Coinbase Europe, the Dublin-based arm of the U.S. crypto exchange, has been hit with a €21.5m fine by the Central Bank of Ireland (CBI) for significant AML failures.
The fine, imposed as part of a November 2025 settlement, addresses breaches of Ireland’s Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 between April 2021 and March 2025, said Flagright.
According to the CBI’s findings, Coinbase’s transaction monitoring system was misconfigured, leaving over 30m transactions (worth €176bn) unmonitored during a 12-month period, meaning a large share (around 31%) of Coinbase’s transactional activity went unscreened for suspicious behavior.
Critically, Coinbase Europe failed to file Suspicious Transaction Reports (STRs) in a timely manner and took almost three years to retrospectively review the flagged transactions and report 2,708 suspicious transactions to authorities, involving suspected cases of money laundering, fraud, drug trafficking, cybercrime, and even child exploitation.
The €21.5m fine represents the largest AML-related penalty ever issued by the Irish regulator and, as CBI officials noted, this “record-high” AML penalty surpasses the prior Irish AML fine record of €4.5m levied on Permanent TSB in 2016. It also marks the first enforcement action the CBI has taken against a crypto firm, signalling that virtual asset service providers are now firmly on regulators’ radar. The action lands amid a broader pattern of rising scrutiny across Europe, with the UK’s Financial Conduct Authority issuing its first crypto-platform fine in 2024, penalising a Coinbase affiliate £3.5m for AML control failings, while the Dutch central bank fined Coinbase €3.3m in early 2023 for operating without registration and previously fined Binance for similar violations.
For crypto firms operating in Europe, the Coinbase case is a cautionary tale ahead of major regulatory change, including MiCA and the EU’s Sixth Anti-Money Laundering Directive (AMLD6). MiCA, taking effect across 2024–2025, will require crypto-asset service providers to be licensed and to meet stricter AML/KYC expectations across the bloc. The core message is that regulators will expect firms to strengthen controls proactively, rather than treat compliance as something to retrofit after growth.
In parallel, the EU’s AML reform package elevates expectations through a more harmonised enforcement approach and the creation of a new EU Anti-Money Laundering Authority (AMLA), which is expected to begin direct supervision of certain high-risk, cross-border firms from 2025–2026.
A key implication is that crypto compliance can no longer be treated as a country-by-country exercise. With MiCA’s passporting regime, a firm authorised in one member state can operate across the EU, but that also increases the consequences of weak controls anywhere in the operating footprint. The CBI described Coinbase Europe as an “entry point” for European and international customers into the group’s platform, illustrating why a local monitoring breakdown can quickly become a wider reputational and supervisory issue. Under the new regime, expectations will increasingly converge around consistent controls “from day one”, as authorities share concerns and apply pressure to prevent weak links.
The enforcement also exposes recurring AML pain points in crypto operating models, starting with delayed suspicious activity reporting. Coinbase Europe’s backlog of 2,708 STRs, filed long after the relevant activity, illustrates how late reporting undermines prevention and frustrates investigations, particularly when regulators view timely STR filing as one of the “cornerstones” of an effective AML regime. The case also highlights rule tuning gaps and technical blind spots: Coinbase’s monitoring system suffered coding errors that caused 5 out of 21 alert scenarios to malfunction, contributing to over 30m transactions, valued at €176bn, not being properly monitored over a year.
Beyond monitoring configuration, the CBI pointed to governance and operating control weaknesses, including findings that Coinbase Europe “neglected to develop and implement internal policies, controls and procedures” sufficient to identify and mitigate illicit finance risk. It also failed to “conduct additional monitoring” on a subset of ~185,000 transactions that warranted closer review. The CBI’s Deputy Governor said any system failure must be “reported to the Central Bank without delay” so risk can be mitigated, reinforcing that transparency and escalation are part of supervisory expectations, not optional extras.
So what does “best-in-class” look like under tightening EU standards? The baseline starts with real-time (or near real-time) transaction monitoring that is comprehensive, continuously tested, and operationally embedded, rather than periodic or heavily backlogged. That also means dynamic risk scoring that evolves with customer behaviour and new information, supporting timely escalation and better triage.
Regulators and auditors also expect firms to be “audit ready”, with documentation and evidence that allow stakeholders to reconstruct decisions across onboarding, alert handling, case outcomes, and reporting. In practice, that is supported by robust workflows and artefacts that show how policies are applied, not just what they say. As one RegTech commentary notes, having “end-to-end, governed workflows” that “demonstrate audit readiness” is crucial for proving controls are effective.
To reach that maturity, many firms are moving away from patchwork tools towards a unified risk infrastructure that connects onboarding risk assessment, transaction monitoring, case management, and reporting in a cohesive system. With crypto’s 24/7 operating model, real-time alerting becomes central: suspicious patterns should trigger immediate notification and structured investigation, not days later.
Some providers are positioning integrated platforms to support this approach, including Flagright, which offers an infrastructure that unifies AML monitoring, risk scoring, case management and reporting with real-time capabilities and end-to-end workflows designed to reduce false positives and speed investigations. For firms scaling across products and jurisdictions, a unified approach is also a practical way to avoid the silo problem, where risk signals in one line of business are invisible to another.
Ultimately, the enforcement action against Coinbase in Ireland signals a new phase of regulatory maturity for crypto in Europe. Firms that want to operate sustainably will need controls that are demonstrably “active” in real time, “adaptive” to new typologies and growth, and “transparent” in how issues are documented, escalated, and communicated. Conversely, firms that delay modernisation risk enforcement, restrictions, and loss of essential partnerships.
The warning is hard to miss, particularly as EU oversight tightens: innovation may be welcomed, but it remains “essential that Europe is adequately protected from the risks of money laundering and terrorist financing stemming from this sector.” Coinbase’s €21.5m fine is a stark reminder that, in the MiCA era, compliance excellence is no longer a differentiator — it is a condition of survival.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
