Regulation of the UK cryptoasset sector for AML and counter-terrorist financing (AML/CTF)

From 10 January 2020, UK cryptoasset businesses must comply with the UK’s updated Money Laundering and Terrorist Financing (Amendment) Regulations 2019 and now fall into the Financial Conduct Authority’s (FCA) supervisory responsibility for the first time.

27 January 2020

This significant milestone in the regulation of the cryptoasset market follows the implementation of the EU’s 5th Anti-Money Laundering Directive (5AMLD).

Cryptoasset businesses that fall within the scope of the regulations must:

  • register with the FCA
  • comply with the full scope of the regulations

On 23 December 2019, the FCA published a summary of the key changes stemming from the updated regulations. In relation to cryptoasssets, the FCA said businesses must comply with the regulations from 10 January 2020, irrespective of whether they are registered or not with the FCA. Supervision will start from this date.

The FCA also launched a dedicated webpage for the market to provide relevant information and updates.

Our perspective

The inherently anonymous nature of coin wallets has historically led to crypto currency being considered a high risk area which requires deep knowledge to safely navigate.

With the implementation of 5AMLD, and the FCA’s new regulatory responsibility, you could say that crypto’s position as a legitimate market currency is gaining recognition. This legitimacy may well result in more risk adverse participants exploring the possibility of incorporating crypto into investment strategies. This has been pre-empted in the FCA’s consultation on banning the sale, marketing and distribution of derivatives and exchange traded notes referencing cryptoassets to all retail consumers. Nonetheless, firms looking to invest in this space will need to think about important compliance considerations and of course, the associated cost.

In general, the FCA’s approach to firms that are not compliant from implementation date, is to take into account evidence that they have taken sufficient steps before that date to comply during its supervisory visits. However, the FCA did not explicitly mention this in respect of cryptoasset businesses. Does this indicate that the FCA is planning to take a more hard lined approach to the market? It’s clear from FCA consultations and communications to date on crytoassets that it views the potential harm to consumers and market integrity as high. Therefore an aggressive supervisory approach can be expected. 
Here is a summary of what you need to know if you are a cryptoasset business now regulated by the FCA.

Definition of cryptoasset activity falling within the scope of the regulations

The definition of activities that are subject to the regulations are set out in the associated statutory instrument.

These are set out in the table below for ease of reference:

CRYPTOASSET ACTIVITY

AS DESCRIBED IN THE STATUTORY INSTRUMENT

Cryptoasset exchange provider (including Cryptoasset Automated Teller Machine Peer to Peer Providers, Issuing new cryptoassets, e.g Initial Coin Offering or Initial Exchange Offerings).

A firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services.

  • exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
  • exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
  • operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.
Custodian Wallet Providers

A firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer

  • cryptoassets on behalf of its customers, or
  • private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets, when providing such services.

What firms must do

The registration process

New cryptoasset businesses that intend to carry on a cryptoasset activity after 10 January 2020 must be registered with the FCA before any activity can be carried out

Existing cryptoasset businesses which were already carrying on cryptoasset activity immediately before 10 January 2020 may continue with that business, in compliance with the regulations. However, they must be registered by 10 January 2021, or stop all cryptoasset activity.

Supervisory expectations

The FCA set out a summary of some of the requirements that a firm is expected to comply with, in addition to the other more general obligations of an FCA authorised business under Financial Services and Markets Act 2000. A firm must:

HEADLINE

CONSIDERATION

Conduct a business risk assessment to understand inherent AML risks within the business
  • Take appropriate steps to identify and assess the risks of money laundering and terrorist financing which the business is subject to
  • Assess the money laundering / terrorist financing (ML/TF) risks related to any new technologies prior to launch and take appropriate measures to manage and mitigate those risks
Develop risk-based policies and procedures 
  • Put policies, systems and controls in place to mitigate the risk of the business being used for the purposes of money laundering or terrorist financing. This risk-based approach should seek to mitigate the risks identified in the firm’s risk assessment
  • Importantly procedures should be developed to support the customer identification and due diligence process and suspicious activity reporting to the National Crime Agency (NCA) under part 7 (money laundering) of the Proceeds of Crime Act 2002
Ensure Senior management ownership of ML/TF risk
  • Where appropriate with regard to the size and nature of its business, appoint an individual who is a member of the board or senior management to be responsible for compliance with the regulations and the nominated officer. The nominated officer is also the person responsible for reporting suspicious activity to the NCA
Establish an internal audit function
  • Where appropriate, with regard to the size and nature of its business, establish an independent internal audit function with responsibility for examining and evaluating the adequacy and effectiveness of the policies, controls and procedures, and making recommendations, as well as monitoring the controls
Undertake screening of employees
  • Undertake screening of employees at time of recruitment and at regular intervals thereafter. The UK money laundering regulations define ‘screening’, which is essentially ensuring that employees are suitable and competent to carry out their roles
Carry out due diligence on customers
  • Undertake customer due diligence (CDD) when entering into a business relationship or occasional transactions
Apply extra scrutiny and checks on customers with higher ML/TF risk
  • Apply more intrusive due diligence, known as enhanced due diligence (EDD), when dealing with customers who may present a higher ML/TF risk. This includes customers who meet the definition of a politically exposed person (PEP)
Undertake ongoing and transaction monitoring
  • Undertake ongoing monitoring of all customers to ensure that transactions are consistent with the firm’s knowledge of customer, the customer’s business and risk profile

In addition, there are various requirements for ensuring all management and employees receive appropriate training so that they can identify ML/TF risk and suspicious activity, as well, as obligations for record keeping.

An effective anti-money laundering framework needs to be established to include components such as those outlined above by ‘supervisory expectations’. 
However, the road to compliance can be a long one, and certainly does not end once a compliant framework has been achieved. A well-coordinated strategy must be put in place, not just to get to a state of compliance, but to maintain that state indefinitely.

Get in touch

Our Financial Crime Risk and Compliance team can address any questions or queries you may have, so please feel free to get in touch.

National contact