At a glance
- It may appear that obtaining Anti-Money Laundering (AML) registration with the UK Financial Conduct Authority (FCA) for cryptoasset business should be a lighter-touch process than seeking full authorisation to perform regulated activities. But in many ways, the FCA application process for MLR registration is almost as onerous as a full authorisation.
- Guidance published by the FCA in late January 2023 sets out FCA expectations for cryptoasset firm registration applications made under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs).
- The FCA expects an applicant to be able to show, at the time of application, that it has in place all the arrangements, systems, controls, contracts, people and processes that it will need in order to be able to run its business in a way that complies with every relevant aspect of UK regulation.
- The size of this task should not be underestimated: as the FCA highlights, of over 300 applications received since January 2020, the vast majority (195) have either been refused by the FCA or been withdrawn, and a further 29 rejected. The FCA have approved and registered only 41 firms to date.
What are the key takeaways from the FCA’s recent feedback?
Preparation is key
A key takeaway from the recent guidance is that a firm’s senior management must understand the environmental and regulatory context in which their business will operate and be able to clearly articulate this to the regulator. Taking the time to develop a comprehensive and structured application is central in creating a successful application.
The FCA is alert to ongoing global developments such as the use of cryptoassets by designated persons to circumvent sanctions (see the specific reference to proliferation financing risks), the collapse of FTX due to lack of governance and controls, and the recent New York Department of Financial Services' fine of Coinbase for AML-related control failings. In line with the FCA’s strategic objective to ensure that relevant UK markets function well, the regulator actively takes such developments into account as it reviews applications for MLR registration by cryptoasset firms.
As such, firms looking to register with the FCA as a cryptoasset firm need to be cognizant of all relevant laws and regulations that apply to their business. These go beyond those relating to AML, and include, for example:
- analysis of products and services and their interaction with the regulatory perimeter (e.g. collective investment schemes, derivatives and securities); and
- obligations to ensure that customer communications and marketing materials are accurate, fair and not misleading, with clear and proactive warnings that cryptoasset activities do not benefit from FSCS and FOS protections. (Note HM Treasury’s recent statement on crypto-related financial promotions).
The FCA expect a comprehensive and coherent business plan, including business-wide risk framework
“We will not approve an application, where the business plan and risk management framework do not adequately explain the applicant’s cryptoasset-related activities, the risks and how these are mitigated through the corresponding controls.”
When developing their application, firms must provide a comprehensive picture of their profile and business activities. A challenge for many firms, from newly established crypto-natives through to established institutions exploring cryptoasset products and services, is in establishing a common thread through their application in terms of what their cryptoasset operations are, what risks they are exposed to and how they in turn manifest for their business, the controls they have employed to mitigate identified risks, and the effectiveness of these controls. While many clients have been able to succinctly articulate aspects of this (e.g. their business operations), they often struggle to create that thread from end-to-end. This in turn has often meant that senior management are unable to clearly articulate what their risks are and how they mitigate them to the regulator.
While establishing the thread is crucial in articulating the end-to-end view of a firm to the regulator, it is important that firms effectively evaluate and evidence their risk exposure and subsequently the management of risk. When establishing their risk exposure, firms should calculate their residual risk and determine any mitigants. The risks covered by the assessment should include the risks that the business may pose to UK financial markets and customers, including investor protection concerns (in particular, customer asset segregation arrangements, and transparency on reserves) as well as any relevant financial crime considerations. As noted above, it is interesting to note that the FCA calls out specifically proliferation financing risks and expects firms to be able to clearly express how their arrangements monitor for and are effective in avoiding the firm being used for such purposes. Ultimately, the key takeaway with respect to the risk assessment, is that it should reflect the nature of the firms business and the products and services that it offer. It is likely that generic risk assessments that are not sufficiently granular in nature will be subject to scrutiny and challenge.
Systems and arrangements must be adapted to the specific business
Beyond the evaluation of risk, another key area of note within the guidance surrounds the articulation of the policies, systems and controls employed by the organisation to mitigate identified risks. Importantly the FCA have highlighted that they expect all relevant policies, controls and procedures to be tailored to the firm, fully approved and operational; draft or standardised group-wide arrangements are likely to cause an application to be challenged, and potentially rejected. This expectation of comprehensive, fully-implemented and more importantly, tested arrangements is challenging for many organisations but particularly new firms who are undergoing the registration process prior to being fully operational. For these firms, balancing quality with cost can be difficult, however, rushing the process can lead to protracted applications and greater long-term costs and implications.
In addition the FCA highlighted that all outsourcing arrangements (within the group or with third parties) must be in place and have been risk assessed. The FCA expects to see (and read) the service level agreements – so these must be properly negotiated and allow sufficient oversight and assurance testing of outsourced service providers, including assurance testing of the outsourced activities.
Finally, the FCA have explicitly highlighted their expectations that firms employ effective transaction monitoring and blockchain analysis systems with adequate coverage of various types of currencies and transactions. In addition, staff must have the skills to carry out blockchain investigations. Of note is that the FCA expects to see demonstration of this, including that these controls are operational, in the application.
People are vital (in particular Compliance and an experienced MLRO)
The FCA expects an applicant to have sufficient compliance and risk management staff, all with appropriate knowledge to be able to perform their responsibilities in the context of blockchain technology-based products and activities. The firm must have an appropriate ongoing training programme with supervision to ensure completion, including consequence management.
The FCA requires applicants to appoint a Money Laundering Reporting Officer (MLRO) with relevant knowledge, experience and training (including in relation to cryptoasset-related technologies). The FCA will assess their fitness and propriety, skills and experience. Where the MLRO lacks fitness and propriety, the FCA will reject the application. The MLRO must be fully involved in the preparation of the application.
MLROs (particularly those with sufficient knowledge and understanding of the risks associated with cryptoassets) are a scant resource. We have observed that many newly formed crypto natives have struggled to identify and allocate an MLRO prior to the commencement of the application process. Whilst the firm may choose to explore having an overseas MLRO as an alternative operating model, FCA will “look carefully” at such arrangements.
Within the confines of its present authority, the FCA appears to be flexing every muscle it can to protect UK financial markets and customers. In line with the government’s appetite to attract crypto technology-based businesses to the UK, the FCA offers support to applicants with innovative business models. But firms that want the reputational benefit that comes from having an FCA MLR registration have to work hard to achieve it - and to maintain it.
While the registration process can appear daunting, preparation is key and where necessary the FCA has noted that applicants should seek the support of an experienced adviser who can provide comprehensive and integrated support on legal, regulatory, financial crime, business strategy, systems implementation and risk management frameworks, to ensure that the eventual application is comprehensive and stands the best possible chance of success.