New U.K. Anti-Money Laundering and Counter Terrorist Financing Requirements for Cryptoasset Businesses – Are You Ready?
By Nina Moffatt, Arun Srivastava & Lara Kaplan
The U.K. Financial Conduct Authority (“FCA”) will become the supervisor of anti-money laundering (“AML”) and counter terrorist financing (“CTF”) requirements for cryptoasset businesses from 10 January 2020. The Money Laundering, Terrorist Financing, Transfer of Funds (Information on the Sender) Regulations 2017 (the “MLRs”) have been amended to bring certain crypto-related business within scope. These businesses will need to comply with the range of regulatory obligations other regulated entities such as banks and money service businesses must presently comply with. These amendments to the MLRs implement the EU’s fifth Money Laundering Directive (EU) 2018/843 (“5MLD”) in the U.K.
Crypto businesses have operated outside of the regulatory perimeter. Applying these AML/CTF requirements is a first step towards bringing cryptoassets within the ambit of regulation. While the introduction of regulation may be limited at this time, crypto-businesses will need to overcome operational obstacles in their customer journeys and will need to satisfy the “fit and proper” threshold in order to carry on business. Businesses, which are already operating as of 10 January 2020, have a transitional period in which to become compliant and register. New start-ups will, however, need to complete the registration process with the FCA prior to commencing business.
Cryptoassets have become increasingly more prevalent and integrated into global payment system. Alongside financial crime concerns, global regulators and governments have increasingly come to see cryptoassets as posing a prudential risk to financial systems. The U.K. Cryptoasset Taskforce highlighted evidence of illicit activity in the cryptoasset sector as posing market and consumer risks and that mitigating these risks should be an “immediate priority”.
In the U.K., in April 2019, HM Treasury published a Consultation Paper on implementing 5MLD, which indicated the U.K. would go beyond the minimum requirements of 5MLD to state any businesses carrying out a relevant activity involving cryptoassets would be within scope of regulation in the U.K. HM Treasury has not yet published its response to this consultation. The FCA has stated that those cryptoasset businesses carrying out the activities listed below should assume that they must comply with the MLRs despite the fact that HM Treasury may decide still to reduce or extend the range of activities.
HM Treasury has stated the providers of the following activities could be within the scope of its AML/CTF regime:
Crypto-to-crypto exchange service providers (covers both exchange services between one cryptoasset and another and services allowing value transactions within one cryptoasset);
Peer-to-peer exchange service providers, i.e., firms that facilitate the exchange of fiat currencies and cryptoassets (both fiat-to-crypto and crypto-to-crypto);
Cryptoasset ATMs (i.e., physical kiosks that allow users to exchange cryptoassets and fiat currencies);
Issuance of new cryptoassets such as through initial coin offerings; and
Publication of open-source software that includes, but is not limited to, non-custodian wallet software and other types of cryptoasset-related software.
Until now, these providers have largely not had to apply know-your-customer obligations in the U.K. However, whether the foregoing cryptoasset activities are likely to fall within scope will not definitely be known until HM Treasury publishes its 5MLD Policy Statement.
What Are the New Requirements and What Is Changing?
Those cryptoasset businesses within scope currently include “crypto exchange providers” or “custodian wallet providers” as those terms are defined under the MLRs. For the purpose of the MLRs, a “custodian wallet provider” means a firm or person who by way of business provides services to safeguard, or to safeguard and administer (i) cryptoassets on behalf of customers or (ii) private cryptographic keys on behalf of customers in order to hold, store or transfer cryptoassets.
A “crypto exchange provider” means a firm or person who by the way of business provides one or more of the following services, including whether the firm or person does so as creator or issuer of any of the cryptoassets involved when providing such services:
Exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money (i.e., Pounds Sterling or any other currency or money in any other medium of exchange) or money for cryptoassets;
Exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another; or
Operating a machine, which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.
A “cryptoasset” is defined as “cryptographically secured digital representation of value or contractual rights that use a form of distributed ledger technology and can be transferred, stored and traded electronically”.
By way of contrast, under 5MLD the definition is quite narrow as it defines ‘virtual currencies’ as “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically.” This focuses on those cryptoassets, which are part of facilitating a business relationship.
The FCA is now responsible for the supervisory and enforcement aspects of AML/CTF in the U.K. cryptoasset industry. All cryptoasset businesses carrying on regulated activities in the U.K. in scope of the MLRs will need to register with the FCA. When cryptoasset businesses apply for registration, the FCA will have three months to assess their complete application including whether they meet the conditions for registration under the MLRs. As part of this assessment, the cryptoasset business will be assessed to see whether they are fit and proper as well as the adequacy of their systems and controls. In other words, a crypto exchange provider and custodian wallet provider and any officer, manager or beneficial owner must satisfy the “fit and proper’’ test.
A cryptoasset business that wants to register for a cryptoasset activity needs to complete the online application form found on the FCA’s Connect System, provide the FCA with any and all information they may request and pay the registration fee. The FCA has consulted on cryptoasset registration fees and has stated that the agreed charges are £2,000 for businesses with U.K. cryptoasset income up to £250,000 and £10,000 for businesses with U.K. cryptoasset income greater than £250,000.
A three-month assessment period begins when the FCA has received a complete application, and this includes the fee. Further, the FCA has the ability to stop the clock where it finds an incomplete application and can request further information where they believe necessary; thus, firms should begin preparing early.
Cryptoasset businesses that intend to carry on a cryptoasset activity after 10 January 2020 must be registered before they can carry on the activity. Existing cryptoasset businesses that are already carrying out cryptoasset activity before 10 January 2020 may continue their business, in compliance with the MLRs, but must register by 10 January 2021 or stop all cryptoasset activity. To reduce the administrative burden on the FCA, early applications received by 3 June 2020 will be given priority treatment. The FCA has stated that those applications received by 10 October 2020 will be determined prior to the 10 January 2021 deadline.
Once registered, the FCA’s supervisory approach to cryptoasset businesses is in line with the other financial institutions and firms it supervises. The supervisory assessment as outlined in the FCAs consultation paper includes a requirement for a business to demonstrate “that it has policies, controls and procedures in place to effectively manage AML/ CTF risks in line with the nature, scale and complexity of the activities; and that it is able to identify, assess, monitor and effectively manage the financial crime risks to which it is exposed”.
The cryptoasset business should itself take steps to identify AML/CFT risks and carry out regular assessments of its policies and procedures to ensure that they are still adequate and relevant.
Customer Disclosure Obligations
Crypto exchange providers and custodian wallet providers will be required to disclose to customers whether or not their activities are covered by the jurisdiction of the Financial Ombudsman Service (“FOS”) and/or subject to the protection under the Financial Services Compensation Scheme (“FSCS”).
The FOS is a forum in which customers can refer complaints about firms they are dealing with. It is not a judicial body, but seeks to achieve outcomes that are fair and reasonable. The FSCS is a compensation scheme whose objective is to provide compensation to customers in the event of the insolvency of a firm.
Crypto businesses generally will fall outside the scope of both the FOS and FSCS unless they are regulated for other reasons. This is because the majority of cryptoassets are not considered specified investments under the Financial Services and Markets Act 2000 (“FSMA”). Hence, it is unlikely that customers will have access to Financial Ombudsman Service or FSCS and cryptoasset businesses will need to clearly state this to consumers.
Each crypto exchange provider and custodian wallet provider must provide to the FCA such information as the FCA may direct about compliance by the business with AML/CTF regulations. This is to allow the FCA to calculate supervision charges and so that the FCA can effectively carry out its supervisory and enforcement functions.
The implementation of 5MLD in the U.K. brings a new source of regulations to cryptoasset businesses, which previously went unregulated. It provides these firms with regulatory obligations relating to AML/CTF akin to other firms the FCA supervises, including the need to seek registration and make clear customer disclosures such as whether or not the FSCS applies. Cryptoasset businesses are now within the purview of the FCA and should be prepared for scrutiny over their AML policies and procedures. More regulation or enforcement action in this cryptoasset area could follow.