Crypto firms operating in the UK, prior to 10th January 2020, are required, in compliance with the 5th Anti-Money Laundering Directive (5MLD), to register with the FCA and be compliant with the MLRs 2017, as amended. There has been a number of extensions to the registration deadline. Director Philip Creed looks at what firms should be doing now to better prepare for their cryptoasset registration.
Initially, the deadline for firms to be registered was 10th January 2021. The Temporary Registration Regime (TRR) was offered to existing cryptoasset firms to allow them to continue to trade until 9th July 2021, providing they applied for registration prior to 16th December 2020. This was further extended in June to the new deadline of 31st March 2022.
At the time of this article, of the approximate 200 applications, only 9 firms have had their applications processed and accepted. A quote issued on the FCA’s website states:
"A significantly high number of businesses are not meeting the required standards under the Money Laundering Regulations resulting in an unprecedented number of businesses withdrawing their applications." - FCA
Many firms are found to not be reaching the standards set out by the FCA. Having worked with many crypto firms throughout the first half of 2021, this blog looks to provide our thoughts and advice on how crypto businesses can better place themselves to become successfully registered as a UK cryptoasset firm.
Key areas your cryptoasset firm should focus on
Know Your Customer (KYC) vs Customer Due Diligence (CDD)
Two terms which are often thought of as interchangeable, however, are very different in terms of their application towards your customer. KYC is the collection of up-to-date documentation on your client to understand who they are – for example by obtaining their ID, their proof of address (POA) and information on the intended nature and purpose of business. In general, KYC procedures are carried out to a sufficient standard by UK crypto firms.
CDD on the other hand, must be used on an ongoing basis to understand exactly what the KYC information collected tells us at onboarding versus what the client’s actual behaviour is potentially informing us otherwise. Ongoing monitoring of a client’s account is vital to an effective risk-based approach when considering financial crime prevention. If a firm onboards, risk assesses and performs due diligence on client X, are they still servicing client X a year or two down the line or has client X’s profile changed. If so, how can the firm be certain that the client’s activity is being effectively monitored?
While event driven triggers may require a client account review and capture any changes to a client’s profile, to ensure all client accounts are reviewed during the business relationship, implementation of a periodic, risk-based review of a client account should be undertaken by firms. Higher risk clients should be reviewed more frequently, and this formalised process should be documented within the firm’s policies and procedures.
Business Wide Risk Assessments
It has been highlighted by the FCA that the quality of the majority of firms’ business wide risk assessments are poor and this stems from a lack of detail which effectively helps firms to understand their risk exposure, set their risk appetite, and inform their mitigating controls including their customer risk assessment and CDD measures.
We advise clients to utilise this document as an overarching assessment of the AML risks the firm is potentially exposed to and utilise this analysis to build out an AML compliance framework accordingly. This must be presented to senior management and the Board and be a live document, subject to change as necessary.
Culture of Compliance Within the Firm
Crypto firms are primarily built as technology-based businesses which are required to build out and implement an effective AML Compliance framework. This can lead to the compliance function acting as a separate branch to the business’s other functions. This does not create a healthy culture of compliance within the firm. A culture of compliance is vital and must come from the top of the business and feed into all relevant areas of the organisation.
The compliance function is responsible for the implementation of policies and procedures as well as systems and controls to ensure a compliant risk-based approach is applied to mitigate a customer’s potential to utilise the firm to commit financial crime. This risk-based approach is enhanced when all areas of the firm have sufficient knowledge of the role of compliance and the senior people to whom they can communicate issues or queries.
Senior management and the Board should encourage compliance teams to meet with other business functions to explain their role and responsibilities. Clear governance and reporting lines must be set out for compliance issues to be presented and discussed at a senior management and Board level.
As set out in the MLRs 2017, employees of the firm should be adequately trained and made aware of the law relating to Money Laundering and Terrorist Financing. Under POCA 2002, there must be firm wide knowledge of the individual employee’s obligation to report potentially suspicious activity, who to report it to and how to do so.
What should cryptoasset firms on the TRR do now?
While firms can look at the TRR extension as breathing space to continue trading as before, we recommend this extension be used by firms to review their current AML programme and how it can be enhanced to aid in their registration process. As evidenced by the low number of firms which have successfully navigated the FCA’s registration process, as well as reading updates provided by the FCA, when deeming a firm ‘fit and proper’ and compliant with the MLRs 2017, required standards are not currently being met.
An internal or external audit function to review the firm’s policies and procedures as well as examine, test and evaluate the firm’s AML systems and controls can assist in identifying potential issues as well as providing best practice, industry standard recommendations to ensure applications made in Q3 and Q4 2021 as well as Q1 2022 produce an increase in successful registrations with the FCA.
How fscom can help with your cryptoasset registration
We work with many of the leading crypto firms in the world and have been at the forefront of the sector since its early stages. If you require any assistance with your application to the FCA, or any advice or guidance around cryptoasset regulation or registration, please do not hesitate to contact me, or any of the team, at fscom today.