- Malta’s FIAU has imposed a €1.05 million ($1.2 million) fine on OKX’s European arm for serious AML compliance failures
- The fine followed a 2023 compliance review that uncovered systemic deficiencies in risk assessment, monitoring, and reporting
- OKX has launched extensive remediation efforts but remains under supervisory follow-up
Malta’s Financial Intelligence Analysis Unit (FIAU) has levied a €1.05 million ($1.2 million) penalty on OKCoin Europe Ltd., a local entity of crypto exchange OKX, citing major lapses in anti-money laundering and counter-financing of terrorism (AML/CFT) practices. The ruling stems from a 2023 compliance inspection that identified serious breaches in customer due diligence, transaction monitoring, and suspicious activity reporting. The fine comes a month after OKX operator Aux Cayes FinTech Co. Ltd pleaded guilty to operating an unlicensed money-transmitting business in the United States.
A History of Inadequate Controls
OKCoin Europe obtained its Virtual Financial Assets (VFA) Service Provider License from the Malta Financial Services Authority (MFSA) in November 2021, receiving a Class 4 VFA license authorizing the company to offer a comprehensive range of virtual financial asset services within Malta’s regulatory framework. In July last year, OKX moved its European base to Malta following a clampdown on crypto companies in France.
The company underwent an onsite compliance review in April 2023, where the FIAU identified deficiencies going back several years with regard to AML/CFT practices. While the company has not faced criminal charges, the administrative findings signal significant regulatory risks:
“Despite the Company’s strategy adopted to only service European-based customers, it was essential to also consider the potential ML/FT exposure emanating from other jurisdictions.”
Inadequate Risk Assessment and Monitoring
The FIAU criticized OKX’s Business Risk Assessment methodology for failing to assess the risks tied to specific categories of digital assets, such as privacy coins and decentralized exchange tokens. The report emphasized that OKCoin Europe had access to customer data but did not analyze it meaningfully, noting, “Without such statistical information, it is impossible to truly understand risks and ensure that resources are effectively targeting the areas of highest concern.”
Additionally, the company failed to perform Customer Risk Assessments (CRAs) for nearly half of the files reviewed. In one instance, clients deposited “thousands of dollars before a CRA was completed, with such assessment being conducted several months following onboarding.”
OKCoin Europe’s transaction monitoring was also criticized in the report; in one case, over $1.8 million was deposited within four months by a customer initially assessed as low risk. The FIAU noted that “transactions were not being scrutinised by the Company,” and that follow-ups often relied on “short, generic replies that were not corroborated.”
OKCoin Europe Ignored Risks
The FIAU also flagged OKCoin Europe for not submitting a Suspicious Transaction Report despite internal risk indicators and investigator concerns. “These concerns did not translate into the submission of an external report with the FIAU,” the report states bluntly.
While the FIAU acknowledged improvements in OKCoin Europe’s systems, it imposed a Follow-Up Directive requiring an action plan and regular updates. “The Committee commends the Company on the significant improvements undertaken… however… could not ignore that the Company had past failures… some of which were deemed to be serious and systematic.”
In February, OKX operator Aux Cayes FinTech Co. Ltd pleaded guilty to operating an unlicensed money-transmitting business in the United States and was fined $500 million, a penalty far larger than the OKCoin Europe fine.
The penalty is not yet final and may be appealed.