscore the personal responsibility that senior managers have in ensuring that their companies adhere to compliance regulations.
Lessons Learned from Binance's Compliance Failures
Binance’s compliance failures underscore the importance of fostering a strong compliance culture. Non-compliance can have severe consequences, including financial penalties, reputational damage, and even criminal charges.
Here are some key takeaways from the Binance case:
✅ Compliance is an ongoing process: Compliance is not a one-off task. It requires continuous monitoring and improvement.
✅ Compliance is a cultural issue: Top management must not treat compliance as an afterthought or a box to be checked. Instead, they must embed compliance into the organization's culture, values, and everyday operations.
✅ Compliance is not unique to financial institutions: All entities subject to AML laws must have a robust compliance program in place.
Regardless of your industry or size, establish a comprehensive compliance program tailored to your specific risk profile. Some best practices for entities to prepare for AML compliance are:
📌 Start early: Use the compliance-by-design approach, embedding compliance into the development and operation of products, services and processes.
📌 Get expert advice: Employ an AML consultant who can help businesses develop and implement an effective AML compliance program.
📌 Use technology: Technology can help businesses automate AML processes and improve their ability to identify and report suspicious transactions.
📌 Train employees: All employees should be trained on AML risks, their personal legal liability and how to identify suspicious transactions.
And remember: Non-compliance can be more expensive than compliance!