SwanFS: Key Considerations for Crypto Asset Service Providers, arising from recent developments
- James Ross
- Nov 9
- 15 min read
I. Executive Summary
This week’s developments signal an evolution in the regulatory environment, shifting from theoretical risk to tangible enforcement actions and notable strategic divergence among key jurisdictions. For Crypto Asset Service Providers (CASPs), the global landscape now presents three primary areas of focus that merit careful consideration for our operational, product, and legal strategies.
Enforcement and AML/CTF Scrutiny. The €21.46 million fine imposed by the Central Bank of Ireland (CBI) on Coinbase Europe sets an important precedent. This action underscores the critical importance of robust engineering and governance for Anti-Money Laundering (AML) Transaction Monitoring Systems (TMS).
Strategic Divergence in Stablecoin Regulation. A noteworthy divergence has emerged between the world’s three largest regulatory blocs, creating distinct product-offering regimes for stablecoins:
United States: The Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act, along with supportive commentary from the Federal Reserve, is shaping a clear federal framework for stablecoins.
United Kingdom: The Bank of England (BoE) is advancing its own framework while also proposing holding caps, introducing a point of difference from US and EU approaches.
European Union: The European Systemic Risk Board (ESRB) has issued a significant recommendation. It suggests that major “third-country multi-issuer stablecoin schemes”—the legal term for many USD-denominated stablecoins—could be viewed as “not permitted within the current MiCAR framework”.
Operational & Rulemaking Delays in the U.S. The ongoing US federal government shutdown, which began on October 1, has resulted in a pause in many non-emergency functions at the SEC and CFTC. This has resulted in a suspension of most rulemaking activities, including the implementation of the FIT 21 Act, the issuance of new guidance, and the review of new product filings, such as spot crypto ETPs.
The global regulatory landscape, therefore, is converging on process (e.g., FATF-driven AML and IMF-driven data reporting) while simultaneously diverging on the fundamental regulation of products (stablecoins). This suggests that a move toward a more nuanced, jurisdiction-specific approach to compliance and product offerings may be warranted.
II. Enforcement Analysis: The €21.46 Precedent and AML System Integrity
This week’s enforcement action by the Central Bank of Ireland provides valuable insights into evolving operational, technical, and governance expectations for AML compliance.
A. Deep-Dive: The Central Bank of Ireland’s €21.46 Sanction Against Coinbase Europe
On November 6, 2025, the Central Bank of Ireland (CBI) fined Coinbase Europe Limited €21,464,734 for significant breaches of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (CJA 2010). This figure reflects a 30% discount for early settlement; the original penalty was €30.66 million.
The sanction was related to fundamental “faults in the configuration of their transaction monitoring system” (TMS). This technical issue led to a significant gap in oversight:
Scope: A failure to “fully and properly monitor” 30,442,437 transactions over 12 months.
Value: These unmonitored transactions were valued at over €176 billion.
Scale: The unmonitored activity represented approximately 31% of all Coinbase Europe transactions during the period the faults existed.
The root cause was technical. Coinbase’s own disclosure and the CBI’s findings attribute the failure to “three coding errors” in its TMS. These errors caused five of the 21 TMS scenarios to “not fully screen all transactions”.
Compounding this technical issue was an operational one: the time lag. The CBI noted in its assessment that it took Coinbase Europe “almost three years” to fully complete the retrospective monitoring of the impacted transactions.
The regulator noted this delay resulted in the filing of 2,708 new Suspicious Transaction Reports (STRs). The regulator linked these late STRs to “serious criminal activities,” including money laundering, fraud/scams, drug trafficking, cyber-attacks (malware/ransomware), and child sexual exploitation.
B. Key Compliance Considerations and the Importance of System Validation
This enforcement action highlights three key compliance considerations for all CASPs.
First, the integrity of AML systems is a core consideration in both engineering and governance. The CBI’s action was not for a lack of policies on paper; it was a sanction for a technical, code-level failure. The regulator’s specific focus on “technological risk and system integrity” and “faults in the configuration” signals a high supervisory standard. A “set-and-forget” approach to a TMS may no longer be sufficient. The Compliance and Risk functions should have close oversight of the engineering and change management processes for their compliance systems. This includes rigorous, independent testing and validation of all TMS rules (“scenarios”) before and after deployment to ensure they are “fully and properly” monitoring 100% of the transaction flow as intended.
Second, the importance of timely retrospective review is underscored. The CBI’s repeated emphasis on the “almost three years” it took Coinbase to complete the look-back review indicates this was a key factor in the penalty’s severity. The breach was not just a system failure, but the delayed remediation of the resulting data gap. Regulators may have a quantifiable expectation that upon discovery of any TMS or monitoring fault, a CASP has an immediate duty to conduct a full retrospective review. This creates a contingent liability that merits inclusion in operational risk planning.
Third, the “Global Systems, Local Accountability” principle was reinforced. Coinbase, a US-headquartered firm, was sanctioned via its Irish-authorised subsidiary, Coinbase Europe Limited. The key takeaway is that “Irish-authorised firms remain accountable for ensuring compliance within their jurisdiction, even when relying on global systems”. A centralised, global compliance tech stack, while efficient, is a potential single point of failure. A single “coding error” in a worldwide system could now trigger a cascade of penalties from multiple jurisdictions in which the firm operates an authorised entity.
C. Broader AML/CTF Supervisory Trends
This enforcement action aligns with broader global and domestic trends in AML/CTF supervision.
On the global front, the Financial Action Task Force (FATF) published its new Asset Recovery Guidance and Best Practices on November 4, 2025. This guidance explicitly warns that countries must have the capability to confiscate virtual assets (VAs). It demands law enforcement develop “operational awareness” of crypto-specific evidence and the ability to act “swiftly”. This creates a chain of regulatory expectations. FATF’s demands are the reason behind the CBI’s fine. The CBI is ensuring its regulated CASPs are capable of supporting law enforcement’s new asset-seizure mandate.
Domestically in the UK, HM Treasury published its consultation on “Reforming Anti-Money Laundering and Counter-Terrorism Financing Supervision” on 6 November 2025. The plan confirms the decision to consolidate AML/CTF supervision for 22 professional services supervisory bodies and place this function with a "Single Professional Services Supervisor” (SPSS), which will be the Financial Conduct Authority (FCA). While this specific reform does not directly apply to CASPs (who are already supervised by the FCA for AML/CTF purposes), it is a notable signal. The FCA is becoming the central hub for complex AML/CTF supervision in the UK, which will likely lead to a cross-pollination of expertise and a more stringent supervisory environment.
D. Imminent Compliance Deadline: UK OFSI Frozen Asset Reporting
A tactical compliance reminder: the Office of Financial Sanctions Implementation (OFSI) has confirmed its annual frozen asset reporting requirements. All reports must be submitted to OFSI by Sunday, November 30, 2025. This report must detail all funds or economic resources owned or controlled by a designated person as of September 30, 2025. Firms that previously submitted a report but no longer hold the assets must submit a nil return. Failure to comply can result in civil penalties or criminal prosecution.
III. Strategic Considerations: The Divergence on Stablecoin Regulation (US vs. UK vs. EU)
This week’s developments have highlighted the diverging paths in the Western regulatory approach to stablecoins. What was a harmonised goal has now split into three distinct and operationally significant regimes.
A. The U.S. Framework: The GENIUS Act as the New Baseline
The “Guiding and Establishing National Innovation for U.S. Stablecoins” (GENIUS) Act, passed in July 2025, has established a clear federal baseline. The U.S. Treasury is now actively engaged in rulemaking.
The Act mandates:
Reserves: 100% backing with liquid assets (U.S. dollars or short-term Treasuries).
Transparency: Monthly, public disclosures of reserve composition.
AML/Sanctions: Explicitly subjects issuers to the Bank Secrecy Act (BSA) and requires the technical capability to “seize, freeze, or burn” stablecoins upon a lawful order.
No Yield: A ban on issuers paying interest or yield.
Crucially, a November 7 speech by Federal Reserve Governor Stephen Miran signalled a strong acceptance of this framework. Miran argued that stablecoins pose no risk to bank deposits but are beneficial to the U.S. economy by bolstering the dollar’s dominance and increasing demand for U.S. Treasury securities. This macroeconomic endorsement establishes the US as a supportive environment for stablecoins.
B. The UK Framework: The Bank of England’s “Stability First” Holding Caps
The UK is accelerating its own regime, with a formal Bank of England (BoE) consultation paper scheduled for release on November 10, 2025. While the framework is expected to align with the US on reserve requirements (e.g., high-quality government debt), it contains a notable point of divergence: “temporary holding caps”.
These proposed caps are:
Individuals: £10,000 to £20,000.
Businesses: £10 million.
This “friction-by-design” approach, which Deputy Governor Sarah Breeden noted is to protect the UK’s “bank-dependent mortgage system” from deposit outflows, creates a potential competitive challenge. Neither the US GENIUS Act nor the EU’s MiCA impose such caps. This could render UK-regulated stablecoins less commercially viable for high-value commerce and risk signalling that the UK “is unfriendly to crypto businesses”, potentially pushing scaled activity to other jurisdictions. While the BoE is signalling “waivers” for entities like crypto exchanges, this may create a more complex, two-tiered system.
C. The EU Framework: The ESRB’s Systemic Risk Alert and MiCA Compatibility
A significant development emerged from the EU. While MiCA is law, the European Systemic Risk Board (ESRB) issued a report on October 20, 2025, that presents a significant challenge to the current global stablecoin market.
The ESRB is “concerned by financial stability risks from stablecoins, especially those issued jointly in EU and third countries”—a precise legal description of a global USD stablecoin (like USDC or USDT) that has an EU-licensed entity. The identified risk is a “cross-border run”. The ESRB fears that in a crisis, holders of tokens from a third-country issuer (e.g., the US) could redeem them via the EU entity, which is prohibited under MiCA from charging redemption fees. This, they argue, could drain the EU-based reserves and leave EU holders vulnerable.
The ESRB’s recommendation is noteworthy: it urges the European Commission to “not consider the schemes as being permitted within the current MiCAR framework”. While the US GENIUS Act is built on reciprocity and “comparable regimes”, the ESRB is recommending a divergence from this model. It is a clear macroprudential argument to restrict the dominant USD-denominated stablecoins from the EU market, thereby creating a vacuum for euro-denominated stablecoins and the Digital Euro.
D. The Harmonisation Effort: Assessing the UK-US “Transatlantic Taskforce for Markets of the Future”
This high-level task force, established in September 2025 and co-chaired by HM Treasury and the U.S. Treasury, was created to “harmonise policies” and establish a “transatlantic corridor for stablecoins”. However, the diverging paths taken by the BoE (holding caps) and the US (GENIUS Act) mean the Taskforce’s role will now likely shift from proactive harmonisation to reactive de-confliction. Its recommendations, due within 180 days, are now the critical channel for resolving the operational conflicts between the UK’s “holding cap” model and the US’s “open” model.
Table 1: Comparative Analysis of Emerging Stablecoin Frameworks (US vs. UK vs. EU)
Feature | United States (GENIUS Act) | United Kingdom (Proposed) | European Union (MiCA / ESRB) |
Legal Status | Law (July 2025). Rulemaking in progress. | In Development. BoE Consultation due Nov 10, 2025. | Law (MiCA). Subject to new macroprudential challenge. |
Reserve Req’s | 100% in cash or short-term U.S. Treasuries. | 100% in high-quality assets (e.g., short-term gov’t debt). Aligned with the US. | 100% in high-quality liquid assets. 30% must be held in cash. |
Yield/Interest | Prohibited for issuers. | Assumed Prohibited (to align with US/MiCA). | Prohibited for Issuers of ARTs/EMTs. |
Holding Caps | None. | Yes (Proposed).Individuals: £10k-£20k. Businesses: £10M. | None on holding. Caps on transactions for non-Euro stablecoins. |
Cross-Border | Permitted (via Reciprocity). The GENIUS Act allows foreign issuers from “comparable regimes”. | Permitted. Aims for alignment with the US. | Significant Challenge. The ESRB recommends that “third-country multi-issuer schemes” be declared “not permitted ” under MiCA. |
Regulatory Risk | Low-Medium. The framework is set; the focus is on implementation. | Medium-High. “Holding caps” may create commercial friction and fragmentation. | High. ESRB poses a significant challenge to global USD stablecoins, potentially creating a vacuum for the Digital Euro. |
IV. EU Supervisory & Competitive Landscape: Centralisation and New Frameworks
Within Europe, two parallel trends are emerging: the centralisation of supervision at the European level and the maturation of national and non-EU jurisdictional frameworks.
A. The Proposal for Direct ESMA Supervision for “Significant CASPs”
The European Commission is drafting proposals, with strong backing from ESMA and the national regulators of France (AMF/ACPR), Italy (CONSOB), and Austria (FMA), to move to direct, centralised supervision of “significant” CASPs by the European Securities and Markets Authority (ESMA).
The rationale is to end the “fragmented” supervision by 27 different National Competent Authorities (NCAs), prevent “regulatory arbitrage” or “forum shopping”, and create a truly “integrated” capital market.
The “Significant CASP” Threshold: The primary criterion identified for significance is having at least 15 million active users within the EU.
ESMA’s Powers: This would grant ESMA direct powers of approval, supervision, and direct sanction over these large entities, similar to the EBA’s role for significant stablecoin issuers and the ECB’s “Single Supervisory Mechanism” for banks.
This proposal would meaningfully alter the core “passporting” premise of MiCA for all major market players. A large CASP currently domiciled in Ireland, Malta, or Luxembourg, which holds an EU passport, would be “uplifted” from local supervision to direct supervision by ESMA in Paris. This presents a noteworthy trade-off:
Pro: It addresses the compliance challenge of managing 27 different NCA interpretations of MiCA, creating a “single rulebook, single supervisor.”
Con: The single supervisor (ESMA) could be perceived as more stringent or bureaucratic, potentially increasing costs, particularly for smaller firms, and it creates a two-tier system.
B. Jurisdictional Framework Maturation: Gibraltar’s Transition from VASP Registration to the DLT “10 Core Principles”
Agile, non-EU jurisdictions are updating their frameworks to compete in a post-MiCA world. As of October 27, 2025, Gibraltar enacted the Financial Services (Regulated Activities) (Amendment) Regulations 2025.
This regulation moves Virtual Asset Arrangements (VAAs), i.e., VASPs, from a simple AML-only registration (under the Proceeds of Crime Act) to being a fully “regulated activity” under the Financial Services Act 2019.
Firms must now apply for a full “Part 7 permission”. This brings them under the jurisdiction of Gibraltar’s principles-based “10 Core Principles” DLT framework. Existing VASPs have a short transition period: they must notify the GFSC within 14 days and apply for the new permission within 6 months. For CASPs with a Gibraltar entity, compliance costs will increase; however, the value of the Gibraltar license also increases, as it now encompasses a complete prudential and conduct framework.
Table 2: Gibraltar DLT Regime: The 10 Core Principles and VASP Compliance Actions
Core Principle | Key Compliance Action Required for VASP (Transitioning to Part 7 Permission) |
1. Honesty and Integrity | Review and approve all marketing/promotional materials for fairness and clarity. |
2. Customer Interests & Communication | Audit all client communications (e.g., terms of service, risk warnings) to ensure they are “fair, clear and not misleading.” |
3. Adequate Financial Resources | Conduct and document a new internal capital and financial resource adequacy assessment (ICARA-equivalent) based on business risks. |
4. Effective Management & Due Skill | Formalise and document all risk management, control, and governance frameworks; ensure the “four eyes” principle is embedded. |
5. Protection of Client Assets | Commission an independent audit of all client asset segregation, custody protocols (hot/cold storage), and key management procedures. |
6. Effective Corporate Governance | Document and implement a formal corporate governance structure, including board committees (Risk, Audit) and clear lines of responsibility. |
7. Systems & Security Protocols | Conduct and provide results of third-party penetration testing and a complete systems audit (IT, cybersecurity) to the GFSC. |
8. Financial Crime Prevention | (Already in place via POCA). Re-validate the TMS (see Sec II.B) and ensure financial crime systems are fully documented. |
9. Resilience & Wind-Down Plans | Develop and submit a formal, funded contingency and orderly wind-down plan to the GFSC, as required for a full-license holder. |
10. Market Integrity | Implement a market-abuse monitoring system (similar to MiCA’s MAR) to detect and prevent insider dealing or manipulation on the platform. |
C. The Long-Term Horizon: ECB’s Digital Euro Project Enters Next Phase
On October 30, 2025, the ECB Governing Council approved moving to the “next phase” of the digital euro project. This new phase lays the technical groundwork, with an anticipated timeline of legislation in 2026, a pilot exercise in 2027, and a potential first issuance in 2029.
The ECB’s justification is explicit: the project is about “monetary sovereignty” and “economic security”. Speeches from the ECB executive board warn that foreign-denominated stablecoins could “undermine monetary sovereignty”, and the goal is to reduce Europe’s “dependence on non-European payment giants”.
This state project has received significant feedback from the private sector. A group of 14 central European banks (including Deutsche Bank, BNP Paribas) issued a statement warning the digital euro could “undermine private sector payment systems” and offers “no clear added value for consumers” over private solutions like the new “Wero” wallet.
These two EU developments—the ESRB’s recommendation against third-country stablecoins (Sec III.C) and the acceleration of the Digital Euro project—appear to be part of a coordinated strategic direction. The ESRB’s recommendation to restrict third-country stablecoins creates a strategic market vacuum. The ECB’s project is the state-backed competitor being built to fill that vacuum.
V. U.S. Operational Delays: The Federal Shutdown Impact
A notable business continuity consideration has arisen from the ongoing US federal government shutdown, which began on January 22, 2025. Both the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have furloughed the vast majority of their staff.
This has paused all non-emergency, non-exempted activities. For CASPs, this means a hard stop on:
Rulemaking: All work on new rules, including the implementation of the Financial Innovation and Technology for the 21st Century Act (FIT 21), is paused.
Guidance & Relief: No new interpretive guidance, no-action letters, or exemptive orders will be issued.
Product Approvals: SEC and CFTC staff are not available to review or approve new or pending registration statements. This pauses the entire pipeline for new, regulated products, including spot crypto ETPs.
Filings: While filing systems like EDGAR remain open to accept filings, no staff are available to review or act on them.
The shutdown creates a “product innovation pause.” This has paused the entire US product pipeline, creating a potential competitive disadvantage for US-based initiatives, as other jurisdictions (like the UK) are actively accelerating their rulebooks. The primary challenge for US-focused CASPs has shifted from regulatory action to regulatory inaction, which presents its own set of operational hurdles.
VI. Key Compliance Recommendations and Strategic Outlook
This analysis provides a prioritised and actionable roadmap for consideration.
1. (HIGH Priority) – AML/Tech: Initiate Privileged Review of TMS Governance.
Action: In light of the €21.46 fine imposed by Coinbase, legal and compliance should initiate a privileged, independent review of the firm’s Transaction Monitoring System (TMS).
Scope: This review should validate (1) the governance around TMS scenario/code changes, (2) the technical integrity and back-testing of all scenarios, and (3) the data integrity of the feeds into the TMS.
Contingency: Develop and resource a formal “Retrospective Review” plan to be activated immediately upon the discovery of any future monitoring fault, addressing the three-year lag criticised by the CBI.
2. (HIGH Priority) – Strategy/Product: Assess Tri-Lateral Stablecoin Scenarios.
Action: It is recommended that the strategy team re-evaluate any “one-size-fits-all” global stablecoin plan. The analysis in Section III demonstrates that a single product cannot be offered compliantly in the US, UK, and EU.
Implication: The firm may need to plan for and resource three distinct product streams:
US Market: Full integration and scaling based on the GENIUS Act.
UK Market: A “friction-based” offering, building systems to enforce holding caps while engaging with the Transatlantic Taskforce on exemptions.
EU Market: A Contingency Plan for the Potential Prohibition of Third-Country USD Stablecoins. This plan should include pivoting all EU-facing liquidity to euro-denominated stablecoins and building technical readiness to integrate the Digital Euro.
3. (MEDIUM Priority) – EU Compliance/Strategy: Prepare for Potential ESMA Oversight & Track User Count.
Action: It is recommended to begin tracking “active EU users” against the 15-million-user threshold.
Implication: If the firm is near or expects to cross this threshold, it may be prudent to scope an “ESMA-Ready” program. This involves building a new regulatory relations function for Paris and re-budgeting for direct ESMA supervisory fees.
4. (MEDIUM Priority) – US Strategy/Product: Re-evaluate US Product Timelines.
Action: All product roadmaps dependent on SEC or CFTC approval (e.g., ETPs) should be reviewed and potentially revised to “pending shutdown resolution.”
Implication: The firm could consider reallocating engineering and legal resources to non-US markets (e.g., UK, Gibraltar) that are not operationally delayed and are actively finalising their rulebooks.
5. (LOW Priority / Long-Term) – Data/Engineering: Plan for the Global Data Gaps Initiative (DGI-3).
Action: Monitor the output of the IMF’s G20 DGI-3, specifically Recommendation 11 on “Digital Money”.
Implication: The IMF’s Third Progress Report confirms the development of a “common data collection framework” and “three data templates” to “capture who holds what type of digital assets and where”. This is the blueprint for a new, more detailed wave of compliance reporting. Engineering and data architecture teams should be advised to build systems capable of tracking and reporting on client holdings at this granular, global level.
6. (IMMEDIATE) – UK Compliance: Confirm OFSI Frozen Asset Report Filing.
Action: Confirm the UK compliance officer has filed the mandatory OFSI report by the November 30, 2025, deadline.
Table 3: Actionable Compliance Roadmap (Week of Nov 7, 2025)
Development | Priority | Recommended Internal Action | Affected Business Units | Relevant Sources |
CBI €21.4M Fine vs. Coinbase | HIGH | Initiate privileged review of Transaction Monitoring System (TMS) for technical integrity, governance, and change management. | Legal, Compliance, Engineering/Tech, Internal Audit | |
Stablecoin Divergence (US vs. UK vs. EU) (Sec III) | HIGH | Re-evaluate “one-size-fits-all” stablecoin strategy. Assess three distinct product/compliance roadmaps for the US (GENIUS), UK (Holding Caps), and EU (ESRB Prohibition Threat). | Strategy, Product, Legal, Compliance | |
EU ESMA Centralisation | MEDIUM | Begin tracking “active EU users” against the 15M threshold—scope resources for an “ESMA-Ready” program (direct supervision, higher fees). | EU Compliance, Strategy, Finance | |
US Gov’t Shutdown | MEDIUM | Review and revise all US product launch timelines (e.g., ETPs) to “pending.” Consider reallocating product/legal resources to non-US markets. | US Strategy, Product, Legal | |
UK OFSI Reporting | IMMEDIATE | Confirm the Uthe K compliance team has submitted the annual frozen asset report. | UK Compliance | |
Gibraltar VASP Change | IMMEDIATE | (For firms with a GI entity) File 14-day notification. Begin Part 7 application, mapping compliance to all “10 Core Principles” (Table 2). | GI Compliance, Legal | |
FATF Asset Recovery | LOW | Review new guidance. Brief legal/compliance on enhanced expectations for law enforcement cooperation (e.g., speed of freeze/seize). | Compliance, Legal, Security | |
IMF G20 DGI-3 | LOW (Long-Term) | Task data/engineering leads to review DGI-3’s “common data templates” and build future reporting capabilities for client/asset data. | Data Architecture, Engineering, Compliance |
