A Guide to FCA Cryptoasset AML/CTF Applications for Crypto Firms: PART III

In June 2024, the Financial Conduct Authority (FCA) published feedback on good and poor quality applications under the existing cryptoasset anti-money laundering (AML) and counter-terrorist financing (CTF) regime (Feedback). This four-part blog series will aim to provide crypto firms and their compliance personnel (including Money Laundering Reporting Officers (MLROs) and Nominated Officers (NOs)) with some additional guidance and clarification on the Feedback that may assist firms.

It will cover relevant issues concerning money laundering (ML), terrorist financing (TF), proliferation financing (PF), and The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). PART III will address sub-areas 8-13 previously identified, namely:

     8. training;
     9. suspicious activity reporting (SAR);
    10. disclosures;
    11. applicant is already authorised for other activities;
    12. sanctions; and
    13. website.

SUB-AREA 8: TRAINING 

With regards to training requirements, the FCA states that:

1. the firm must be able to evidence staff training material that is tailored to its particular business model AND associated AML/CTF/PF risks; and
2. the firm must be able to evidence its annual training plan (ATP).

Is this requirement problematic for crypto firms? Yes, most definitely. The problem is that nearly all crypto AML/CTF training courses (TCs) are standardised. Online learning will almost certainly be standardised. This means such TCs do not offer different substantive content for different crypto firm types, such as crypto exchanges, crypto payment processors, crypto wallet providers, decentralised finance (DeFi) liquidity providers, or DeFi lenders. 

In addition, there is a very limited choice of advanced and comprehensive TCs available for firms. This means crypto firms may face a choice of either having an existing crypto AML/CTF TC customised to their specific requirements, or having a TC created specifically for the firm. Either option may prove to be both complex and costly, as firms may operate across diverse countries, industries, markets, and sectors, and may also employ different or multiple business model types (e.g., crypto investments, decentralised exchanges (DEXs), smart contracts, stablecoins, staking, synthetic assets, yield harvesting).

This becomes even more problematic when dealing with firms that operate across DeFi business models and sectors, such as decentralised autonomous organisations (DAOs), DeFi applications (DApps), DeFi borrowing and lending, and DeFi derivatives. In addition, the FCA notes that where a firm has hired external consultants (Consultants) to develop its AML framework, the firm must:

1. demonstrate a comprehensive understanding of this framework; and
2. demonstrate that there is a comprehensive training plan (CTP) that enables staff to effectively implement the framework.

Consequently, it is not enough for firms to hire Consultants to develop and implement an AML framework, as all relevant staff must be trained in how the newly developed AML framework operates as well. So, we can see that the training costs for crypto firms very quickly start to escalate. For example, firms may be required to pay fees for:

1. Consultants to develop the firm’s AML framework;
2. Consultants to train the firm’s staff in the AML framework;
3. Consultants to develop a CTP to enable staff to effectively implement the AML framework;
4. Consultants to develop an ATP; and
5. Consultants or third party TC providers to deliver a standardised AML/CTF/PF TC which has been customised, or to create a brand new customised AML/CTF/PF TC.

There is a significant risk that crypto firms either underestimate the complexity and costs that training requirements may raise, or they may try to cut corners to save costs (e.g., hiring a junior MLRO with little to no crypto AML experience to ‘learn on the job’). The position adopted by the FCA is clear, as it states:

“We will not approve an application where the applicant has an inadequate training plan or lacks the resources to deliver that training” (FCA, June 2024).

The faulty examples provided by the FCA include:

• where training is not delivered on a regular basis to all staff (including new joiners);
• where staff training rates are unsatisfactory; and 
• where an MLRO/NO with no AML experience (or no crypto AML experience) attempts to provide in-house training to staff.

SUB-AREA 9: SAR

SAR concerns disclosure of ‘Suspicious Activity Reports’ to the National Crime Agency (NCA) in the United Kingdom (UK). For applications, the FCA advises firms that:

1. the firm’s SAR policy must fully cover all of its business, including crypto-related activities (policy); and
2. staff should be made aware of how to recognise and deal with suspicious activity (training).

With respect to the SAR policy, it must:

1. identify a clear route of internal escalation within the firm to the MLRO/NO;
2. identify a clear route of external escalation to the NCA;
3. refer to ‘tipping off’; and
4. refer to the circumstances where the firm may need to consider a ‘Defence Against Money Laundering’ (DAML) SAR.

The relevant tipping-off provisions are set out in sections 333A-E of the Proceeds of Crime Act 2002 (POCA). In short, they make it an offence to reveal information likely to prejudice any law enforcement investigation once a Suspicious Activity Report has been submitted. The SAR policy should cover in detail how tipping-off will be addressed and dealt with within the firm. If there are suspicions within a firm that cryptoassets are in some way criminal, the firm risks committing a ML offence under POCA by dealing with such cryptoassets. In such circumstances, firms can seek a DAML to provide a defence at law (POCA, s. 335).

Crypto firms should note that SAR is one of the most problematic areas within traditional finance (TradFi) AML/CTF frameworks. It involves complicated legislative frameworks and interpretation of legal cases (e.g., R v Da Silva [2006] EWCA Crim 1654; Anwoir and others [2008] EWCA Crim 1354; Shah v HSBC [2012] EWHC 1283); interpretation and application of guidance from the NCA and UK Financial Intelligence Unit (UKFIU); and contextual application within AML/CTF frameworks. SAR in relation to cryptoasset-related activities has quickly become a challenging area for firms, especially since no official cryptoasset SAR guidance provided by the NCA or UKFIU exists.

To put this into context, in the United States (US), the Financial Crimes Enforcement Network (FinCEN) reported that there were over 92,000 crypto-related Suspicious Activity Reports filed in 2021 (compared to 58,951 filed by futures and securities firms (Jimenez, 20 May 2022). The number of Suspicious Activity Reports filed by US crypto exchanges is growing rapidly (Jiminez, 2 February 2022). For cryptoassets, firms must engage in a difficult assessment of suspicion. They must set the threshold for suspicion and why cryptoassets are suspected of being criminal property. SAR policies, procedures, and rules should therefore be as detailed as possible to provide absolute clarity to a firm’s staff and the FCA.

SUB-AREA 10: DISCLOSURES 

The FCA states that it will expect to receive evidence that the firm will proactively:

1. inform customers that the firm’s cryptoasset activities will NOT be within the scope of the ‘Financial Ombudsman Service’ (FOS); and
2. inform customers that they will NOT be able to benefit from protection under the ‘Financial Services Compensation Scheme’ (FSCS), prior to entering into a transaction with, or establishing a business relationship with, the customer.

Where customers deal with regulated financial products or services (e.g., bank account, credit card, loan), they are entitled to raise a complaint or dispute with the FOS. In practice this allows them to seek a resolution without having to pay significant legal costs (i.e., instead of commencing a legal claim in court). The FSCS provides protection for customers of certain regulated financial products for up to £85,000 held in deposits across all accounts held within a bank/banking group.

Many customers in the UK now take these protections for granted. However, cryptoassets are not directly regulated financial products or services in the UK. What this means is that if a crypto firm customer deposits £50,000 in a crypto account, the crypto firm customer is NOT entitled to use the FOS, and is NOT entitled to FSCS protection (e.g., if the crypto firm becomes insolvent) (even though the firm may be FCA authorised).

This is why the FCA requires crypto firms to provide evidence that they will proactively inform customers about the lack of legal rights under the FOS and FSCS. Consequently, the disclosures made by the crypto firm need to be clear and brought to the attention of the customer. This area is particularly problematic for crypto firms, because there has been a very significant rise in fraud and scam complaints in recent years (FOS, September 2021).

If crypto firm customers are subject to crypto fraud or scams, they do not have the same legal rights that they might have when dealing with accounts held by banks, nor can they initiate claims with the FOS. Consequently, there is an increased likelihood that customers will seek to raise complaints directly with the FCA that the disclosures provided by the crypto firm were inadequate.

SUB-AREA 11: APPLICANT IS ALREADY AUTHORISED FOR OTHER ACTIVITIES 

If crypto firms are already registered or authorised (e.g., e-money institution (EMI)), they must demonstrate that they understand the requirements of the FCA AML registration regime for cryptoasset businesses. This might occur where an EMI that is authorised to deal with regulated currencies and payments, wishes to obtain additional authorisation under the cryptoassets AML/CTF regime. There are two points to note in this regard.

First, crypto firms must extend any existing AML framework to fully cover the new and unique risks of the firm’s new cryptoasset-related activities. Here, there is a significant risk that firms may adopt a somewhat blasé approach to extension of existing AML frameworks, because they may already have a TradFi AML/CTF regime in place. They may think that because the firm is already experienced with implementing ML/TF/PF controls, they can very quickly and easily extend these controls to cryptoasset-related activities. This is not the case.

In this regard, note that in 2023, crypto and financial technology (FinTech) groups were fined a total of $5.8 billion in penalties for lax AML controls, customer checks, and other financial crime and sanctions issues (Noonan and Smith, 9 January 2024). Crypto firms should bear in mind that these penalties reflect regulatory fines imposed on crypto firms that were already authorised, and that were supposed to have effective crypto ML/TF/PF controls in place.

Second, crypto firm applicants will need to very closely and realistically assess any previous regulatory issues or problems that have arisen. The FCA notes that when assessing applications, it will take into consideration any history of compliance failings by the applicant firm, such as:

• any ongoing regulatory investigations;
• any regulatory concerns with transaction monitoring (TM) capabilities;
• any unresolved audit findings in the firm’s AML/CTF procedures; and
• the firm’s compliance programme and any backlogs.

Firms should seek to identify all previous regulatory issues or problems that have arisen, and to ensure that they have been addressed and effectively dealt with. Firms should not attempt to dismiss these as simply historic failings. Instead, firms should explain how these types of issues will be monitored, identified, and escalated in the future, and what improvements were made as a result of prior compliance failings.

SUB-AREA 12: SANCTIONS 

The FCA states that a firm must:

1. evidence adequate and current sanctions-specific controls within the firm’s control framework in line with the firm’s cryptoasset-based business model;
2. have a control framework that includes cryptoasset-specific ‘red flag’ indicators (RFIs) for potential sanctions breaches;
3. have procedures in place to ensure that its sanctions policy is kept up to date with changes to the sanctions regime;
4. NOT have a sanctions policy that is generic in nature; and
5. provide evidence that it will apply checks consistently across various processes and tools (e.g., blockchain analysis, onboarding, periodic reviews, TM).

In practice, some examples of RFIs that may suggest an increased risk of sanctions evasion in the cryptoasset sector include:

• a customer resident in, or carrying out transactions to/from, a sanctioned jurisdiction;
• a customer resident in, or carrying out transactions to/from, a jurisdiction which is on the UK’s ‘High Risk Third Countries’ (AML/CTF) list;
• the use of crypto privacy tools (e.g., internet protocol (IP) address associated with a virtual private network (VPN), IP anonymisers, mixers, tumblers);
• transactions connected with a crypto wallet associated with a sanctioned entity;
• transactions with a crypto wallet deemed to be high-risk (e.g., because of associated addresses, Customer Risk Scoring (CRS), transaction history); and
• transactions with crypto exchanges or custodian wallet providers identified as high-risk or which have poor customer due diligence (CDD) procedures (FCA, 11 March 2022).

As we can see from just a few examples of cryptoasset RFIs, configuring a firm’s sanctions framework may prove to be a challenging area for crypto firms. This is because operational requirements will invariably reflect a firm’s customer types (e.g., high-net-worth individuals (HNWIs), institutional, retail), the geographic locations and markets in which it operates, and the firms’ particular business model.

Consequently, some sanctions frameworks may be simple, whilst others may be convoluted and complex to operate. Crypto firms must prove to the FCA that their sanctions-specific controls are both adequate and current. Lack of necessary controls will result in the FCA rejecting applications (e.g., no procedure on how to deal with funds of a designated person, or no provisions to identify transactions linked to higher risk wallet addresses).

SUB-AREA 13: WEBSITE

The FCA states that:

1. a firm’s website and other marketing materials must contain an accurate and fair representation of the applicant’s product and services;
2. a firm’s website and marketing materials must NOT contain misleading information; and
3. a firm must demonstrate that it has clear oversight and accountability in place for how third parties use the firm’s marketing materials (e.g., social media (SM) influencers, financial influencers (finfluencers)).

Firms should note that marketing materials will cover any type of communications channel (i.e., emails, mobile applications, newspapers, physical mail, posters, radio, SM, television, websites). In relation to accuracy and fairness, crypto firms should note that this is not simply about making sure that descriptions and information provided by a firm are clear, realistic, and understandable.

It is also about making sure that a crypto firm is not hiding anything (whether intentionally or unintentionally). Therefore, crypto firms must ensure that:

• all costs to be charged or paid are identified and clearly explained;
• all features of products or services are themselves described in ways that are fair, clear, and not misleading (e.g., a product feature is not described as “guaranteed” when no such guarantee of the product feature exists);
• all promotions are balanced (i.e., negatives and positives clearly explained);
• all promotions do not create unrealistic expectations of products;
• all promotions have identified all risks clearly; and
• all promotions have not placed important information only in the small print.

A clear case in point in relation to misleading information, is promotions that (wrongly) state or imply the FCA has approved or endorsed a product. For example:

• “Our firm and its products and services are authorised and approved by the FCA”;
• “Our firm and its products and services have received official endorsement by the FCA”;
• “Our firm’s products and services have met the FCA’s high standards required for regulatory approval and endorsement”; and
• “The reliability and safety of our products and services has been recognised through FCA regulatory approval, authorisation, and endorsement”.

One particularly problematic area is third party promotions, as was highlighted only recently when the FCA charged a number of finfluencers for promoting an unauthorised trading scheme (FCA, May 2024). Cryptoasset financial promotions are regulated by the FCA. As such, crypto firms must ensure there are systems in place to supervise third parties, and to hold them accountable when using the firm’s marketing materials. Three common issues with cryptoasset financial promotions identified by the FCA are:

1. promotions that make claims about the ‘security’, ‘safety’, or ease of using cryptoasset services, but do not highlight the risk involved;
2. risk warnings lack clear visibility (e.g., small fonts, non-prominent positioning); and
3. firms fail to provide customers with adequate information on risks associated with cryptoasset products (FCA, October 2023).

This is an area which is still highly problematic and which many firms still do not fully understand. To put this into context, in 2023 the FCA reported that over 10,000 financial adverts and other promotions were changed or withdrawn (FCA, February 2024). Between 8 October 2023 and 31 December 2023 alone, the FCA issued 450 consumer alerts relating to illegal cryptoasset promotions to consumers in the UK (FCA, February 2024).

TO BE CONTINUED