Cryptoassets: AML / CTF regime

From 10 January 2020, we are the anti-money laundering and counter-terrorist financing (AML/CTF) supervisor of UK cryptoasset businesses under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (MLRs).

Please visit our pages on registration for more information on applying. You will need to use our online system, Connect, to submit applications.

 

The MLRs apply to businesses in a range of sectors at risk of facilitating money laundering or terrorist financing. From 10 January 2020, businesses carrying on certain cryptoasset activities will be in scope of these regulations and will need to register with us. 

We have highlighted some specific new areas that firms regulated by us under the MLRs, including cryptoasset businesses, need to comply with from 10 January 2020. Read more about these changes to our webpage: Money Laundering Regulations.  

Scope of cryptoasset activities

The Treasury has published the Statutory Instrument which covers the activities specified in the EU’s 5th Money Laundering Directive (5MLD) and a wider range of activities as recommended by the Financial Action Task Force (FATF).

Cryptoasset businesses carrying on the activities listed below must comply with the MLRs from 10 January 2020.

Cryptoasset activity As described in the Statutory Instrument
Cryptoasset exchange provider (including Cryptoasset Automated Teller Machine (ATM), Peer to Peer Providers, Issuing new cryptoassets, e.g Initial Coin Offering (ICO) or Initial Exchange Offerings).

a firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services.

(a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
(b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
(c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.

Custodian Wallet Providers

a firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer

  • cryptoassets on behalf of its customers, or
  • private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets, when providing such services.

Compliance with MLRs

From 10 January 2020, UK cryptoasset businesses must comply with the MLRs.

You may also want to consider guidance from:

Joint Money Laundering Steering Group (JMLSG)

FCA Financial Crime guide for firms

FCA Guidance (FG17/6) on the treatment for Politically Exposed Persons (PEPs)

FATF Guidance on a risk-based approach

FATF VASP Guidance

Registration

All UK cryptoasset businesses carrying on activities in scope of the MLRs will need to register with us from 10 January 2020. 

Our responsibility under this regime will be limited to AML/CTF registration supervision and enforcement only. Registration under the MLRs does not mean that customers will benefit from the protections of the Financial Ombudsman Service or the Financial Services Compensation Scheme (FSCS). As most cryptoassets are not specified investments under the Financial Services and Markets Act 2000 (FSMA), it is unlikely that customers will have access to the Financial Ombudsman Service or FSCS.

Customers and firms may wish to consider our guidance, where we have set out our position on the types of cryptoassets which will fall within our regulatory remit and the implications this has on consumer protection.

  • Cryptoasset activity involving security tokens, for example, are regulated tokens which will provide the same protections as specified investments set out in the Regulated Activities Order.
  • Cryptoasset activity which falls in the unregulated space, as defined in the guidance on Cryptoassets, will not have the same consumer protections.

For any customer that considers Financial Ombudsman Service and FSCS protection important, we recommend that you check with the business as to whether this protection applies to the cryptoasset transaction.  

A business must register with us as set out by the MLRs. It is not a license or a recommendation or endorsement of the business. A business may not carry on cryptoasset activities in the UK within the scope of the MLRs unless they are registered in line with specified timelines and requirements.

Registered businesses should be careful to avoid using language in this context that might give the impression that registration was a form of endorsement or recommendation. Cryptoasset businesses should ensure that they do not mislead customers as to what protections apply and the status of their FCA registration.

All applications for registration will be considered carefully to make sure they meet the conditions for registration set out in the MLRs. Applications will be refused if the conditions are not met.

Timeline and payment

Businesses must comply with the MLRs from 10 January 2020, irrespective of whether they are registered or not with the FCA. 

  • New cryptoasset businesses that intend to carry on a cryptoasset activity after 10 January 2020 must be registered before any activity can be carried out.
  • Existing cryptoasset businesses which were already carrying on cryptoasset activity immediately before 10 January 2020 may continue with that business, in compliance with the MLRs, but must be registered by 10 January 2021, or stop all cryptoasset activity. We encourage businesses to consider the table below setting out the timeline for registration.

When making a business application, please consider the points below: 

  • We may refuse to register the applicant where any information or document required in the registration form is missing. We may also ask for additional information supplementary to that set out in the registration form if it is reasonably considered necessary to enable us to determine the application.
  • Once we have received all the required information, there is a 3 month period to make a registration assessment.
  • To avoid delays or the application being rejected, we should be notified of material changes and inaccuracies to the application as soon as possible. This is a legal obligation under the MLRs.
  • We will not consider your registration application  until the registration fee is paid. There is more information in the fees section on this page.
  • Businesses will need to apply for registration early in case we require further information, and to ensure the registration deadline is met.

Please read the registration process for more information on applications and what we expect from cryptoasset applications.

Step 1: 10 January 2020

FCA Gateway opens for businesses to submit applications for entry to the register. A business must comply with the MLRs in relation to cryptoasset activities. FCA have powers to supervise and enforce under the MLRs. New businesses need to be registered before they can carry on cryptoasset activity.

Step 2: 30 June 2020

Latest date for applications from existing businesses to be received for priority review to check that they are complete and ready to be determined.

Step 3: 10 January 2021

Any existing business not registered must cease trading.

 

Supervision

All businesses will need to comply with the MLRs from 10 January 2020. We will start supervising businesses from 10 January 2020, irrespective of whether they have applied to be registered or not.

Our supervisory approach to cryptoasset businesses will be in line with our approach to other businesses under the MLRs. It will be risk based so that businesses who pose the greatest money laundering and terrorist financing risk will receive an increased level of supervisory focus. If we have reason to believe serious misconduct has taken place, we may decide to commence an enforcement investigation.

Our supervisory assessment will include a requirement for a business to demonstrate that it has policies, controls and procedures in place to effectively manage money laundering and terrorist financing risks proportionate to the size and nature of the business’ activities. Businesses should also carry out regular assessments of their policies, controls and procedures to ensure that these remain relevant and appropriate.  Businesses should be alert to any change in their operating model that may have an impact on the way they conduct their business.

We expect cryptoasset businesses in scope of the regulations to comply with the MLRs from 10 January 2020. A summary of some of these requirements are set out below, however this is not an exhaustive list. It also does not include the wider rules and guidance that an FCA authorised business under FSMA must adhere to (which FSMA authorised firms must comply with in addition to the MLRs):

  • take appropriate steps to identify and assess the risks of money laundering and terrorist financing which the business is subject to,
  • assess the ML/TF risks related to any new technologies prior to launch and take appropriate measures to manage and mitigate those risks,
  • have in place policies, systems and controls appropriate to mitigate the risk of the business being used for the purposes of money laundering or terrorist financing. This risk-based approach should seek to mitigate the risks identified in the business’s risk assessment,
  • where appropriate with regard to the size and nature of its business, appoint an individual who is a member of the board or senior management to be responsible for compliance with the MLRs and the nominated officer. The nominated officer is also the person responsible for reporting suspicious activity to the National Crime Agency (NCA) under part 7 (money laundering) of the Proceeds of Crime Act 2002,
  • where appropriate, with regard to the size and nature of its business, establish an independent internal audit function with responsibility for examining and evaluating the adequacy and effectiveness of the policies, controls and procedures, and making recommendations, as well as monitoring the controls,
  • undertake screening of employees,
  • undertake customer due diligence (CDD) when entering into a business relationship or occasional transactions,
  • apply more intrusive due diligence, known as enhanced due diligence (EDD), when dealing with customers who may present a higher ML/TF risk. This includes customers who meet the definition of a politically exposed person (PEP), 
  • undertake ongoing monitoring of all customers to ensure that transactions are consistent with the business’ knowledge of customer, the customer’s business and risk profile.

Additional supervisory powers

The MLRs include additional powers for the FCA to maintain a robust AML/CTF cryptoasset supervisory regime. A summary of some of those additional powers are listed below (for the detail see the relevant references to the regulations):

Power

Summary

Skilled Person Review

Regulation 74B permits the FCA to appoint, or require the cryptoasset business to appoint, a skilled person to prepare a report for the FCA concerning a matter under the MLRs.  

Power of direction

Regulation 74C, permits the FCA to give a direction (which is similar to the requirement power under section 55L(3) of FSMA) to a business before, on or after registration to a business for the purpose of;

  • Remedying a failure to comply with the MLRs;
  • Preventing a failure to comply or continued non-compliance under the MLRs, or;
  • Preventing the business from being used for ML/TF.

This power of direction allows us to require or prohibit certain action.

Disclosure

Regulation 60A requires a business, whose cryptoasset activity does not fall within the scope of the Financial Ombudsman Services (FOS) or the Financial Services Compensation Scheme (FSCS), to inform customers of this fact before they enter into a business relationship or transaction. (see ‘Disclosure’ section for more information).

Reporting requirements

Regulation 74A grants us the power to require businesses to provide us with information, as we may direct, and at a frequency and form that we may specify, and which could include information to assist us to calculate our charges under the MLRs.

Disclosure

Businesses whose cryptoasset activity does not fall within the scope of the Financial Ombudsman Services (FOS) or the Financial Services Compensation Scheme (FSCS) will be required to inform customers of this before they enter into a business relationship or transaction.

We remind businesses that in relation to cryptoasset activities within the scope of the Financial Services and Markets Act (FSMA), for example relating to securities tokens that are financial instruments, these might be in the scope of FOS and/or FSCS. Businesses might need to make this fact clear to consumers under requirements set out in the FCA Handbook. We remind businesses of the recent Policy Statement addressing guidance on cryptoassets.

We expect businesses to provide a clear disclosure to customers where FOS/FSCS does not apply. It will be up to each business to decide how best they meet this requirement.

We are not expecting a business to make several disclosures of this fact but that it is made where it is relevant and in an appropriate manner to the consumer.

We set out below some factors a business may wish to consider:

  • timing: the disclosure should be prior to carrying on activities in relation to the business or before concluding a transaction. It is down to the business to consider their business model and consider when it is best to make this disclosure.
  • where: it is down to the business to consider how they target and sell to consumers, and whether these are repeat or one-off clients, or a mix. The purpose of the obligation is that investors are aware of this information before deciding to proceed. In considering where to make this disclosure a business may wish to consider:
  • is there key information or regulatory information that a business discloses to the consumer, and where it may be appropriate to include this information, with equal prominence.
  • how are consumers targeted and should this information be included with key marketing information, its main website or terms and conditions (as long as it is clear to consumers).

A business will need to decide how best to disclose this information, particularly if it is doing a mix of FSMA regulated and unregulated cryptoasset or other activity. For businesses only carrying on activities in relation to unregulated cryptoassets, we would suggest wording along the following lines:

‘The Financial Ombudsman Service or the Financial Services Compensation Scheme do not apply to the cryptoasset activities carried on by [Name of cryptoasset business].’

Enforcement

Our enforcement staff work closely with our authorisation and supervision functions as well as with other regulators and law enforcement agencies, to detect serious misconduct, including money laundering and terrorist financing. 

We already have enforcement powers under the existing MLRs and the Enforcement Guide sets out our general approach to using these powers. The amended MLRs have extended our powers in relation to cryptoasset businesses. 

  • Our Enforcement Guide sets out our approach to enforcement and how we use our powers of investigation, gather information and conduct an investigation. It also sets our approach to imposing financial penalties and other disciplinary sanctions, explaining how we will use our powers under the money laundering regulations. 
  • Approach to Enforcement explains how we address harm and add public value through our statutory powers to investigate, take relevant civil, criminal and / or disciplinary action.  
  • Enforcement Information Guide - this short guide includes a flowchart showing the process of a typical FCA enforcement case. It sets out the options to contest or resolve a case, the opportunities to make representations, and who the decision-makers are.

Contact us

For any queries regarding the new regime, please email us.

Page updates

28/10/2019: Link added Added link to CP19/29 under Timeline and payment section