Ireland’s first crypto enforcement case highlights the growing regulatory focus on AML systems and governance
A €176 billion blind spot
The Central Bank of Ireland has imposed a €21,464,734 penalty on Coinbase Europe Limited for breaching transaction-monitoring duties under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. The failings ran from 23 April 2021 to 19 March 2025 and were significant in both scale and impact.
A configuration fault meant 30,442,437 transactions were not properly monitored over a twelve-month period. Those transactions, worth more than €176 billion, represented about 31% of all Coinbase Europe activity while the fault existed. Coinbase then spent almost three years completing a retrospective review, which ultimately triggered 2,708 suspicious transaction reports (STRs) to Ireland’s Financial Intelligence Unit, with a combined value exceeding €13 million.
The Central Bank stressed that real-time monitoring and prompt STRs are critical to the AML/CFT regime. Delays can hinder the detection and disruption of criminality, particularly in sectors where transactions move instantly across borders.
A first for crypto enforcement in Ireland
This case marks the Central Bank’s first enforcement action in the crypto sector, as well as one of the earliest uses of the “undisputed facts” settlement route under Ireland’s Individual Accountability Framework.
The Central Bank’s Settlement Notice sets out the mechanics behind the penalty. Investigators began with a turnover-based starting point of €417 million, applying a 7% severity level and aggravating the base penalty to reflect delays in notifying the regulator once senior managers became aware of the issue. The final monetary penalty of €30.6 million was reduced by 30% under the settlement scheme to reach €21.46 million.
Coinbase has since stated that it upgraded its monitoring tools and confirmed that its Irish virtual asset service provider registration will lapse at the end of 2025 as operations move to a Luxembourg entity authorised under MiCAR.
Earlier warnings for the crypto sector
Coinbase’s compliance shortcomings have been under scrutiny for years. Earlier regulatory actions against the firm revealed weaknesses in governance, transaction monitoring and risk escalation that were already viewed as sector-wide problems. By 2025, crypto was already facing growing structural risks, from fragmented oversight to insufficient accountability at board level. The Central Bank’s action in Ireland shows how those warnings have now materialised in practice.
When technology failures become governance failures
For compliance leaders, the implications extend well beyond crypto. The case underlines that technology failures are governance failures when they block or delay risk detection.
Crypto’s inherent characteristics: speed, anonymity, and cross-border liquidity, amplify the need for precise monitoring rules and well-calibrated thresholds. A single misconfigured rule can skip millions of events before detection, creating what the Central Bank called “an opportunity for criminals to evade detection, and criminals will take that opportunity.”
The result is not just a backlog of alerts, but a long tail of operational, legal, and reputational exposure that can eclipse the original fault.
A shared enforcement direction across Europe
Ireland’s action is part of a broader regulatory pattern. Germany’s BaFin has spent 2025 signalling tougher expectations on suspicious activity reporting and control design, issuing headline penalties to J.P. Morgan and Deutsche Bank. The message is consistent: late or missing reporting is a systemic breach, not an administrative lapse.
That shift aligns with enforcement momentum across the UK and EU, where supervisors are tightening expectations around ongoing monitoring and STR quality.
What this means for your AML programme
For firms outside crypto, the takeaway is clear. Failures in transaction-monitoring logic, data ingestion or workflow management will be treated as policy and control breaches, not IT errors.
The same regulatory pressure is building elsewhere. In the UK, the transfer of AML supervision to the FCA signals a move toward more centralised, data-driven oversight, while Scotland’s recent SARs thematic review has reinforced expectations around report quality and escalation. Together, these developments show that supervisors want proof that monitoring systems work in practice, and that weaknesses are identified and fixed quickly.
The Coinbase case illustrates how fast a monitoring gap can grow, and why regulators now expect firms to disclose issues proactively and demonstrate full remediation. The Central Bank’s message was unambiguous: notify without delay, remediate completely, and prove it.
Now more than ever, crypto and financial firms need AML systems that actually work in practice, not just on paper. Transaction-monitoring failures like Coinbase’s show how quickly control gaps can escalate. VinciWorks’ AML training and monitoring tools help firms strengthen governance, detect risks early, and stay fully compliant. Try it now.
