Continuing the trend of enforcement that the Financial Conduct Authority (FCA) has embarked on, the FCA has taken its first enforcement action under the Electronic Money Regulations 2011 (EMR), publishing its final notice issued to CB Payments Limited (CBPL), an authorised electronic money institution with permission to issue electronic money and to provide payment services.

CBPL is part of the Coinbase Group, which operates a cryptoasset platform that is accessible globally. CBPL does not undertake cryptoasset transactions for customers, however it acts as a gateway, enabling customers to deposit fiat currency into e-money wallets, which can then be used to purchase and exchange cryptoassets through other entities within the Coinbase Group. 

In October 2020, following significant engagement with the FCA relating to concerns about the effectiveness of CBPL’s financial crime control framework, CBPL entered into a voluntary requirement (VREQ) under regulation 8 of the EMRs. The VREQ prevented CBPL from taking on new high-risk customers or providing them with e-money services while it addressed these concerns.

Between October 2020 and October 2023, CBPL onboarded approximately 3.9 million customers. The FCA found that CBPL repeatedly breached the VREQ during this period by onboarding and/or providing e-money services to 13,416 high risk customers and permitting approximately 31 per cent. of these customers to make 12,912 prohibited deposits with a total value of approximately US$24.9 million. These funds were then used to make withdrawals and then execute multiple cryptoasset transactions via other Coinbase Group entities using the same funds, totalling approximately US$226 million.

The FCA found that the breaches of the VREQ by CBPL were caused by a failure on the part of CBPL (in breach of Principle 2 of the FCA’s Principles for Business) to exercise due skill, care and diligence in relation to the design, testing, implementation and monitoring of the controls put in place to ensure compliance with the VREQ, including an automated “flag” placed on relevant customers’ accounts (the VREQ flag) (CBPL having retained regulatory responsibility notwithstanding it had outsourced certain of its important operational functions to other entities in the Coinbase Group). The FCA highlighted numerous failings on CBPL’s part including:

  • failure to maintain adequate records regarding the steps taken to comply with the VREQ;
  • failure to ensure that engineers tasked with updating the automated onboarding process had complete instructions, meaning that when originally implemented the controls failed to give full effect to the VREQ;
  • inadequate testing of the VREQ flag;
  • failure to adequately consider all of the products and systems through which customers could access e-money services when designing and implementing the VREQ flag;
  • failure to adequately consider all of the various ways in which customers might be onboarded when designing and implementing the VREQ flag, in particular the position of customers migrating from other Coinbase Group entities and, crucially, whether an assessment was conducted at that time to ensure that any high-risk customers seeking to onboard were subject to the VREQ flag;
  • the inadequacy of the initial monitoring of compliance with the VREQ, meaning that repeated and material breaches of the VREQ went undiscovered for almost 2 years; and
  • failure to conduct a formal review of the overall effectiveness of the controls intended to ensure compliance with the VREQ until 2 years after it came into force, and failure to issue a formal documented framework for ensuring compliance with the VREQ until April 2023.

Because of these inadequacies in the initial monitoring of compliance with the VREQ, the FCA says repeated and material breaches went undiscovered for almost two years.

The FCA commented that: 

“The money laundering risks associated with crypto are obvious and firms must take them seriously. Firms like CBPL that enable crypto trading need to have strong financial crime controls. CBPL's controls had significant weaknesses and the FCA told it so, which is why the requirements were needed. CPBL, however, repeatedly breached those requirements.

This increased the risk that criminals could use CBPL to launder the proceeds of crime. We will not tolerate such laxity, which jeopardises the integrity of our markets.”

CBPL agreed to resolve the matter, so it qualified for a 30 per cent. discount on the fine, resulting in a fine of £3,503,546.