Paxos: Defining Disingenuity

Disingenuity: disingenuous use of dishonest and unjustified self-praise and appeals to potential future innovation to evade responsibility for transparent and obvious current failures.

We have previously talked about web3 industry positions that look ripe for misuse. We have speculated that certain parties were, for example, lobbying hard to establish legal safe harbours their products would not deserve with the intention of claiming them anyway and decrying "regulation by enforcement" when someone tries to enforce against them . We have written about absurd, transparent and obvious problems inside companies that otherwise try to present a straight-and-narrow appearance .

But Paxos' recent settlement with the New York Department of Financial Services (NYDFS) gives a concrete example of how this works in practice. It proves Paxos was peddling in disingenuity for years. Paxos' compliance failures are not just funny. They are not just diametrically opposed to how the company presented itself at the time. We have a situation where management was publicly boasting to the outside world, often in testimony before government bodies, about how well funded and compliance focused they were while on the inside, the compliance operation was a catastrophic shambles.

We are not going to claim anyone here was lying. It is always possible that, for example, a CEO and co-founder has no idea what is happening day-to-day inside the company they founded and run even if that company has only a few hundred employees. It is also possible for senior management to not know the the company had no dedicated chief compliance officer for a decade until 2022. With no CCO at all there would be no CCO to show up to meetings. So, in theory, unless somebody asked they would never know. It is also possible that, even after the CEO signed a consent order in 2020 for unlicensed money transmission in Connecticut where they did not yet have a license, they still did not realize compliance was inadequate.

That sequence of events, and what we will discuss below, raise more questions than they answer. And we kind of know already the answers are not going to be good.

The Story

By web3 standards Paxos is old. The company was founded in 2012. It just settled with NYDFS because "Paxos’s BSA/AML compliance function was deficient" and it had a "deficient compliance user interface" among other issues. The settlement is pretty wild and it is worth your time to read it.

What we are going to do here is compare Paxos' behaviours and systems with what Paxos' CEO was telling the US government in real time. This starts with the long-time CEO and co-founder of Paxos claiming in February 2020 they " have really tried to make sure that we set ourselves up as trying to follow regulation and with a regulatory-first approach to everything " and that they "think of ourselves as creating financial market infrastructure." Those quotes come from a US Commodity Futures Trading Commission (CFTC) Technical Advisory Committee meeting. The Paxos CEO was on that committee at the time. Contemporaneously, according to the NYDFS settlement:

Paxos's manually intensive and technologically limited processes to monitor withdrawals in real-time prevented it from detecting obvious and easily detectable patterns of money laundering. Paxos's quality assurance team found as much, noting the Paxos failed to identify certain alerts as potentially suspicious and thus warranting an investigation.

As far as those investigations are concerned the NYDFS report has an entire section entitled "Paxos's Investigation Failures" which includes this little nugget: Prior to 2022, Paxos's formal investigations policy did not require an investigation upon receipt of a law enforcement request.

If at this point you are wondering how that could possibly be "regulatory-first" you are not alone.

In December 2021 the same CEO testified to the US House Financial Services Committee that they have " witnessed the shortcomings and systemic risks of our financial market infrastructure firsthand – and I’ve seen how digital assets, and the blockchain technologies they're based on, could solve many of those problems. " Funny then that:

Paxos onboarded 11 businesses located in the same single-story strip mall in South Florida without identifying their shared attributes and Paxos’s deficient compliance user interface did not generate an alert. Compliance staff at Paxos acknowledged that the system did not adequately address the “linking” of individuals and entities. Three of these businesses were associated with an individual who had transacted approximately $260 million on the exchange during a period of fourteen months. This individual was listed as the accountant for a company that prepared the corporate books for at least four other customers onboarded to the platform.

Whatever issues the global financial market infrastructure has that sounds more like a scene in a bad police television show than a challenging problem for non-deficient compliance software. Bank software has problems. All software has problems. But not these problems. These problems were solved decades ago. You can buy off-the-shelf software to solve these problems.

And it is not like the people inside Paxos were unaware of problems. It is one thing for the company to have deficient software and investigations policies but well-meaning and conscientious employees. No. NYDFS reports conversations like "I feel like every export or trading company we have on platform is fake" and "so they told us they are an unlicensed money services business and we onboarded lol." Another employee refers to "a bunch of likely fake policies and org docs" which did not stop Paxos from onboarding that client. In 2023. By 2023 we know Paxos had settled with Connecticut and was years into long running demands for improvements from New York.

We also know the employees had known about compliance failures for years. NYDFS gives us more comedy gold:

An example of the failure of Paxos to conduct thorough investigations was the TBML network. Of this network of customers, 32 accounts had previously been brought to Paxos’s attention through law enforcement subpoenas or information requests from other financial institutions. Notwithstanding these inquiries, Paxos’s compliance staff failed to identify the larger network. Paxos’s quality assurance team reported that team members indicated that they did not want or did not have the time to investigate alerts. The quality assurance team also found that there was a lack of accountability for poor quality work by Paxos employees.

Other financial institutions clearly spotted this problem because Paxos got "information requests from other financial institutions." The overall thrust of the settlement is that Paxos made no real attempt to follow the rules between getting their licences in 2015 and this conduct in 2023. Then, after repeated demands from the New York regulator, Paxos finally engaged a real auditor that warned the company about money laundering risks and, it seems, progress finally began. Notice above how Paxos finally hired a "dedicated" CCO in September 2022. That is long after presenting a "regulatory-first approach" to government officials.

Highest Profile Lobbying

In 2024 Paxos' CEO released an open letter to a US presidential candidate claiming " One of the hallmarks of Paxos is that we have always built within established regulatory frameworks " and that "In the last four years, Paxos and its U.S.-based peers have faced countless examples of regulatory overreach, questionable banking policies and onerous and needless legal actions, resulting in enormous costs in wasted time and money." Those four years include:

1. A written 2020 agreement with NYDFS to resolve several issues.
2. A Consent Order in Connecticut where "Paxos specifically assures the Commissioner that the violation alleged herein shall not occur in the future."
3. Paxos essentially failing a 2022 NY examination when it "failed to demonstrate that it had the appropriate controls in place" and "failed to escalate red flags to Paxos’s senior management."
4. A finding Paxos breached the 2020 NYDFS agreement.
5. Paxos then essentially failing a 2023 examination where it "onboarded customers with limited insight into their true identities."
6. NYDFS finding Paxos' BSA/AML function was deficient.
7. A raft of comical compliance failures, some of which are quoted above.

Once you read what was actually happening inside Paxos it is hard to see the claims in that letter as anything other than disingenuous, self-serving posturing. The alternative would appear to be that the Paxos executive that made all these statements was a "deficient" CEO with no idea what was happening inside the company they founded and ran (and, please note, still run). Some of the NYDFS findings conclude that senior management was not notified of problems so managerial insufficiency is surely some part of this. But, again, if you are a co-founder and CEO from the start and still have no "dedicated" compliance chief after a decade you cannot really call that a legacy issue you have not had time to address yet.

But then we still find the same person testifying to the US House in March 2025 about stablecoins with the claim to " have worked closely with global regulators to advance the safe and widespread adoption of regulated stablecoins. " The most charitable reading of that testimony is that Paxos worked closely with NYDFS in much the same way a struggling student might "work closely" with their teacher. "I stayed after class for extra tuition" is not a declaration of victory.

The natural question, then, is why Paxos did not simply lose its license. Or, at least, why none of this conduct was made public with an admonition, fine and settlement years ago. The struggling student eventually either gets better or fails the class. Seven years is a lot of leeway.

Paxos' Response

The company responded to the NYDFS settlement with a statement that reads in part:

For the avoidance of doubt, the compliance issues discussed are historical issues that were identified over two and half years ago and have since been fully remediated. These matters had no impact on customer accounts and there was no consumer harm.

"Over two and a half years ago" is accurate in so far as they entered into a written agreement five years ago to remediate problems that were already serious at that time. It might be more accurate to say, "This relates to problems we spent more than half a decade clownishly failing to resolve. Among other things our decision to finally hire a 'dedicated' compliance chief a decade after the company's founding might have been a little slow." The first step is to admit you have a problem .

But, even more absurdly, look at the last sentence. Onboarding clients that present obviously fake documents and failing to offboard them when your compliance skeleton crew – "team" feels like an overstatement at this point – finds problems is a benefit to the clients. Money launderers and sanctions evaders benefit from lax compliance. Clients are not a business' only constituency. If 100% of a financial services business' clients are happy, there are almost certainly crime is going on.

What Paxos did absolutely did have an impact on is "customer accounts." It gave value to criminals. To then claim, as the statement does, that "no other blockchain and tokenization platform has shown more dedication to seeking oversight and complying with global institutional standards as Paxos has done for over a decade" is laugh-out-loud funny. There have been some pretty ridiculous web3 compliance problems and settlements over the years. Binance's "We're operating an unlicensed broker in the US, bro" was funny and bad. But Binance never had the temerity to claim it was more dedicated to compliance than anybody else. Contrast Paxos' statement with a 2023 Bloomberg interview of Binance co-founder He Yi:

“We respect the attitude of regulators, whether it supports or opposes the development of crypto... I understand that the overall intention of regulation is good in order to protect investors.”

"The trend of regulations is inevitable globally...It's not something you can solve by shouting ‘fight’ a couple of times."

That reads as some version of "we screwed up and misjudged this and are changing tack" which is both likely honest and entirely believable. Imagine the response if Binance issued a statement regarding their large US settlement that "We have always been the greatest at compliance and are happy to put these historical issues behind us with a record-setting $4.3 billion fine and our CEO going to prison." Paxos is smaller in every way but the statement has a similar flavour to that.

So?

We are not going to criticize the regulator for this situation. The lesson here has nothing to do with that. If you read the settlement the overall tone makes it clear a regulator free of political considerations would have shuttered Paxos long ago. Here is a comment regarding the findings of a 2023 investigation:

Notwithstanding the Department’s guidance in 2022 to all virtual currency businesses highlighting the need to augment Know-your-Customer (“KYC”)-related controls, Paxos onboarded customers with limited insight into their true identities, the legitimacy of their businesses, or the sources of their funds.

There was already a written agreement regarding improvements in surveillance in 2020. How many years are you allowed to fail before you get kicked out? This is a lot of leeway. And, again, we do not blame NYDFS for this situation. They were operating in a climate where web3 CEOs sat on government advisory boards and decried regulatory overreach, the stifling of innovation and unfair discrimination against their businesses left and right.

The Paxos CEO quoted at length here sat on the CFTC Technical Advisory Committee for much of this time. He testified to the US House and Senate to help shape policy. He released an open letter to a US presidential candidate that claimed "the US has become an inhospitable place for financial innovation." Perhaps it looked inhospitable from his seat because Paxos was opening accounts for unknown parties, missed "obvious and easily detectable patterns of money laundering" and had a generally "deficient" compliance department with no "dedicated" compliance chief. Such a company might find the US financial system an inhospitable place.

This settlement should be a wake-up call to the people who write the regulations – not the regulators, the elected lawmakers – that things are very wrong. Reading the settlement it is impossible to view Paxos as a good-faith actor that struggled with technology. The CEO boasted in 2020 to the US CFTC that "we have been around now for almost seven years, and we have raised quite a bit of capital." Paxos raised over $500 million. If you make that claim, you can afford a proper compliance department and should be held to a high standard. Any resource issues in the compliance department were self-inflicted wounds.

The play here is easy to read. This was, with thanks to NYDFS for making it possible to use this word, an "obvious" attempt to bully the government into permitting the unlawful. Or at least if not permitting it then just ignoring violations and not enforcing the law as written. Get on enough government advisory boards – perhaps by hiring former government officials to be on your own board and saying the right things at meetings – and nobody will bother you. Reading the settlement one gets the feeling NYDFS was exasperated by the need to keep privately admonishing this unruly child.

We can have a long debate about what the correct level of AML/KYC is in an ideal world. We can even have a debate about precisely where to draw the line on interesting cases. But you simply cannot operate a trust company in New York without knowing who your clients are. There is no plausible lack of clarity around knowing your clients' "true identities" or the "legitimacy of the their businesses" or "the sources of their funds." If you run a trust company it is your job not to foster an "environment vulnerable to exploitation by criminal actors."

NYDFS does not have the power to charge anyone criminally so this settlement does not do so. If this is the end of the story – nearly a decade of what-really-looks-like-willful-noncompliance followed by a $22 million fine for a company that has raised over $500 million – and no tightening of the system then there is no reason for anyone to follow the rules. Perhaps charging individuals is not possible in this case. Then lawmakers should fix it. Perhaps it is considered inappropriate or against policy. Then someone should run for NY Attorney General on a platform of changing the policy and see what the voters think. Paxos was given so much time, so much leeway and so much rope. And so much high-profile credibility-burnishing exposure in front of government bodies.

Joking about opening accounts for obviously comically non-compliant clients is about as far from acceptable as it gets. And Paxos is not systemically important at all. There is no systemic risk problem shuttering Paxos or criminally charging Paxos employees. How do we know? Paxos' largest product – BUSD – was forcibly shut down with no visible external problems. Bank employees do get criminally charged in egregious cases. This is clearly an egregious case. If this sort of disingenuity works then banks should hire web3 PR firms and fire their compliance departments.