On 23 July 2024 the Financial Conduct Authority (FCA) issued a Final Notice against CB Payments Limited (CBPL), fining it c.£3.5m for a breach of a voluntary requirement imposed under the Electronic Money Regulations 2011 (the EMRs) and for breaching Principle 2 of the FCA’s Principles for Businesses (PRIN). This case is notable because it is the first time the FCA has used its enforcement powers under this legislation.
Background
CBPL, an entity in the Coinbase group, is an authorised electronic money institution (EMI), which provides payment services and issues electronic money (or “e-money”) by allowing customers to deposit fiat currency into e-money wallets, which can be used to trade via other entities within the Coinbase group.
During a financial crime controls assessment visit to CBPL in 2020, the FCA identified a number of significant weaknesses and gaps in CBPL’s financial crime framework. One of the tools the FCA used to mitigate risks at the CBPL level was to impose a voluntary requirement (the VREQ), the terms of which were agreed between the FCA and CBPL and then applied for by CBPL. Under the VREQ, CBPL was required not to onboard, provide payment services to or issue e-money to:
- new institutional or corporate customers identified as “high-risk” or “ineligible” in accordance with CBPL’s institutional customer risk rating methodology; and
- new retail or personal customers that met any one of a number of specific criteria.
CBPL voluntarily ceased to onboard new high-risk institutional clients, but because its onboarding processes for retail clients were automated, bespoke system changes were required. CBPL and the FCA engaged for several months on the text of the draft VREQ in order to agree the criteria applicable to retail clients, eventually settling on an automated flag to be placed on relevant customers’ accounts (the VREQ Flag).
However, the FCA found that since the start date of the VREQ CBPL had:
- onboarded and/or provided e-money services to 13,416 separate “high-risk” customers;
- permitted approximately 31% of these customers to make nearly 13,000 prohibited deposits worth nearly US$25m and to complete withdrawals of approximately US$226m, including executing multiple cryptoasset transactions via other Coinbase group entities using the same funds; and
- filed suspicious activity reports (SARs) for 62 of these customers, to alert law enforcement to potential money laundering, scams and fraud, and the sale of illicit substances and stolen credit card information on the darknet. Some of the transactions were of significant value, with several in excess of US$50,000 and a total value of US$1.75m.
The FCA found CBPL had failed to conduct its business with due skill, care and diligence (as required by PRIN 2) in the “design, testing, implementation and monitoring of the controls put in place” to ensure the VREQ was effective, including failing to:
- adequately test the VREQ Flag functionality prior to implementation;
- maintain adequate records regarding the steps it took to comply with the VREQ;
- ensure that the engineers tasked with updating the automated onboarding process were provided with complete instructions (including the most recent version of the VREQ);
- consider all of the products and systems through which customers could access e-money services when designing the VREQ Flag; and
- monitor compliance or review the effectiveness of its controls, meaning the breaches went undiscovered for almost two years.
As such, the FCA used its powers under regulation 51(1)(a) of the EMRs to impose a financial penalty of £3,503,546. Regulation 51(1)(a) grants the FCA the power to impose a penalty on any electronic money issuer (which includes an EMI but can also include a bank when it is issuing e-money) which has contravened any requirement imposed on it by or under the EMRs.
The FCA found that CBPL’s breaches of the VREQ were serious and persistent and significantly increased the risk that financial crime might be facilitated by the firm.
Penalty imposed
Regulation 51(1) of the EMRs allows the FCA to impose a penalty “of such amount as it considers appropriate”. Here, the total fine issued was just over £5m, but a 30% settlement discount was applied due to CBPL’s co-operation with the FCA.
The composition of this fine is interesting for a number of reasons:
- only c.£3,000 was included for disgorgement (the financial benefit derived from the breach);
- it included 10% of CBPL’s relevant revenue to account for the seriousness of the breach – which amounted to only £314; and
- the vast majority of the fine was due to an adjustment for deterrence.
This shows the FCA’s willingness to increase its fines in order to meet its objective of credible deterrence (even where limited financial benefit has been obtained), and indicates the potentially significant size of future fines in cases where the relevant revenue is higher or the firm derived a larger financial benefit.
Trends / key takeaways
This decision further emphasises the FCA’s focus on firms having effective financial crime systems and controls in place. The FCA takes breaches of requirements relating to financial crime risks particularly seriously, because of the significant risk that financial crime will be facilitated, occasioned or otherwise occur. In addition, it is important for firms to monitor the effectiveness of the requirements and to ensure that any breaches of requirements are identified and notified in a timely manner.
The decision also acts as a timely reminder that firms must keep appropriate records of their testing and ensure that any third party to whom functions are outsourced receives appropriate information.