Coinbase Europe, the Dublin-based arm of the US crypto exchange, has received a €21.5m penalty from the Central Bank of Ireland (CBI) after the regulator found serious shortcomings in the firm’s AML controls.
According to Flagright, the sanction, agreed as part of a November 2025 settlement, relates to breaches of Ireland’s Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 between April 2021 and March 2025, and is intended to underline the need for effective, real-time monitoring and prompt escalation of suspicious activity.
At the centre of the case was a transaction monitoring setup that the CBI said was misconfigured, leaving more than 30m transactions — valued at €176bn — unmonitored over a 12-month period. The regulator also highlighted the impact on suspicious transaction reporting, stating that Coinbase Europe did not file Suspicious Transaction Reports (STRs) in a timely way, taking almost three years to retrospectively review the affected activity and submit 2,708 suspicious transactions to authorities. Those delayed filings were linked to suspected money laundering, fraud, drug trafficking, cybercrime and child exploitation, reinforcing how monitoring gaps can quickly become material financial crime risks.
The CBI described the sanction as the largest AML-related penalty it has issued, with officials calling it “record-high” and pointing to the previous Irish AML fine benchmark of €4.5m imposed on Permanent TSB in 2016. The action is also significant because it is presented as the first CBI enforcement step against a crypto firm, adding to a wider pattern of European scrutiny of crypto businesses as regulators become more willing to apply traditional compliance expectations to digital asset platforms.
Elsewhere, the text points to an increasingly assertive enforcement backdrop, including the UK Financial Conduct Authority’s first crypto-platform fine in 2024, where a Coinbase affiliate was penalised £3.5m for AML control failings, and the Dutch central bank’s €3.3m fine against Coinbase in early 2023 for operating without registration. It also references action taken against Binance for similar violations, all of which signals that supervisory pressure is rising across multiple jurisdictions, not just in one market.
For crypto firms preparing for the EU’s evolving framework, the case is positioned as a warning shot ahead of MiCA and the broader AML reform package often referred to as AMLD6 alongside a new AML Regulation. Under MiCA, crypto-asset service providers are expected to meet baseline requirements around licensing, KYC and transaction monitoring, while the creation of the EU Anti-Money Laundering Authority (AMLA) is expected to lift oversight for high-risk, cross-border groups. The takeaway for compliance teams is that “good enough” controls are unlikely to satisfy regulators as expectations harden around consistency, timeliness and demonstrable effectiveness.
A second message is that crypto compliance can no longer be treated as a country-by-country exercise. The CBI’s description of Coinbase Europe as an “entry point” into the wider platform reflects the reality that weaknesses in one jurisdiction can create reputational and supervisory consequences elsewhere. The text also notes that regulators expect controls “from day one” of authorisation and that EU-wide operating models, including passporting under MiCA, raise the stakes for firms trying to scale quickly without equally scaling compliance governance.
The issues highlighted are also practical and familiar to many fast-growing platforms: delayed STR filing, scenario failures caused by technical misconfiguration, and insufficient internal policies, controls and escalation routes. In this account, the monitoring system’s problems meant that five out of 21 alert scenarios were not functioning properly, creating the kind of blind spot that can persist if testing, tuning and internal reporting lines are not mature enough to detect and remediate failures quickly.
In response, the text argues that “best-in-class” crypto AML now looks much closer to a bank-grade operating model: real-time or near-real-time transaction monitoring, dynamic risk scoring that updates as customer behaviour changes, and strong documentation so firms are “audit ready.” It also frames proactive escalation as essential, including rapid engagement with supervisors where a material control failure is identified, rather than attempting to fix issues quietly over long periods.
Finally, it points to regtech-led approaches that unify onboarding risk, transaction monitoring, case management and reporting into a single workflow, with real-time alerting designed for a 24/7 market. Flagright is cited as one example of a provider pushing “unified risk infrastructure” with “end-to-end, governed workflows,” positioning this kind of consolidation as a way to reduce gaps, speed investigations and support consistent standards across multiple jurisdictions as enforcement tightens.
Find more on RegTech Analyst
Copyright © 2026 FinTech Global
