New regulatory requirements, including registration and customer disclosure requirements, apply to regulated and unregulated persons carrying on relevant cryptoasset business.
On 20 December 2019, the UK government published the Money Laundering and Terrorist Financing Regulations (Amendment) Regulations 2019 (the Amending Regulations). The Amending Regulations update the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLRs) to meet the UK’s obligation to transpose Directive (EU) 2018/843 (5MLD) into UK law. A key element of the Amending Regulations is that they bring Cryptoasset Exchange Providers (CEP) and Custodian Wallet Providers (CWP) — including persons making an initial coin offering (ICO) — within the scope of UK money laundering regulations. Therefore, from 10 January 2020 CEPs and CWPs are required to comply with the requirements of the MLRs (subject to limited transitional provisions for existing cryptoasset businesses relating to registration with the FCA). Significantly, the Amending Regulations will impact any UK person conducting cryptoasset business of a kind that is captured by the new definitions of CEPs and CWPs (including, for example, existing UK authorised financial services firms that carry on cryptoasset business which will be subject to new requirements relating specifically to cryptoasset business).
HM Treasury consulted on its proposed changes in April 2019 in its paper Transposition of the Fifth Money Laundering Directive: Consultation (the Consultation Paper). As the UK has not yet formally withdrawn from the EU, its approach to implementing the changes introduced by 5MLD is not impacted by Brexit and it is anticipated that the UK will continue to apply EU financial regulatory standards (including anti-money laundering (AML) requirements) immediately post-Brexit through “onshored” legislation.
Which cryptoasset businesses are in scope?
The Amending Regulations define CEPs, CWPs, and cryptoassets as follows:
CEP: “a firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services—
(a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
(b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
(c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.”
CWP: “a firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer—
(a) cryptoassets on behalf of its customers, or
(b) private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets,
when providing such services.”
Cryptoasset: “a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically”.
Significantly, a person may be a CEP or CWP regardless of whether they are otherwise regulated in the UK if they carry on cryptoasset business of a kind that is captured by the new definitions. This means that the new requirements relating to cryptoasset business introduced by the Amending Regulations apply to both regulated and unregulated cryptoasset businesses in the UK. Additionally, it is worth noting that the definition of a CEP may also capture market participants that would not ordinarily be regarded as exchanges in the strict sense — i.e., cryptoasset brokers that buy and sell cryptoassets for their customers or for their own account are likely to be captured by the definition, in addition to exchanges that facilitate interactions between buyers and sellers of cryptoassets.
Notably, these definitions also “gold-plate” the requirements of 5MLD in three significant ways:
- 5MLD defines CEPs as providers engaged in exchange services between cryptoassets and fiat currencies, whereas the Amending Regulations also capture providers engaged in crypto-to-crypto exchange services.
- The Amending Regulations broaden the definition of a CEP to include persons offering exchange services “as creator or issuer of any of the cryptoassets involved”. As such, persons conducting an ICO will need to comply with the requirements in the MLRs if their offering otherwise falls within the CEP definition. For example, an issuer who exchanges tokens for money or other cryptoassets as part of their offering (such as by selling the tokens on the issuer’s own platform) would be caught by the new regime. However, if an issuer listed the tokens on an exchange and the exchange performs the role of selling the tokens, the exchange would fall within the scope of the new regime but the issuer may not.
- The definition of a CEP in the Amending Regulations expressly captures persons “operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets” including, for example, operators of cryptoasset automated teller machines (Crypto ATMs).
The Consultation Paper indicated that the government was also considering extending the scope of UK money laundering regulations to persons involved in the publication or provision of open-source software relating to cryptoassets (which would have included, for example, non-custodial wallet providers). However, this does not appear to have been implemented in the Amending Regulations with only CWPs being captured in line with the requirements of 5MLD.
No cross-border application
The Consultation Paper also sought views on potential solutions to the cross-border risks posed by cryptoasset businesses operating outside the UK, suggesting that the government may have been considering applying UK money laundering regulations to offshore cryptoasset business providing services to UK customers. However, no such provisions feature in the Amending Regulations, suggesting that cross-border / extra-territorial application of UK money laundering regulations has not been implemented for the time being. Indeed, the UK Financial Conduct Authority (FCA) as the designated supervising authority for AML in relation to cryptoasset business has clarified that where a business has no UK office or other activity in the UK, beyond simply having a client in the UK, it is likely to consider that the business is not carrying on UK business for the purposes of the MLRs. For example, if a CEP, registered in a jurisdiction other than the UK, and which has no offices or agents in the UK but nevertheless permits UK customers to open trading accounts and permits them to buy/sell/hold cryptoassets, the FCA would not automatically consider that as business being carried on in the UK.
Unusually, HM Treasury has not yet published its formal response to the Consultation Paper with the Amending Regulations, but has stated that it expects to do so soon. When published, the formal response may further clarify the government’s proposed approach to cross-border risks.
When do the Amending Regulations come into force?
The Amending Regulations come into force from 10 January 2020. This is subject to limited transitional provisions for cryptoasset businesses carrying on business in the UK immediately before 10 January 2020 relating to registration with the FCA. The transitional provisions mean that existing CEPs and CWPs will not be required to register with the FCA until 10 January 2021 (although the FCA is encouraging existing businesses to have submitted applications for registration by 30 June 2020).
However, new CEPs and CWPs are subject to all of the requirements of the MLRs from 10 January 2020, and the FCA has confirmed that existing CEPs and CWPs will also be expected to comply with all other requirements from this time, even if they choose not to register immediately. In a statement on its website, the FCA has stated it will “proactively supervise firms’ compliance with the new regulations, and will take swift action where firms fall short of desired standards and cause risks to market integrity”.
What are the requirements with which firms must comply?
From 10 January 2020, CEPs and CWPs must comply with the existing requirements in the MLRs, and are also subject to new requirements and powers vested in the FCA relating specifically to cryptoasset business.
CEPs and CWPs are required to register with the FCA before carrying on relevant cryptoasset business in the UK (subject to the transitional provisions discussed above). The FCA has clarified that existing UK authorised persons (including existing UK banks, investment firms, electronic money institutions, and payment services businesses) undertaking relevant cryptoasset business must apply for registration.
Registration must be completed via the FCA’s online system, Connect, and applicants must provide a significant amount of information to the FCA relating to their business and all key individuals who hold a relevant function to assess whether or not the applicant is fit and proper. Under the Amending Regulations, in order for a firm to be successfully registered by the FCA, it must show that the firm, any officer or manager of the firm, and any beneficial owner of the firm, is a fit and proper person to carry on the business of a CEP or a CWP. The FCA has up to three months to assess an application for registration from the date it considers the application to be complete.
The information the FCA will require from applicants will include:
- Programme of operations: Setting out the specific cryptoasset activities for the business.
- Business Plan: Setting out the business objectives, customers, employees, governance, plans and projections. It should provide enough detail to show that the proposal has been carefully thought through and that the adequacy of financial and non-financial resources has been considered. It should also include details on the volume and value of transactions, number and type of clients, pricing and the main lines of income and expenses.
- Structural organisation: A description of how the business is structured and organised. A description of relevant outsourcing arrangements must be included and the FCA may ask for a copy of the outsourcing contract(s).
- Systems and controls: Details of the key IT systems that will be uses to run the business, including details of IT security policies and procedures.
- Individuals, beneficial owners, and close links: Directors and any other persons who are or will be responsible for the management, must satisfy the FCA they have a good reputation, and have the appropriate knowledge and experience to act in this capacity. A business will have to appoint a person to be responsible for compliance with the requirements of the MLRs, to monitor and manage compliance with policies, procedures and controls relating to money laundering and terrorist financing and to act as the nominated officer under the Proceeds of Crime Act 2002.
The person appointed to carry out any of these functions can be the same person, but the FCA expects them to have the knowledge, experience, and training, as well as a level of authority and independence and sufficient access to resources and information, to enable them to carry out that function. For businesses already authorised by the FCA for other activities, the relevant officer can be the same individual as for those other activities, subject to the person having appropriate knowledge, experience, and probity for the cryptoasset business.
- Governance arrangements and internal control mechanisms: Details of governance arrangements, the internal control mechanisms in place to identify and assess risks, and a description of money laundering and counter terrorist financing control measures implemented.
Registration fees will be charged by the FCA as follows:
- £2,000 for businesses with UK cryptoassets income of up to £250,000
- £10,000 for businesses with UK cryptoassets income greater than £250,000
The FCA defines income for these purposes as the gross inflow from economic benefits (that is, cash, receivables, and other assets) recognised in the UK business’ accounts during the reporting year relating to the provision of relevant cryptoasset business.
Further information about the registration process can be found on the relevant FCA webpage.
Disclosures to customers
The Amending Regulations introduce a requirement that CEPs and CWPs must make a disclosure to their customers in circumstances where the cryptoasset business they conduct is not subject to the protections of the Financial Ombudsman Service and/or the Financial Services Compensation Scheme.
In this regard, the FCA has made its expectations clear stating that registration under the MLRs is not a licence, or a recommendation or endorsement of the business by the regulator. Registered businesses should, therefore, be careful to avoid using language in this context that might give the impression that registration is a form of endorsement or recommendation. Cryptoasset businesses should ensure that they do not mislead customers as to what protections apply and the status of their FCA registration.
Existing cryptoasset business may, therefore, need to update their terms of business or other customer-facing materials.
Customer due diligence
The MLRs require in-scope firms to carry out customer due diligence (CDD) when engaging in an “occasional transaction” or setting up “a business relationship”. This means a firm is required to obtain and verify certain information about a customer (including, for example, a customer’s name, date of birth and residential address). Additional information relating to the source of a customer’s funds is also required in circumstances prescribed by the MLRs as presenting a higher risk of money laundering or terrorist financing (including, for example, if the customer is a politically exposed person).
A business relationship is a relationship entered into with a customer that is expected to be ongoing. When a business relationship is established, a firm undertaking CDD must obtain information on the purpose of the relationship and the intended nature of the relationship. Occasional transactions are transactions that are not carried out within an ongoing business relationship subject to certain de minimis value thresholds (although CEPs operating a machine which uses automated processes to exchange cryptoassets for money or money for cryptoassets — such as operators of Crypto ATMs — must apply CDD measures for all exchanges of money for cryptoassets, whatever the amount).
Firms must also ensure that they have adequate internal controls and monitoring systems. These should alert the firm if criminals attempt to use the firm for money laundering. These steps include:
- Appointing a “nominated officer” and ensuring that employees know to report any suspicious activity to them
- Appointing a compliance officer in a more complex business
- Identifying the responsibilities of senior managers and providing them with regular information on money laundering risks
- Training relevant employees on their anti-money laundering responsibilities
- Documenting and updating anti-money laundering policies, controls and procedures
- Introducing measures to make sure that the risk of money laundering is taken into account in the day-to-day running of the firm.
Firms subject to the MLRs must also keep a record of all customer due diligence measures, including:
- Customer identification documents that have been obtained
- Risk assessments
- Policies, controls, and procedures
- Training records
New powers for the FCA
The Amending Regulations create additional reporting requirements for CEPs and CWPs. CEPs and CWPs are required to provide to the FCA information about their compliance with the MLRs, or as is otherwise reasonably required by the FCA. This is intended to improve the information available to the FCA about compliance with the MLRs by cryptoasset businesses at both the firm and market level.
The FCA has also been given the power to appoint a “skilled person” to carry out a report concerning the AML controls of CEPs and CWPs, and to recommend actions for the relevant person to reduce AML risks. This measure is intended to create a supervisory step before the FCA is forced to resort to enforcement or suspension of activities for firms that are new to AML regulation.
Furthermore, the Amending Regulations give the FCA the ability to give a direction in writing to a CEP or a CWP to remedy a failure to comply with a requirement under the MLRs, or to prevent a future failure. This power already existed for the majority of the firms supervised by the FCA for AML purposes and is intended to harmonise the provisions available to the FCA to deal swiftly with potential breaches.
The FCA and the Joint Money Laundering Steering Group (JMLSG) are expected to consult in early 2020 on updates to the FCA Financial Crime Guide and the JMLSG guidance on compliance with the MLRs, respectively, taking into account the changes introduced by the Amending Regulations.
HM Treasury is expected to publish its formal response to the Consultation Paper in early 2020. HM Treasury will also review the regulatory provisions within the Amending Regulations. It is required to publish its first report before 26 June 2022, aligning with the first review of the MLRs.