UK crypto firm fine highlights regulatory agreement breach perils, say experts

Jonathan Cavill and Sébastien Ferrière of Pinsent Masons were commenting after the FCA fined CB Payments Limited (CBPL) more than £3.5 million. It is the first time the FCA has used powers under the Electronic Money Regulations (EMRs) to issue a fine – and the first time it has taken formal enforcement action against a cryptoasset business.

CBPL is part of Coinbase Group, one of the largest cryptoasset exchange platforms in the world. CBPL does not itself undertake cryptoasset transactions for customers but rather enables customers to deposit fiat currency into e-money wallets which can then be used to purchase and exchange cryptoassets via other Coinbase entities.

The activities CBPL perform mean it is subject to regulation by the FCA as an electronic money (e-money) institution, under the EMRs. CBPL is also subject to anti-money laundering obligations under the UK’s Money Laundering Regulations 2017 (MLR 2017).

In October 2020, CBPL agreed to what is known as a ‘voluntary requirement’ or ‘VREQ’ with the FCA. Voluntary requirements are regulatory obligations that firms agree to abide by with the regulator. The voluntary requirement was agreed after what the FCA described as “significant engagement” between it and CBPL “relating to concerns about the effectiveness of CBPL’s financial crime control framework”. The voluntary requirement prevented CBPL from taking on new high-risk customers until such time as CBPL satisfactorily addressed issues with its framework.

According to the FCA, despite the voluntary requirement being in place, CBPL “onboarded and/or provided e-money services to 13,416 high-risk customers” between 31 October 2020 and 1 October 2023. It said approximately 31% of those customers deposited around $24.9 million – and that those funds were subsequently used to execute cryptoasset transactions worth approximately $226m in total.

The FCA considered that CBPL breached a regulatory principle that required it to conduct its business with due skill, care and diligence (Principle 2) as well as its voluntary requirement. It initially proposed to fine CBPL £5m under the EMRs – a level of fine it arrived at after identifying the need to deter other firms from engaging in similar action, as is provided for under the FCA’s fines policy. However, the final fine was set at just over £3.5m after the FCA applied a 30% discount to recognise CBPL’s settlement of the case at an early stage.

“The Authority considers that CBPL’s failings in relation to the controls that it put in place to comply with the [voluntary requirement] were serious and persistent,” the FCA said in its final notice. “The failings significantly increased the risk that financial crime might be facilitated by [CBPL] at a time when the Authority had informed CBPL that its systems and controls were not fully effective and required remediation.”

Cavill and Ferrière said the enforcement action taken by the FCA in this case represents the latest example of the regulator’s ongoing activity to tackle financial crime risk within financial markets, something which they highlighted that the FCA has identified as a major priority within its strategy for 2022 to 2025, and its business plan for 2024/25. They said the fine imposed in this case also illustrates that the FCA can and will take enforcement action where a firm breaches any regulatory requirements that have been voluntarily agreed with it – and that the case further highlights the increasing speed with which the FCA is acting to enforce against non-compliance, with the fine in this case being imposed within nine months of the breach period ending.

Ferrière said: “The FCA’s action demonstrates that financial crime systems and controls remain firmly on the FCA’s agenda. It also demonstrates the perils of breaching requirements agreed with the FCA – and can be read across to firms on which requirements have been imposed by the FCA. Firms should take note of the details in the final notice, which provides practical examples of the types of risks the FCA expects firms to identify and address when discharging their financial crime obligations, and when discharging regulatory requirements.”

Cavill said: “The turnaround time from regulatory breach to enforcement action in this case appears to stand out against recent FCA enforcement trends. This is a case which may have been prioritised within the FCA, as it straddles a number of key priorities: financial crime, cryptoasset markets, and the enforcement of requirements imposed through its increasing interventions activity. However, it is too early to tell if this is a sign that the new FCA enforcement leadership’s efforts to streamline its investigative caseload is working.”

Cavill and Ferrière said not all cryptoasset businesses will be regulated as e-money institutions at present, but it said that many such businesses will be in-scope of requirements to be registered with the FCA for the purposes of the MLR 2017 and will be impacted by themes in the enforcement notice. They said that with the anticipated future expansion of the FCA regulatory perimeter to cover cryptoasset businesses, it is likely that further enforcement action will follow in the market.