FCA fines crypto trading firm for weak financial crime controls

Action against CBPL is the first enforcement against a firm enabling crypto asset trading.

CBPL is authorized by the FCA to issue e-money and provide payment services. It is part of the Coinbase Group and acts as a deposit gateway for customers enabling them to trade cryptoassets via other Coinbase Group entities.

During a 2020 supervisory visit the FCA identified significant weaknesses in the firm’s financial crime controls. The firm agreed to the imposition of mandatory regulatory requirements preventing the onboarding and provision of services to customers designated as high-risk or those meeting specific defined criteria.

The firm repeatedly breached these regulatory requirements between October 2020 and October 2023 by:

  • onboarding / providing services to 13,416 high-risk customers;
  • permitting approximately 31% of these customers to make 12,912 prohibited deposits totaling approximately $24.9m.

The implementation of controls that would permit the firm to comply with the requirements was inadequate. A key shortcoming in this context was the build and implementation of the flag that would help identify customers as high-risk.

High-risk customers

Initially, a draft version of the requirements was used to configure the flag identifying customers potentially subject to them, which meant that the flag “did not take account of certain of the criteria which should have led to the assessment of a customer as high-risk.”

Pre-implementation testing was inadequate and mostly undocumented. And, to compound the issues, politically exposed persons screening for customers living outside of the UK was not implemented until two weeks after the mandatory requirements had come into force.

The firm itself uncovered these issues reasonably quickly and reported them to the regulator. But although the problems with the flag were addressed at that point, the firm did not use this early warning as an opportunity to scrutinize more closely the flag’s functioning specifically, or the firm’s ability to comply with the regulatory requirements more broadly.

Further problems with the flag were identified in 2022 as a result of the flag not working for customers:

  • using a new product;
  • using a product whose functionality had been extended (fiat services being made available);
  • migrated from another entity to the firm.

The firm took some positive steps following these further breaches, including implementing a compliance dashboard and putting a formal framework in place to ensure compliance with the mandatory requirements.

Unfortunately the problems with the flag continued into 2023 because of:

  • delays in assessing whether a flag should apply to some customers;
  • the roll-out of a feature enabling payments to be made by way of a third-party payments platform which circumvented the controls;
  • credits and fee rebates that were issued to high-risk customers – a scenario not considered during the design, implementation or testing phase.

The FCA acknowledged the fact that the firm did notify it of the various breaches and also recognized its attempts to enhance its financial crime framework.

However, the regulator was critical of the repeated nature of the breaches, extending over a period of three years. Therese Chambers, joint executive Director of Enforcement and Market Oversight at the FCA, said that the repeated breaches “increased the risk that criminals could use CBPL to launder the proceeds of crime” and that the FCA would “not tolerate such laxity, which jeopardises the integrity of our markets.”

GRIP Comment

The problems here stem from the firm’s failure to adequately consider all the various products and systems that enabled customers to access e-money services when designing the system intended to ensure compliance with the mandatory requirements.

This, coupled with a lack of adequate testing, meant that the effectiveness of the flag was compromised at the very start, and it was ultimately the primary cause of many, if not all, of the subsequent compliance issues.

It is worth noting that the FCA action here was taken under the Electronic Money Regulations 2011. This is the first time the FCA has taken enforcement action using these powers.