New regulatory requirements, including registration and customer disclosure requirements, apply to regulated and unregulated persons carrying on relevant cryptoasset business.
On 20 December 2019, the UK government published the Money Laundering and Terrorist Financing Regulations (Amendment) Regulations 2019 (the Amending Regulations). The Amending Regulations update the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLRs) to meet the UK’s obligation to transpose Directive (EU) 2018/843 (5MLD) into UK law. A key element of the Amending Regulations is that they bring Cryptoasset Exchange Providers (CEP) and Custodian Wallet Providers (CWP) — including persons making an initial coin offering (ICO) — within the scope of UK money laundering regulations. Therefore, from 10 January 2020 CEPs and CWPs are required to comply with the requirements of the MLRs (subject to limited transitional provisions for existing cryptoasset businesses relating to registration with the FCA). Significantly, the Amending Regulations will impact any UK person conducting cryptoasset business of a kind that is captured by the new definitions of CEPs and CWPs (including, for example, existing UK authorised financial services firms that carry on cryptoasset business which will be subject to new requirements relating specifically to cryptoasset business).
HM Treasury consulted on its proposed changes in April 2019 in its paper Transposition of the Fifth Money Laundering Directive: Consultation (the Consultation Paper). As the UK has not yet formally withdrawn from the EU, its approach to implementing the changes introduced by 5MLD is not impacted by Brexit and it is anticipated that the UK will continue to apply EU financial regulatory standards (including anti-money laundering (AML) requirements) immediately post-Brexit through “onshored” legislation.
Which cryptoasset businesses are in scope?
The Amending Regulations define CEPs, CWPs and cryptoassets as follows:
CEP: “a firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services—
(a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
(b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
(c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.”
CWP: “a firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer—
(a) cryptoassets on behalf of its customers, or
(b) private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets, when providing such services.”
Cryptoasset: “a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically”.
Significantly, a person may be a CEP or CWP regardless of whether they are otherwise regulated in the UK if they carry on cryptoasset business of a kind that is captured by the new definitions. This means that the new requirements relating to cryptoasset business introduced by the Amending Regulations apply to both regulated and unregulated cryptoasset businesses in the UK. Additionally, it is worth noting that the definition of a CEP may also capture market participants that would not ordinarily be regarded as exchanges in the strict sense — i.e., cryptoasset brokers that buy and sell cryptoassets for their customers or for their own account are likely to be captured by the definition, in addition to exchanges that facilitate interactions between buyers and sellers of cryptoassets.
Notably, these definitions also “gold-plate” the requirements of 5MLD in three significant ways:
The Consultation Paper indicated that the government was also considering extending the scope of UK money laundering regulations to persons involved in the publication or provision of open-source software relating to cryptoassets (which would have included, for example, non-custodial wallet providers). However, this does not appear to have been implemented in the Amending Regulations with only CWPs being captured in line with the requirements of 5MLD.
No cross-border application
The Consultation Paper also sought views on potential solutions to the cross-border risks posed by cryptoasset businesses operating outside the UK, suggesting that the government may have been considering applying UK money laundering regulations to offshore cryptoasset business providing services to UK customers. However, no such provisions feature in the Amending Regulations, suggesting that cross-border / extra-territorial application of UK money laundering regulations has not been implemented for the time being. Indeed, the UK Financial Conduct Authority (FCA) as the designated supervising authority for AML in relation to cryptoasset business has clarified that where a business has no UK office or other activity in the UK, beyond simply having a client in the UK, it is likely to consider that the business is not carrying on UK business for the purposes of the MLRs. For example, if a CEP, registered in a jurisdiction other than the UK, and which has no offices or agents in the UK but nevertheless permits UK customers to open trading accounts and permits them to buy/sell/hold cryptoassets, the FCA would not automatically consider that as business being carried on in the UK.
Unusually, HM Treasury has not yet published its formal response to the Consultation Paper with the Amending Regulations, but has stated that it expects to do so soon. When published, the formal response may further clarify the government’s proposed approach to cross-border risks.
When do the Amending Regulations come into force?
The Amending Regulations come into force from 10 January 2020. This is subject to limited transitional provisions for cryptoasset businesses carrying on business in the UK immediately before 10 January 2020 relating to registration with the FCA. The transitional provisions mean that existing CEPs and CWPs will not be required to register with the FCA until 10 January 2021 (although the FCA is encouraging existing businesses to have submitted applications for registration by 30 June 2020).
However, new CEPs and CWPs are subject to all of the requirements of the MLRs from 10 January 2020, and the FCA has confirmed that existing CEPs and CWPs will also be expected to comply with all other requirements from this time, even if they choose not to register immediately. In a statement on its website, the FCA has stated it will “proactively supervise firms’ compliance with the new regulations, and will take swift action where firms fall short of desired standards and cause risks to market integrity”.
What are the requirements with which firms must comply?
From 10 January 2020, CEPs and CWPs must comply with the existing requirements in the MLRs, and are also subject to new requirements and powers vested in the FCA relating specifically to cryptoasset business.
CEPs and CWPs are required to register with the FCA before carrying on relevant cryptoasset business in the UK (subject to the transitional provisions discussed above). The FCA has clarified that existing UK authorised persons (including existing UK banks, investment firms, electronic money institutions, and payment services businesses) undertaking relevant cryptoasset business must apply for registration.
Registration must be completed via the FCA’s online system, Connect, and applicants must provide a significant amount of information to the FCA relating to their business and all key individuals who hold a relevant function to assess whether or not the applicant is fit and proper. Under the Amending Regulations, in order for a firm to be successfully registered by the FCA, it must show that the firm, any officer or manager of the firm, and any beneficial owner of the firm, is a fit and proper person to carry on the business of a CEP or a CWP. The FCA has up to 3 months to assess an application for registration from the date it considers the application to be complete.
The information the FCA will require from applicants will include:
The person appointed to carry out any of these functions can be the same person, but the FCA expects them to have the knowledge, experience, and training, as well as a level of authority and independence and sufficient access to resources and information, to enable them to carry out that function. For businesses already authorised by the FCA for other activities, the relevant officer can be the same individual as for those other activities, subject to the person having appropriate knowledge, experience, and probity for the cryptoasset business.
Registration fees will be charged by the FCA as follows:
The FCA defines income for these purposes as the gross inflow from economic benefits (that is, cash, receivables, and other assets) recognised in the UK business’ accounts during the reporting year relating to the provision of relevant cryptoasset business.
Further information about the registration process can be found on the relevant FCA webpage.
Disclosures to customers
The Amending Regulations introduce a requirement that CEPs and CWPs must make a disclosure to their customers in circumstances where the cryptoasset business they conduct is not subject to the protections of the Financial Ombudsman Service and/or the Financial Services Compensation Scheme.
In this regard, the FCA has made its expectations clear stating that registration under the MLRs is not a licence, or a recommendation or endorsement of the business by the regulator. Registered businesses should, therefore, be careful to avoid using language in this context that might give the impression that registration is a form of endorsement or recommendation. Cryptoasset businesses should ensure that they do not mislead customers as to what protections apply and the status of their FCA registration.
Existing cryptoasset business may, therefore, need to update their terms of business or other customer-facing materials.
Customer due diligence
The MLRs require in-scope firms to carry out customer due diligence (CDD) when engaging in an “occasional transaction” or setting up “a business relationship”. This means a firm is required to obtain and verify certain information about a customer (including, for example, a customer’s name, date of birth and residential address). Additional information relating to the source of a customer’s funds is also required in circumstances prescribed by the MLRs as presenting a higher risk of money laundering or terrorist financing (including, for example, if the customer is a politically exposed person).
A business relationship is a relationship entered into with a customer that is expected to be ongoing. When a business relationship is established, a firm undertaking CDD must obtain information on the purpose of the relationship and the intended nature of the relationship. Occasional transactions are transactions that are not carried out within an ongoing business relationship subject to certain de minimis value thresholds (although CEPs operating a machine which uses automated processes to exchange cryptoassets for money or money for cryptoassets — such as operators of Crypto ATMs — must apply CDD measures for all exchanges of money for cryptoassets, whatever the amount).
Firms must also ensure that they have adequate internal controls and monitoring systems. These should alert the firm if criminals attempt to use the firm for money laundering. These steps include:
Firms subject to the MLRs must also keep a record of all customer due diligence measures, including:
New powers for the FCA
The Amending Regulations create additional reporting requirements for CEPs and CWPs. CEPs and CWPs are required to provide to the FCA information about their compliance with the MLRs, or as is otherwise reasonably required by the FCA. This is intended to improve the information available to the FCA about compliance with the MLRs by cryptoasset businesses at both the firm and market level.
The FCA has also been given the power to appoint a “skilled person” to carry out a report concerning the AML controls of CEPs and CWPs, and to recommend actions for the relevant person to reduce AML risks. This measure is intended to create a supervisory step before the FCA is forced to resort to enforcement or suspension of activities for firms that are new to AML regulation.
Furthermore, the Amending Regulations give the FCA the ability to give a direction in writing to a CEP or a CWP to remedy a failure to comply with a requirement under the MLRs, or to prevent a future failure. This power already existed for the majority of the firms supervised by the FCA for AML purposes and is intended to harmonise the provisions available to the FCA to deal swiftly with potential breaches.
The FCA and the Joint Money Laundering Steering Group (JMLSG) are expected to consult in early 2020 on updates to the FCA Financial Crime Guide and the JMLSG guidance on compliance with the MLRs, respectively, taking into account the changes introduced by the Amending Regulations.
HM Treasury is expected to publish its formal response to the Consultation Paper in early 2020. HM Treasury will also review the regulatory provisions within the Amending Regulations. It is required to publish its first report before 26 June 2022, aligning with the first review of the MLRs.