FIAU imposes €1 million fine on crypto exchange OKCoin Europe for AML breaches

The Financial Intelligence Analysis Unit (FIAU) has imposed a €1,054,269 administrative fine on OKCoin Europe Limited, a virtual asset service provider (VASP) operating in Malta, following serious failures in its anti-money laundering (AML) and counter-financing of terrorism (CFT) obligations. The decision follows an onsite compliance examination carried out in April 2023.

This penalty, one of the highest imposed on a VASP in Malta to date, is accompanied by a Follow-Up Directive requiring OKCoin Europe to demonstrate full compliance with AML/CFT rules and implement remedial actions across its operations.

Deficiencies in risk assessment and due diligence

At the core of the FIAU’s concerns were systemic issues in the company’s Business Risk Assessment (BRA) and Customer Risk Assessment (CRA). OKCoin Europe was found to lack a robust methodology to identify and quantify money laundering (ML) and terrorism financing (TF) risks related to its products and services. Specifically, the company failed to assess risks associated with privacy coins, decentralised exchanges, and stablecoins – all of which are known to heighten the risk of illicit transactions.

Moreover, although OKCoin had access to extensive customer data, it did not utilise this to gain insights into jurisdictional exposure, customer activity, or transactional patterns. Approximately half of the customer files reviewed lacked a CRA at the onboarding stage, with some clients depositing substantial funds months before any form of risk assessment was conducted.

Weak transaction monitoring and delayed escalation

According to the FIAU, transaction monitoring processes were either insufficient or improperly executed. For instance, OKCoin discounted a significant number of transaction alerts – some involving customers who deposited hundreds of thousands of dollars – without adequate scrutiny or documented rationale.

In one highlighted case, a client deposited nearly $1.8 million within a few months despite being classified as low risk. Another customer exhibited high-volume activity and suspicious transaction patterns, such as converting cryptocurrency to fiat and withdrawing funds within hours – yet this activity failed to trigger meaningful investigation or external reporting.

In total, over $20 million in transactions from various customers were reviewed, revealing patterns of high-risk behaviour that were neither escalated nor adequately explained with supporting documentation.

Failure to report suspicious activity

The FIAU further criticised OKCoin for failing to submit a Suspicious Transaction Report (STR) for a high-risk customer whose deposits exceeded $1.2 million within three months. Although internal concerns were raised by compliance staff, no report was submitted, despite red flags such as unclear sources of funds, contradictory documentation, and non-cooperation from the client.

Improvements acknowledged, but not enough to avoid sanction

While the FIAU commended the company for taking corrective action after the compliance examination – including improved transaction monitoring tools, better data collection, and updated customer profiling – these efforts were deemed insufficient to offset the gravity of the breaches identified.

“The Committee could not ignore that the Company had past failures… some of which were deemed to be serious and systematic,” the FIAU stated in its official publication notice. It warned that such failures could have led to the unintentional facilitation of money laundering or terrorist financing activities.

What’s next for OKCoin Europe?

As part of the Follow-Up Directive, OKCoin is now required to present an action plan and undergo ongoing supervision to ensure its compliance framework meets regulatory expectations. This includes improvements to its risk assessment models, onboarding documentation, transaction monitoring systems (for both on-chain and off-chain transactions), and staff AML training.

Failure to comply with the Directive may result in further administrative penalties.

The administrative fine is not yet final and may be appealed before the Court of Appeal. If unchallenged, the penalty becomes definitive once the appeal window closes.

This enforcement action serves as a clear warning to the virtual financial assets sector in Malta. The FIAU reiterated that VASPs are expected to adopt a risk-based approach and maintain a high standard of vigilance, especially in handling customer onboarding, transaction monitoring, and the identification of suspicious activities.