Two years on from the FCA’s AML/CTF registration regime, how are firms managing?
In January 2020, the Financial Conduct Authority (FCA) implemented an anti-money laundering and counter-terrorism registration process for cryptoasset exchange providers and custodian wallet providers who want to operate in the UK.
Two years on from this, we consider the progress that firms have made in navigating the process, and the key aspects of the FCA’s approach to the supervision of UK cryptoasset businesses.
Overview of the FCA’s cryptoasset registration regime
The UK’s Money Laundering and Terrorist Financing (Amendment) Regulations 2019 amended the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLR), so as to bring “cryptoasset exchange providers” and “custodian wallet providers” within the scope of the MLR.
Broadly, firms that exchange (or arrange for the exchange of) cryptoassets for fiat currency and/or other cryptoassets; operate a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets; and/or safeguard cryptoassets or private cryptographic keys on behalf of customers in the course of business in the UK are required to register with the FCA.
Put simply, crypto firms must navigate the somewhat daunting registration process if they want to trade cryptoassets in the UK.
Notably, firms that are already registered or authorised with the FCA or Prudential Regulatory Authority (PRA) for other regulated activities will also have to go through this registration process if they carry on relevant cryptoasset activities in the UK.
Registration process
Pre-existing cryptoasset firms that operated in the UK before 10 January 2020 should either be registered or be on the FCA’s list of firms with temporary registration to continue operating in the UK.
The FCA introduced a Temporary Registration Regime (TRR) for pre-existing cryptoasset firms that applied for registration before 16 December 2020, which granted such firms a temporary MLR registration, pending the FCA’s determination of their application. However, this ended on 31 March 2022.
At the time of writing, 31 firms have successfully obtained MLR registrations, while 33 firms have temporary registration, and a staggering 233 firms are still unregistered.
The FCA has underlined the importance of managing regulatory risks at the authorisation stage and has stated that it will place “greater focus on scrutinising applicants’ financials and business models… where the firm is operating in a high-risk business, such as crypto firms applying for anti-money laundering registration”.
It has also stressed that it will “only register firms where it is confident that processes are in place to identify and prevent [money laundering and terrorist financing] activity”.
Firms should therefore prepare for a thorough assessment of their applications, and factor in the possibility of follow-up questions from the FCA. It should be noted that the onus is on applicants to disclose all necessary information, and while the FCA may seek additional information for clarification purposes, it will not generally advise on the detail of what is sufficiently comprehensive to achieve registration.
The FCA’s no-nonsense approach
Risk-based approach
Cryptoasset firms will be expected to demonstrate that they have adequate and relevant policies and procedures in place, as well as internal controls, to effectively manage AML/CTF risks. Firms’ policies and practices will vary, depending on the size and nature of their business, and the nature of the money laundering risks they face.
Business Wide Risk Assessment
Cryptoasset firms must have a documented Business Wide AML/CTF Risk Assessment that has been signed off by the governing body. This is a detailed exercise that must explore several risk factors, including those related to the specific services being offered in addition to those that are inherent in the underlying customer base.
The FCA will expect to see quantitative analysis to justify any assertions that residual risks (the assessment of risk after controls have been considered) are low. Cryptoasset firms must also be able to demonstrate that there is an ongoing programme that includes regular reporting to the governing body as to changes in the risk profile, risk acceptance where appropriate, and event-driven investigations.
Registration requirements
Cryptoasset firms must provide the FCA with various information relating to their business (e.g. terms of business and charges, business plan, and information on key individuals in the business).
AML/CTF-related information
Cryptoasset firms will also need to provide certain AML/CTF-related information.
Firms will need to document their risk appetite and put in place clear management structures and governance arrangements that incorporate reporting structures and roles and responsibilities. Firms should monitor the growth of the business and ensure that their procedures and resources are adequate for the complexity of business being undertaken.
Firms should also consider the risks specific to their activities, and detail how they mitigate those risks. Relevant measures may include: undertaking regular risk assessments to ensure their policies and controls are aligned with their risk appetite; ongoing transaction monitoring and surveillance; and clear decision-making and escalation processes for suspected money laundering or terrorist financing. Firms are also required to provide the FCA with their AML/CTF staff training material.
Both the risk assessment and monitoring and mitigation policy should take into account specific features of the firm’s business, for example: types of customers or counterparties (retail / professional, regulated / unregulated, crypto ATMs); the geographical scope of its business and where its customers or counterparties are based; and types of cryptoassets being offered (e.g. exchange, utility, or security tokens).
As part of the customer onboarding and due diligence process, firms should assess the money laundering and terrorist financing risk posed by customers and record the basis of assessment. The customer risk assessment should be reviewed periodically and when there are material changes to the customer’s risk profile.
With respect to transaction monitoring procedures, firms should be able to articulate the basis for closing false positives and be able to provide that information to the FCA on request.
The FCA has placed emphasis on getting applications right and ensuring that various aspects of the application process are adhered to. The process to register with the FCA is exhaustive, so we advise that firms start taking steps to begin the process as soon as possible.