FCA offers tips for crypto registration as it continues to show teeth

24 February 2023 | UK & Europe | Articles

The combined action by the Yorkshire police force and the FCA to shut down illegal crypto ATMs is another reminder of the regulator’s concern around the unregulated crypto sector.  And with only 15% of applicants successful for registration under 5MLD, becoming part of the UK regulated sector is no easy feat. The FCA has shared its views on what it’s looking for in an application: essential reading for anyone considering regulation in this area.

The FCA has been the anti-money laundering and counter-terrorist financing supervisor of UK cryptoasset businesses since January 2020. As of January, they had received over 300 applications for registration of which they approved just 41.

The potential dangers of crypto assets in the UK frequently feature in both newspaper headlines and FCA communications. The recent FCA press release on unlawful ATMs in Leeds took care to add a number of reminders of the risks around crypto products in general and the unregulated nature of the sector.

The future regulation of cryptoassets in the UK is currently under an extensive consultation. In the meantime, the FCA have published its feedback on good and poor quality applications, hoping to help improve the process, and, we hope, the success rate. There are useful points to keep in mind before, during and after your submission.

Getting your application ready

Is registration under the money laundering regulations required?

First, it’s important to understand how the proposed cryptoasset activity falls within the activity specified in regulation 14A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR).

Firms seeking cryptoasset registration in the UK may already have an established cryptoasset entity elsewhere in the globe. This cross-border element can sometimes blur the lines. Therefore, the next step is to confirm where the proposed cryptoasset activity will be carried out from. Some key considerations on this, as per regulation 9 of the MLRs, include determining whether you have a physical presence in the UK (a registered or head office) and whether you have resources in the UK (staff) to undertake the day-to-day management of the business.

Firms are also advised to review the list of exclusions set out under regulation 15 of the MLRs to confirm whether any may be applicable. This emphasises the importance of completing detailed analysis before investing significant time, money and resources.

Showing you are ready, willing and organised

To show that you’re taking regulation seriously, it’s worth investing sufficient time and resources to understand the relevant regulations. The regulatory landscape is constantly evolving with best practises and interpretations maturing over time. The FCA acknowledges the value in firms seeking independent legal or compliance advice. As regulatory consultants, we are able to draw upon our interactions with the regulator and other cryptoasset firms to help not only explain this regulatory minefield in a simple manner but also enhance your application.

The FCA’s webpages can help firms gain a rudimentary understanding of the UK’s cryptoasset framework. This helps us have informed and structured conversations with firms as they build their regulatory framework and cryptoasset application.

Appointing a Money Laundering Reporting Officer (MLRO)

According to the regulator, all firms must identify a suitable candidate to act as MLRO. Although the MLRO will not be an approved person, they are subject to a fit and proper assessment.

Here are a few things to consider before appointing an MLRO:

• Do they posses cryptoassetspecific experience and knowledge?
• Have they completed any cryptoasset related professional qualifications?
• Have they previously been approved by the FCA or registered with an Annex 1 financial institution?
• Will they be appropriately placed within the firm’s governance structure to enable suitable challenge?
• Have you conducted due diligence on the candidate to identify any regulatory disclosures (for exampleCivil, criminal or other regulatory matters)?
• Does the individual have a track record of moving from firm to firm following regulatory approval?

FCA assessment of your application

Regulatory business plan

The Regulatory Business Plan (RBP) ties in all the key aspects of your proposed cryptoasset offering. It should be written in plain English, allow the regulator to clearly pinpoint what you intend to do, how you intend to do it and the regulatory framework you have put in place to manage the risk.

It is paramount to understand this is not a business plan drafted to attract investors which places greater emphasis on commercial elements or the firms unique selling points. The purpose of the RBP is to paint a clear picture of your business model to enable the FCA to secure the reassurances they are looking for to approve your application.

Financials

Although there are no specific capital requirements set for firms operating cryptoasset business, the messaging from the regulator is that firms should have adequate capital and liquidity in place. You are required to provide detailed financials covering the first three years post registration.

The financials should:

• explain how they have quantified material risks.
• detail what capital may be allocated to deal with such risks.
• explain how the firm is positioned to remain financially viable throughout the economic cycle (i.e. stressed events).
• provide an indication of the firm’s growth strategy.

Risk management

Risk management policies and procedures should include granular details of how day to day management of risk will be performed. Too many firms have identified generic risks, failing to delve deeper in to assessing material risks bespoke to their proposed business model and even wider group offering.

Risk management frameworks will need to evolve to adapt to new regulation. It’s therefore important to identify material risks based on your current business model while having controls in place to identify new emerging risks as part of your horizon scanning.

Transaction monitoring, suspicious activity reporting and sanctions

The FCA expects firms to have adequate controls and resources allocated to conduct transaction monitoring of customer accounts. This is likely to comprise of a combination of automated alerts raised by implementing a Know-Your-Transaction blockchain analysis tool and manual four eyes checks completed by dedicated compliance resources at the firm. Where you are reliant upon third-party software, it’s important that monitoring parameters, risk alert thresholds and underlying data references are periodically reviewed to ensure they remain fit for purpose.

Leveraging the information gleaned from your transaction monitoring can help identify suspicious activity on an ongoing basis. This information can be combined with periodically assessing  customers on a risk-sensitive basis. The FCA also mentions that firms with generic SAR policies will likely be invited to withdraw or have their application refused.

The world of blockchain transactions is synonymous with freedom of location. This emphasises the significance of completing sanctions checks consistently throughout the lifecycle of the business relationship. Where using automated compliance software, staff should possess the relevant knowledge to interrogate and investigate potential sanctions breaches.

Training

All staff should understand the obligations on them as they discharge their day-to-day responsibilities. This includes:

• what training is needed.
• how it will be monitored, who will deliver it.
• how the firm will ensure it goes far enough and at what frequency.

At a minimum, your staff should receive training at onboarding, annual refresher training and ad hoc training following any regulatory developments or changes to the business.

Post submission

Being responsive, open and cooperative

Where new information comes to light after-submission, the FCA advises firms to proactively make disclosures. The regulator will ask questions as it conducts its assessment, so it’s crucial to respond promptly to information requested and provide as much information as possible. This links back to the FCA principle 11, which sets out the FCA’s expectations of firms to deal with them in an open and cooperative way.

Regulatory developments

The cryptoasset sector, and associated regulatory landscape continues to evolve at pace. It’s vital to keep abreast of all relevant developments and adapt your risk management framework and or offering where required.

How we can help

We supported the UK’s first ever digital securities exchange secure FCA regulatory approval. We are currently working with a number of clients as they prepare their cryptoassets applications. We also work with firms operating within the regulated space who have exposure to cryptoassets. This has allowed us to gain an appreciation of the specific risks posed by cryptoassets and a deeper understanding of what a robust risk management framework looks like for a cryptoasset business.

If you are looking to enter the cryptoasset space in the UK, or are a registered cryptoasset firm and need assistance with enhancing your risk management framework, do get in touch.