
A Guide to FCA Cryptoasset AML/CTF Applications for Crypto Firms: PART I

In June 2024, the Financial Conduct Authority (FCA) published feedback on good and poor quality applications under the existing cryptoasset anti-money laundering (AML) and counter-terrorist financing (CTF) regime (Feedback). The Feedback identified that of the 347 applications from crypto firms received by the FCA since January 2020, only 47 applications (14%) were ultimately accepted and registered. So, in effect, the overwhelming majority, amounting to hundreds of crypto firm applications, failed.

Whilst the FCA’s Feedback is certainly helpful, in reality it is nowhere near the type of detailed guidance that crypto firms actually require in practice. Consequently, this four-part blog series aims to provide crypto firms and their compliance personnel (including Money Laundering Reporting Officers (MLROs) and Nominated Officers (NOs)) with additional guidance and clarification on the Feedback. It is intended to be used in conjunction with the Feedback and not to supplant it. There are six parts set out in the Feedback:

  1. Background and registration statistics;
  2. Who this is for;
  3. Before preparing an application;
  4. When preparing an application;
  5. When submitting an application; and
  6. While we are assessing the application.

This blog series will focus on the most important area, part four, ‘When preparing an application’. Part four itself covers thirteen different sub-areas, namely:

  1. business plan (BP);
  2. comprehensive description of products and services;
  3. risk assessment and management;
  4. policies, systems, and controls (PSCs);
  5. transaction monitoring and blockchain analysis coverage;
  6. group structure and reliance on group policies and procedures;
  7. outsourcing;
  8. training;
  9. suspicious activity reporting;
  10. disclosures;
  11. applicant is already authorised for other activities;
  12. sanctions; and
  13. website.

The full list of requirements for cryptoasset AML/CTF registrations is much longer (see the FCA’s pages ‘Registering with the FCA’, ‘Information for applicants’ and ‘Preparing your firm's financial information’). However, given space constraints only these thirteen sub-areas will be covered here. PART I of this blog series will address sub-areas 1-3, PART II will address sub-areas 4-7, and PART III will address sub-areas 8-13. PART IV will then set out critical assessment and commentary on crypto firm applications, and regulatory requirements relating to money laundering (ML), terrorist financing (TF), and proliferation financing (PF).

SUB-AREA 1: BUSINESS PLAN (BP)

The FCA states that the BP should include details of the following:

  1. a description of a firm’s compliance oversight, financial controls, and risk mitigation;
  2. detailed customer journey chart(s);
  3. detailed flow-of-funds (cryptoassets, fiat) chart(s);
  4. details of liquidity sources;
  5. responsibilities of business partners (e.g., brokers, introducers, outsourcing partners, service providers, sub-custodians); and
  6. the business model.

The implication seems to be that these are the minimum details required (i.e., this list is not exhaustive). The BP is somewhat tricky. This is because BPs are normally prepared for a broad range of objectives, such as to convince business investors or to secure third party financing. It is the objective that generally dictates the BP’s substantive content. Here, however, there is no BP objective expressly stated by the FCA. Still, firms need to understand that the FCA is NOT seeking to authorise the firm based on how good its prospects of commercial success are.

At present, the FCA does not have regulatory oversight over direct investments in cryptoassets. What the FCA seems to be looking for is comprehensive analysis, assessment, and documentation of all current and near-future business operations. It wants to see how the business works, but most importantly, it wants to ensure that the persons involved in operating the firm also comprehensively know and understand in detail how the business operates.

AML/CTF frameworks do not operate in a vacuum, but rather they should operate holistically within existing business operations. If business operations are highly problematic, AML/CTF frameworks will likely fail. Therefore, the BP should map out how the business operates and what operational risks it may be exposed to. This then provides a clear blueprint over which a firm’s AML/CTF framework can be superimposed and assessed.

In terms of the description of a firm’s compliance oversight, financial controls, and risk mitigation, questions that firms may ask themselves include:

  • does the firm have arrangements to segregate its customers’ cryptoassets/fiat from its own cryptoassets/fiat;
  • is the customer flow of funds and cryptoassets unambiguous; and
  • is there clarity on the firm’s responsibilities regarding its custodial holdings and transparency around its reserves.

Customer journey charts should show how different customers will interact with a firm’s products and services, what decisions customers may make, what information will be provided to customers, and when that occurs. Firms can use details of existing marketing and sales funnels to create such charts. Such charts should enable the customer onboarding process to be identified, and to what extent this has incorporated key AML/CTF obligations such as customer risk scoring (CRS), customer risk assessment (CRA), and due diligence (enhanced, regular, simplified).

The flow-of-funds (cryptoassets, fiat) chart should show how cryptoassets flow in and out of the business, and it should explain transactions and transaction flows. It should show which types of cryptoassets will be dealt with, how fiat deposits and payments will be dealt with, and how the business and customers interact with cryptoassets and fiat currencies (e.g., crypto accounts, crypto wallets, exchange pools, liquidity pools, third party payment processors).

Crypto firms should understand that the BP should be dynamic and NOT static in nature. This means that the BP should not simply be a static snapshot of how the business theoretically operates; rather, it should be dynamic by including forecasts of how the business is intended to evolve (i.e., forecasts covering customer breakdown, financials, marketing plans, staffing). The BP must also include financial forecasts covering 3 years for the full range of products provided, covering:

  1. financial accounts (if applicable);
  2. forecast cashflow;
  3. forecast profit and loss (P&L);
  4. opening and closing balance sheet; and
  5. sole traders appendix (if applicable).

The FCA has provided a ‘Financial Analysis Template’ that can be used by firms. It also points out that firms should NOT provide forecasts that are unrealistic. The FCA points this out because in all likelihood crypto firms have been providing forecasts that are unrealistic (e.g., forecasts may reflect highly ambitious business targets that are not evidence-based). Consequently, firms should think about adopting conservative forecasts, providing a range of forecasts, or obtaining independent expert opinions on the accuracy of forecasts provided.

The details of liquidity sources may list and explain how a firm intends to maintain adequacy of liquidity resources at all times, in terms of both amount and quality (e.g., how is the firm funded, what assets (marketable, otherwise realisable) does the firm hold, what liquidity facilities can the firm access, what types of capital does the firm hold).

The responsibilities of business partners listed should be accurate, clear, and detailed. The aim is to provide a map which shows which business partners a firm has, and which business responsibilities have been passed on to such partners. This will enable the FCA to identify how the firm interacts with such partners and in what capacity, and where operational risks and liabilities may arise (e.g., risks and liabilities with regard to third party outsourcing firms or crypto service providers).

The business model described by the firm should enable the FCA to understand how the firm intends to operate, and how the business will likely develop in the near future (i.e., in the next 1-3 years). For example, centralised exchange (CEX), crypto artificial intelligence (AI) investing, crypto payments processing, decentralised exchange (DEX), decentralised finance (DeFi) investments, DeFi staking, or running stablecoin operations.

SUB-AREA 2: COMPREHENSIVE DESCRIPTION OF PRODUCTS AND SERVICES

The FCA states that crypto firms must provide an accurate and comprehensive description of products and services. This will likely be a lot more complicated for crypto firms as compared to traditional finance (TradFi) firms. I will elucidate upon the list provided by the FCA to illustrate why this may be the case. As part of this comprehensive description, crypto firms should include:

  1. a cryptoasset token vetting policy (CTV Policy) (where applicable);
  2. a description of any cryptoassets associated with the firm;
  3. a description of any native cryptoassets;
  4. a detailed description of custodian services;
  5. a detailed description of how dependent a firm is on external ecosystems for liquidity;
  6. a detailed description of underlying implementations of DeFi and/or smart contracts; and
  7. token classification and functionalities assigned within the business.

In relation to financial instruments (FIs), a TradFi vetting policy might set out the background checks to be carried out to examine and assess their feasibility or risk potential. FI characteristics and features would be cross-checked against a pre-defined list of requisites, for instance to ensure that FIs are sufficiently creditworthy or liquid, or that they fall within the parameters of existing investment mandates.

The CTV Policy applies a somewhat similar process to the vetting of cryptoasset tokens, and it will cover a broad range of token types, such as exchange tokens, security tokens, utility tokens, and stablecoins (e.g., USD Coin (USDC), Tether (USDT)). It sets out the vetting process that is to be applied by a crypto firm to determine which cryptoassets are deemed to be ‘eligible’ (i.e., accepted and used by the firm). The eligibility criteria and requirements may vary significantly, and might for instance cover:

  • circulation of token supply;
  • convertibility (fiat) (e.g., convertible into (€) EUR, (£) GBP, ($) USD);
  • convertibility (stablecoin) (e.g., convertible into USDC, USDT);
  • market capitalisation;
  • minimum number of exchanges traded on;
  • the integrity of trading activities;
  • the use of compliant crypto custodians;
  • token liquidity; and
  • token turnover consistency.

The CTV Policy is important for the FCA because it shows what potential cryptoasset token risks a firm may be exposed to. For example, a crypto firm that accepts any type of Altcoin would be exposed to a much greater number of risks compared to a firm that accepts only a very limited number of major cryptocurrencies (e.g., bitcoin (BTC), ether (ETH)) and major stablecoins (e.g., USDC, USDT). Crypto firms are required to provide details of cryptoassets that are ‘native’, which means tokens that derive their value directly from a blockchain or distributed ledger technology (DLT) platform.

So, for example, if a crypto firm had created a blockchain that issued tokens native to that specific blockchain, those tokens would be native cryptoassets, in the same way that BTC and ETH are native to their respective blockchains. Native cryptoassets are different to cryptoassets associated with a firm. These refer to tokens that are connected or linked to a firm in some way. For example, a crypto firm’s products may reference the value of a particular stablecoin, or a crypto firm may engage in DeFi staking activities which are linked to specific ‘liquid staking derivatives’ (LSDs). Such LSDs and stablecoins would be associated with the firm.

In practice, custodian services for crypto firms might cover a broad range of:

  • crypto key features (e.g., key recovery, key storage, private keys, transaction signing);
  • cryptoasset custody providers (e.g., crypto custodian firms, crypto exchanges, TradFi custodian banks); and
  • custody solutions (e.g., custodial wallets, hardware wallets, software wallets).

It is not enough for crypto firms to briefly list what custodian services the firm will use and rely on. They must identify in detail how custodian services will operate and what crypto custody risks and controls exist. The same detailed approach is required to identify and describe a crypto firm’s reliance on external ecosystems for liquidity. This line of enquiry might cover questions such as:

  • “Does the firm rely on market makers”;
  • “Is the firm involved in liquidity mining”;
  • “What crypto exchanges does a firm operate on”; and
  • “What token liquidity pools does a firm operate or use”.

What the FCA is looking to identify is how reliant a firm is on external ecosystems to maintain liquidity. Heavily reliant crypto firms may be significantly and negatively impacted by heavy volatility in crypto markets. At this point, we can start to see that the description of products and services for crypto firms seems to be a great deal more complex than for TradFi firms. TradFi firms might simply be listing the range and characteristics of sovereign bonds traded by the firm, based on information that is readily available.

By comparison, it becomes more complicated for crypto firms, as they must engage with the underlying technologies and infrastructure at a much more granular level. For example, crypto firms must provide a detailed description of how a firm interacts with, uses, or has implemented DeFi and smart contracts. These are complex areas and so they need to be explained accurately and clearly.

This will not always be easy to do, as they cover so many different features, functionalities, and technologies (e.g., custody, DeFi protocols, governance mechanisms, interoperability, liquidity mining, liquidity pools, security, yield farming). In addition, crypto firms must set out how they have classified the tokens they use (e.g., whether a token is an exchange, security, or utility token), and how tokens are used within the firm (e.g., as investments, to facilitate payments, to represent real life (tokenised) assets).

SUB-AREA 3: RISK ASSESSMENT AND MANAGEMENT

A crypto firm’s risk assessment and management is intended to address all potential cryptoasset, AML/CTF, and PF risks that it may be subject to. It should reference The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692) (MLRs), and the ‘risk factors’ (RFs) set out in Regulation 18(2)(b) MLRs. These RFs include factors relating to a firm’s:

  1. customers (MLRs, Reg. 18(2)(b)(i));
  2. countries or geographic areas in which it operates (MLRs, Reg. 18(2)(b)(ii));
  3. products or services (MLRs, Reg. 18(2)(b)(iii));
  4. transactions (MLRs, Reg. 18(2)(b)(iv)); and
  5. delivery channels (MLRs, Reg. 18(2)(b)(v)).

Because a crypto firm applicant is not yet authorised by the FCA, it should essentially seek to carry out risk assessment and management as if it were FCA authorised, and therefore subject to the MLRs. Crypto firms will be required to assess the risks inherent in their business, taking into account the MLRs RFs. Such risks may be inherent within certain products and services (e.g., cryptoassets, trust and company services), within certain industry sectors (e.g., arms trade, casinos), or within certain ‘high risk’ countries (e.g., Democratic People's Republic of Korea (DPRK), Iran, Syria, Yemen).

Therefore, crypto firms should seek to identify the particular risk environment faced by the firm. The Senior Management Arrangements, Systems and Controls (SYSC) within the FCA Handbook are instructive in this regard. SYSC 6.3.6G (01/04/2009) states that in identifying ML risks, firms should consider a range of factors including:

  • its customer, product, and activity profiles;
  • its distribution channels;
  • the complexity and volume of transactions;
  • its processes and systems; and
  • its operating environment.

For authorisation applications, the FCA notes that crypto firms must:

  1. demonstrate a thorough understanding of the risks from dealing in cryptoassets;
  2. design a Business-Wide Risk Assessment (BWRA) tailored to its business model;
  3. ensure the BWRA identifies all AML/CTF/PF risks a firm is subject to;
  4. ensure the BWRA sets out an exhaustive assessment of MLRs RFs; and
  5. provide their risk assessment methodology (RAM).

A crypto firm’s RAM must set out the steps taken to produce the firm’s risk assessment, including appropriate risk weightings, conclusion of residual risk, evaluation of applied controls, and identification of inherent risks. Overall, it is easy to see why risk assessment and management is likely to be a sub-area where many crypto firms fail. It requires an extremely comprehensive and systemic approach to identification of AML/CTF/PF risks arising from dealing in cryptoassets.

It is little wonder that the FCA found that many crypto firms did NOT effectively identify and assess the inherent risks of ML, TF, and PF to which their businesses were subject. Worse still, the FCA found that crypto firms were making basic AML/CTF risk management mistakes, such as identifying control failings as inherent risks. Inherent risk exists independently of internal controls; it is NOT a control failing. For example, say a crypto firm puts in place AML/CTF due diligence procedures to collect adequate customer identification.

If a crypto firm employee fails to obtain adequate customer identification, this is a control failing, NOT an inherent risk. The employee has failed to properly implement AML/CTF controls. Yet the FCA found that crypto firms treated this as simply an inherent risk (i.e., the risk that employees would mess up and not apply AML/CTF controls was wrongly viewed as a naturally occurring risk). The fact that some crypto firms were making such basic AML/CTF mistakes highlights how problematic risk assessment and management may really be in practice for crypto firm applicants.

The FCA expressly stated that it will NOT approve crypto firm applications where:

  1. a firm demonstrates an incorrect understanding of risks associated with cryptoasset products;
  2. a firm has not considered additional risks from combining new cryptoasset-related products or services with its ongoing business model; and
  3. the BP and RAM do not adequately explain the firm’s cryptoasset-related activities, the risks, and how these are mitigated through corresponding controls.

TO BE CONTINUED
