UK FCA updates registration guidance for cryptoasset firms

The FCA has recently issued updated feedback on its expectations of cryptoasset firms applying for registration under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). The FCA can require firms seeking registration under the MLRs to provide a broad range of information about their business and controls during the application process. Looking ahead at the evolving crypto market particularly, we would expect the scope of these information requests to grow and for the regulator to take an increasingly assertive and holistic approach during the assessment process. 

Cryptoasset firms and other potential applicants for registration with the FCA should also bear in mind the breadth and detail of the feedback when preparing their registration applications.

Legal framework

Regulation 57 of the MLRs sets out the basis for the FCA’s powers to gather information during the application process. In determining registration applications, the FCA will consider whether a firm, and its owners and directors, are “fit and proper”. The regulator will have regard to any previous failure to comply with the MLRs, the risk that the applicant’s business may be used for money laundering or terrorist financing, and whether the applicant’s staff and owner have adequate skills and experience and have acted and may be expected to continue to act honestly.

Recent guidance

The FCA’s feedback statement includes steps that firms must have taken before preparing an application. For example, the applicant needs to have an in-depth understanding of the MLRs and the nature of the relevant cryptoasset activities it proposes to carry out and must be able to demonstrate that it is carrying on its business in the UK (i.e. its registered/head office, with day-to-day management of its business, is in the UK). 

A key factor will be the knowledge, experience, training, seniority, and independence of the firm’s money laundering reporting officer (MLRO). The FCA will expect the MLRO to be familiar with the MLRs, the firm’s business model and technology, its risk assessment, and controls, and how to submit suspicious activity reports (SARs) to the National Crime Agency. The regulator recommends that firms should consider obtaining independent legal or compliance advice on their products in conjunction with their applications. Firms should also note that there are strict rules about cryptoasset promotions, including on risk warnings and cooling-off periods. 

When preparing an application, the FCA expects firms to submit detailed business plans, including realistic forecasts and details on financials, marketing/promotions and customers. The plan must include the firm’s compliance oversight, risk mitigation and financial controls, especially any custody/segregation and safeguarding arrangements for clients’ cryptoassets and any fiat currency held. The other key document for an applicant is the business-wide risk assessment (BWRA), which must cover all AML/CTF, sanctions and proliferation financing risks associated with the firm’s business model, along with a risk assessment methodology and risk mitigants. The application must cover risks related to customers, the countries and geographic areas in which the firm operates, and its products and services, transactions and delivery channels. 

Applicant firms must have detailed policies, systems and controls showing how risks are mitigated in practice, with a particular focus on customer due diligence, transaction monitoring, internal and external SAR reporting, outsourcing, and training. Applicant firms must be able to demonstrate that they have appropriate staff to implement effective controls by providing evidence of key individuals’ CVs, relevant qualifications, and responsibilities.

When applying, firms must ensure that all questions on the form are answered in full, the application contains all relevant supporting information, and documents provided with applications are final versions that have been reviewed thoroughly and signed off before submission. The feedback makes it clear that the FCA will not review draft documents. The regulator will be focused on determining that firms are financially sound and ready, willing, and organised to meet the requirements of the MLRs, so control documents, financial forecasts and details of promotions need to be accurate and up to date.

Firms must be agile, respond promptly to requests by the regulator for further information, and disclose relevant changes in circumstances while the FCA assesses an application. Applicants should also check for regulatory developments such as travel rule changes, updating risk assessments and control documents if necessary. Firms should not use the fact that they have applied for registration in their websites and marketing materials.

Best practice and strategy

The FCA continues to take an assertive approach at the gateway to applications by cryptoasset firms for registration. Only 14% of applicants since January 2020 have been successful, which is unsurprising given the regulator’s ongoing scrutiny of cryptoasset firms and their financial promotions. The FCA sees such firms as potential enablers of fraud and money laundering, and therefore has set a high bar for registration.

Applicant firms are now expected to provide a much greater amount of evidence in support of registration applications. For example, the FCA’s feedback states that firms’ business plans should include sources of liquidity, detailed customer journeys and flows of funds.

Firms should aim to provide as much information as possible with the initial application. The FCA will expect firms to proactively supply detailed business plans, risk assessments, AML/CTF policies and CVs for key staff. Firms that do not do this face having to answer information requests with tight deadlines or having their applications rejected.

Firms are more likely to succeed if they can show they are using established policies, for example, in relation to asset safeguarding and transaction monitoring, and show that staff have been trained in how to implement relevant controls. MLROs must have the expertise, seniority and independence to challenge management on AML/CTF issues, as well as the knowledge and ability to develop and maintain controls on enhanced customer due diligence, transaction monitoring and SAR reporting.

The FCA expects firms to show familiarity with the latest developments in cryptoasset regulation, updating policies where necessary. Firms should not be afraid to engage with the regulator’s innovation hub, any existing supervisory contacts and professional advisers, withdrawing and resubmitting applications if they are able to demonstrate they have made real efforts to improve their controls and resources following feedback from the regulator. Firms that fail to do this face damaging publicity, costs, and delays as the FCA is willing to defend application refusals in the Upper Tribunal and it is a criminal and civil breach to trade as a cryptoasset firm while unregistered. A cautious and advice-led approach is needed for firms wishing to operate in this area.

If the FCA rejects an application, it must give the applicant the opportunity to make representations. Any decisions to reject an application can be referred to the Upper Tribunal (Tax & Chancery Chamber) for a full and independent review.

Co-written by Nicholas Kamlish of Pinsent Masons.