Central Bank of Ireland Finds Widespread Anti Money Laundering Failures at Coinbase Europe
The Central Bank of Ireland has issued one of the most significant enforcement actions to date against a virtual asset service provider. After a multi year review of Coinbase Europe Limited, the regulator concluded that Coinbase failed to meet core anti money laundering obligations for nearly four years. The investigation revealed that millions of high risk transactions went unmonitored, suspicious activity was not reported for years, and governance structures were inadequate to detect or prevent these failures.
This action underscores the scale of compliance challenges in the crypto asset sector and highlights the growing scrutiny international regulators are placing on major platforms. It also shines a sharp light on Coinbase’s internal systems and confirms the same types of breakdowns that many consumers have experienced firsthand.
Summary of the Enforcement Action
On November 5, 2025, the Central Bank of Ireland announced a reprimand and a financial penalty of €21,464,734 against Coinbase Europe. The penalty reflects a 30 percent settlement discount from an initial €30,663,906 assessment. The sanction will take effect once confirmed by the High Court.
Coinbase Europe admitted to several prescribed contraventions of the Criminal Justice Money Laundering and Terrorist Financing Act. These violations spanned April 23, 2021 through March 19, 2025 and related to the failure to monitor customer transactions, failure to adopt and operate adequate internal controls, and failure to conduct enhanced scrutiny of high risk activity.
How the Breakdown Occurred
The Settlement Notice reveals that Coinbase Europe outsourced critical transaction monitoring functions to Coinbase Inc. in the United States. Coinbase Group used a proprietary monitoring system that applied twenty one scenarios designed to detect suspicious activity. Five of these scenarios, identified as high risk or very high risk, were not functioning properly due to configuration errors that dated back to October 2020.
Because these scenarios were not active:
• 30,442,437 transactions were not fully or properly monitored
• These transactions represented roughly 31 percent of all Coinbase Europe activity during the affected window
• The total value of these transactions was approximately €176 billion
• More than 184,000 transactions were later found to require human review
• 2,708 suspicious transaction reports were eventually filed with authorities, years after the relevant activity took place
The Central Bank explained that some of the missed alerts involved transactions linked to ransomware risk, scams, darknet activity, illegal media services, controlled substances, malware and potential child abuse material. The regulator emphasized that delayed detection of such activity severely undermines any opportunity for law enforcement to take action.
Delays That Spanned Years
The timeline described in the Settlement Notice demonstrates an extended series of failures across the Coinbase organization. Coinbase Inc. identified the first configuration problem in August 2021 yet did not notify Coinbase Europe. Additional configuration failures were discovered in April 2022, but again Coinbase Europe was not informed.
A formal rescreening of all unmonitored transactions did not begin until 2022 and did not finish until March 2025. Even after Coinbase Inc. rescreened the transactions and generated alerts, Coinbase Europe and its group level teams did not begin investigating those alerts until May 2023.
As a result, suspicious activity that took place in 2021 did not generate reports to authorities until 2024 or 2025. The regulator stressed that this defeats the purpose of statutory reporting obligations and poses real risks to the integrity of the financial system.
Deficiencies in Oversight and Internal Controls
Coinbase Europe’s governance and supervisory oversight were central to the findings. The company had an obligation to supervise the outsourced monitoring functions and to ensure the effectiveness of the system. Instead, Coinbase Europe relied on group level structures that did not communicate essential information.
The Central Bank found:
• Coinbase Europe did not know the monitoring system had been malfunctioning for more than a year
• Coinbase Europe failed to ask basic questions even after receiving documents that mentioned a massive lookback review
• Senior management did not escalate the issue promptly to the board of directors
• Coinbase Europe failed to notify the regulator for months, even when internal communications acknowledged the seriousness of the problem
• Public explanations during Coinbase Europe’s registration process did not disclose the monitoring failure
• Policies and controls that were in place did not operate in a way that prevented or detected money laundering risks
The regulator also noted that Coinbase Europe was subject to the same shared compliance structure as other Coinbase entities that were already facing enforcement scrutiny in the United States. Coinbase Inc. had been under investigation by the New York State Department of Financial Services for related monitoring deficiencies, resulting in a one hundred million dollar settlement in early 2023. Yet Coinbase Europe was unaware of the severity of those issues even though they affected systems it depended on.
Regulatory Standards That Were Not Met
Ireland’s Anti Money Laundering and Countering the Financing of Terrorism Guidelines require designated firms to implement effective monitoring controls, test those controls regularly, and ensure that system rules detect suspicious activity relevant to the firm’s business model. The Central Bank emphasized that Coinbase Europe departed significantly from these standards.
The regulator noted:
• The failures persisted for nearly four full years
• The breaches involved the entire business operation
• The defects related to very high risk activity
• The delays in reporting significantly reduced the usefulness of the suspicious transaction reports
• The public’s confidence in the virtual asset sector could be harmed
• The contraventions revealed serious weaknesses in Coinbase Europe’s governance and risk management
Applying its sanctioning framework, the Central Bank determined that the conduct was negligent and merited a severity rating of seven on a scale of one to ten.
Impact on Consumers and the Broader Market
This enforcement action confirms that for years Coinbase Europe customers transacted on a platform that lacked functioning monitoring tools for core high risk scenarios. The customers most affected may include those who experienced unauthorized withdrawals, scams, account takeover activity or unusual patterns of transfers that Coinbase failed to detect.
The Settlement Notice also highlights the broader concern that crypto asset platforms, if not properly supervised, can serve as channels for laundering proceeds of crime. Regulators internationally have expressed similar concerns. As Europe transitions into the Markets in Crypto Assets Regulation framework in 2025, enforcement expectations are increasing.
Coinbase Europe to Exit Ireland
Under the new regulatory regime, all VASP registrations expire by December 31, 2025. Coinbase has announced plans to transfer its European business to an entity in Luxembourg that has received MiCAR authorization. Coinbase Europe will therefore cease operations in Ireland at the end of 2025.
What This Means for Clients Seeking Recovery or Legal Recourse
The Central Bank of Ireland’s findings mirror the same systemic failures that many injured consumers describe in legal claims. These include failure to detect unusual account behavior, failure to stop unauthorized transfers, lack of real time monitoring, and lack of timely or meaningful intervention when risk indicators are present.
The Settlement Notice provides authoritative confirmation that Coinbase’s internal systems did not function as represented and that key compliance safeguards were not in place for years. Individuals who experienced losses during this period may have claims strengthened by the regulator’s findings, especially where Coinbase asserts that its monitoring tools were effective or that customer behavior was the sole cause of loss.
