Community
In June 2024, the Financial Conduct Authority (FCA) published feedback on good and poor quality applications under the existing cryptoasset anti-money laundering (AML) and counter-terrorist financing (CTF) regime (Feedback). This four-part blog series will aim to provide crypto firms and their compliance personnel (including Money Laundering Reporting Officers (MLROs) and Nominated Officers (NOs)) with some additional guidance and clarification on the Feedback that may assist firms.
It will cover relevant issues concerning money laundering (ML), terrorist financing (TF), proliferation financing (PF), and The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). PART III will address sub-areas 8-13 previously identified, namely:
8. training; 9. suspicious activity reporting (SAR); 10. disclosures; 11. applicant is already authorised for other activities; 12. sanctions; and 13. website.
SUB-AREA 8: TRAINING
With regards to training requirements, the FCA states that:
Is this requirement problematic for crypto firms? Yes, most definitely. The problem is that nearly all crypto AML/CTF training courses (TCs) are standardised. Online learning will almost certainly be standardised. This means such TCs do not offer different substantive content for different crypto firm types, such as crypto exchanges, crypto payment processors, crypto wallet providers, decentralised finance (DeFi) liquidity providers, or DeFi lenders.
In addition, there is a very limited choice of advanced and comprehensive TCs available for firms. This means crypto firms may face a choice of either having an existing crypto AML/CTF TC customised to their specific requirements, or having a TC created specifically for the firm. Either option may prove to be both complex and costly, as firms may operate across diverse countries, industries, markets, and sectors, and may also employ different or multiple business model types (e.g., crypto investments, decentralised exchanges (DEXs), smart contracts, stablecoins, staking, synthetic assets, yield harvesting).
This becomes even more problematic when dealing with firms that operate across DeFi business models and sectors, such as decentralised autonomous organisations (DAOs), DeFi applications (DApps), DeFi borrowing and lending, and DeFi derivatives. In addition, the FCA notes that where a firm has hired external consultants (Consultants) to develop its AML framework, the firm must:
Consequently, it is not enough for firms to hire Consultants to develop and implement an AML framework, as all relevant staff must be trained in how the newly developed AML framework operates as well. So, we can see that the training costs for crypto firms very quickly start to escalate. For example, firms may be required to pay fees for:
There is a significant risk that crypto firms either underestimate the complexity and costs that training requirements may raise, or they may try to cut corners to save costs (e.g., hiring a junior MLRO with little to no crypto AML experience to ‘learn on the job’). The position adopted by the FCA is clear, as it states:
“We will not approve an application where the applicant has an inadequate training plan or lacks the resources to deliver that training” (FCA, June 2024).
The faulty examples provided by the FCA include:
SUB-AREA 9: SAR
SAR concerns disclosure of ‘Suspicious Activity Reports’ to the National Crime Agency (NCA) in the United Kingdom (UK). For applications, the FCA advises firms that:
With respect to the SAR policy, it must:
The relevant tipping-off provisions are set out in sections 333A-E of the Proceeds of Crime Act 2002 (POCA). In short, they make it an offence to reveal information likely to prejudice any law enforcement investigation once a Suspicious Activity Report has been submitted. The SAR policy should cover in detail how tipping-off will be addressed and dealt with within the firm. If there are suspicions within a firm that cryptoassets are in some way criminal, the firm risks committing a ML offence under POCA by dealing with such cryptoassets. In such circumstances, firms can seek a DAML to provide a defence at law (POCA, s. 335).
Crypto firms should note that SAR is one of the most problematic areas within traditional finance (TradFi) AML/CTF frameworks. It involves complicated legislative frameworks and interpretation of legal cases (e.g., R v Da Silva [2006] EWCA Crim 1654; Anwoir and others [2008] EWCA Crim 1354; Shah v HSBC [2012] EWHC 1283); interpretation and application of guidance from the NCA and UK Financial Intelligence Unit (UKFIU); and contextual application within AML/CTF frameworks. SAR in relation to cryptoasset-related activities has quickly become a challenging area for firms, especially since no official cryptoasset SAR guidance provided by the NCA or UKFIU exists.
To put this into context, in the United States (US), the Financial Crimes Enforcement Network (FinCEN) reported that there were over 92,000 crypto-related Suspicious Activity Reports filed in 2021 (compared to 58,951 filed by futures and securities firms (Jimenez, 20 May 2022). The number of Suspicious Activity Reports filed by US crypto exchanges is growing rapidly (Jiminez, 2 February 2022). For cryptoassets, firms must engage in a difficult assessment of suspicion. They must set the threshold for suspicion and why cryptoassets are suspected of being criminal property. SAR policies, procedures, and rules should therefore be as detailed as possible to provide absolute clarity to a firm’s staff and the FCA.
SUB-AREA 10: DISCLOSURES
The FCA states that it will expect to receive evidence that the firm will proactively:
Where customers deal with regulated financial products or services (e.g., bank account, credit card, loan), they are entitled to raise a complaint or dispute with the FOS. In practice this allows them to seek a resolution without having to pay significant legal costs (i.e., instead of commencing a legal claim in court). The FSCS provides protection for customers of certain regulated financial products for up to £85,000 held in deposits across all accounts held within a bank/banking group.
Many customers in the UK now take these protections for granted. However, cryptoassets are not directly regulated financial products or services in the UK. What this means is that if a crypto firm customer deposits £50,000 in a crypto account, the crypto firm customer is NOT entitled to use the FOS, and is NOT entitled to FSCS protection (e.g., if the crypto firm becomes insolvent) (even though the firm may be FCA authorised).
This is why the FCA requires crypto firms to provide evidence that they will proactively inform customers about the lack of legal rights under the FOS and FSCS. Consequently, the disclosures made by the crypto firm need to be clear and brought to the attention of the customer. This area is particularly problematic for crypto firms, because there has been a very significant rise in fraud and scam complaints in recent years (FOS, September 2021).
If crypto firm customers are subject to crypto fraud or scams, they do not have the same legal rights that they might have when dealing with accounts held by banks, nor can they initiate claims with the FOS. Consequently, there is an increased likelihood that customers will seek to raise complaints directly with the FCA that the disclosures provided by the crypto firm were inadequate.
SUB-AREA 11: APPLICANT IS ALREADY AUTHORISED FOR OTHER ACTIVITIES
If crypto firms are already registered or authorised (e.g., e-money institution (EMI)), they must demonstrate that they understand the requirements of the FCA AML registration regime for cryptoasset businesses. This might occur where an EMI that is authorised to deal with regulated currencies and payments, wishes to obtain additional authorisation under the cryptoassets AML/CTF regime. There are two points to note in this regard.
First, crypto firms must extend any existing AML framework to fully cover the new and unique risks of the firm’s new cryptoasset-related activities. Here, there is a significant risk that firms may adopt a somewhat blasé approach to extension of existing AML frameworks, because they may already have a TradFi AML/CTF regime in place. They may think that because the firm is already experienced with implementing ML/TF/PF controls, they can very quickly and easily extend these controls to cryptoasset-related activities. This is not the case.
In this regard, note that in 2023, crypto and financial technology (FinTech) groups were fined a total of $5.8 billion in penalties for lax AML controls, customer checks, and other financial crime and sanctions issues (Noonan and Smith, 9 January 2024). Crypto firms should bear in mind that these penalties reflect regulatory fines imposed on crypto firms that were already authorised, and that were supposed to have effective crypto ML/TF/PF controls in place.
Second, crypto firm applicants will need to very closely and realistically assess any previous regulatory issues or problems that have arisen. The FCA notes that when assessing applications, it will take into consideration any history of compliance failings by the applicant firm, such as:
Firms should seek to identify all previous regulatory issues or problems that have arisen, and to ensure that they have been addressed and effectively dealt with. Firms should not attempt to dismiss these as simply historic failings. Instead, firms should explain how these types of issues will be monitored, identified, and escalated in the future, and what improvements were made as a result of prior compliance failings.
SUB-AREA 12: SANCTIONS
The FCA states that a firm must:
In practice, some examples of RFIs that may suggest an increased risk of sanctions evasion in the cryptoasset sector include:
As we can see from just a few examples of cryptoasset RFIs, configuring a firm’s sanctions framework may prove to be a challenging area for crypto firms. This is because operational requirements will invariably reflect a firm’s customer types (e.g., high-net-worth individuals (HNWIs), institutional, retail), the geographic locations and markets in which it operates, and the firms’ particular business model.
Consequently, some sanctions frameworks may be simple, whilst others may be convoluted and complex to operate. Crypto firms must prove to the FCA that their sanctions-specific controls are both adequate and current. Lack of necessary controls will result in the FCA rejecting applications (e.g., no procedure on how to deal with funds of a designated person, or no provisions to identify transactions linked to higher risk wallet addresses).
SUB-AREA 13: WEBSITE
The FCA states that:
Firms should note that marketing materials will cover any type of communications channel (i.e., emails, mobile applications, newspapers, physical mail, posters, radio, SM, television, websites). In relation to accuracy and fairness, crypto firms should note that this is not simply about making sure that descriptions and information provided by a firm are clear, realistic, and understandable.
It is also about making sure that a crypto firm is not hiding anything (whether intentionally or unintentionally). Therefore, crypto firms must ensure that:
A clear case in point in relation to misleading information, is promotions that (wrongly) state or imply the FCA has approved or endorsed a product. For example:
One particularly problematic area is third party promotions, as was highlighted only recently when the FCA charged a number of finfluencers for promoting an unauthorised trading scheme (FCA, May 2024). Cryptoasset financial promotions are regulated by the FCA. As such, crypto firms must ensure there are systems in place to supervise third parties, and to hold them accountable when using the firm’s marketing materials. Three common issues with cryptoasset financial promotions identified by the FCA are:
This is an area which is still highly problematic and which many firms still do not fully understand. To put this into context, in 2023 the FCA reported that over 10,000 financial adverts and other promotions were changed or withdrawn (FCA, February 2024). Between 8 October 2023 and 31 December 2023 alone, the FCA issued 450 consumer alerts relating to illegal cryptoasset promotions to consumers in the UK (FCA, February 2024).
TO BE CONTINUED
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Elaine Mullan Head of Marketing and Business Development at Corlytics
12 August
Abhinav Paliwal CEO at PayNet Systems- A Neo Banking Software Platform
Donica Venter Marketing coordinator at Traderoot
Dmytro Spilka Director and Founder at Solvid, Coinprompter
11 August
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.