If you provide, or wish to provide, cryptoasset services in the UK, you must register with the FCA under the Money Laundering Regulations (MLRs). From 10th January 2020, cryptoasset businesses in the UK are required to register with the FCA.
The FCA is the new anti-money laundering and counter-terrorist financing (AML/CTF) supervisor of cryptoasset businesses based in the UK under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
What is a Cryptoasset?
A cryptoasset is a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically, and includes a right to, or interest in, the cryptoasset (Regulation 14A(3)(a) and (c) Money Laundering Regulations).
Some cryptoassets may be deemed as specified investments and fall under the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001, whilst they can also fall under electronic money and therefore the scope of the Electronic Money Regulations 2011.
If your cryptoasset business provides regulated investment or electronic money services, you must ensure that it has the appropriate regulatory permissions to comply with regulatory requirements, particularly those concerning anti-money laundering and countering terrorist financing.
What are cryptoasset activities?
Cryptocurrency exchange providers
A cryptocurrency exchange provider is a firm creating or issuing cryptoassets when providing the following services:
(a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
(b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
(c) operating a machine that utilises automated processes to exchange cryptoassets for money or money for cryptoassets (Regulation 14A(1) Money Laundering Regulations).
The following activities will require assessment on a case-by-case basis:
b. escrow services into cryptoasset activities,
c. issuance of cryptoassets or their acceptance in return for goods or services.
Custodian wallet providers
A custodian wallet provider is a firm providing services to safeguard or administer:
(a) cryptoassets on behalf of its customers, or
(b) private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets when providing such services (Regulation 14A(2) Money Laundering Regulations).
Custodian wallet providers may also offer other services. Firms that merely hold and store cryptographic keys, but are not involved in their transfer, are not likely to be in the scope of the definition. This includes hardware wallet manufacturers and cloud storage service providers. These are regarded as ‘non-custodian wallet providers’.
The FCA's approach to regulating cryptoasset businesses
The FCA has adopted a risk-based approach to supervising cryptoasset businesses. This means that businesses posing the greatest money laundering and terrorist financing risk will be subjected to a more detailed registration assessment and ongoing supervision. The same applies to the FCA's approach towards taking enforcement action against your firm where misconduct or a breach has taken place.
The FCA will assess your business and expect you to demonstrate that you have adequate and relevant policies and procedural documents in place, as well as internal controls, to effectively manage the risk of money laundering and terrorist financing. Your business will be expected to understand its risks and mitigation measures to reduce the risk of money laundering and terrorist financing.
You are required to adopt a risk-based approach. Your approach should reflect the size and nature of your business. For example, if your firm is providing a number of payment services, e-money, and cryptoasset-related services, then the requirement will be higher compared to providing a single regulated service.
You should appoint a nominated officer, preferably a member of your board or management, to be responsible for compliance, particularly with the money laundering regulations. The nominated individual will be responsible for reporting suspicious activity to the National Crime Agency (NCA), where appropriate.
Do the money laundering regulations apply to your cryptoasset business?
The application of the money laundering regulations will be considered by the FCA on a case-by-case basis and is likely to differ for different business models. Generally, the regulations are applicable if you have a physical presence in the UK through which the cryptoasset business is conducted, although other factors may also be considered. Merely having UK customers does not in itself mean that a firm would fall within the jurisdictional scope of the ML Regulations. By contrast, a cryptoasset exchange provider that has an ATM located in the UK will be within the scope of the ML Regulations irrespective of which jurisdiction the operator is established in or where its offices are based.
Examples of high-risk money laundering factors concerning cryptoassets
The following are some factors that increase the risk of money laundering and/or terrorist financing:
a. Privacy - the ability for the user to transact without being fully identified.
b. Cross-border nature - if your firm operates across multiple countries, this may reduce your ability to have complete oversight and hinder your ability to identify all money laundering risks and their mitigation measures.
c. Decentralised nature - here, as there is no central server, transactions and individuals may not be subject to risk assessment and mitigation measures, as required by the regulations.
d. Digital nature - given the digital nature of cryptoassets, the lack of face-to-face contact presents a risk.
e. The ability of the user to make or accept payments in money from/to unknown third parties, or to operate multiple accounts.
f. The customer is involved in cryptoasset mining operations
g. The customer is a money remittance provider and is unable to produce the required KYC information.
h. The customer uses VPN, TOR or anonymous services.
i. The customer sends cryptoassets to newly-created addresses.
j. The customer regularly avoids the KYC thresholds by making smaller transactions.
k. The cryptoassets are held or used for transactions with privacy-enhancing features or products that obfuscate effective anti-money laundering and/or counter-terrorist financing controls, such as stealth addresses, atomic swaps, privacy coins, ring signatures, and IP anonymisers.
l. The cryptoasset originates from or is linked with, the darknet, unregulated exchange, fraud or other high-risk websites, such as gambling.
Examples of low-risk money laundering factors concerning cryptoassets
The following are some factors that reduce the risk of money laundering and/or terrorist financing:
a. Low-risk nature e.g. small value savings or storage.
b. Low-risk nature and scope of the payment channel e.g. open-versus closed-loop systems or systems intended for micro-payments.
c. Imposed parameters e.g. restrictions in place for transaction amounts or account balance.
d. The source of the payment is the customer's own account or is to a jurisdiction regarded as being low risk.
e. The payment is of a low value.
Cryptoasset risk assessment & management
a. Customer risk - a customer's profile would determine the level and type of ongoing monitoring and form part of your decision-making in assessing their application.
b. Product risk - this should focus on the features your firm is offering to the customer.
c. Transaction risk - the risk can be analysed by assessing the transaction information. The transaction should be risk-scored.
d. Delivery channel - This involves looking at how the customer can access your product or service. Where an intermediary exists, you should also assess the risks associated with them.
e. Geographical risk - This can relate to the customer's place of establishment. Information relating to the destination of funds will help the risk assessment of the geographical risk. Another risk could involve the cryptoasset firm understanding the cryptoasset regulations of the destination country.
Cryptoasset risk mitigation measures
The following is an overview of some measures firms can implement to mitigate the risk of money laundering and terrorist financing:
a. Impose product and/or service restrictions:
i. Imposing transaction limits
ii. Imposing limits on the total value of privacy coins that may be held, stored, transferred or exchanged.
iii. Impose a time delay before a transaction is processed.
iv. Prohibiting transfers to certain third parties
b. Carry out customer due diligence (CDD)
i. CDD measures must be applied to all business relationships, including those relating to occasional transactions of EUR 15,000 or more. However, this threshold does not apply to cryptoasset exchange providers operating an ATM, in which case CDD must be applied to all transactions. CDD measures must also be applied where the cryptoasset firm suspects money laundering or terrorist financing or doubts the veracity or adequacy of the documents or information provided by the customer. CDD must also be applied where the risk profile of the customer has changed.
i. Simplified due diligence ('SDD')
Where the cryptoasset exchange or custodian wallet provider determines that the business relationship or transaction presents a low risk of money laundering and terrorist financing, the firm may apply simplified due diligence.
ii. Enhanced due diligence (‘EDD’)
Measures for enhanced due diligence include:
i. Verifying the identity information received from the customer, such as a passport, with information in third-party official/government databases or other reliable sources,
ii. Assessing publicly available information on the customer e.g. from the internet, for verifying activity information and ensuring it is consistent with the customer’s transaction profile,
iii. Tracing the customer’s IP address, and,
iv. Requesting data relating to transaction and trading history.
c. Blockchain analysis
d. Assessing the source and destination of the funds
e. Conducting KYC (know your customer)
i. This involves identifying and verifying the customer's identity, assessing the purpose and intended use of the account and taking reasonable steps to identify the beneficial owners (where business clients are concerned).
ii. The information collected as part of the KYC process could include the wallet address and the transaction hashes.
f. Conducting ongoing monitoring
i. Ongoing monitoring is required and will help firms to monitor suspicious behaviour and indicators of suspicious activity. Furthermore, ongoing monitoring enables firms to reassess the risk profile of the customer.
g. Record keeping
Cryptoasset firms are required to keep adequate records. Records held should include:
- The information relating to the identification and verification of relevant parties,
- The public keys (or equivalent identifiers) of relevant parties,
- The addresses or accounts involved (or equivalent identifiers),
- The nature (e.g., deposit, transfer, exchange) and date of transactions, and
- The amounts transferred.
h. Sanction screening
Sanctions obligations apply to cryptoasset exchanges and custodian wallet providers.
Managing and reporting suspicious transactions
Both cryptoasset exchanges and custodian wallet providers are required to report suspicious activities.
Where a suspicious activity is detected, under POCA, in relation to an incoming transfer of cryptoassets from an external party that cannot be stopped due to processes associated with the blockchain, the cryptoasset firm should restrict the actions that can be performed by its customer in relation to the suspicious funds, freeze the assets/funds (where possible) and report the suspicious activity.
Where the cryptoasset provider provides a service involving the facilitation of the trading of cryptoassets on behalf of a natural or legal person’s customers, and suspicious activity related to market abuse is identified, the firm should file a suspicious transaction and order report (STOR).
You should implement adequate measures to manage suspicious activities. For example, where incoming cryptoassets are deemed suspicious, the cryptoasset firm may wish to hold/pause those funds in a pooled account until adequate checks have taken place and clearance has been provided by the firm.
Cryptoasset business compliance requirements
1. Identify money laundering and terrorist financing risks.
2. Assess ML/TF risks related to new technologies.
3. Have in place appropriate policies, systems and controls to mitigate ML/TF risks.
4. Where appropriate and depending on your firm’s size and nature of its business, appoint a member of the board or senior management team to be responsible for compliance with the money laundering regulations as your nominated officer.
5. Where appropriate, depending on the size and nature of your business, establish an independent internal audit function.
6. Conduct screening of employees.
7. Conduct customer due diligence when entering into a business relationship or transaction.
8. Apply enhanced due diligence measures where a customer presents a higher ML/TF risk. A higher risk would be presented by a person deemed as a politically exposed person (PEP).
9. Conduct ongoing monitoring of all customers.
Registration fees for cryptoasset AML registration
£2,000 – for businesses with a cryptoasset income of up to £250,000
£10,000 – for businesses with a cryptoasset income of greater than £250,000
The cryptoasset registration information you will need to provide
The FCA will need some key information about your business. This includes:
Programme of operations: setting out the specific cryptoasset activities for the business.
Business Plan: setting out the business objectives, customers, employees, governance, plans and projections. You should provide enough detail to show that the proposal has been carefully thought through and that the adequacy of financial and non-financial resources has been considered. You should also include details on the volume and value of transactions, number and type of clients, pricing and the main lines of income and expenses.
Marketing plan: including a description of customers and distribution channels.
Structural organisation: a description of how your business is structured and organised. You must include a description of relevant outsourcing arrangements if any.
Systems and controls: provide details of the key IT systems you will use to run the business, including details of IT security policies and procedures.
Details of individuals, beneficial owners and close links: directors and any other persons who are or will be responsible for the management must satisfy the regulator they have a good reputation and have the appropriate knowledge and experience to act in this capacity. A business will have to appoint a person to be responsible for MLRs compliance, monitor and manage compliance with policies, procedures and controls relating to money laundering and terrorist financing and act as the nominated officer under the Proceeds of Crime Act 2002. The person you appoint to carry out any of these functions can be the same person, but the FCA will expect them to have the knowledge, experience and training, a level of authority and independence, and sufficient access to resources and information to enable them to carry out that function.
Governance arrangements and internal control mechanisms: as part of registration, you will need to provide details of governance arrangements, the internal control mechanisms in place to identify and assess risks and a description of money laundering and counter-terrorist financing control measures in place.
Anti-Money Laundering/Counter-terrorist Finance framework and risk assessment: this should highlight the risks specific to your business model activities and provide details on how you mitigate those risks. You should also include Anti-Money Laundering/Counter-Terrorist Finance staff training material.
Business-wide risk assessment: with monitoring and mitigation policy.
All cryptoasset public keys/wallet addresses: this includes all of the cryptoasset addresses controlled by the business and used in the activity of the business for each cryptoasset that the business deals with.
Customer onboarding agreements and process.
Customer due diligence and enhanced due diligence procedures, meeting the minimum standards required in the regulations.
Transaction monitoring procedures.
Record-keeping and recording procedures.
Business continuity plan.
Outsourcing arrangements policy and service license agreements.
Budget forecasts and financials for the first three financial years.
Money Laundering Reporting Individual forms for all directors, executives and officers.
Beneficial Owner forms for shareholders.