- Central Bank of Ireland issues a €21.4 million penalty to Coinbase Europe for AML/CTF monitoring failures between 2021 and 2025.
- Misconfigured systems left 30M+ transactions unmonitored over 12 months, worth over €176 billion (around 31% of activity).
- Retrospective checks led to 2,708 STRs covering suspected money laundering, fraud, ransomware, drug trafficking and child exploitation.
- Coinbase admitted breaches, citing three coding errors that affected five of 21 TMS scenarios; a 30% settlement discount was applied.
Coinbase Europe has been hit with a €21.4 million penalty by the Central Bank of Ireland after investigators identified significant AML/CTF monitoring failures stretching from 2021 to 2025. The case zeroes in on lapses in automated transaction surveillance rather than any issues with client assets.
Regulators framed the action as a clear signal that crypto firms must maintain bank‑grade controls, describing it as a landmark step in oversight of virtual asset service providers and, for Ireland, the first enforcement against a crypto company.
What the regulator found
The central bank said a misconfigured transaction‑monitoring setup meant that more than 30 million transactions were not properly screened over a 12‑month period. Those payments were valued at over €176 billion and represented roughly 31% of Coinbase Europe’s activity during the window in question.
According to the supervisor, it took Coinbase nearly three years to complete retrospective screening of the affected flows, which ultimately resulted in filing 2,708 Suspicious Transaction Reports (STRs) to Ireland’s National Financial Intelligence Unit for further analysis.
Authorities said the late STRs included suspected serious criminal activity connected to several categories:
- Money laundering
- Fraud and scams
- Drug trafficking
- Cyberattacks (malware/ransomware)
- Child sexual exploitation
Deputy Governor Colm Kincaid underscored that law‑enforcement efforts depend on timely, accurate reporting from regulated firms and warned that system failures create opportunities for criminals—opportunities that will be exploited if controls are weak. He also pointed to crypto’s cross‑border and pseudo‑anonymous features as reasons for stringent safeguards.
How Coinbase responded
Coinbase acknowledged the breaches and accepted the reprimand under Ireland’s settlement scheme, which applied a 30% settlement discount to an initially proposed penalty of about €30.66 million, bringing the figure to €21.4 million.
The company explained that its in‑house Transaction Monitoring System (TMS) contained three coding errors that caused five of the 21 scenarios to miss evaluating certain transactions in 2021–2022. For example, crypto addresses separated by special characters were not captured by those scenarios.
Coinbase added that other scenarios were unaffected and said complementary compliance checks continued to operate. The exchange says it has since strengthened testing and governance of TMS logic, and enhanced oversight of retrospective reviews and case handling.
Impact on users and compliance expectations
For everyday customers, the enforcement targets internal monitoring processes, not wallets or trading functionality; customer balances and trading access remain unchanged. The focus is on whether Coinbase’s surveillance and reporting controls met legal standards.
Irish authorities reiterated that virtual asset firms must uphold bank‑grade AML controls to spot, escalate and report suspicious behavior without delay—particularly given crypto’s speed, reach and design characteristics that can obscure identities.
The findings and remedial work paint a clear picture: even unintentional configuration flaws can spiral into a major supervisory issue. The numbers—€21.4 million fine, 30M+ unscreened transactions, €176B in value, and 2,708 STRs—highlight how gaps in monitoring can become costly and resource‑intensive to unwind, and how quickly regulators will respond when critical AML controls fall short.
