08/05/2024 | News release | Distributed by Public on 08/05/2024 05:45
The Financial Conduct Authority (FCA) has fined CB Payments Ltd (CBPL) for breach of the Electronic Money Regulations 2011 (the EMRs). CBPL was fined in excess of £3.5 million for repeatedly providing payment services to high-risk customers in breach of a voluntary requirement it agreed with the FCA as a result of significant weaknesses and gaps identified in the firm's financial crime framework. This was the first enforcement action taken by the FCA exercising its powers under the Electronic Money Regulations 2011.
As well as being the first crypto-related enforcement action, the case serves as another reminder that ensuring effective financial crime systems and controls within financial services firms remains a key objective for the FCA and is indicative that it intends to utilise all enforcement powers in pursuit of that objective across the range of regulated and authorised firms.
CBPL, a UK-based subsidiary of the Coinbase Group (a cryptocurrency exchange), operates as a globally accessible crypto trading platform and has permission to issue electronic money as an Authorised Electronic Money Institution. Whilst not itself undertaking cryptoasset transactions, CBPL acts as a gateway for its customers to purchase and trade cryptoassets via other entities in the Coinbase Group.
During a supervisory visit in early 2020, the FCA identified weaknesses in CBPL's financial crime control framework. Following significant engagement with the FCA, CBPL entered into a voluntary agreement (VREQ) which imposed mandatory requirements preventing it from onboarding high-risk customers whilst it undertook work to improve its financial crime framework.1 A definition of "high-risk" was agreed between both parties to enable CBPL's automated onboarding systems to prevent such customers from being onboarded.
Despite CBPL confirming to the FCA that the terms of the VREQ had been fully implemented, between 31 October 2020 and 1 October 2023 CBPL onboarded and/or provided payment or e-money services to 13,416 high-risk customers. CBPL then allowed approximately 31% of those customers to make prohibited deposits worth a total value of US$24.9 million. SARs were eventually filed in respect of 62 of those customers. The FCA found that each high-risk customer onboarded, and each deposit or transaction performed by them, constituted a separate breach of the terms of the VREQ.
The FCA found that this conduct amounted to a breach of Principle 2 of its Principles for Businesses (the Principles), in that CBPL failed to exercise due skill, care and diligence in relation to the design, testing implementation and monitoring of its controls to comply with the terms of the VREQ.
In particular, the FCA found that:
It is no secret that financial crime compliance is a big focus for the FCA and this decision further demonstrates that, with the FCA stressing that the money laundering risks associated with crypto were "obvious" and should be taken "seriously". The seriousness with which the FCA viewed CBPL's continuing failings and, in particular, its remediation shortcomings which meant that there was a "significant increase in the risk of CBPL facilitating financial crime", can clearly be seen in the way it has calculated its penalty - increasing its fine of CBPL by £5 million (subsequently reduced as a result of the settlement discount) to ensure credible deterrence for both CBPL and other firms. Although this action was taken under the Electronic Money Regulations, firms both inside and outside the crypto space should not be complacent - in our view, this is a clear message to all firms about the importance, not only of creating and managing robust financial crime frameworks, but also particularly about ensuring that appropriate skill and care is taken when engaging with the FCA in respect of remediation work.