Privacy & Information Security Law Blog

On January 12, 2024, the New York State Department of Financial Services (“NYDFS”) announced a consent order with virtual currency company Genesis Global Trading, Inc. (“Genesis”) for “significant” failings in Genesis’ Anti-Money Laundering and cybersecurity compliance frameworks. According to the NYDFS, Genesis’ failure to comply with the NYDFS’ virtual currency and cybersecurity regulations left the company vulnerable to cybersecurity risks and related unlawful activity. 

Genesis is a virtual currency trading company that acted as the principal in the buying and selling of digital currencies from its own cryptocurrency inventory. Between 2018 and 2022, the NYDFS conducted two examinations into the company’s cybersecurity procedures, which found that Genesis failed to maintain effective compliance with the regulator’s Virtual Currency Regulation and Cybersecurity Regulation, and that the company’s policies, procedures and processes did not keep pace with its significant growth in business throughout the relevant period.  

Specifically, the consent order alleges that Genesis did not complete a risk assessment that met the Virtual Currency Regulation’s requirements until 2022, and as a result did not have proper controls in place to mitigate the risks certain products and services posed to the company and its customers. In addition, Genesis could not demonstrate that it was providing to consumers the transaction disclosures required under the Virtual Currency Regulation, and did not implement a process to ensure that the required disclosures were received by the consumers.

The NYDFS also found that Genesis’ anti-money laundering program was generic and contained significant gaps. In addition, in the period covered by the regulator’s investigations, Genesis failed to conduct enhanced screening of employees and third-party service providers, in violation of guidelines issued by the Office of Foreign Assets Control. 

Finally, the NYDFS determined that the cybersecurity risk assessment Genesis completed pursuant to the Cybersecurity Regulation’s requirements was inadequate and did not identify areas, systems, or processes that required addressing to bring the company’s cybersecurity compliance programs in line with NYDFS requirements. Relatedly, the consent order alleges that the company failed to respond to technological developments and evolving threats that could present cybersecurity risks to Genesis’ business operations. 

The consent order requires Genesis to pay an $8 million fine. The company, which is currently in the process of winding down, also agreed to surrender its New York State cryptocurrency trading license and accepted the denial of any pending applications for NYDFS-issued licenses.