
Lessons from OKCoin Europe’s €1M AML Penalty


In April 2025, Malta’s Financial Intelligence Analysis Unit (FIAU) imposed a €1,054,269 penalty on OKCoin Europe Limited, a Virtual Asset Service Provider (VASP), following a 2023 compliance examination.


The enforcement notice outlines a series of failings. But beneath the headlines lies a more familiar challenge: maintaining effective, responsive compliance in fast-moving, resource-constrained environments.


What Went Wrong?


This case is not about ignoring obligations. It reflects how difficult it can be to operationalise AML frameworks at scale, particularly in sectors like crypto and fintech. These are businesses where products evolve quickly, data is complex, and customer behaviour does not always fit clearly into predefined risk categories.


The FIAU identified systemic weaknesses across multiple areas of AML/CFT compliance, including business and customer risk assessments, onboarding, transaction monitoring, and reporting.


Some of the findings:


1. The business risk assessment did not reflect product-specific risks.

The company did not properly assess the financial crime risks linked to the products and services it offered. This included gaps in evaluating privacy coins, decentralised exchanges, mixers, and stablecoins. These features carry well-documented money laundering risks, but the firm did not address them individually in its risk framework.


2. Customer risk assessments were delayed and reactive.

For about half of the customer files reviewed, the company completed risk assessments only after the customers had already deposited funds, in some cases significant amounts. For some customers, the delay lasted several months. This meant that some customers were actively using the platform without an initial risk rating in place.


3. Onboarding data lacked the detail needed to assess risk.

During onboarding, the company collected generic information such as “employment” or “business” without asking for further context or documentation. The drop-down menu offered only a few selections per data point. As a result, customer profiles lacked the information needed to understand source of funds, occupation, or expected activity levels.


4. The transaction monitoring system generated alerts, but they were not properly followed up.

The company had an automated monitoring system in place, but in more than 80% of the files reviewed, alerts were dismissed or closed without adequate investigation. This included over $20 million in customer activity that was not analysed in line with the expected risk-based approach.


5. The firm did not apply enhanced due diligence to high-risk customers.

For several customers who displayed high-risk behaviours or were classified as high-risk, the company did not collect additional information or documentation to understand the source of wealth or the purpose of transactions. In some cases, the company also failed to verify whether the customer controlled the wallet from which large cryptocurrency deposits were made.


6. A suspicious customer was not reported to the FIAU.

One high-risk customer deposited nearly $1.2 million and withdrew over $1.4 million within a few months. The company had minimal onboarding information and received vague, unsupported documents during EDD. Although internal concerns were raised, no Suspicious Transaction Report was submitted to the FIAU.


7. AML training was not tailored to the company’s business model.

Although the company provided training to its staff, the content did not reflect the specific products, services, or risks associated with its operations. The FIAU expects training to be aligned with how the business actually functions, not just general AML theory.


What crypto and fintech firms can learn from OKCoin Europe's penalty


The FIAU acknowledged that OKCoin Europe made real efforts to address the issues. The company improved its transaction monitoring systems, revisited its onboarding and risk assessment processes, and delivered additional training. That progress is important.


This case highlights a broader issue: in fast-paced, product-driven environments like fintech and crypto, it is easy for controls to fall behind the business. Even when policies are in place, execution is what truly matters.


For firms preparing for a compliance examination, here are several practical steps to consider:


  • Align your risk assessment with the reality of your product: Generic risk models are not enough. Your business risk assessment should reflect the specific features you offer, such as privacy coins, decentralised exchanges, or stablecoins. These carry different levels of exposure and must be considered separately.

  • Complete the customer risk assessment before activity begins: Customers should not be allowed to transact before their risk profile is assessed. If your process allows deposits before a proper review, it introduces avoidable risk.

  • Gather meaningful information at onboarding: Dropdown menus can simplify data collection, but they should not replace proper profiling. Make sure your team collects enough information to understand the customer's background, source of funds, and expected behaviour.

  • Ensure transaction monitoring alerts lead to appropriate action: Alert volume can be a real burden, but ignoring or dismissing alerts without investigation weakens the entire system. Review the quality of alerts, your escalation process, and how follow-ups are handled.

  • Apply enhanced due diligence when behaviour warrants it: EDD should not depend solely on a risk score. If activity looks unusual or inconsistent with the customer’s profile, take further steps. Request documents, ask for explanations, and pause activity when needed.

  • Strengthen your approach to suspicious transaction reporting: When concerns are raised internally, there should be a clear process to evaluate whether a report to the FIAU is needed. Decisions should be well-documented and based on a structured assessment, not left unresolved.

  • Tailor your training to your actual risk exposure: Staff should understand the risks specific to your products, services, and customer base. Training should go beyond theory and include practical examples from your business context.
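Three of the steps above (no activity before the risk assessment, complete onboarding data, EDD for high-risk customers) and the alert follow-up step can be encoded as hard gates in a platform rather than left to manual procedure. The following is an added illustration written for this article, not OKCoin Europe's code or any regulator's specification; the profile fields, the risk levels and the minimum note length are assumptions chosen to mirror the gaps the FIAU described.

```python
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    UNRATED = "unrated"    # assessment not yet completed: must block activity
    STANDARD = "standard"
    HIGH = "high"          # requires enhanced due diligence before activity


# Onboarding fields a profile must hold before it can support a risk decision
# (constructed list; a real programme would derive it from its own risk model).
REQUIRED_PROFILE = ("occupation", "source_of_funds", "expected_monthly_volume")


@dataclass
class Customer:
    customer_id: str
    risk: Risk = Risk.UNRATED
    edd_complete: bool = False
    profile: dict = field(default_factory=dict)


@dataclass
class Alert:
    alert_id: str
    customer_id: str
    status: str = "open"
    investigation_note: str = ""


def may_transact(customer: Customer) -> tuple[bool, str]:
    """Gate deposits and withdrawals on the controls the notice found missing."""
    if customer.risk is Risk.UNRATED:
        return False, "initial risk assessment not completed"
    missing = [k for k in REQUIRED_PROFILE if not customer.profile.get(k)]
    if missing:
        return False, "onboarding profile incomplete: " + ", ".join(missing)
    if customer.risk is Risk.HIGH and not customer.edd_complete:
        return False, "enhanced due diligence outstanding for high-risk customer"
    return True, "controls satisfied"


def close_alert(alert: Alert, note: str, min_note_chars: int = 40) -> Alert:
    """Refuse to close an alert unless a substantive investigation note is recorded."""
    if len(note.strip()) < min_note_chars:
        raise ValueError(f"alert {alert.alert_id}: closure requires a documented investigation")
    alert.status = "closed"
    alert.investigation_note = note.strip()
    return alert
```

The refusal reasons returned by may_transact and the notes stored on closed alerts are exactly the evidence an examiner asks for, so keeping them in the data model rather than in an analyst's head is the point of the exercise.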


Compliance does not fail because firms don’t care. It fails when processes are not adapted to the pace, complexity, and risks of the business. Let us know if you need help to improve your AML program!
