In a significant regulatory action, the Financial Conduct Authority (“FCA”) fined CB Payments Ltd (“CB”), part of the Coinbase Group, £3,503,546 under Regulation 51(1)(1) of the Electronic Money Regulations 2011 (“EMRs”). This case highlights critical shortcomings in the firm’s financial crime framework and is a cautionary tale for firms in the electronic money and payment services sectors. Specifically, it underscores the importance of having robust systems and controls to manage financial crime risks, particularly in firms that use shared services or outsource critical functions within a group.
Background of the Case
CB operates as an authorised electronic money institution (“AEMI”), allowing customers to deposit fiat currency into e-money wallets to purchase or exchange crypto assets with other entities in the Coinbase Group. However, during a visit in February 2020, the FCA identified severe deficiencies in the firm’s anti-financial crime framework. Despite earlier audits and a feedback letter issued by the FCA on 30 April 2020, the firm had made little progress in addressing these issues, particularly in high-risk customer situations.
In October 2020, the FCA imposed a Voluntary Requirement (“VREQ”) on CB, restricting its business to prevent high-risk customers from accessing e-money and payment services. The firm was expected to complete its remediation efforts by the end of 2020, but between October 2020 and October 2023, CB Payments repeatedly breached the VREQ. These breaches involved onboarding 13,416 high-risk individuals, who were then allowed to make prohibited deposits and engage in cryptoasset transactions.
The FCA found that CB had breached Principle 2 of its Principles for Businesses, which requires firms to conduct their business with skill, care, and due diligence. Specifically, the firm failed to design, test, and implement effective systems to comply with the VREQ, which significantly increased the risk that the firm might be used to facilitate financial crime.
Key Failings and Lessons for Firms
The FCA’s findings provide a roadmap for firms in the electronic money and payment services sectors to improve their financial crime prevention systems. The following lessons can be drawn from the case:
- Complete Instructions and Clear Oversight
CB outsourced technical development to other Coinbase Group entities using a “shared service model.” However, engineers who were updating the firm’s automated onboarding processes were not given complete instructions. This led to flawed implementation of the VREQ flag, undermining the effectiveness of controls. Firms must ensure that any outsourced functions are closely supervised and those responsible for implementation have the information required to design adequate controls.
- Consider All Risk Scenarios
One critical failing was the inadequate consideration of how customers could access e-money services. When designing and implementing controls like the VREQ flag, it is essential to account for how high-risk customers might exploit the firm’s services. This includes customers transferring from other entities within the group or using unconventional business models. Firms must ensure that risk assessments consider all access points and mitigate potential risks across all channels.
- Rigorous Testing and Monitoring
Initial monitoring of compliance with the VREQ was insufficient. Repeated and material breaches went undetected for nearly two years, and the firm did not formally review its controls’ effectiveness until two years after the VREQ had entered into force. Robust testing, followed by continuous monitoring of systems and controls, is critical. Firms should periodically review their processes to identify and address any deficiencies. Independent audits and reviews can provide an additional layer of oversight, ensuring controls remain effective over time.
- Documented Framework for Compliance
CB did not have a formal, documented framework for VREQ compliance until 2023. A clear, well-documented compliance framework ensures regulatory requirements are met. This includes record-keeping processes that demonstrate steps taken to comply with obligations. Firms should establish and maintain comprehensive compliance records to provide a clear audit trail and evidence of their due diligence.
FCA’s Expectations: Innovating While Managing Risks
The FCA’s enforcement case against CB is part of a broader initiative to strengthen financial crime controls in the electronic money and payment services sectors. In its July 2020 “Dear CEO” letter, the FCA stressed the importance of considering the financial crime risks posed by innovative products, cross-border payments, and unusual business models. Firms must take proactive steps to assess and mitigate these risks, particularly when launching new products or entering new markets.
The FCA’s March 2023 letter further highlighted the importance of ongoing vigilance in managing financial crime risks. Firms should ensure that they have adequate systems and controls in place, particularly when dealing with high-risk customers, and that these controls are regularly reviewed and updated in light of new risks or regulatory changes.
Self-Assessment Questions: Evaluating Your Firm’s Financial Crime Prevention Controls
For firms operating in the electronic money and payment services sectors, the following self-assessment questions can help evaluate the effectiveness of their systems and controls to prevent financial crime:
- Governance and Oversight:
  - Do we have clear lines of accountability for financial crime prevention within our organisation?
  - Are our outsourced functions (including those within a group) closely supervised, with clear instructions provided?
- Risk Management:
  - Have we identified all possible ways high-risk customers might access our services?
  - Are we conducting robust risk assessments, particularly in high-risk situations, and documenting these assessments appropriately?
- Systems and Controls:
  - Are our controls regularly tested to ensure they function as intended, and do we monitor their ongoing effectiveness?
  - Have we implemented a formal, documented framework to ensure compliance with regulatory requirements, including any VREQs we are subject to?
- Monitoring and Auditing:
  - Are we conducting regular independent reviews of our financial crime prevention framework?
  - Do we have processes to escalate and promptly address identified control deficiencies?
- Compliance and Record-Keeping:
  - Are we keeping comprehensive records of all steps to comply with regulatory obligations?
  - Are our systems designed to capture and report on compliance with financial crime prevention controls effectively?
Addressing these questions can help firms identify weaknesses in their financial crime prevention systems and take corrective action to mitigate risks.
Conclusion
The FCA’s enforcement action against CB Payments Ltd is a stark reminder of the need for firms to adopt a proactive approach to financial crime prevention. By designing robust systems, conducting thorough testing, and monitoring controls on an ongoing basis, firms can reduce the risk of facilitating financial crime and ensure compliance with regulatory requirements. Firms must remain vigilant to comply with the FCA’s expectations, particularly when outsourcing essential functions.