Paxos Settlement Sets Precedent for State Oversight of Crypto 

September 17, 2025

Summary Overview of NYDFS Consent Order

On August 7, 2025, Paxos Trust Company, LLC (Paxos or the Company) entered into a Consent Order with the New York State Department of Financial Services (NYDFS or the Department), resolving an enforcement action stemming from significant deficiencies in its anti-money laundering (AML) compliance program. The settlement not only reflects the greater role that state regulators continue to play in the context of financial products marketed, sold, and distributed to their residents, but it also underscores this new reality of increased state-level oversight over market participants in the cryptoverse. With Congress’ recent passage of the Genius Act, designating certain stablecoin issuers as financial institutions subject to federal financial crime laws and regulations, including the Bank Secrecy Act (BSA), the Paxos consent order stands out as a significant step by New York to extend the enforcement of AML standards to other market participants in the virtual currency business.

Paxos Trust Company and NYDFS’ Jurisdiction

Paxos is a virtual currency company that offers various products and services, including stablecoins, asset tokenization services, settlement services, and cryptocurrency brokerage services. Companies that conduct virtual currency business activity in New York must be authorized by NYDFS and are subject to the Department’s ongoing supervision. Paxos was the first company to secure a limited-purpose trust charter from NYDFS to engage in virtual currency activities in New York. As a result, the Department required Paxos to maintain effective controls to guard against money laundering and certain other illicit financial services activities. 

Key Findings of the Consent Order

By way of background, Paxos formed a partnership with Binance, the world’s largest digital asset exchange, to market and distribute Binance’s USD stablecoin with the intent to expand Paxos’ market share and customer base. The consent order entered into by Paxos revealed several key findings by NYDFS.

Paxos failed to conduct adequate due diligence in connection with its administration of the Binance USD stablecoin.

NYDFS found the Company’s Know Your Customer (KYC) / Customer Due Diligence program to be underdeveloped despite servicing high-risk customers who shared addresses, corporate documents, beneficial owners, and certain behavioral characteristics indicative of potential illicit coordinated activity. These customers were able to open multiple accounts on the Paxos platform and remain undetected. The lack of KYC oversight resulted in the platform’s unreasonable exposure to trade-based money laundering risks.

The Department further concluded that the Company’s investigation procedures lacked standardization and were inherently deficient. This resulted in a further weakened diligence function and a general lack of accountability at the compliance level. Paxos was placed on notice of these issues as early as 2022 when its internal audit group found that the Company “lacked defined case investigation procedures to comprehensively describe the minimum requirements for investigative research and due diligence.”

For example, the Company did not have a set of reasonable steps in place to investigate account holders who submitted suspicious account opening or Enhanced Due Diligence (EDD) materials. Instead, the Company relied on prospective customers’ written responses during the EDD process and failed to obtain adequate documentation in support of those responses.

Moreover, Paxos’ formal investigations policy did not require an investigation upon receipt of a law enforcement request and instead reserved the decision of whether to perform an investigation to the discretion of the investigator. In fact, even when a pattern of potential trade-based money laundering transactions resulted in alerts, the Department was unclear on whether any investigation would have been required.

The Department also found that Paxos failed to conduct adequate due diligence with respect to Binance’s geofencing controls that were designed to exclude U.S.-based customers from the platform. Beyond conducting an initial review of Binance’s existing AML policies and procedures, the Department found that Paxos “accepted Binance at its word and did not undertake an independent review” to verify the effectiveness of the controls despite public evidence of circumvention.

Paxos had inadequate and untailored policies and procedures, which did not address key money-laundering risks (e.g., trade-based) that were particularly sensitive given Paxos’ business.

Customers on the platform who purported to be bona fide cryptocurrency buyers and sellers engaged in suspicious transaction activity indicative of a trade-based money laundering scheme—namely, executing trades near in time to each other, depositing funds into accounts at round-dollar amounts, maintaining little to no account balance, and executing a high volume of trades in quick succession and across multiple accounts.

The patterns of transaction activity that occurred on the platform were also indicative of layering, a money movement strategy employed by individuals to conceal the true origins of illicit funds. However, Paxos did not have the policies and procedures in place to identify or investigate red flags indicative of high-risk transaction activity.

Paxos lacked effective AML controls and transaction monitoring systems, allowing potentially illicit actors to transact undetected.

NYDFS found that Paxos did not have appropriate systems and controls in place to effectively monitor the illicit activity occurring on its own platform and away from its platform through Binance. By way of example, NYDFS noted that Paxos’ manually intensive and technologically limited processes to monitor customer withdrawals in real time prevented it from detecting recognizable patterns of money laundering. NYDFS once again found that Paxos failed to escalate red flags to Paxos’ management and Board.

As with Binance’s geofencing controls, Paxos’ knowledge of Binance’s AML controls was based solely on a preliminary review of its AML, Sanctions, KYC, and related policies, as well as the findings of Binance’s external auditor’s limited review of the same. This limited oversight was in spite of a 2020 Letter Agreement that Paxos entered into with NYDFS that included requirements that the Company review Binance’s AML program and conduct periodic due diligence refreshes of the platform. Nevertheless, it was not until late 2022 that Paxos engaged a third-party blockchain analytics firm to perform an EDD investigation of Binance.

The third-party review revealed that Binance transactions executed between 2017 and 2022 across a select set of virtual currency assets collectively moved approximately $1.6 billion connected to illicit actors, such as individuals and entities sanctioned by the U.S. Office of Foreign Assets Control, in and out of the Binance platform. Paxos’ lack of AML infrastructure and business partner oversight prevented it from having adequate visibility into these risks. The Department noted that Paxos’ systems were deficient and that Paxos failed to appropriately maintain and tune them according to its particular AML risks. NYDFS found that Paxos failed to perform regular assessments of its system’s rules and scenarios, which were critical to closing significant gaps in surveillance for high-risk areas of its business.

Paxos lacked a training program.

The absence of a training program extended to the Company’s compliance staff, who were responsible for identifying AML-related risks.

Regulatory Violations

The Department’s charges against Paxos include failure to maintain an effective and compliant AML program in violation of 3 NYCRR § 116.2, failure to maintain an effective transaction monitoring program in violation of 23 NYCRR § 504.3, and failure to conduct business in a safe and sound manner in violation of New York Banking Law § 44.

Settlement Terms

Pursuant to the Consent Order, Paxos agreed to the following. Paxos must pay a $26.5 million civil monetary penalty to the State of New York for failure to conduct sufficient due diligence of its former partner, Binance, and systemic failures in Paxos’ AML program. Despite Paxos’ contention that there was no customer harm, NYDFS still sought to impose a steep penalty.

Paxos must also invest $22 million to improve its compliance program and remediate deficiencies over three years (2025-2027), with Paxos having already spent $3.1 million in connection with improving and operating its compliance program. As part of the compliance undertaking, Paxos was obligated to submit status reports at regular intervals over a minimum three-year period addressing several key compliance categories, including customer due diligence, BSA/AML compliance, suspicious activity monitoring and reporting, corporate governance, management oversight and reporting, case and rules management systems, and technical program support. Importantly, the consent order offers market participants a roadmap for developing a robust compliance framework related to AML and other illicit payment issues.

Legal Significance

The Paxos enforcement action serves as a cautionary tale for market participants in the digital asset space operating under NYDFS jurisdiction or seeking licensure, including stablecoin issuers, custodial wallet providers, digital asset payment processors, and virtual currency exchanges. Firms must treat AML compliance and financial crimes prevention as a strategic imperative, not merely a regulatory checkbox, and proactively invest in systems, controls, policies, personnel, and culture that support financial integrity.

The following are several critical lessons to be taken from this matter.

1. Compliance programs must be tailored based on unique business risks. 

Paxos did not maintain an appropriate risk management framework that corresponded to its particular business risks, including conducting independent audits and testing of third-party controls for business partners like Binance. Instead, Paxos unreasonably relied on Binance’s self-reported controls without independent verification.

2. Examination preparation is essential. 

Paxos was subject to supervisory examinations by NYDFS, which focused on the Company’s risk management practices as well as its BSA/AML compliance program. Indeed, it was the Department’s examination in 2022 that helped bring some of the key issues to light after Paxos failed to demonstrate that it had the appropriate controls in place to effectively monitor illicit activity occurring away from its platform at Binance.

3. Cooperation credit can be earned. 

Paxos was not only cooperative with NYDFS in the course of the enforcement investigation and in connection with the oversight of terminating the Binance relationship, but it was also recognized for “comprehensive enhancements to its compliance function,” including growing its compliance team, expanding the scope of its vendor support and expertise, and dedicating personnel from outside of its compliance division to develop compliance tooling. Paxos’ efforts to cooperate were given substantial weight by the Department, and from our perspective, that appreciation stemmed from a credible demonstration by Paxos to correct the compliance issues that led to the underlying violations before entering the consent order. Importantly, Paxos engaged an outside consultant upon learning of its AML program deficiencies in January 2023 and worked diligently to implement recommended remediation steps in real time during the engagement.

4. Promotion of a compliance culture.

Internal communications at Paxos revealed a lax attitude toward due diligence, which regulators viewed as indicative of systemic weaknesses with the AML program. Firms can facilitate a greater awareness about AML compliance and financial crimes prevention by conducting regular trainings and delivering compliance messaging from the top of the organization down.

5. Technological systems alone are not enough.

Beyond an advanced transaction monitoring system, firms must maintain written protocols that set forth how alerts will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and the decision-making process will be documented. An effective AML program must also include other key elements such as comprehensive policies and procedures, heightened focus on KYC tailored to the firm’s risk profile, and clear governance structures that create greater accountability across the firm.

6. An emerging trend of greater state securities oversight and enforcement.1

Market participants who operate in the digital asset space may experience greater oversight and enforcement by state regulators while key priorities and legal issues continue to work themselves out at the federal level. As a limited-purpose trust company, Paxos was subject to the supervision of NYDFS regulations and enforcement and was subsequently sanctioned with severe penalties due to its compliance weaknesses and failures.

7. Don’t forget about the Genius Act. 

Passed into law on July 18, the Genius Act designates stablecoin issuers as financial institutions subject to the Bank Secrecy Act requirements, which share similarities with the New York regulations discussed herein that are focused on AML compliance and financial crime prevention. The Genius Act restricts stablecoin issuance to approved “permitted payment stablecoin issuers,” requires 1:1 backing with liquid reserves like U.S. currency or Treasuries, enforces strict AML measures, and includes consumer protections like prioritizing stablecoin holders in case of insolvency. Its goal is to provide stability to the digital asset market, protect consumers, and bolster the global position of the U.S. dollar. While the key provisions of the Genius Act will not come into effect for well over a year, and the implementing rules by the Treasury Department are uncertain, the passage of this legislation marks a major step forward in the federal enforcement of financial crimes involving virtual currency businesses.


1 See, e.g., Oregon Attorney General Rayfield Sues Coinbase for Promoting and Selling High-Risk Investments (April 18, 2025); DFPI Fines Coinme $300,000 Related to Crypto Kiosk Violations, Secures $51,700 in Restitution for Victims (June 25, 2025); Celsius Network Inc. Consent Order (March 18, 2025); S.B. 1979, 104th Gen. Assem., Reg. Sess. (ILL. 2025) (In September 2025, Illinois enacted the Digital Assets and Consumer Protection Act, giving the Illinois Department of Financial and Professional Regulation new authority over digital asset exchanges and businesses). 


Authors

Alexander I. Cohen

Member

aicohen@cozen.com

(212) 453-3778

Zachary Weiss

Associate

zweiss@cozen.com

(212) 908-1302
