We are the anti-money laundering and counter-terrorist financing (AML/CTF) supervisor of UK cryptoasset businesses under the money laundering regulations. Learn more about the regime.
Cryptoasset businesses must register with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017[2] (MLRs), and comply with these regulations, if they intend to provide certain cryptoasset services by way of business, and if this service will be in the course of business carried on by them in the UK.
This includes cryptoasset businesses who communicate financial promotions in the UK, since the Government extended the financial promotions regime[3] in 2022.
Scope of cryptoasset services
Cryptoasset businesses who, by way of business, provide one or more of the following services summarised in the table below and set out in Regulation 14A[4] of the MLRs must comply with the MLRs.
Registration
Cryptoasset businesses must register with the FCA before starting any in-scope services while acting in the course of business carried on by them in the UK.
Find o[5]ut [5]m[6]or[7]e [8]a[9]b[10]o[11]ut[12] registration[13], including what information you need to provide and how to submit your application.
Registration under the MLRs is a legal requirement to carry on business. It is not a recommendation or endorsement of your business.
Registered cryptoasset businesses should avoid using language that suggests that FCA registration is an endorsement or recommendation.
Change in control for registered cryptoasset firms
A person who decides to acquire or increase control over an FCA-registered cryptoasset firm – so that they become a beneficial owner within the meaning of Regulation 5[-39] or Regulation 6[-38] of the MLRs – must submit a change in control notification and await FCA approval before completing the transaction.
It is a criminal offence to acquire control of an FCA-registered cryptoasset firm without FCA approval.
For further information see Schedule 6B[-37] of the MLRs and our change in control[-36] pages.
A person that decides to acquire or increase control in an FCA-authorised firm, which has FSMA and cryptoasset permissions, will be assessed under Part XII[-35] of FSMA.
Supervision
Our supervisory approach to cryptoasset businesses is in line with our approach to other businesses under the MLRs[-34].
It is risk based, so businesses that pose the greatest money laundering and terrorist financing risk receive an increased level of supervisory focus. If we have reason to believe serious misconduct has taken place, we may decide to start an enforcement investigation.
Our assessment
When we assess firms, a business must show that it has policies, controls and procedures in place to effectively manage money laundering and terrorist financing risks proportionate to the size and nature of its services.
Businesses should also carry out regular assessments of their policies, controls and procedures to make sure these remain relevant and appropriate. Businesses should be alert to any change in their operating model that may affect how they conduct their business.
Some requirements are set out below.
This is not an exhaustive list. It does not include the wider rules and guidance that a cryptoasset business, which is also authorised under FSMA by the FCA, must adhere to in addition to the MLRs.
Businesses must:
- Screen employees.
- Carry out customer due diligence when entering into a business relationship or occasional transactions.
- Continously monitor all customers to make sure transactions are consistent with the business’ knowledge of its customer, the customer’s business and risk profile.
For the risks of money laundering, proliferation financing and terrorist financing, businesses must:
- Take appropriate steps to identify and assess the risks that the business is subject to.
- Assess the risks related to any new technologies before launch and take appropriate measures to manage and mitigate those risks.
- Have in place policies, systems and controls appropriate to mitigate the risk of the business being used for the above. This risk-based approach should seek to mitigate the risks identified in the business’ risk assessment.
- Apply more intrusive due diligence, known as enhanced due diligence, when dealing with customers who may present a higher risk. This includes customers who meet the definition of a politically exposed person.
Where appropriate for their size and nature, businesses must also:
- Appoint an individual who is a member of the board or senior management to be responsible for compliance with the MLRs and the nominated officer. The nominated officer is also the person responsible for reporting suspicious activity to the National Crime Agency under Part 7[-33] (Money Laundering) of the Proceeds of Crime Act 2002.
- Set up an independent internal audit function with responsibility for examining and evaluating the adequacy and effectiveness of the policies, controls and procedures, and making recommendations, as well as monitoring the controls.
Additional supervisory powers
The MLRs include additional powers for the FCA to maintain a robust AML/CTF cryptoasset supervisory regime.
Here are summaries of some of those powers.
For full details, please see the relevant regulations.
Consumer protections and disclosure
Our responsibility under this regime is limited to AML/CTF registration, supervision and enforcement only.
Registration does not mean customers of cryptoasset businesses will benefit from the protections of the Financial Ombudsman Service[-28] or the Financial Services Compensation Scheme[-27] (FSCS) and cryptoasset businesses should ensure they do not mislead customers about what protections apply and the status of their FCA registration.
As most cryptoassets are not specified investments under the Financial Services and Markets Act 2000 (FSMA), it is unlikely that customers will have access to the Financial Ombudsman or the FSCS.
You may wish to consider our guidance setting out our position on the types of cryptoassets which will fall within our regulatory remit and the implications this has on consumer protection:
- Cryptoasset services involving security tokens, for example, are regulated tokens which will provide the same protections as specified investments set out in the Regulated Activities Order[-26].
- Cryptoasset services which fall in the unregulated space, as defined in our guidance[-25], will not have the same consumer protections.
You should consider whether your business’s cryptoasset services are within the scope of the jurisdiction of the Financial Ombudsman and/or are subject to protection under the FSCS.
Where a cryptoasset service is not subject to these protections, we expect businesses to provide a clear disclosure to customers where the scope of the Financial Ombudsman or FSCS does not apply before establishing a business relationship or entering into a transaction with a customer. It will be up to each business to decide how best it meets this requirement.
We do not expect a business to make several disclosures of this fact. But we do expect you to disclose this fact where it is relevant and in a manner appropriate to the consumer.
Here are some disclosure-related factors you should consider:
You will need to decide how best to disclose this information, particularly if your business is doing a mix of FSMA regulated and unregulated cryptoasset or other service. For businesses only carrying on services in relation to unregulated cryptoassets, we would suggest wording along the following lines:
'The Financial Ombudsman Service or the Financial Services Compensation Scheme do not apply to the cryptoasset services carried on by [Name of cryptoasset business].’
Reporting requirements
Each year, all registered cryptoasset businesses must submit a REP-CRIM return (Annual financial crime reporting) via our RegData system[-24].
You should submit the report within 60 business days of the business's Accounting Reference Date (ARD).
Find out more in the Cryptoasset Direction[-23] with guidance notes[-22] for completing the return.
Enforcement
Our enforcement staff work closely with our authorisation and supervision teams, as well as with other regulators and law enforcement agencies, to detect serious misconduct, including money laundering and terrorist financing.
We have enforcement powers under the existing MLRs.
- Our Enforcement Guide[-21] sets out our approach to enforcement and how we use our powers of investigation, gather information and investigate. It also sets our approach to imposing financial penalties and other disciplinary sanctions, explaining how we will use our powers under the MLRs.
- Approach to Enforcement[-20] explains how we address harm and add public value through our statutory powers to investigate, take relevant civil, criminal and/or disciplinary action.
- Enforcement Information Guide[-19] – this short guide includes a flowchart showing the process of a typical FCA enforcement case. It sets out the options to contest or resolve a case, the opportunities to make representations, and who the decision-makers are.
Contact us
For any questions about the regime, email [email protected].
28/10/2019: Link added Added link to CP19/29 under Timeline and payment section
