
FCA issues Final Notice against CB Payments Ltd for breach of the Electronic Money Regulations 2011 (the “EMRs”)

The FCA has fined CB Payments Ltd (“CBPL”) over £3.5 million pursuant to regulation 51(1)(a) of the EMRs. This is the first time that the FCA has taken enforcement action using these powers.

CBPL, part of the Coinbase Group, is an Authorised Electronic Money Institution (“AEMI”), with permission to issue electronic money (“e-money”) and to provide payment services. CBPL did not undertake any cryptoasset transactions for customers itself, but enabled customers to deposit fiat currency into e-money wallets, which could then be used to purchase and exchange cryptoassets via other entities within the Coinbase Group. In effect, therefore, CBPL acted as a gateway for UK customers to exchange fiat currency for cryptoassets and vice versa.

The FCA say that whilst "the vast majority of cryptoasset transfers are conducted for valid purposes, they can be an attractive technological enabler for criminals seeking to launder funds." The FCA say this is due to a number of factors including what the FCA refer to as the "pseudo-anonymous" nature of cryptoassets and services, their accessibility online, and constant innovation offering new opportunities for criminals to exploit novel applications.

During a visit to CBPL in February 2020, the FCA identified significant weaknesses and gaps in its financial crime control framework. The FCA considered these weaknesses meant that CBPL’s business should be restricted so as to prevent high-risk customers accessing its e-money and payment services while CBPL remediated its financial crime controls. The FCA engaged with CBPL to agree a definition of “high-risk” customers which would enable CBPL’s automated onboarding systems to prevent such customers being onboarded.

The FCA had also decided that it would be appropriate for CBPL to appoint a s.166 skilled person to conduct a review of CBPL’s financial crime controls, following the remediation work, at the start of 2021.

On 30 October 2020, on CBPL’s voluntary application, the FCA imposed requirements which prevented such customers from being onboarded or provided with payment or e-money services – a Voluntary Requirement (the “VREQ”).

However, it transpired that between October 2020 and 1 October 2023, CBPL had repeatedly breached the requirements imposed by the VREQ.

In particular, CBPL:

a) onboarded and/or provided payment or e-money services to 13,416 "high-risk" customers as defined by the VREQ, with some of those customers being provided with payment or e-money services on multiple occasions;

b) permitted approximately 31% of those customers to make nearly 13,000 prohibited deposits with a total value of approximately US$24.9 million; these monies were then used to make withdrawals and, thereafter, execute multiple cryptoasset transactions via other Coinbase Group entities using the same funds, totalling approximately US$226 million.

CBPL filed Suspicious Activity Reports (“SARs”) in respect of 62 customers. A number of the transactions subject to those SARs were of significant value, with several being in excess of US$50,000, and the total value of the transactions involved being approximately US$1.75 million.

The FCA found that CBPL's breaches of the VREQ were caused by a failure, in breach of Principle 2 of the FCA’s Principles for Businesses (the “Principles”), to exercise due skill, care and diligence in relation to the design, testing, implementation and monitoring of its controls put in place to ensure compliance with the VREQ, including an automated "flag" to be placed on relevant customers’ accounts (the “VREQ Flag”).

In particular:

a) CBPL failed to maintain adequate records regarding the steps it took to ensure compliance with the VREQ;

b) CBPL failed to ensure that the engineers tasked with updating the automated onboarding process were provided with complete instructions, including the most recent version of the VREQ, meaning that, when originally implemented, the controls failed to give full effect to the VREQ;

c) CBPL's pre-implementation testing of the VREQ Flag was inadequate;

d) CBPL failed to adequately consider all of the various products and systems through which customers could access e-money services when designing and implementing the VREQ Flag;

e) CBPL failed to ensure that when certain new systems enabling customers to execute transactions were introduced, effective controls were introduced to ensure that the new systems did not undermine CBPL’s compliance with the terms of the VREQ;

f) CBPL failed to adequately consider all of the various ways in which customers might be onboarded when designing and implementing the VREQ Flag, in particular the position of customers migrating from other Coinbase Group entities and, crucially, whether an assessment was conducted at that time to ensure that any high-risk customers seeking to be onboarded were subject to the VREQ Flag;

g) The initial monitoring of compliance with the VREQ, conducted by a Product, Engineering and Design team within the Coinbase Group, was inadequate, meaning that repeated and material breaches of the VREQ went undiscovered for almost two years; and

h) Notwithstanding CBPL identifying breaches of the VREQ shortly after it came into effect (and notifying the FCA of this in December 2020), it had then failed to conduct a formal review of the overall effectiveness of the controls intended to ensure compliance with the VREQ until two years after it came into force. CBPL also did not issue a formal documented framework for ensuring compliance with the VREQ until April 2023.

The FCA considered CBPL’s failings were serious and persistent, significantly increasing the risk that financial crime might be facilitated by the firm. This was at a time when the FCA had already informed CBPL that its systems and controls were not fully effective and that they required remediation.

The FCA highlighted that in July 2020, it had published a letter sent to CEOs of payment and e-money firms which highlighted weaknesses identified in the sector, including ineffective systems and controls for preventing financial crime. Firms were required to put in place robust frameworks and governance and consider the financial crime risk posed by innovative products, unusual or agency-type business models and cross-border payments. A further letter was sent to payment and e-money firms in March 2023 reiterating the importance of robust systems and controls as there had been increasing evidence of financial crime in the sector over the previous two years. Weaknesses in some firms’ systems and controls were specifically identified as making these types of firms a target for bad actors.

The FCA also pointed out that from at least 2018, they had published materials highlighting the financial crime risks specifically associated with cryptoassets, and that the UK’s 2020 National Risk Assessment noted that it would likely be increasingly easy for criminal actors to enter the cryptoasset market by converting fiat currency. The National Strategic Assessment for Serious and Organised Crime 2023 warned that cryptoassets are an important facilitator for criminal transactions including paying for goods and services on the dark net, making ransom demands and a wide range of frauds.

Our observations

This case is noteworthy for being the first use by the FCA of its enforcement powers against an AEMI under the EMRs. It highlights the financial crime risks, and associated enforcement exposures in the event of failure to manage those risks, that are faced not only by cryptoasset exchange or custody wallet services providers ("cryptoasset firms")1, but also by other institutions that merely act as a conduit through which fiat currency passes to cryptoasset firms, in this case an e-money institution.

If failings are identified at the cryptoasset firm level, presumably it will be open to the FCA to take steps under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as the FCA's Principles will not apply.

 

 


1 Such firms have, since January 2020, been subject to an Anti-Money Laundering and Counter Terrorist Finance (AML/CTF) registration under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
