Malta Fines Crypto Platform €2.7m Over 'Serious' AML Failures

April 8, 2025

Malta’s Financial Intelligence Analysis Unit (FIAU) has fined a subsidiary of crypto giant OKX €2.7m for significant anti-money laundering (AML) shortcomings, marking one of the largest enforcement actions to date against a virtual asset service provider (VASP) in the jurisdiction.

The watchdog said it imposed the fine and a formal follow-up after a supervisory visit to the company’s operations in April 2023.

The decision stems from “serious shortcomings” in the firm’s approach to risk management, customer due diligence and ongoing monitoring of potentially suspicious activity.

OKCoin is a subsidiary of the global cryptocurrency exchange OKX, one of the world’s largest digital asset trading platforms, offering services such as decentralised finance (DeFi) access and wallet custody.

In this instance, the FIAU said OKCoin’s internal controls were inadequate in identifying and mitigating money laundering and terrorist financing risks.

Poor risk assessments 

Among the most significant findings were serious flaws in the company’s approach to risk assessments.

According to the regulator, the company’s business risk assessment (BRA) was found to lack sufficient analysis of key risk factors, including the company’s product offerings, such as privacy coins, mixers and the use of decentralised exchanges. It also failed to adequately consider customer funding sources or exposure to high-risk jurisdictions.

Customer profiling was also found to be weak, with OKCoin said to have incomplete and/or overly generic information about customers’ expected activity and source of funds, particularly during the onboarding process for basic accounts. 

In half of the reviewed cases, for example, customer risk assessments were either missing or only completed after substantial transactions had already taken place.

Transaction monitoring controls were also inadequate. Approximately 80 percent of the customer files examined showed transaction volumes exceeding $20m that were not properly scrutinised.

Meanwhile, risk indicators such as high-frequency deposits and immediate withdrawals went unflagged or were dismissed without appropriate investigation.

Lax due diligence 

The company also failed to apply enhanced due diligence (EDD) measures in high-risk cases.

In several instances involving large volumes of virtual assets, up to $1.3m, OKCoin did not verify control over private wallet addresses or gather sufficient information regarding the customer’s source of wealth.

Additionally, the company was found to have outdated documentation in several high-risk files and, in some instances, identity documents had been expired for more than two years, with no evidence that re-verification had taken place.

Proactive improvements 

Despite these failures, the FIAU acknowledged that OKCoin took “proactive remediation” after the examination, including overhauling its risk assessment frameworks, enhancing data gathering and migrating to an integrated system for evaluating customer risk. 

The firm also eliminated its simplified onboarding tier and required all users to undergo full due diligence.

“The Committee commends the Company on the significant improvements undertaken and implemented over the past 18 months, through a self-imposed remediation exercise,” the report said. 

Still, the FIAU said the severity and recurrence of breaches warranted a significant penalty. 

When approached by Vixio for comment, a spokesperson for OKX acknowledged the fine. “Historical gaps were identified in our compliance framework. We took this as an opportunity to proactively enhance our internal processes and strengthen our AML/CFT controls.”

The spokesperson also defended the company’s actions, stating that in “the past two years, we have implemented a comprehensive compliance program, including technology upgrades, enhanced monitoring, and robust remediation efforts”. 

“With this chapter behind us, OKX remains focused on the future, continuing to build a secure, transparent, and compliant platform for our users worldwide,” the spokesperson said.
