In January 2020, the EU’s fifth Anti-Money Laundering Directive (5MLD) came into force, expanding the range of obliged entities to include Virtual Assets and Virtual Asset Service providers, otherwise known as “Cryptoasset businesses”. 5MLD obliges Cryptoasset businesses to implement robust risk-based policies and procedures to comply with Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Regulations, just like banks and other traditional financial institutions.
The UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) transpose the 5MLD, and a wider range of activities as recommended by the Financial Action Task Force, into UK law (whilst the UK formally left the EU on 31 January 2020, it is still bound by EU laws and regulations until the transition period ends at the end of 2020). The MLRs established the UK Financial Conduct Authority (FCA) as the AML/CTF supervisor of UK Cryptoasset businesses.
Who must register?
Individuals and businesses who perform Cryptoasset activities within the scope of the MLRs Regulations 8 and 9 must register with the FCA for AML/CTF purposes (refer to Section B for details on geographic scope). The MLRs state:
- New businesses carrying out Cryptoasset activity in scope of the MLRs must be registered with the FCA before conducting business.
- Existing businesses already conducting Cryptoasset activity before 10 January 2020 may continue their business but will need to ensure they are compliant with the MLRs with immediate effect.
- All existing businesses undertaking Cryptoasset activities must be registered by 10 January 2021. To ensure this deadline is met, these businesses must submit a completed application for registration via Connect, the FCA’s online portal, by 30 June 2020.
- Existing Financial Services and Markets Act (FSMA) firms, e-money institutions or Payment Services businesses undertaking Cryptoasset activity will also be required to apply for registration.
- Businesses that are already registered or authorised with the FCA for other activities (e.g., E-Money institutions, payment services and FSMA firms) will also have to register with the FCA if they are carrying on relevant Cryptoasset activities.
The FCA urges businesses to seek advice over whether they are required to register.
The FCA Assessment
Assessments on whether an institution is doing business in the UK will be determined on a case-by-case basis. The FCA has set out some of the factors they will consider when making this decision, including whether:
- The individual or organisation advertises, acts or holds itself out in such a way that suggests that they are providing services related to Cryptoasset activities (the “commercial element”);
- The individual or organisation receives direct or indirect benefit from business related to Cryptoasset activities (the “commercial benefit”);
- Cryptoasset activities are a significant part of the business activities in relation to its other activities (the “relevance to other business”); and
- The frequency of carrying on a Cryptoasset activity suggests that it is being carried on as a business (the “regularity/frequency”).
The FCA will also use other factors to decide whether business is being carried on in the UK:
- A business having a UK office, or having its head office in the UK, may indicate that the activity is being carried on in the UK (MLRs, Regulation 9);
- The presence of a UK ATM will be considered business carried on in the UK, requiring the operator to register; and
- Where the business has no UK office or other activity in the UK, beyond simply having a client in the UK, the FCA is likely to consider that the business is not carrying on UK business.
What information is required?
The FCA requires Cryptoasset businesses to provide the following information at registration:
- Programme of operations: setting out the specific Cryptoasset activities for the business;
- Business plan: setting out the business objectives, customers, employees, governance, plans and projections. It should provide enough detail to show that the proposal has been carefully thought through and that the adequacy of financial and non-financial resources has been considered. It should also include details on the volume and value of transactions, number and type of clients, pricing and the main lines of income and expenses;
- Structural organisation: a description of how the business is structured and organised, a description of relevant outsourcing arrangements, if any, as well as a copy of any applicable outsourcing contract(s);
- Systems and controls: providing details of the key IT systems that will be used to run the business, including details of IT security policies and procedures;
- Individuals, beneficial owners and close links: directors and any other persons who are or will be responsible for the management of the business must satisfy the FCA they have a good reputation and the appropriate knowledge and experience to act in this capacity. A business will have to appoint a person to be responsible for compliance with the MLRs, to monitor and manage compliance with policies, procedures and controls relating to money laundering and terrorist financing, and to act as the nominated officer under the Proceeds of Crime Act 2002; and
- Governance arrangements and internal control mechanisms: details of governance arrangements, the internal control mechanisms in place to identify and assess risks, and a description of money laundering and counter-terrorism financing control measures in place.
The FCA will also require information on all key individuals who hold a relevant function in the business in order to assess if these individuals are “fit and proper” under Regulation 58A.
What is the cost of registration?
The FCA Board has agreed that the charges will be £2,000 for businesses with UK Cryptoasset income up to £250,000 and £10,000 for businesses with UK Cryptoasset income greater than £250,000 per reporting year.
What should firms consider?
All businesses falling within scope of the MLRs will need to consider their compliance with the requirements by making sure they:
- Identify and assess the risks of money laundering and terrorist financing that their business is subject to;
- Have policies, systems and controls to mitigate the risk of the business being used for the purposes of money laundering or terrorist financing;
- Appoint an individual who is a member of the board or senior management to be responsible for compliance with the MLRs;
- Undertake customer due diligence when entering into a business relationship or occasional transactions;
- Apply more detailed enhanced due diligence when dealing with customers who may present a higher money laundering/terrorist finance risk. This includes customers who meet the definition of a politically exposed person; and
- Undertake ongoing monitoring of all customers to ensure that transactions are consistent with the business’s knowledge of the customer and the customer’s business and risk profile.
How can Guidehouse help?
Guidehouse professionals, who collectively combine industry and consulting experience, including in relation to Cryptoassets, can help you to:
- Determine how the MLRs apply to Cryptoasset businesses;
- Prepare and manage your FCA application;
- Develop and implement the systems, controls, policies, and procedures required of a regulated business;
- Assist with vendor selection for know your customer, transaction monitoring and token tracing tools; and
- Deliver targeted training to senior management and staff so that all stakeholders understand the relevant regulations and their responsibilities, including Approved Person responsibilities where relevant.
Our Digital Assets and Digital Payments experience
Guidehouse professionals have extensive experience in relation to Digital Assets, Trading Venues and Digital Payments. We help clients address their toughest challenges with a focus on markets and clients facing transformational change, technology-driven innovation, and significant regulatory pressure. Specifically, we have been engaged by initial coin issuers and administrators, trading platforms, virtual commodity associations, digital asset exchanges and money service agents. Our projects have included designing and developing AML/sanctions compliance framework documentation, conducting and remediating customer due diligence, performing independent testing, monitoring and investigations, and delivering training. We have also been engaged to act as special advisors and to provide outsourced AML transaction monitoring and fraud investigations services to Cryptoasset businesses.
Special thanks to Galajo Bah for contributing to this article.