First FCA crypto-related enforcement action – four key reminders arising from the FCA decision

August 5, 2024

The Financial Conduct Authority (FCA) has fined CB Payments Ltd (CBPL) for breach of the Electronic Money Regulations 2011 (the EMRs). CBPL was fined in excess of £3.5 million for repeatedly providing payment services to high-risk customers in breach of a voluntary requirement it agreed with the FCA as a result of significant weaknesses and gaps identified in the firm's financial crime framework. This was the first enforcement action taken by the FCA exercising its powers under the Electronic Money Regulations 2011.

As well as being the first crypto-related enforcement action, the case serves as another reminder that ensuring effective financial crime systems and controls within financial services firms remains a key objective for the FCA and is indicative that it intends to utilise all enforcement powers in pursuit of that objective across the range of regulated and authorised firms.

Background

CBPL, a UK-based subsidiary of the Coinbase Group (a cryptocurrency exchange), operates as a globally accessible crypto trading platform and has permission to issue electronic money as an Authorised Electronic Money Institution. Whilst not itself undertaking cryptoasset transactions, CBPL acts as a gateway for its customers to purchase and trade cryptoassets via other entities in the Coinbase Group.

During a supervisory visit in early 2020, the FCA identified weaknesses in CBPL's financial crime control framework. Following significant engagement with the FCA, CBPL entered into a voluntary agreement (VREQ) which imposed mandatory requirements preventing it from onboarding high-risk customers whilst it undertook work to improve its financial crime framework.¹ A definition of "high-risk" was agreed between both parties to enable CBPL's automated onboarding systems to prevent such customers from being onboarded.

Despite CBPL confirming to the FCA that the terms of the VREQ had been fully implemented, between 31 October 2020 and 1 October 2023 CBPL onboarded and/or provided payment or e-money services to 13,416 high-risk customers. CBPL then allowed approximately 31% of those customers to make prohibited deposits worth a total value of US$24.9 million. SARs were eventually filed in respect of 62 of those customers. The FCA found that each high-risk customer onboarded, and each deposit or transaction performed by them, constituted a separate breach of the terms of the VREQ.

The FCA found that this conduct amounted to a breach of Principle 2 of its Principles for Businesses (the Principles), in that CBPL failed to exercise due skill, care and diligence in relation to the design, testing implementation and monitoring of its controls to comply with the terms of the VREQ.

In particular, the FCA found that:

• CBPL failed to maintain adequate records detailing the steps it took to ensure compliance with the VREQ;
• CBPL's pre-implementation testing was inadequate and it failed to ensure that the engineers implementing the changes were provided with full instructions;
• when updating its processes, CBPL failed to adequately consider the various products and systems through which customers could access e-money services or the various ways in which customers might be onboarded (such as customers migrating from another Coinbase Group entity); and
• the post-implementation compliance monitoring of the VREQ was inadequate and CBPL failed to undertake a formal review of its overall effectiveness for more than two years after it had come into force.

It is no secret that financial crime compliance is a big focus for the FCA and this decision further demonstrates that, with the FCA stressing that the money laundering risks associated with crypto were "obvious" and should be taken "seriously". The seriousness with which the FCA viewed CBPL's continuing failings and, in particular, its remediation shortcomings which meant that there was a "significant increase in the risk of CBPL facilitating financial crime", can clearly be seen in the way it has calculated its penalty - increasing its fine of CBPL by £5 million (subsequently reduced as a result of the settlement discount) to ensure credible deterrence for both CBPL and other firms. Although this action was taken under the Electronic Money Regulations, firms both inside and outside the crypto space should not be complacent - in our view, this is a clear message to all firms about the importance, not only of creating and managing robust financial crime frameworks, but also particularly about ensuring that appropriate skill and care is taken when engaging with the FCA in respect of remediation work.

What should firms be thinking about?

• Understand and assess your AML risk: Conducting and documenting a firm-wide risk assessment that is approved by the business and regularly reviewed to ensure it remains in line with the business and how it evolves is key. If full thought was given to the customer journey in a holistic way, it may have made a difference in this case.
• Design your AML framework to meet your risk: Firms should use their AML risk assessment to ensure that they have designed and implemented procedures which meet their risk, including putting in place an effective governance and oversight model to ensure that the risk is being managed effectively and identifying higher-risk business areas and customers so that the firm can make an informed decision based on risk appetite.
• Importance of robust testing: While the FCA recognised the improvements that CBPL made to its financial crime controls and the firm's commitment in that regard, the matters giving rise to the FCA's decision highlight the importance of pre- and post- implementation testing. While the failings that are the subject of the decision relate to the implementation of controls required to adhere to the VREQ, regular and comprehensive testing of the controls a firm puts in place to combat financial crime is important to ensure effectiveness of the controls on implementation and thereafter continues to be adequate.
• Consider AML as part of a holistic approach to financial crime compliance: A common error made by firms is managing their financial crime risk in silos, with AML, sanctions, ABC, fraud and tax evasion all subject to slightly different controls and oversight. While not a focus of the decision, firms can get ahead of this by ensuring that their approach to AML feeds into and helps inform other financial crime risks, to get a clearer picture of where key financial crime risks to the business are, and helping to identify and managing those risks early.

1. In addition, the FCA decided that it would be appropriate to appoint a skilled person review under s166 of the Financial Services and Markets Act 2012 after CBPL had undertaken the necessary remediation work to its financial crime control framework.↩