FIAU slaps cryptocurrency exchange with €1m fine

A cryptocurrency exchange has been handed down an administrative penalty of more than €1 million by the Financial Intelligence Analysis Unit for risk assessment failures.

OKCoin Europe Ltd was fined €1,054,269 following an onsite compliance examination carried out in April 2023. However, the FIAU also acknowledged that the company has since remedied the deficiencies identified in the compliance review.

The decision was posted on the FIAU website today and the fine is subject to appeal.

OKCoin Europe is licensed as a virtual asset service provider (VASP). VASPs facilitate activities involving virtual assets such as cryptocurrency transactions.

The FIAU noted that at the time of the compliance examination in 2023, the company had compiled a business risk assessment (BRA) in an attempt to identify the threats and vulnerabilities it is exposed to. “Notwithstanding, deficiencies were noted within the company’s BRA methodology, making it unable to properly assess the risks of money laundering and financing of terrorism it was exposed to and to adequately apply the required mitigating measures to manage them,” the FIAU said.

Additionally, despite the company’s strategy was to service only European-based customers, the FIAU said it was essential to also consider the potential exposure to money laundering emanating from other jurisdictions.

The FIAU noted that the company failed to carry out risk assessments for around half of the customer files reviewed during the compliance examination.

Additionally, OKCoin Europe failed to “adequately scrutinise” executed transactions for around 80% of customer files reviewed. These transactions collectively amounted to more than $20 million.

In one case flagged by the FIAU, a customer onboarded in June 2019 was indicated as having a low-risk rating at the time of the compliance examination.

The only information obtained at onboarding was that the client worked within the information technology industry, had investments as their source of funds, and was estimated to deposit €100,000 a month.

The FIAU found that during the years 2019 and 2020, the customer engaged in limited activity, with total deposits not exceeding $50,000. However, in 2021, over a period of less than four months, the client made cryptocurrency deposits amounting to approximately $1.8 million.

“In this case, not only was the declared anticipated activity of the client substantial, warranting further questioning, but there were months where the deposits made significantly surpassed the €100,000 threshold,” the FIAU said.

These highvalue deposits were not being scrutinised by the company, save for one instance where it reached out to the customer to query the purpose of the account and the funding sources for the deposits. The client provided short, generic replies that were not corroborated.

It was only in October 2022, more than a year after the customer was last active, an ad-hoc risk review was conducted, and documentation requested. However, the FIAU said this request went unanswered, resulting in the account being frozen.

Nonetheless, the FIAU noted that the company adopted a proactive approach to remedy the shortcomings flagged by the compliance examination.

In January last year, the Malta Financial Services Authority agreed to settle pending matters with the OKCoin Europe after the company demonstrated “goodwill”.

A settlement agreement was reached between the company and the MFSA, by which an administrative penalty amounting €304,000 was levied.

The company and the MFSA also agreed on a number of measures, including the appointment of an independent third-party service provider, to review the adequacy of the company’s governance arrangements.