Date of Sanction: April 1, 2025
Entity: OKCoin Europe Limited
Sector: Virtual Asset Service Provider (VASP)
Supervisory Action: On-site compliance review conducted in April 2023
Penalty Imposed: €1,054,269 fine and a follow-up directive under Regulation 21 of the PMLFTR
Business Risk Assessment (BRA) Deficiencies:
- OKCoin failed to adequately assess the ML/FT risks posed by its products and services, particularly from privacy coins, mixers, and decentralized exchanges.
- The company did not use available quantitative data to form a clear understanding of the risks.
- There was insufficient evaluation of customer and jurisdictional risks based on transaction data.
Customer Risk Assessment (CRA) Failures:
- The CRA process was found to be incomplete, with inadequate classification of customer risk (e.g., low-risk vs. high-risk coins).
- Adverse media screenings were not integrated into the CRA methodology as required.
- The company failed to gather enough detailed information about customers’ sources of funds and wealth.
- CRA was not conducted for 50% of the customer files reviewed, even though deposits were made before the CRA was completed.
Customer Profile and Business Relationship Monitoring:
- The company’s customer profiling was overly simplistic, with generic terms used to describe customers’ occupations and sources of funds.
- The company did not update customer profiles as the business relationship evolved, especially when customers began engaging in higher-value transactions.
- Insufficient follow-up actions were taken on transactions that were inconsistent with customers’ established profiles.
Ongoing Monitoring and Enhanced Due Diligence (EDD) Issues:
- Transaction monitoring was not effectively executed, with many alerts being ignored or dismissed without proper review.
- The company failed to carry out appropriate EDD for higher-risk customers, such as verifying wallet addresses for clients who used private wallets.
- EDD measures were not applied to transactions that indicated higher risks, leading to a lack of scrutiny of potentially suspicious activities.
Failure to Report Suspicious Transactions:
- OKCoin failed to submit a Suspicious Transaction Report (STR) to the FIAU for a customer with significant red flags, including large, rapid transactions and non-cooperation with EDD requests.
- Despite multiple alerts and concerns raised by risk investigators, no STR was filed.
Training and Awareness Deficiencies:
- While staff received some AML/CFT training, it was not tailored to OKCoin’s specific policies and procedures.
- The company committed to improving its training program to align more closely with its internal requirements.