In its first enforcement action involving a firm that facilitated crypto trading, the U.K.’s Financial Conduct Authority (FCA) sanctioned a Coinbase company for repeated violations of a pledge to guard against risky clients.

The regulator fined CB Payments Ltd. (CBPL), which the FCA said acts as a gateway for customers to trade cryptoassets within the Coinbase group, £3.5 million for breaching a requirement to which it agreed and that was supposed to prevent the firm from offering services to high-risk customers.

In 2020 after “significant engagement with the FCA” driven by the regulator’s concerns about the firm’s financial crime controls, the firm agreed to a voluntary requirement that barred it from taking on high-risk customers. 

The FCA found that, despite these restrictions, the company provided services to 13,416 high-risk customers, which resulted in approximately US$226 million in crypto trading.

“The breaches were the result of CBPL’s lack of due skill, care and diligence in the design, testing, implementation and monitoring of the controls put in place to ensure that the [voluntary requirement] was effective,” the FCA said. 

Because of weaknesses in its internal compliance monitoring, “repeated and material breaches [of the requirement] went undiscovered for almost two years,” it said.

The firm agreed to settle the allegations, qualifying for a 30% discount on the fine.

“The money laundering risks associated with crypto are obvious, and firms must take them seriously,” said Therese Chambers, joint executive director of enforcement and market oversight with the FCA, in a release.

“Firms like CBPL that enable crypto trading need to have strong financial crime controls,” she said. “CBPL’s controls had significant weaknesses and the FCA told it so, which is why the requirements were needed. CBPL, however, repeatedly breached those requirements.”

In a statement following the settlement, Coinbase said, “We take the FCA’s findings and our broader regulatory compliance very seriously, and CBPL continues to proactively enhance its controls to ensure compliance with its regulatory obligations.”

The firm reported it “unintentionally onboarded” certain high-risk customers between Oct. 30, 2020, and Oct. 1, 2023.

Coinbase said that, since the FCA raised its concerns about the firm’s anti-crime controls, “we have dedicated significant time and resources to improving our U.K. financial crime framework, and these efforts have been acknowledged by the FCA.”

Coinbase remains committed to high standards of regulatory compliance, and this means partnering with regulators when it comes to compliance and other areas,” it said. “We are always willing to acknowledge when we fall short, and to make improvements — which is what we have done here.”