Disingenuity, Part 2: Ireland Banishes the Coinbase Snake

There is an Irish myth that St Patrick banished snakes from the Emerald Isle. But the Central Bank of Ireland did recently fine, and seemingly throw out, a shockingly disingenuous Coinbase Europe operation for comical reasons that harken back to some great government settlements with Gemini in 2023 and Paxos just a few months ago. Around the same time Coinbase submitted a comment to the US Treasury requesting legal protections for almost-precisely the same software that Coinbase screwed up in Ireland.

In describing that recent Paxos action we introduced a new word, disingenuity, to describe the disingenuous use of dishonest and unjustified self-praise and appeals to potential future innovation to evade responsibility for transparent and obvious current failures. Coinbase is doing the same thing. And, as Coinbase is a public company making a lot of public statements, this is almost certainly a bigger legal problem. Whatever it is – it is not a good look.

Paxos: Defining Disingenuity

For years, the crypto company Paxos peddled a “regulatory-first” image to lawmakers and the public while, according to a recent settlement with the New York Department of Financial Services (NYDFS), its internal compliance operations were a “catastrophic shambles.”

BlockheadJon Reiter

So now we will explore Coinbase's recent requests for legal protection and then see what got them in trouble in Ireland. This exploration shows them to be something of a snake that, frankly, deserved the banishment it got.

Coinbase's Irish Fines

But first we need to set the stage regarding the Irish action. Coinbase was fined €21.5 million, or just over $25 million. This is the fourth-largest fine ever handed down by Ireland's regulator. And the culture of surveillance and enforcement is different in Europe vs the US. EU regulators do not, generally, hand down a long stream of small-to-medium fines for bad behaviour. The entire EU system is built more around getting licenses and pre-approvals and doing well-trodden things. Fines are not "business as usual" in Europe to the degree they are in the US.

You can argue that is good or bad from an economic or political or social or whatever perspective. But it is definitely true. The UK system is generally closer to the US – this is part of that whole UK leaving the EU thing– and Ireland is closer to the UK than most of the EU. Point being: it is hard to get fined in Ireland.

It is, however, possible. But because this sort of action is generally rarer when there is a problem it is relatively likely to be ridiculous and gigantic. Apple, famously, had to pay over €13 billion in back taxes amid issues related to their illegal tax structuring massively distorted Ireland's GDP. Europe does not do slaps on the wrist as often as the US. And so what might look like a fine that should be taken in stride deserves more attention. Ireland's domestic market is small so Coinbase cannot be doing terribly much domestic business there. And this is certainly not Coinbase's main entity. So a fine over €20 million is large. Quite large.

The whole point here is that the European regulatory style tends to require a lot more work upfront and then gives you a lot more space to operate. Or cause yourself trouble as the case may be. And since things are nailed down in detail upfront the shape of problems is different. We are not saying this style is better or worse or anything like that. We are just saying it is hard to get fined this much money in Ireland. It is also hard to get kicked out of Ireland. Note that Apple still has a big presence in Ireland.

Coinbase's US Requests

Coinbase submitted a comment to the US treasury that includes the following request:

And elsewhere in the comment Coinbase describes their experiences in the area as:

There are plenty of other examples in there. But we recommend you finish this column first and then read the Irish settlement before reading the comment in detail. Why? Because they harp on over and over about how wonderful these tools are. And as we are about to see Coinbase's real experience in these areas is riddled with a range of problems that look completely inconsistent with the tone of the comment. Coinbase looks like it is trying to declare victory while it bleeds out on the battlefield surrounded by legions of hale and hearty opposition troops.

Coinbase's Irish Conduct

Coinbase Europe failed to properly monitor about 30 million of transactions over several years. These made up 31% of the business and amounted to roughly €173 billion in volume. Read that again. They failed to monitor roughly one third of the total volume over a period of years. Tens of billions of euros per year in unmonitored transactions. Obviously that is a catastrophic failure.

The structure of the monitoring processes and tools is also laid bare in the settlement document. To start with, Coinbase Europe outsourced all this work to the US parent:

Coinbase, the US bit, built some thing called TMS that did scanning and the Europe operation relied on the parent to use the parent's TMS system to do the work. Except:

There are five key facts here:

1. TMS is built around a discrete set of 21 patterns. These can be simple "if a then b" rules or complex AI schemes.
2. Whatever they are, Coinbase decided what to screen for and built a tool that supposedly did it. 21 sounds like a not-huge number. In effect it was only 16 for a while and when they managed to fix it the number went back to 21. There is no discussion of this set of patterns growing over the years other than by fixing the errors at issue.
3. TMS was clearly not well tested because roughly one quarter of the scenarios did not work.
4. Fixing the problem was relatively easy and seems to have been done same-day. This strongly suggests no serious effort was made to audit or test or really probe the system on a ongoing basis.
5. Rescreening the missed transactions was incredibly slow. That feels weird for a company focused on automating the financial system and making it more efficient.

Take the last one first. Was it slow because it was technically difficult? Or:

So it was slow because of some blend of "nobody knew" and "nobody cared." The tools used by Coinbase Europe were "ineffective" and notice the use of "should have" in the quote. Well:

So the "should have" means some kind of negligence or incompetence. It is not entirely clear if Coinbase Europe was willfully blind here, or ignored obvious signs, or if the staff there just never considered the possibility their parent company was failing horribly to provide surveillance services the parent promised to Coinbase Europe.

We have sympathy for the Coinbase Europe folks in that a reasonable person might have assumed Coinbase Inc was competent in this area given it operates a giant exchange and, you know, promised to do this whole surveillance thing well to the Coinbase Europe wholly owned subsidiary. But was there no internal audit or other control procedure? Did nobody check the miracle software worked? Or was this entire thing run on faith as a "set it and forget it" style of compliance?

If your mother promises to pick you up at the airport after a long time away it is not necessary to chase her to ensure she will be there. There is no need for a reminder email. She will be there. Three days before your flight. Right after filling the fridge. You do not need to audit any of that. Or reconfirm the timing. A new person will not step into the role and need to be caught up on the processes. But surveillance software and procedures? Grow up. These are different levels of reliability.

And in the Coinbase Europe case, this lack of proper process had a serious consequence:

There is more detail elsewhere in the document but in short Coinbase left important information about these problems out of the VASP applications that the regulator eventually approved. That misrepresentations likely material to that VASP license approval were made is stated explicitly by the Central Bank of Ireland:

Eventually, post-license-approval, the problems discussed above were conveyed to the regulator and:

Eventually Coinbase got this fine and a fresh license in Luxembourg via a different process and:

It is not precisely true to say this proves they lied to the regulator and when the regulator founds out they got fined and kicked out. But whatever exactly happened does sort of seem to rhyme with that narrative.

At this point it is not possible to tell from the outside if a conscious effort was made to hide these problems from the regulator to get the VASP approval in place. Certainly that is a possibility worthy of some investigation. The Central Bank's narrative including such damning information does imply bad things happened here.

Blaggard is Too Kind, Touched is Too Gentle

One way to read the requests for clarity and safe harbours up at the top is that Coinbase knows it is not competent to build, maintain and operate a compliance system so it wants to find a way to pass that legal responsibility off to someone else. Ask yourself: if these external blockchain analytics providers they talk about so much in their comment are so wonderful, why did they build the TMS?

Are we going to find out that TMS was just a bunch of wrappers around analytics services and Coinbase is asking for those external API calls to serve as shields against enforcement action? Is there system just 21 different queries passed to external vendors? It is surely suspicious to get booted from Ireland for failures in your automated surveillance systems and ask the US government to provide you a free pass as long as you rely on those systems. And that is frightfully close to what is happening here.

Now before anyone claims this is historical, one of the prescribed contraventions (i.e. charges) to which Coinbase has admitted is:

March 2025 for a November 2025 settlement with specific numbers. That counts as current conduct.

Coinbase's comment quoted above is signed by the company's chief legal officer. Surely that same person was aware of the ongoing negotiations for this Irish settlement too. Legal was clearly involved in the Irish VASP application and all the other conduct discussed above throughout 2022 and 2023. So the CLO is asking for a safe harbour that may have absolved the company from liability for current failures and possibly help them cover up those failures? This is more brazen than Paxos' conduct!

It is hard to understand why any special treatment is warranted for anything anywhere near the conduct discussed here. This is about internal system failures and lack of candor with the regulator. And that's being kind. Further, none of this is web3-specific at all. Coinbase built some software to meet a compliance obligation. It did not work. They were not upfront with the regulator about those problems. And they took far longer than promised to close out the problems. No blockchain was involved. None of this was unclear. Nowhere does Coinbase dispute that it knew about these obligations and failed to do the job properly.

There is no demonstrated need for new rules. Coinbase's comment somewhat oddly states that they:

Why is the word "offshore" in there? Just enforce against non-compliant entities without regard to their incorporation. Onshore entities will be easier in many ways as governments have leverage. But it is also suspicious that Coinbase, like an errant pup, thinks bawling, blagging and begging are the answers to their problems. Quite a few countries should look at clearing their gardens of this kind of snake.