In this Law360 Expert Analysis series, attorneys provide quarterly recaps discussing the biggest developments in New York banking regulation and policymaking.
The third quarter of 2025 had few banking legal developments in New York, but, of note, the New York State Department of Financial Services and the New York state attorney general moved forward on their agendas to limit abuse of digital and electronic banking.
NYDFS Settlement With Stablecoin Issuer Paxos Trust
On Aug. 7, Paxos Trust Co. LLC agreed to pay a $26.5 million penalty to New York state to settle NYDFS allegations that Paxos had not conducted sufficient due diligence of its former partner Binance. Paxos also agreed to pay a further $22 million to improve its compliance program, in accordance with a plan approved by the NYDFS.
The agreement is contained in a consent order describing what the department considers to be Bank Secrecy Act, anti-money laundering and know-your-customer compliance failures.[1]
In the order, the department found fault with Paxos' due diligence in its relationship with Binance, as well as deficiencies in Paxos' AML and KYC procedures. The order describes some basic due diligence and KYC procedures for virtual currency banking, giving bank counsel an introduction to KYC and AML techniques.
Paxos was chartered by the NYDFS in 2015 as a limited purpose trust company and authorized to engage in virtual currency business.[2] In September 2018, Paxos and Binance, the world's largest digital asset exchange, agreed that Binance would list the Paxos standard stablecoin, called PAX.[3]
In 2019, Paxos agreed to market and distribute Binance's stablecoin called Binance USD.
Paxos asked Binance for assurance that Binance's geofencing controls prevented U.S. customers from accessing Binance's unregulated trading platform. The chief compliance officer of Binance stated that Binance had geofencing policies and procedures in effect and that Binance.com was "completely restricting U.S. persons."[4] Paxos did not inquire further.[5]
The NYDFS asked Paxos for information regarding Binance's compliance program. Paxos drafted a letter that Binance sent to the NYDFS stating that (1) Binance had software to detect user IP addresses; (2) Binance blocked IP addresses based in the U.S.; and (3) if a customer's IP address was masked, or if a customer attempted to circumvent the restriction against a U.S. IP address, then Binance used a secondary manual control to prevent access by that U.S. person.
Paxos did not, however, test the assertions in the letter.[6]
Paxos and the NYDFS signed a letter agreement on July 24, 2020, under which Paxos agreed to review Binance's AML and KYC procedures and to maintain effective controls to prevent potential and actual wrongful use of Binance's stablecoin.
Paxos also agreed to ensure that Binance timely inform Paxos of material changes to Binance's procedures, and Paxos agreed to refresh its due diligence periodically.[7]
In October 2020, there was a report in the press that Binance was using virtual private networks as a method of accepting U.S. customers and evading U.S. regulation and that Binance was attempting to undermine the ability of U.S. AML to detect illegal activity occurring at or through Binance.[8]
The NYDFS asked Paxos for information, and Paxos asked Binance for an independent AML audit and an audit focused on Binance's geofencing controls. Binance gave Paxos its most recent KYC review report, and the chief compliance officer of Binance told Paxos that a U.S. person could not pass Binance's geofencing controls.[9]
"In fact, Binance's geofencing was deficient and circumventable by U.S. persons — a fact that Binance itself hinted at publicly," the consent order states.[10]
After the October 2020 press report, Paxos conducted monthly "due diligence refreshes" to identify U.S.-based Paxos clients who transferred Binance USD from Paxos to Binance.com, and its first refresh identified 99 of them.[11]
The NYDFS examined Paxos in 2022 and determined that Paxos had not shown that its Binance controls were effective to monitor for significant illegal activity and that Paxos failed to escalate red flags to Paxos' senior management and board.
Although Paxos had reviewed Binance's AML, sanctions, and KYC policies and procedures, Binance's external auditor had conducted only a limited review of those policies and procedures, and Paxos did not have third-party assurances that Binance's compliance with Binance's own policies and procedures was effective.[12]
As a consequence of the NYDFS' examination, Paxos requested that a third-party blockchain analytics firm perform an enhanced due diligence investigation of Binance.
The firm found $1.6 billion in transactions in and out of the Binance platform involving illicit actors, plus transactions to and from entities after the U.S. had imposed sanctions upon them.[13] The consent order does not state when the blockchain analytics firm delivered its report to Paxos.
By Feb. 13, 2023, the NYDFS ordered Paxos to cease minting Binance USD because Paxos' oversight of its relationship with Binance had unresolved issues.[14]
The department concluded that Paxos had failed to comply with its 2020 letter agreement because Paxos had not conducted proper due diligence of Binance's geofencing controls and BSA and AML programs and policies.[15]
With regard to Paxos' own customers, the NYDFS found that Paxos also failed to have adequate KYC compliance (when the customers were onboarded, that is to say, when Paxos opened accounts for them) and BSA/AML compliance (when the customers ordered transactions).[16]
"A successful KYC program enables financial institutions to establish the identity of a person or entity, assign a risk rating to the customer, and then effectively manage the risk," the consent order states.[17]
The NYDFS found Paxos' KYC procedures deficient in that Paxos' software did not include automated alerts to indicate potentially risky shared customer attributes, such as shared addresses, corporate documents, beneficial owners and behavioral characteristics suggesting illicit coordinated activity.
For instance, Paxos did not link 11 businesses that were located in the same strip mall in South Florida, three of which were associated with an individual who had transacted $260 million on Paxos during a 14-month period and who was listed as an accountant for a company that prepared the corporate books for at least four other customers on the Paxos platform.[18]
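The kind of automated shared-attribute alert described above can be sketched as follows. This is an added example, not code from the consent order or from Paxos' systems; the customer records, field names and the cluster-size threshold are constructed assumptions. It links customers that share any normalized attribute value, follows those links transitively, and reports each cluster with the attributes that tie it together.

```python
from collections import defaultdict

# Constructed sample records; field names and values are hypothetical.
CUSTOMERS = [
    {"id": "C1", "address": "100 Palm Plaza", "owner": "A. Rivera", "accountant": "Ledger Co"},
    {"id": "C2", "address": "100 PALM  Plaza", "owner": "B. Stone", "accountant": "Books LLC"},
    {"id": "C3", "address": "7 Harbor Rd", "owner": "b. stone", "accountant": "Tally Inc"},
    {"id": "C4", "address": "22 Dune Ave", "owner": "D. Park", "accountant": "Tally Inc"},
    {"id": "C5", "address": "9 Elm St", "owner": "E. Cho"},
]
LINK_FIELDS = ("address", "owner", "accountant")

def normalize(value):
    # Case, comma and whitespace differences must not hide a shared attribute.
    return " ".join(value.lower().replace(",", " ").split())

def linked_clusters(customers, fields=LINK_FIELDS, min_size=3):
    parent = {c["id"]: c["id"] for c in customers}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}            # (field, value) -> first customer id holding it
    shared = defaultdict(set)  # (field, value) -> every customer id holding it
    for c in customers:
        for f in fields:
            if not c.get(f):
                continue
            key = (f, normalize(c[f]))
            shared[key].add(c["id"])
            if key in first_seen:
                parent[find(c["id"])] = find(first_seen[key])
            else:
                first_seen[key] = c["id"]

    groups = defaultdict(set)
    for cid in parent:
        groups[find(cid)].add(cid)
    alerts = []
    for members in groups.values():
        if len(members) >= min_size:
            reasons = sorted(k for k, ids in shared.items()
                             if len(ids) > 1 and ids <= members)
            alerts.append({"customers": sorted(members), "shared": reasons})
    return sorted(alerts, key=lambda a: a["customers"])
```

In the sample, C1 through C4 form one cluster even though no single attribute is common to all four, which is the pattern a pairwise exact-match check would miss.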
The consent order stated that Paxos' procedures were not adequate to detect money laundering.
To avoid raising alerts within banking and money transmitter systems, money launderers often break up large transactions into smaller transactions. To anonymize the transactions, money launderers often use multiple real or fabricated identities on either side of the transaction. A compliant AML program will include control scenarios to detect attempts to structure transactions.[19]
The NYDFS said Paxos had a network of customers who engaged in a trade-based money laundering scheme on Paxos for five years. Some transactions occurred within minutes of each other, many deposits were in round-dollar amounts and the customers rarely maintained a balance on the Paxos platform.
The rapid movement of high-volume transactions, the use of multiple accounts and small-to-zero end-of-day balances indicated that the Paxos accounts were used to conceal the source of the funds. The transactions were undetected.[20]
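The indicators listed above (round-dollar deposits, funds moved out within minutes, small-to-zero end-of-day balances) can be combined into a single monitoring scenario. The following is an added example, not taken from the consent order or any vendor's product; the ledger is constructed, and the window, round-amount unit and balance thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (account, ISO timestamp, signed amount in USD).
LEDGER = [
    ("ACCT-A", "2025-01-06T10:00", 50000.00),
    ("ACCT-A", "2025-01-06T10:07", -49990.00),
    ("ACCT-A", "2025-01-07T14:30", 25000.00),
    ("ACCT-A", "2025-01-07T14:41", -25010.00),
    ("ACCT-B", "2025-01-06T09:00", 1234.56),
    ("ACCT-B", "2025-01-09T16:00", -200.00),
    ("ACCT-B", "2025-01-10T11:00", 5000.00),
]

def pass_through_flags(ledger, window=timedelta(minutes=30),
                       round_unit=1000, low_balance=100.0, min_hits=2):
    """Return accounts that show all three pass-through indicators."""
    by_acct = defaultdict(list)
    for acct, ts, amt in ledger:
        by_acct[acct].append((datetime.fromisoformat(ts), amt))
    flagged = {}
    for acct, txs in by_acct.items():
        txs.sort()
        deposits = [(t, a) for t, a in txs if a > 0]
        outs = [(t, a) for t, a in txs if a < 0]
        # Indicator 1: deposits in round-dollar amounts.
        round_dep = sum(1 for _, a in deposits if a % round_unit == 0)
        # Indicator 2: a deposit followed by an outflow inside the window.
        rapid = sum(1 for t, _ in deposits
                    if any(timedelta(0) <= o - t <= window for o, _ in outs))
        # Indicator 3: balance after the last transaction of each active day.
        balance, eod = 0.0, {}
        for t, a in txs:
            balance += a
            eod[t.date()] = balance
        low_days = sum(1 for b in eod.values() if abs(b) <= low_balance)
        if (round_dep >= min_hits and rapid >= min_hits
                and low_days == len(eod)):
            flagged[acct] = {"round": round_dep, "rapid": rapid,
                             "low_days": low_days}
    return flagged
```

Only ACCT-A is flagged in the sample; ACCT-B has one round deposit but holds its balance and shows no rapid outflow.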
The consent order criticized Paxos' investigation policy because the policy allowed, but did not require, Paxos itself to commence an investigation after a law enforcement agency requested information regarding a person or transaction.[21]
This criticism by the NYDFS suggests that, in the future, an AML policy will automatically require such an investigation if a person or transaction is the subject of a law enforcement agency request.
The consent order was approved by the NYDFS on Aug. 7. On Aug. 11, Paxos announced that it had applied to convert its charter from a New York state limited purpose trust company to a national trust charter under the supervision of the Office of the Comptroller of the Currency.[22]
New York Attorney General Sues Zelle for Insufficient Security Measures
The New York attorney general filed a complaint on Aug. 13 against Early Warning Services LLC, or EWS, the parent company of electronic payments platform Zelle. The complaint, filed in the Supreme Court of the State of New York, County of New York, alleges that Zelle did not protect its users adequately and allowed a total of $1 billion to be stolen from Zelle users.[23]
The complaint is brought under New York Executive Law Section 63(12), which authorizes the attorney general to seek injunctive and other equitable relief when a person engages in repeated and persistent fraud in business.
The complaint states, "Such fraudulent conduct includes that which has the capacity or tendency to create an atmosphere conducive to fraud."[24]
The conduct alleged by the attorney general is that Zelle "created an atmosphere conducive to fraud" when it created the Zelle app and Zelle network and integrated the Zelle network into bank customers' banking apps and websites, knowing that it was "highly susceptible to fraudulent activity," but failing to take basic measures to prevent or remedy fraud.
At the same time, EWS allegedly promoted and marketed, and assisted its participating banks in promoting and marketing, the safety and security of the Zelle network, when Zelle was not safe or secure from fraudsters.[25]
The attorney general alleges that from Zelle's inception in 2017 through 2023, persons committing fraud would trick Zelle users into unknowingly giving the fraudsters control over the users' bank accounts and into paying money to fraudsters impersonating legitimate payees.
However, the attorney general claims, Zelle did not take significant measures to combat fraudulent activity until 2023.
"EWS's meager antifraud measures, as well as its lax enforcement practices, made it cheaper for banks to participate in the Zelle network and easier for EWS to sign up and retain banks," the complaint states.[26]
EWS signed up over 1,800 participating banks by the end of 2022.[27] The attorney general alleges that, throughout this time, EWS advertised Zelle as a "safe and secure way for consumers to make electronic payments."[28]
The relief requested in the complaint consists primarily of an injunction ordering EWS "to maintain the basic network safeguards and any other antifraud measures that are necessary to protect consumers and limit consumer harm from fraudulent activity"; provide an accounting of all New York consumers who reported losses to EWS or a participating bank; "pay restitution and damages to all injured New York consumers," "whether known or unknown, at the time of the decision and order"; and disgorge profits.[29]
The suit is similar to a lawsuit the Consumer Financial Protection Bureau brought against EWS and three of its owner banks in December 2024. The CFPB dismissed its lawsuit in March 2025 without explanation.[30]
NYDFS Instructs Banks to Use Blockchain Analytics Tools
On Sept. 17, the NYDFS issued an industry letter stating that "New York State-regulated banking organizations are expected to consider incorporating blockchain analytics as an additional risk-management tool."[31] Among the NYDFS' suggested uses are the following:
- Customer wallet screening and funds verification of virtual assets;
- Verifying the source of funds originating from virtual assets;
- Monitoring the crypto ecosystem to assess customer exposure to money laundering and sanctions violations;
- Analyzing the risk of virtual asset service providers with which a customer is engaged;
- "Evaluating expected versus actual activity (e.g., dollar thresholds) of customers engaging in virtual currency activity";[32]
- Using intelligence gathered from a banking organization's "holistic monitoring" to develop further an organization's risk assessments and risk appetite; and
- "Weighing the risks associated with a virtual currency product or service to be offered."[33]
The NYDFS emphasizes that these uses are by no means exclusive, and that risk-identification and risk-management tools must be continually updated.
"With increasing virtual currency adoption, covered Institutions play a critical role in safeguarding the integrity of the financial ecosystem to prevent illicit activities like money laundering, terrorist financing, and sanctions evasion," the NYDFS said.[34]
Other News
In late-breaking news, New York Gov. Kathy Hochul announced on Sept. 29 that Adrienne Harris would be leaving her position as superintendent of the NYDFS and will be replaced, effective Oct. 18, by Kaitlin Asrow.[35]
Before her appointment, Asrow was executive deputy superintendent of the research and innovation division at the NYDFS.[36]
Concluding Observation
New York continues to lead in the regulation of digital banking. In the third quarter of 2025, the NYDFS and the state attorney general acted to guide financial institutions in the limitation of illegal activity and protection of bank customers from fraud.
[1] In the Matter of Paxos Trust Company LLC, Consent Order dated August 7, 2025, https://www.dfs.ny.gov/system/files/documents/2025/08/ea20250807-co-paxos-trust-co.pdf. (September 16, 2025) (the "Order").
[2] Order, ¶ 1.
[3] Order, ¶ 9.
[4] Order, ¶ 10.
[5] Id.
[6] Order, ¶ 11.
[7] Order, ¶¶ 12-13.
[8] Order, ¶ 14.
[9] Order, ¶ 15.
[10] Order, ¶ 16.
[11] Order, ¶ 17.
[12] Order, ¶¶ 19-20.
[13] Order, ¶ 21.
[14] Order, ¶ 23.
[15] Order, ¶ 24.
[16] Order, ¶¶ 25-40.
[17] Order, ¶ 27.
[18] Order, ¶¶ 28-29.
[19] Order, ¶ 34.
[20] Order, ¶ 36.
[21] Order, ¶ 39.
[22] Reuters, "Paxos joins spate of crypto companies applying for US trust bank licenses," https://finance.yahoo.com/news/exclusive-paxos-joins-spate-crypto-144209798.html (September 18, 2025).
[23] https://ag.ny.gov/press-release/2025/attorney-general-james-sues-company-behind-zelle-enabling-widespread-fraud (September 18, 2025). A redacted copy of the Complaint is attached to the press release.
[24] Complaint, ¶ 154.
[25] Complaint, ¶ 155.
[26] Complaint, ¶ 124.
[27] Complaint, ¶ 127.
[28] Complaint, Part II, ¶¶ 24-31.
[29] See Complaint, Demand for Relief, pp. 35-36.
[30] Complaint, ¶¶ 149-152.
[31] The Department's Industry Guidance is at https://www.dfs.ny.gov/industry-guidance/industry-letters/il20250917-blockchain (September 18, 2025).
[32] Id.
[33] Id.
[34] See id.
[35] https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202509291.
[36] Id.