By Rodrigo Zepeda, CEO, Storm-7 Consulting

INTRODUCTION

In June 2024, the Financial Conduct Authority (FCA) published feedback on good and poor quality applications under the existing cryptoasset anti-money laundering (AML) and counter-terrorist financing (CTF) regime (Feedback) (FCA, 4 June 2024). The Feedback identified that out of 347 applications received by the FCA since January 2020, only 47 firms (n=14%) were ultimately registered.

A further 36 (n=11%) applications were rejected, 13 applications (n=4%) were refused, and 236 (n=71%) applications were withdrawn. This four-part blog series aims to provide crypto firms and their compliance personnel (including Money Laundering Reporting Officers (MLROs) and Nominated Officers (NOs)) with some additional guidance and clarification on the Feedback that may assist firms.

It covers relevant issues concerning money laundering (ML), terrorist financing (TF), proliferation financing (PF), and The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). It focuses on part four of the Feedback (When preparing an application), which covers thirteen different sub-areas:

1. business plan (BP);
2. comprehensive description of products and services;
3. risk assessment and management;
4. policies, systems, and controls (PSCs);
5. transaction monitoring (TM) and blockchain analysis (BA) coverage;
6. group structure and reliance on group policies and procedures (GPPs);
7. outsourcing;
8. training;
9. suspicious activity reporting (SAR);
10. disclosures;
11. applicant is already authorised for other activities; 
12. sanctions; and
13. website.  

PART I addressed sub-areas 1-3. PART II addressed sub-areas 4-7, and PART III addressed sub-areas 8-13. PART IV will set out some brief critical assessment and commentary on crypto firm applications and ML/TF/PF regulatory requirements. This will explore the massive application failure rate that exists overall (n=86%), and the huge application withdrawal rate (n=71%). PART IV will cover five areas:

1. AML/CTF/PF framework;
2. complexity;
3. costs;
4. expertise; and
5. FCA guidance.

1. AML/CTF/PF FRAMEWORK 

Where cryptoasset firms intend to carry out cryptoasset activity in the United Kingdom (UK), and that activity falls within scope of the MLRs, such firms must register with the FCA before carrying out any cryptoasset activity. This ensures that they are deemed to be compliant with the cryptoassets AML/CTF regime. The FCA acts as the AML/CTF supervisor of UK cryptoasset businesses under the MLRs. On the face of it, the objective for crypto firms is AML/CTF authorisation, so it seems obvious that crypto firms will focus on AML/CTF compliance.

Nevertheless, our analysis so far would tend to indicate that this in itself will not be enough. To be sure, implementing an effective AML/CTF framework is a core requirement. However, firms will also need to produce a very comprehensive BP, which should include a comprehensive description of products and services. They also need to undertake firmwide risk assessment and management, devise highly extensive PSCs, and implement TM and BA coverage which is adequate for the firm’s size and complexity.

A firm’s AML/CTF framework must also be specifically configured to reflect cryptoassets, cryptoasset-related risks, PF, and sanctions-specific controls to reflect the nature of the firm’s cryptoasset-based business model, as well as cryptoasset-specific ‘red flag’ indicators (RFIs) for potential sanctions breaches. On top of this, the crypto firm needs to adhere to highly demanding staff training requirements, and will be required to address disclosures, outsourcing, and SAR in its risk assessment and management, PSCs, and AML/CTF framework.

All of these requirements may very likely not be immediately obvious to crypto firms from the outset. What is more, in our analysis we saw that each of these areas individually was complex. For example, a firm’s description of products and services is not simply made up of descriptive statements. Crypto firms must identify types of native and associated cryptoassets, classify tokens, and set out token functionalities assigned within the business.

They must also create a cryptoasset token vetting policy. They must explain in detail how cryptoasset custodian services operate, how dependent a firm is on external ecosystems for liquidity, and how the firm has implemented the use of decentralised finance (DeFi) and/or smart contracts. So, what may be happening with applications in relation to the AML/CTF/PF framework, is that crypto firms may be:

1. focusing too narrowly on the AML/CTF framework, and marginalising or excluding other important areas (e.g., BA, PSCs, sanctions, SAR, TM, training); 
2. significantly underestimating the extensive requirements for AML/CTF compliance that go beyond the core AML/CTF framework.

2. COMPLEXITY 

Our analysis has shown us that each of the thirteen different sub-areas covered is complex in nature, especially technologically complex areas such as cryptoasset SAR, PSCs, TM and BA coverage, and cryptoasset and AML/CTF risk assessment and management. The more innovative and novel the underlying business model, the more complex that each of these individual areas will be, and the more cumulatively complex crypto firm applications will be. Moreover, it is not just the fact that the sub-areas are complex, but also that they each cover different skill sets, such as:

• blockchain technologies and BA;
• business management;
• cryptoassets and token management;
• financial crime (ML, TF, PF, sanctions);
• law and legal;
• outsourcing operations;
• risk assessment and management;
• systems management;
• technical documentation;
• technology systems; and
• training (BA, crypto risks, legal, operations, TM).

Crypto firm applications may therefore demand a very broad range of professional expertise and skills. This complexity may end up posing a significant challenge for many smaller crypto firms. This is because they may not have all the staff with relevant expertise needed to address all these different areas. Or it may be that they discover the staff that they do have are not sufficiently qualified in terms of the expectations set by the FCA.

For example, to save costs a crypto firm may have hired a junior MLRO to ‘learn on the job’ about crypto, BA, and TM, and to deliver in-house crypto AML/CTF training. However, the firm will have learned that this was not acceptable to the FCA. So, what may be happening with applications in relation to complexity, is that crypto firms may:

1. be significantly underestimating the complexity of sub-area requirements (individually or cumulatively); 
2. find that they do not have the internal professional expertise necessary to meet the sub-area requirements; 
3. subsequently realise it will be too costly to meet sub-area requirements by employing external consultants.  

3. COSTS

Our analysis has shown that crypto firm applications will incur significant costs. This is one of the areas that may prove to be the most problematic for firms. Each of the thirteen sub-areas will require significant time and effort to be addressed properly by firms. One issue is that firms may not have sufficient professional expertise internally, so they may be required to hire external consultants, law firms, technology firms, and training providers to provide necessary services.

Another issue for firms is that they may not initially recognise that they will have to do this. It may only become apparent to firms once they have embarked upon the application process. Firms may not have developed an accurate estimate of overall costs, or their estimate of costs may prove to be deficient because they have missed out a number of areas which they subsequently had to address.

Costs estimates may have been based on a 3-month FCA authorisation process, which then turns out to be a 9-12-month authorisation process. In practice, the crypto firm application requires a highly efficient project management (PM) approach to be adopted. However, given the high application failure rate, it is highly likely that firms have not adopted such an approach.

We previously saw how developing and implementing PSCs was very documentation heavy. It will require a great deal of effort to implement an effective internal AML/CTF framework that covers a Business-Wide Risk Assessment (BWRA), Customer Risk Assessment (CRA), Customer Risk Scoring (CRS), Due Diligence procedures, risk controls, SAR, screening, TM, and training.

All of these areas may require comprehensive and detailed technical documentation, legal documentation, and firm policies. What is more, all these areas are not based on well-established circumstances present in traditional finance (TradFi) firms. Instead, they need to reflect areas, business models, factors, risks, and situations particular to crypto and DeFi (e.g., higher risk cryptoassets, native token trading, product interoperability, sub-custodian crypto services).

Any lack of accuracy or underestimation in these areas may lead to increased costs. If crypto firms seriously underestimate the amount of work required, costs may very quickly start to spiral upwards. This may take crypto firms beyond the point of commercial viability of the firm’s initial business model. So, what may be happening with applications in relation to costs, is that crypto firms may significantly underestimate:

1. costs; 
2. the amount of work required; 
3. the firm’s professional staff expertise;
4. the amount of external services that may be required.  

4. EXPERTISE

Another significant problem that may arise with respect to applications, is that the professional expertise that is required by crypto firms may prove to be too extensive. For example, for certain types of crypto or DeFi business models, TM and BA coverage may need to be highly advanced. This may require the use of a range of sophisticated blockchain analytics tools and techniques to be put in place.

A firm’s risk assessment and management will also extend beyond the core AML/CTF framework. Risk assessment and management will need to address all crypto operational areas, such as asset and token management, collateral management, crypto payments, custodian and sub-custodian services, cyber security, third party outsourcing arrangements, and third party technology providers.

Consequently, a firm’s MLRO/NO may not have sufficient expertise to cover AML/CTF, risk management, and TM/BA altogether. Also, the FCA may find that a firm’s MLRO/NO does not have sufficient crypto AML/CTF expertise to provide staff with in-house training. As a result, a firm would need to implement a range of new hires to cover additional risk management, TM/BA, and training requirements, or to hire external consultants.

At this point we can start to see that all the four areas identified so far (AML/CTF/PF framework, complexity, costs, expertise) are interrelated. If crypto firms underestimate any of these areas, they may impact upon the other areas. If the complexity of sub-areas is underestimated, this may require additional professional expertise which increases costs.

If deficiencies in a firm’s AML/CTF/PF framework are identified, these may lead to increased complexity, the need for additional expertise, and significant additional costs. All these interrelated areas may act together to make the firm’s application more difficult and beyond the firm’s existing staff expertise. So, what may be happening with applications in relation to expertise, is that crypto firms may:

1. harbour false expectations about staff expertise (e.g., staff may not be able to cover something they were expected to cover such as AML/CTF training or TM and BA coverage); 
2. realise the professional expertise required renders the application commercially unviable; 
3. underestimate the amount of additional professional expertise (external consultants) required;
4. underestimate the professional expertise (internal staff) required.

5. FCA GUIDANCE

When you identify an 86% application failure rate you know something is going seriously wrong with crypto firm AML/CTF FCA authorisation applications. In 11% of cases, firm applications were either incomplete or of such poor quality, that the submission was deemed invalid by the FCA. It is possible these 36 firms either did not at all understand the FCA crypto AML/CTF requirements, or they simply did not have the technical expertise and competence to submit applications that contained the minimum information requested.

In 4% of cases, firm applications were refused. This means the application reached the final stage of the decision-making process, at which point the application was refused. This may have been because a firm did not meet the regulatory standard required, or the firm intentionally withheld information, or provided false or incomplete information. The FCA will have provided these 13 firms with reasons for the refusal.

However, in 71% of cases firm applications were withdrawn. This means that 236 crypto firms applied for AML/CTF authorisation, but then subsequently withdrew their applications. This may have occurred either intentionally (e.g., the firm decided to withdraw) or unintentionally (e.g., a firm did not respond to a request for more information within 20 business days). In addition to the potential reasons for this identified above, this may have occurred where:

• the application was incomplete;
• the application process took too long for firms (e.g., between 6-12 months);
• the firm failed to meet FCA expectations at some point;
• the firm failed to respond adequately to FCA follow-up information requests;
• the firm failed to recruit key internal positions (e.g., MLRO/NO with significant crypto AML/CTF experience and skills);
• there were material errors in the application;
• there were significant deficiencies in financial resources identified; 
• there were significant deficiencies in non-financial resources identified.

This figure shows that there are real problems in crypto firm applications that are still not been addressed and remedied. The point that I make here in relation to FCA guidance is that it is insufficient for crypto firms. I will provide three illustrative examples below.

FCA guidance on sub-area 2 is set out below, it totals 78 words.

FCA guidance on sub-area 3 is set out below, it totals 52 words.

FCA guidance on sub-area 13 is set out below, it totals 51 words.

This is the type of guidance that crypto firms have to draw upon. This is the information that has been provided by the national regulatory authority of a country to guide firms, in what we have now established, are highly complex and extremely challenging regulatory applications. What crypto firms actually need is an application guide manual. What crypto firms actually get is a small paragraph. In the previous PARTS of the blog series, we saw how I had to describe the meaning of these sub-areas in detail to make them understandable, and to show how they related to crypto firm operations.

We also saw that in some areas, firms do not even have objective regulatory standards or guidance that they can rely on and draw upon (e.g., to establish what exactly constitutes effective TM and BA coverage which is adequate for the firm’s size and complexity). This is the official guidance provided to crypto firms, with the expectation that they will turn the UK into a world-leading crypto hub.

CONCLUSION

The FCA authorisation process for crypto firms is not the same as for TradFi firms. We have seen that crypto firm applications are highly complex and have virtually no comprehensive regulatory guidance provided that they can employ. In some areas, there are no objective regulatory standards or guidance which firms can rely upon, such as the adequacy of TM and BA coverage required. There is no official guidance provided to firms in relation to cryptoasset SAR.

Overall, crypto firm applications at the moment clearly seem like a huge waste of resources, in terms of time and money, for both crypto firm applicants and the FCA. I know lots and lots of ways that these problems could be remedied, but at present I do not think they will be. Some people may see these simply as failed applications, but what they really represent to the UK are lost potential. That is, they represent millions and perhaps billions in future revenues that could potentially be contributed to the UK economy.

This could prove to be a vital contribution to the UK’s future economic recovery. Yet, we will never know, because these firms were never really given a chance on an equal footing to TradFi firms. The UK government is seeking to turn the country into a world-leading crypto hub. The 86% application failure rate shows us that if we do not support crypto firms this will never happen. Application failure rates remain too high, and the clear problems in the crypto application process have not yet been addressed.