As you may be aware, cryptoasset exchange providers and custodian wallet providers have been included in the AML supervisory regime by virtue of 5MLD. This inclusion was implemented in the UK by virtue of The Money Laundering and Terrorist Financing (amendments) Regulations 2019 which came into force on the 10 January this year.
Cryptoasset exchanges and custodian wallet providers are now therefore subject to the full range of AML obligations under the Money Laundering Regulations 2017 (MLRs), including customer due diligence, suspicious activity reporting, transaction monitoring obligations, etc.
Furthermore, the UK government has given the FCA powers to supervise and enforce the requirements laid out within the MLRs. As such, these firms must now register with the regulator.
The FCA gateway opened for businesses to submit applications for entry to the register on 10 January 2020. While new businesses must register prior to their launch, businesses that carried on cryptoasset activity before 10 January 2020 have a grace period until the 10 January 2021 to complete the registration process.
In order to facilitate this, the FCA provided a priority review system which would ensure that firms already providing cryptoasset services could meet the requirement of being registered by January 2021. In order to make use of this, firms must make an application prior to the 30 June. In the event firms were to miss this date, they would potentially be subject to the FCA’s case management queue. Due to the large number of firms registering this year (the FCA have estimated 150 firms), there is likely to be a large backlog and therefore firms submitting after 30 June run the risk that they will have to cease trading between the 10th January 2021 and the time at which they have been successfully registered.
With the 30 June deadline fast approaching, we take a look below at the application process and its requirements.
The application process follows a similar format to applications for authorisation and as such firms will be expected to provide detailed documents and information pertaining to their operational structure, business plans, structural organisation, systems and controls as well as the governance and internal control mechanisms.
Firms should complete applications using the Connect system by starting a new application. Below we provide an overview of the various sections of the application.
While the programme of operations is less detailed than that of an e-money or payments application, it still requires a high-level outline of the relevant services the firm will offer, including those not related to cryptoassets. A high-level funds flow and details of the expected volume and value of the activities must also be provided.
Like other applications, the business plan is intended to provide an understanding of the ‘types’ of customers you want to attract. This will include the firm’s placement within the existing cryptoasset market, unique selling points, an outline of the marketing plan and distribution channels and an explanation of the main lines of income and expenses, the financial debts, and the capital assets. In addition, three years of financial forecasts with accompanying stress tests should be provided. These are intended to provide the FCA with a breakdown of the types of assets the firm deals with and how they intend to become and remain profitable even in the event of economic downturn or similar situation.
Corporate structure charts clearly showing ownership holdings and voting rights of all shareholders over 25% should also be provided, as well as a list of all cryptoasset public keys and addresses associated with the firm.
In this section the FCA will want to see the firm’s assessment of the money laundering and terrorist financing risks associated with its business. This should include an overview of the risks associated with the applicant firm’s customer base, the services provided, transactions, the delivery channels used and the geographic areas of operation.
You must also include the identity of your MLRO and provide evidence that their anti-money laundering and counter-terrorism expertise is sufficient to enable them to fulfil this role. You must also demonstrate the procedures implemented to mitigate risks of breach under their obligations under the Money Laundering Regulations 2019. This should detail the policies and procedures the firm has to monitor fiat currency transactions and cryptoassets and an outline of the systems put in place to train staff and ensure that policies and training is constantly reviewed and kept up to date.
You must also include the anti-money laundering and counter terrorism manual for the firm’s staff.
C) Systems and controls
The FCA ask about the firm’s IT systems. This will include administrative systems, transaction analysis systems, AML tools and any other off the shelf products or platforms that form a part of your IT framework. Where the company uses bespoke internal IT systems, the FCA will want evidence of this in the form of the firm’s IT security policy.
This section should include a detailed organisational chart, an overall forecast of the staff numbers for the next three years and a description of relevant operational outsourcing arrangements including a copy of all outsourcing agreements.
Key details on outsourcing providers are required, including their location and the functions they will perform on the firm’s behalf.
Lastly firms are required to disclose the details of all individuals, beneficial owners and close links of the firm i.e parent or sister companies, subsidiaries or firms with shared ownership of over 20%.
Applications for a fitness and propriety assessment for any person who is an officer, manager or a beneficial owner as per Regulation 58A of the MLRs must be submitted alongside the above application. While many of these individuals may have already been vetted by the FCA where the firm provides other regulated activities, it is important to ensure that this process has been replicated for cryptoasset supervision.
In making its assessment, the FCA will consider:
With 30 June deadline approaching fast, firms providing cryptoasset activity prior to 10 January have just over a week left to apply or run the risk of having to stop their cryptoasset activity after 10 January 2021. If you have any queries regarding the process or would like guidance in compiling your application, please do not hesitate to get in contact with me or one of my colleagues.
Get in touch with fscom today!
[1] Which amended regulation 8(2) of the Money Laundering Regulations 2017 to include cryptoasset exchange providers and custodian wallet providers.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.
We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.
Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.
Please click the button below which relates to the issue you’re having.
Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association
Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.
For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.
The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.
Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.
Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.
For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.
