Cryptoassets: AML / CTF regime

We are the anti-money laundering and counter-terrorist financing (AML/CTF) supervisor of UK cryptoasset businesses under the MLRs. 

Since 10 January 2020, existing businesses (operating immediately before 10 January 2020) carrying on cryptoasset activity in the UK have needed to be compliant with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (MLRs) including the requirement to be registered with the FCA by 9 January 2021 in order to continue to carry on business. 

If you are a new cryptoasset business (who intends to begin to trade in the UK), you must be registered with the FCA before you begin conducting business. 

Please visit our pages on registration for more information on applying. You will need to use our online system, Connect, to submit applications.

Update 

We are extending the end date of the Temporary Registration Regime (TRR) for existing cryptoasset businesses from 9 July 2021 to 31 March 2022. The TRR was established last year to allow existing cryptoasset firms, which applied for registration before 16 December 2020, and whose applications are still being assessed, to continue trading.

A significantly high number of businesses are not meeting the required standards under the Money Laundering Regulations resulting in an unprecedented number of businesses withdrawing their applications.

The extended date allows cryptoasset firms to continue to carry on business whilst the FCA continues with the robust assessment being undertaken. Anti-money laundering and counter terrorist financing legislation are aimed at protecting against enabling the transfer and disguise of funds from criminal activity, or funding of terrorist groups.

While this is not the only element that the FCA will assess in relation to an applicant, the FCA will only register firms where we are confident that processes are in place to identify and prevent this activity. Only firms that are registered with us or on our list of firms with temporary registration can continue trading. We have contacted these firms directly.

Other firms must have ceased trading from 10 January 2021. Firms that have not ceased trading are at risk of being subject to the FCA’s criminal and civil enforcement powers. 

Temporary Registration Regime

On 16 December 2020, we introduced a Temporary Registration Regime for firms which applied for FCA registration before this date, whose applications we are still processing.

By placing firms on our list of firms with temporary registration, this does not mean that the FCA has assessed them as fit and proper, nor that we have determined their application for the purposes of the MLRs.

Those firms eligible for the Temporary Registration Regime will be registered, in compliance with Regulation 56 of the MLRs, until either their application to register has been determined or the Temporary Registration Regime ends.

Firms that did not submit an application by 15 December 2020 are not eligible for the Temporary Registration Regime. 

Unregistered cryptoasset businesses

You can find a list of unregistered cryptoasset businesses on the Financial Services Register.

The list details UK businesses that appear to be carrying on cryptoasset activity without being registered with us for anti-money laundering purposes. 

Please note, this isn’t a complete list of all unregistered cryptoasset businesses operating in the UK. It contains the details of unregistered businesses that we are aware of.

Scope of cryptoasset activities

The Treasury has published the Statutory Instrument which covers the activities specified in the EU’s 5th Money Laundering Directive (5MLD) and a wider range of activities as recommended by the Financial Action Task Force (FATF).

Cryptoasset businesses carrying on the activities listed below must comply with the MLRs since 10 January 2020.

Cryptoasset activity As described in the Statutory Instrument
Cryptoasset exchange provider (including Cryptoasset Automated Teller Machine (ATM), Peer to Peer Providers, Issuing new cryptoassets, e.g Initial Coin Offering (ICO) or Initial Exchange Offerings).

a firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services.

(a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
(b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
(c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.

Custodian Wallet Providers

a firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer

  • cryptoassets on behalf of its customers, or
  • private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets, when providing such services.

Compliance with MLRs

Since 10 January 2020, UK cryptoasset businesses must comply with the MLRs.

You may also want to consider guidance from:

Joint Money Laundering Steering Group (JMLSG) PART II, Chapter 22 (Sectoral Guidance applicable to cryptoasset businesses) - this must be read in conjunction with the main guidance set out in JMLSG Part I (applicable to all relevant firms including cryptoasset businesses)

FCA Financial Crime guide for firms

FCA Guidance (FG17/6) on the treatment for Politically Exposed Persons (PEPs)

FATF Guidance on a risk-based approach

FATF VASP Guidance

Registration

This flowchart sets out which firms need to be registered with us.

Our responsibility under this regime is limited to AML/CTF registration supervision and enforcement only. Registration under the MLRs does not mean that customers will benefit from the protections of the Financial Ombudsman Service or the Financial Services Compensation Scheme (FSCS). As most cryptoassets are not specified investments under the Financial Services and Markets Act 2000 (FSMA), it is unlikely that customers will have access to the Financial Ombudsman Service or FSCS.

Cryptoassets businesses may wish to consider our guidance, where we have set out our position on the types of cryptoassets which will fall within our regulatory remit and the implications this has on consumer protection.

  • Cryptoasset activity involving security tokens, for example, are regulated tokens which will provide the same protections as specified investments set out in the Regulated Activities Order.
  • Cryptoasset activity which falls in the unregulated space, as defined in the guidance on Cryptoassets, will not have the same consumer protections.

Firms should consider whether their cryptoasset activities are within the scope of the jurisdiction of the Financial Ombudsman Service and/or are subject to protection under the FSCS. Where an activity is not subject to such protection, cryptoasset businesses must inform the customer of that position, before establishing a business relationship or entering into a transaction with the customer. 

A business must register with us as set out by the MLRs. It is not a license or a recommendation or endorsement of the business. A business may not carry on cryptoasset activities in the UK within the scope of the MLRs unless they are registered in line with specified timelines and requirements.

Registered businesses should be careful to avoid using language in this context that might give the impression that registration was a form of endorsement or recommendation. Cryptoasset businesses should ensure that they do not mislead customers as to what protections apply and the status of their FCA registration.

We are considering all applications carefully to make sure they meet the conditions for registration set out in the MLRs. Applications will be refused if the conditions are not met.

Timeline and payment

Existing cryptoasset businesses which were already carrying on cryptoasset activities in scope of the MLRs prior to 10 January 2020, must have been complying with the MLRs since 10 January 2020, irrespective of whether they are registered or not with the FCA. 

  1. New cryptoasset businesses that intend to carry on a cryptoasset activity after 10 January 2020 must be registered before any activity can be carried out.
  2. Existing cryptoasset businesses may be in the following categories: 

- If they are registered with the FCA, they may continue trading and will appear on our Register. 

- If they have applied for registration by 15 December 2020 and we are still assessing their application, they will have temporary registration. This will enable them to continue trading after 9 January 2021 until 31 March 2022, pending determination of their application.  

If you have not applied for registration

From 10 January 2021, if a firm is not registered or on the list of firms with temporary registration, they must not carry on any cryptoasset activities, which includes (among other things) exchanging and holding custody of cryptoassets on a customer’s behalf.

We expect firms to act in the best interests of their customers and should seek their own legal advice on how to do this as firms may be committing a criminal offence from 10 January 2021 by continuing to provide services involving cryptoassets. If so, they are at risk of being subject to the FCA’s criminal and civil enforcement powers.

Supervision

All businesses need to have complied with the MLRs from 10 January 2020. 

Our supervisory approach to cryptoasset businesses will be in line with our approach to other businesses under the MLRs. It will be risk based so that businesses who pose the greatest money laundering and terrorist financing risk will receive an increased level of supervisory focus. If we have reason to believe serious misconduct has taken place, we may decide to commence an enforcement investigation.

Our supervisory assessment will include a requirement for a business to demonstrate that it has policies, controls and procedures in place to effectively manage money laundering and terrorist financing risks proportionate to the size and nature of the business’ activities. Businesses should also carry out regular assessments of their policies, controls and procedures to ensure that these remain relevant and appropriate.  Businesses should be alert to any change in their operating model that may have an impact on the way they conduct their business.

Some requirements are set out below, however this is not an exhaustive list. It also does not include the wider rules and guidance that an FCA authorised business under FSMA must adhere to (which FSMA authorised firms must comply with in addition to the MLRs):

  • take appropriate steps to identify and assess the risks of money laundering and terrorist financing which the business is subject to,
  • assess the ML/TF risks related to any new technologies prior to launch and take appropriate measures to manage and mitigate those risks,
  • have in place policies, systems and controls appropriate to mitigate the risk of the business being used for the purposes of money laundering or terrorist financing. This risk-based approach should seek to mitigate the risks identified in the business’s risk assessment,
  • where appropriate with regard to the size and nature of its business, appoint an individual who is a member of the board or senior management to be responsible for compliance with the MLRs and the nominated officer. The nominated officer is also the person responsible for reporting suspicious activity to the National Crime Agency (NCA) under part 7 (money laundering) of the Proceeds of Crime Act 2002,
  • where appropriate, with regard to the size and nature of its business, establish an independent internal audit function with responsibility for examining and evaluating the adequacy and effectiveness of the policies, controls and procedures, and making recommendations, as well as monitoring the controls,
  • undertake screening of employees,
  • undertake customer due diligence (CDD) when entering into a business relationship or occasional transactions,
  • apply more intrusive due diligence, known as enhanced due diligence (EDD), when dealing with customers who may present a higher ML/TF risk. This includes customers who meet the definition of a politically exposed person (PEP), 
  • undertake ongoing monitoring of all customers to ensure that transactions are consistent with the business’ knowledge of customer, the customer’s business and risk profile.

Additional supervisory powers

The MLRs include additional powers for the FCA to maintain a robust AML/CTF cryptoasset supervisory regime. A summary of some of those additional powers are listed below (for the detail see the relevant references to the regulations):

Power

Summary

Skilled Person Review

Regulation 74B permits the FCA to appoint, or require the cryptoasset business to appoint, a skilled person to prepare a report for the FCA concerning a matter under the MLRs.  

Power of direction

Regulation 74C, permits the FCA to give a direction (which is similar to the requirement power under section 55L(3) of FSMA) to a business before, on or after registration to a business for the purpose of;

  • Remedying a failure to comply with the MLRs;
  • Preventing a failure to comply or continued non-compliance under the MLRs, or;
  • Preventing the business from being used for ML/TF.

This power of direction allows us to require or prohibit certain action.

Disclosure

Regulation 60A requires a business, whose cryptoasset activity does not fall within the scope of the Financial Ombudsman Services (FOS) or the Financial Services Compensation Scheme (FSCS), to inform customers of this fact before they enter into a business relationship or transaction. (see ‘Disclosure’ section for more information).

Reporting requirements

Regulation 74A grants us the power to require businesses to provide us with information, as we may direct, and at a frequency and form that we may specify, and which could include information to assist us to calculate our charges under the MLRs.

Disclosure

Businesses whose cryptoasset activity does not fall within the scope of the Financial Ombudsman Services (FOS) or the Financial Services Compensation Scheme (FSCS) will be required to inform customers of this before they enter into a business relationship or transaction.

We remind businesses that in relation to cryptoasset activities within the scope of the Financial Services and Markets Act (FSMA), for example relating to securities tokens that are financial instruments, these might be in the scope of FOS and/or FSCS. Businesses might need to make this fact clear to consumers under requirements set out in the FCA Handbook. We remind businesses of the recent Policy Statement addressing guidance on cryptoassets.

We expect businesses to provide a clear disclosure to customers where FOS/FSCS does not apply. It will be up to each business to decide how best they meet this requirement.

We are not expecting a business to make several disclosures of this fact but that it is made where it is relevant and in an appropriate manner to the consumer.

We set out below some factors a business may wish to consider:

  • timing: the disclosure should be prior to carrying on activities in relation to the business or before concluding a transaction. It is down to the business to consider their business model and consider when it is best to make this disclosure.
  • where: it is down to the business to consider how they target and sell to consumers, and whether these are repeat or one-off clients, or a mix. The purpose of the obligation is that investors are aware of this information before deciding to proceed. In considering where to make this disclosure a business may wish to consider:
  • is there key information or regulatory information that a business discloses to the consumer, and where it may be appropriate to include this information, with equal prominence.
  • how are consumers targeted and should this information be included with key marketing information, its main website or terms and conditions (as long as it is clear to consumers).

A business will need to decide how best to disclose this information, particularly if it is doing a mix of FSMA regulated and unregulated cryptoasset or other activity. For businesses only carrying on activities in relation to unregulated cryptoassets, we would suggest wording along the following lines:

‘The Financial Ombudsman Service or the Financial Services Compensation Scheme do not apply to the cryptoasset activities carried on by [Name of cryptoasset business].’

Enforcement

Our enforcement staff work closely with our authorisation and supervision functions as well as with other regulators and law enforcement agencies, to detect serious misconduct, including money laundering and terrorist financing. 

We already have enforcement powers under the existing MLRs and the Enforcement Guide sets out our general approach to using these powers. The amended MLRs have extended our powers in relation to cryptoasset businesses. 

  • Our Enforcement Guide sets out our approach to enforcement and how we use our powers of investigation, gather information and conduct an investigation. It also sets our approach to imposing financial penalties and other disciplinary sanctions, explaining how we will use our powers under the money laundering regulations. 
  • Approach to Enforcement explains how we address harm and add public value through our statutory powers to investigate, take relevant civil, criminal and / or disciplinary action.  
  • Enforcement Information Guide - this short guide includes a flowchart showing the process of a typical FCA enforcement case. It sets out the options to contest or resolve a case, the opportunities to make representations, and who the decision-makers are.

Contact us

For any queries regarding the new regime, please email us.

Page updates

03/06/2021: Information added Extension of end date of the TRR from 9 July 2021 to 31 March 2022.
31/03/2021: Editorial amendment Anchor link added
19/03/2021: Information added Unregistered cryptoasset businesses.
11/01/2021: Information added Update TRR
16/12/2020: Information added Temporary registration regime

28/10/2019: Link added Added link to CP19/29 under Timeline and payment section