On 6 October 2023, the Financial Conduct Authority (“FCA”) updated its anti-money laundering (“AML”) and counter terrorist financing (“CTF”) regime webpage (“Webpage”) with useful feedback on good and poor quality applications – based on real-life applications submitted to the FCA by UK cryptoasset businesses (“CBs”) for registration under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR”).
The FCA has been the AML and CTF supervisor of CBs since 10 January 2020. The updated Webpage announces that in the last 12 months, it has determined 79 applications. Amazingly, just five of these applications (6% of applicants) have resulted in the applicant firms becoming registered CBs, with the remainder being rejected, withdrawn, or outright refused. The Webpage has been updated to reflect further examples of good and poor practice detected by the FCA in applications for registration. With regards to the latter, the Webpage observes mistakes made by applicants when preparing an application for registration, including:
- Not effectively identifying and assessing the risks of money laundering, terrorist financing and proliferation financing, which their business is subject to. When firms draft their firm’s business-wide risk assessment (“BWRA”), the Webpage provides that applicants should include an exhaustive assessment of risk factors highlighted in regulation 18(2)(b) of the MLRs. It is stated that applicants should also provide the FCA with their risk assessment methodology outlining the steps taken to produce their risk assessment.
- Mistakenly identifying control failings as inherent risks. The FCA provides examples of both on the Webpage.
- Not adequately explaining within their business plan and risk management framework the applicant’s cryptoasset-related activities, associated risks and how these are mitigated through corresponding controls.
- Not sufficiently demonstrating how AML policies and procedures operate on a daily basis, including the BWRA, customer risk assessment, due diligence, screening, transaction monitoring, suspicious activity reporting and training. The Webpage expressly provides that the FCA will not approve an application where applicants have an ‘underdeveloped’ AML framework or a ‘weak’ governance structure.
The Webpage also sets out guidance to assist applicants regarding what should be included in their application for registration. Most notably, that applicants should:
- Include complete information regarding its outsourcing arrangements. Both within or outside the group, as well as within and outside the United Kingdom.
- Ensure that they submit a comprehensive and accurate description of their products and services, including a cryptoasset token vetting policy, detailed description of how dependent it is on external ecosystems for liquidity, custodian services and underlying smart contracts implementation, where applicable.
- Provide a clear methodology used for risk-scoring their customers, which drives the level of due diligence the applicant firm is required to conduct.
- Consider enhanced due diligence triggers, as well as levels of ongoing monitoring and the frequency of periodic reviews within their AML framework.
- Demonstrate that it has effective transaction monitoring and blockchain analysis, adequate for its size and complexity, including both fiat and cryptoasset transactions (where appropriate). The Website states that transaction monitoring tools should be tailored to the applicant's business offering and customer population, and reviewed regularly to ensure all rules, thresholds and scenarios remain appropriate.
- Have compliance staff with skills to carry out blockchain investigations, even if they have blockchain analytics tools.
- Ensure that its suspicious activity reporting (“SAR”) policy showcases a clear route of escalation internally to the money laundering officer or nominated officer, as well as externally to the National Crime Agency. The Webpage further provides that the SAR policy should refer to tipping off, and the circumstances where the applicant firm may need to consider a defence against money laundering SAR.
The Webpage is available here.