Ireland’s central bank has fined crypto exchange Coinbase €21 million for breaching anti-money laundering obligations, in a failure that saw it overlook 30 million transactions.
Shutterstock.com/miss.cabul
The Central Bank of Ireland (CBI) announced the fine today, which it revealed was for transaction monitoring deficiencies at the crypto exchange between 2021 and 2025.
It had its roots in Coinbase’s European operation outsourcing “significant” aspects of its transaction monitoring to its US-based sister entity Coinbase Inc, but remaining responsible for Irish oversight under the Criminal Justice Act (CJA). Between April 2021 and April 2022, five of the 21 high-risk scenarios forming part of its monitoring system did not operate fully as intended due to data configuration issues.
As a result, the exchange failed to fully and properly monitor more than 30 million transactions worth approximately €176 billion, which made up some 31% of all Coinbase Europe transactions in the time period, the CBI said.
The exchange then rescreened the lost transactions in August 2022 and found over 180,000 needing further review, but failed to investigate these in a timely manner, only beginning the following year and only completing them by March this year.
The CBI noted the completion “took almost three years, undermining the efficacy of the [suspicious transaction reports] ultimately submitted as a result”.
After fully assessing the lost transactions, Coinbase Europe offboarded some of the related customers due to their engagement in suspicious transactions, with the CBI pointing out that they remained customers of Coinbase Europe for “longer than they should have” with access to its services.
Despite Coinbase Europe being responsible for ensuring proper transaction monitoring under the CJA, the central bank said the company was unaware of the above issues for a longer time because its systems and controls were, “at the time, ineffective to oversee the work of Coinbase Inc”.
The European unit did not follow up on the non-monitoring issues when the US unit flagged them in February 2023, the order said, and only did so months later. Coinbase obtained its Irish crypto licence in December 2022 and did not know about the failings at that point, only flagging to the regulator it had a backlog in transaction monitoring due to an unexpected boom in business. Coinbase provided the CBI with detailed plans on how it would deal with the backlog, including timelines for resolving it, it said.
However, Coinbase Europe still failed to notify the central bank in a timely manner after discovering the shortcomings, only flagging the issue in November 2023, leading the CBI to treat the delay as an “aggravating feature” of the case.
Coinbase began its operations in Ireland in 2023 but opted to change tack this year; it secured a Markets in Crypto-Assets (MiCA) licence from Luxembourg’s financial regulator in June.
Coinbase has said this was due to Luxembourg being a “forward-thinking financial hub” and that the decision was made “less-so due to Ireland, but rather for the reasons that Luxembourg presented a highly compelling option”.
The CBI acknowledged the move in the settlement notice. “Coinbase Europe’s registration as a VASP [virtual asset service provider] with the Central Bank will therefore lapse at the end of 2025 and Coinbase Europe will cease conducting business in Ireland,” it said.
Coinbase is under scrutiny elsewhere for its control functions. In the US, the Independent Community Bankers of America urged the country's banking regulator on Monday to reject Coinbase's national trust bank charter application, saying the exchange has "demonstrably flawed" risk and control functions and operates under governance that does not allow independent oversight.