There is an Irish myth that St Patrick banished snakes from the Emerald Isle . But the Central Bank of Ireland did recently fine, and seemingly throw out, a shockingly disingenuous Coinbase Europe operation for comical reasons that harken back to some great government settlements with Gemini in 2023 and Paxos just a few months ago . Around the same time Coinbase submitted a comment to the US Treasury requesting legal protections for almost-precisely the same software that Coinbase screwed up in Ireland.
In describing that recent Paxos action we introduced a new word, disingenuity , to describe the disingenuous use of dishonest and unjustified self-praise and appeals to potential future innovation to evade responsibility for transparent and obvious current failures. Coinbase is doing the same thing. And, as Coinbase is a public company making a lot of public statements, this is almost certainly a bigger legal problem. Whatever it is – it is not a good look.
So now we will explore Coinbase's recent requests for legal protection and then see what got them in trouble in Ireland. This exploration shows them to be something of a snake that, frankly, deserved the banishment it got.
Coinbase's Irish Fines
But first we need to set the stage regarding the Irish action. Coinbase was fined €21.5 million, or just over $25 million. This is the fourth-largest fine ever handed down by Ireland's regulator . And the culture of surveillance and enforcement is different in Europe vs the US. EU regulators do not, generally, hand down a long stream of small-to-medium fines for bad behaviour. The entire EU system is built more around getting licenses and pre-approvals and doing well-trodden things. Fines are not "business as usual" in Europe to the degree they are in the US.
You can argue that is good or bad from an economic or political or social or whatever perspective. But it is definitely true. The UK system is generally closer to the US – this is part of that whole UK leaving the EU thing– and Ireland is closer to the UK than most of the EU. Point being: it is hard to get fined in Ireland.
It is, however, possible. But because this sort of action is generally rarer when there is a problem it is relatively likely to be ridiculous and gigantic. Apple, famously, had to pay over € 13 billion in back taxes amid issues related to their illegal tax structuring massively distorted Ireland's GDP . Europe does not do slaps on the wrist as often as the US. And so what might look like a fine that should be taken in stride deserves more attention. Ireland's domestic market is small so Coinbase cannot be doing terribly much domestic business there. And this is certainly not Coinbase's main entity. So a fine over €20 million is large. Quite large.
The whole point here is that the European regulatory style tends to require a lot more work upfront and then gives you a lot more space to operate. Or cause yourself trouble as the case may be. And since things are nailed down in detail upfront the shape of problems is different. We are not saying this style is better or worse or anything like that. We are just saying it is hard to get fined this much money in Ireland. It is also hard to get kicked out of Ireland. Note that Apple still has a big presence in Ireland.
Coinbase's US Requests
Coinbase submitted a comment to the US treasury that includes the following request:
Treasury should publish supervisory guidance that explicitly recognizes and incentivizes the use of Know Your Transaction ("KYTˮ) screening and blockchain analytics clustering as a more effective means of enhancing AML/CFT compliance than is available in traditional finance. Legislation and guidance should also be updated to specifically list such technology as an example of proper, risk-based ongoing monitoring and sanctions screening.
And elsewhere in the comment Coinbase describes their experiences in the area as:
By enabling seamless integration across systems and platforms, APIs enhance the effectiveness of Coinbase’s AML and sanctions compliance programs. These tools are leveraged for real-time transaction monitoring, dynamic risk scoring, secure data sharing, and integration with advanced analytics solutions, ensuring Coinbase remains at the forefront of compliance innovation.
APIs allow financial institutions to connect to blockchain analytics platforms, sanctions screening databases, and transaction monitoring systems, creating a unified compliance ecosystem. This interoperability is critical in an increasingly complex compliance environment, where institutions must process vast amounts of data quickly and accurately to detect illicit activity.
There are plenty of other examples in there. But we recommend you finish this column first and then read the Irish settlement before reading the comment in detail. Why? Because they harp on over and over about how wonderful these tools are. And as we are about to see Coinbase's real experience in these areas is riddled with a range of problems that look completely inconsistent with the tone of the comment. Coinbase looks like it is trying to declare victory while it bleeds out on the battlefield surrounded by legions of hale and hearty opposition troops.
Coinbase's Irish Conduct
Coinbase Europe failed to properly monitor about 30 million of transactions over several years. These made up 31% of the business and amounted to roughly €173 billion in volume. Read that again. They failed to monitor roughly one third of the total volume over a period of years. Tens of billions of euros per year in unmonitored transactions. Obviously that is a catastrophic failure.
The structure of the monitoring processes and tools is also laid bare in the settlement document. To start with, Coinbase Europe outsourced all this work to the US parent:
Coinbase Europe outsourced significant aspects of its transaction monitoring to a sister entity, Coinbase Inc, which is based in the United States. Specifically, Coinbase Inc. operated the transaction monitoring system (TMS) which monitored transactions and flagged any that required further review. While Coinbase Europe was permitted to do this, it was obliged to oversee this transaction monitoring and remained responsible for compliance with the CJA 2010.
Coinbase, the US bit, built some thing called TMS that did scanning and the Europe operation relied on the parent to use the parent's TMS system to do the work. Except:
As a result of data configuration issues, 5 out of 21 high risk TMS scenarios did not operate fully as intended, which meant that the TMS failed to fully and properly monitor 30,442,437 transactions (the Non-Monitored Transactions) for Coinbase Europe for certain high-risk scenarios from 23 April 2021 until 29 April 2022 (the Non-Monitoring Issue). When these issues were detected by Coinbase Inc. they were rectified promptly so that the TMS operated properly from 29 April 2022.
As a consequence of the Non-Monitoring Issue, it was then necessary to rescreen the Non-Monitored Transactions (the Transaction Rescreening)...The completion of the above process took almost three years, undermining the efficacy of the STRs ultimately submitted as a result.
There are five key facts here:
- TMS is built around a discrete set of 21 patterns. These can be simple "if a then b" rules or complex AI schemes.
- Whatever they are, Coinbase decided what to screen for and built a tool that supposedly did it. 21 sounds like a not-huge number. In effect it was only 16 for a while and when they managed to fix it the number went back to 21. There is no discussion of this set of patterns growing over the years other than by fixing the errors at issue.
- TMS was clearly not well tested because roughly one quarter of the scenarios did not work.
- Fixing the problem was relatively easy and seems to have been done same-day. This strongly suggests no serious effort was made to audit or test or really probe the system on a ongoing basis.
- Rescreening the missed transactions was incredibly slow. That feels weird for a company focused on automating the financial system and making it more efficient.
Take the last one first. Was it slow because it was technically difficult? Or:
Although Coinbase Europe was responsible for ensuring proper transaction monitoring, it was unaware of the above issues for an extended period of time because Coinbase Europe’s systems and controls were, at the time, ineffective to oversee the work of Coinbase Inc.
The first time that Coinbase Europe was provided with information that should have alerted it to the issues with the TMS was in February 2023 when Coinbase Inc. provided Coinbase Europe with a document that described the Non-Monitoring Issue.
So it was slow because of some blend of "nobody knew" and "nobody cared." The tools used by Coinbase Europe were "ineffective" and notice the use of "should have" in the quote. Well:
It was only in May 2023, when Coinbase Inc. provided further details of its remediation efforts that Coinbase Europe probed for more specific details regarding the potential impact on Coinbase Europe. By this point, senior managers in Coinbase Europe were aware of the problem with transaction monitoring which could have a material impact on Coinbase Europe.
So the "should have" means some kind of negligence or incompetence. It is not entirely clear if Coinbase Europe was willfully blind here, or ignored obvious signs, or if the staff there just never considered the possibility their parent company was failing horribly to provide surveillance services the parent promised to Coinbase Europe.
We have sympathy for the Coinbase Europe folks in that a reasonable person might have assumed Coinbase Inc was competent in this area given it operates a giant exchange and, you know, promised to do this whole surveillance thing well to the Coinbase Europe wholly owned subsidiary. But was there no internal audit or other control procedure? Did nobody check the miracle software worked? Or was this entire thing run on faith as a "set it and forget it" style of compliance?
If your mother promises to pick you up at the airport after a long time away it is not necessary to chase her to ensure she will be there. There is no need for a reminder email. She will be there. Three days before your flight. Right after filling the fridge. You do not need to audit any of that. Or reconfirm the timing. A new person will not step into the role and need to be caught up on the processes. But surveillance software and procedures? Grow up. These are different levels of reliability.
And in the Coinbase Europe case, this lack of proper process had a serious consequence:
As Coinbase Europe was unaware of the Non-Monitoring Issue during the process of registering as a VASP with the Central Bank of Ireland, which was finalised in December 2022, the Non-Monitoring Issue was not disclosed during the process.
There is more detail elsewhere in the document but in short Coinbase left important information about these problems out of the VASP applications that the regulator eventually approved. That misrepresentations likely material to that VASP license approval were made is stated explicitly by the Central Bank of Ireland:
In September 2022, Coinbase Europe met with representatives from the Central Bank to discuss its application for registration as a VASP. At that meeting, Coinbase Europe advised that plans were in place to resolve the Backlog.
On 21 November 2022, in response to specific queries on progress in resolving the Backlog,...
The assurances provided by Coinbase Europe in September and November were relevant to the Central Bank’s decision to grant Coinbase Europe’s VASP registration in December 2022.
Eventually, post-license-approval, the problems discussed above were conveyed to the regulator and:
Following this notification the Central Bank began a programme of enhanced supervisory scrutiny on Coinbase Europe and took various supervisory steps including to require that Coinbase Europe make significant enhancements and investments in its Anti Money Laundering (AML) framework and compliance function.
Eventually Coinbase got this fine and a fresh license in Luxembourg via a different process and:
Coinbase Europe’s registration as a VASP with the Central Bank will therefore lapse at the end of 2025 and Coinbase Europe will cease conducting business in Ireland.
It is not precisely true to say this proves they lied to the regulator and when the regulator founds out they got fined and kicked out. But whatever exactly happened does sort of seem to rhyme with that narrative.
At this point it is not possible to tell from the outside if a conscious effort was made to hide these problems from the regulator to get the VASP approval in place. Certainly that is a possibility worthy of some investigation. The Central Bank's narrative including such damning information does imply bad things happened here.
Blaggard is Too Kind, Touched is Too Gentle
One way to read the requests for clarity and safe harbours up at the top is that Coinbase knows it is not competent to build, maintain and operate a compliance system so it wants to find a way to pass that legal responsibility off to someone else. Ask yourself: if these external blockchain analytics providers they talk about so much in their comment are so wonderful, why did they build the TMS?
Are we going to find out that TMS was just a bunch of wrappers around analytics services and Coinbase is asking for those external API calls to serve as shields against enforcement action? Is there system just 21 different queries passed to external vendors? It is surely suspicious to get booted from Ireland for failures in your automated surveillance systems and ask the US government to provide you a free pass as long as you rely on those systems. And that is frightfully close to what is happening here.
Now before anyone claims this is historical, one of the prescribed contraventions (i.e. charges) to which Coinbase has admitted is:
In the period from 23 April 2021 to 19 March 2025, Coinbase Europe contravened Section 39(1) of the CJA 2010 by failing to conduct additional monitoring in respect of 184,790 transactions.
March 2025 for a November 2025 settlement with specific numbers. That counts as current conduct.
Coinbase's comment quoted above is signed by the company's chief legal officer. Surely that same person was aware of the ongoing negotiations for this Irish settlement too. Legal was clearly involved in the Irish VASP application and all the other conduct discussed above throughout 2022 and 2023. So the CLO is asking for a safe harbour that may have absolved the company from liability for current failures and possibly help them cover up those failures? This is more brazen than Paxos' conduct!
It is hard to understand why any special treatment is warranted for anything anywhere near the conduct discussed here. This is about internal system failures and lack of candor with the regulator. And that's being kind. Further, none of this is web3-specific at all. Coinbase built some software to meet a compliance obligation. It did not work. They were not upfront with the regulator about those problems. And they took far longer than promised to close out the problems. No blockchain was involved. None of this was unclear. Nowhere does Coinbase dispute that it knew about these obligations and failed to do the job properly.
There is no demonstrated need for new rules. Coinbase's comment somewhat oddly states that they:
urge Treasury and Congress to prioritize enforcement efforts against non-compliant offshore entities
Why is the word "offshore" in there? Just enforce against non-compliant entities without regard to their incorporation. Onshore entities will be easier in many ways as governments have leverage. But it is also suspicious that Coinbase, like an errant pup, thinks bawling, blagging and begging are the answers to their problems. Quite a few countries should look at clearing their gardens of this kind of snake.
