Checklist for a successful crypto-provider registration application
07 March 2023
Any business that intends to operate in the UK as a cryptoasset exchange provider or custodian wallet provider is required to register, but many are at risk of falling short at the first hurdle: the application for registration.
Since early 2020, the FCA has acted as the anti-money laundering and counter-terrorist financing (AML/ CTF) supervisor of UK businesses conducting or intending to conduct cryptoasset activity. In an article published in January 2023, the FCA detailed statistics which indicate a need for further guidance. Out of the 265 applications determined, just 15% were approved and registered; 74% were refused or withdrawn; and the remaining 11% were rejected. The FCA has, somewhat belatedly for some, now issued feedback to the growing number of businesses looking to venture into the cryptoasset industry.
To ensure registrations are completed correctly, cryptoasset provider applicants should take care to consider the following:
Step 1: Before preparing an application
- Review the MLRs: Applicants are expected to demonstrate an understanding of the UK AML registration regime as set out in the MLRs.
- Consider whether you will be carrying out in-scope cryptoasset activity: The FCA suggests referring to this flowchart, which prompts you to evaluate your business and assess whether FCA registration is likely to be required. Key provisions under the MLRs to consider are Regulation 14A (will you be carrying on relevant cryptoasset activities?) and Regulations 8 and 9 (will this be by way of business within the UK?).
- Review FCA guidance: Applicants should familiarise themselves with the FCA’s guidance and the cryptoasset registration form to understand the level of detail and range of information required.
- Seek independent legal advice: The FCA recommends applicants seek independent advice in preparation and carefully consider the nature of the products and applicable regulations. If you would like further advice, please contact Wendy Saunders, Head of Financial Services Regulatory.
- Appoint a Money Laundering Reporting Officer (MLRO): It’s expected that applicants appoint an MLRO with the relevant knowledge, experience, training, level of authority, and independence required to monitor and manage compliance with the relevant policies. The FCA will assess the suitability of your MLRO and refuse applications where they lack “fitness and propriety”.
Step 2: Preparing an application
There are numerous areas your application should cover:
- Business plan: The FCA request details of an applicant’s business model, business partner responsibilities, sources of liquidity, and “detailed customer journey and flow of funds charts”. You’re advised not to submit plans that fail to provide forecasts, or include forecasts which are deemed unrealistic. It’s also asked that you consider the commercial aspects of your business plan along with compliance oversight, risk mitigation and financial controls – especially where cryptoasset holdings are considered.
- Description of products and services: This description must be “comprehensive and accurate”, including (where applicable) a cryptoasset token vetting policy, underlying smart contracts, and analysis of how dependent it is on external ecosystems for liquidity.
- Risk assessment and management: It’s crucial that any applicant demonstrates an awareness of the risks from dealing with cryptoassets. You’ll be asked to design a Business Wide Risk Assessment (BWRA) which identifies any proliferation financing risks in addition to AML and CTF risks and how they may be mitigated.
- Policies, controls and systems: The FCA warns that it will not approve applications with underdeveloped AML frameworks or weak governance structures. You should have the policies, controls and systems in place to manage and mitigate any risks identified in the BWRA – and they should align with your business model rather than generic policies. The FCA will ask for evidence of your assessment of the strength of any control, and you should be prepared to explain your rationale if certain standard controls are deemed not to apply.
- Transaction monitoring and blockchain analysis coverage: An applicant should demonstrate it has adequate transaction monitoring and blockchain analysis for its size and complexity. Sufficient compliance resources are required, and any compliance staff should be able to carry out blockchain investigations efficiently when using these tools.
- Group structure and group policies: Your application should focus on your business model and how any proposed cryptoasset activities relate to – and how they will comply with - the MLRs. You should provide a clear and complete description of the proposed management structure, including the details of key individuals, their expertise, and their responsibilities -recent CVs outlining recent qualifications may help illustrate this point. Importantly, firms may not rely on group policies and procedures without being clear that they comply with the MLRs and that they will be followed by the applicant.
- Outsourcing: Any outsourcing arrangements, both within and outside the group, and within and outside the UK, should be listed. An applicant should demonstrate there is oversight to ensure outsource providers comply with the requirements of the MLR and acknowledge that they will remain responsible.
- Training: You should evidence staff training materials tailored towards your company’s business model and associated AML/CTF risks. Any application lacking a training plan or adequate resources to deliver the training plan will not be approved.
- Suspicious Activity Reporting (SAR): Your SAR policy must fully cover any cryptoasset-related activities. Applications referring to generic SAR policies will not be approved.
- Disclosures: Applicants are expected to be proactive. Before establishing any business relationship with a customer, they must disclose that their cryptoasset activities will not fall within the scope of the Financial Ombudsman Service and that they will not benefit from the Financial Services Compensation Scheme.
- Already authorised for other activities?: If you’re already registered or authorised with the FCA, you must demonstrate that you recognise the requirements of the AML regime for a cryptoasset business. Any existing AML framework should be extended to cover risks associated with cryptoasset activities.
- Sanctions: You should be able to demonstrate that there are adequate and current sanctions-specific controls within your control framework. This should include any cryptoasset-specific ‘red flag’ indicators for potential sanctions breaches. You should also show that you will run checks consistently across various processes, ranging from onboarding to periodic reviews to transaction monitoring.
- Website: Your website and marketing materials must contain an “accurate and fair” representation of your products and services. Do not include any misleading information. The FCA also expects you to demonstrate that you have clear oversight and accountability for how third parties – such as social media influencers – use your marketing material.
Step 3: Submitting your application
- Does the application meet the required standards?: A number of factors are considered by the FCA, including your business’ financial promotions and “financial soundness”. But the key thing to demonstrate is that you understand your obligations to comply with the MLRs and that your business is ready and prepared to meet these requirements.
- Have you included everything?: It may go without saying, but the FCA expects full and complete applications. Information should be up to date on the date of submission, and any documents should be final versions – drafts will be disregarded.
Step 4: Awaiting the outcome
- Keep up to date: Applicants are expected to be “agile and prepared to deal with a rapidly evolving framework”, so be aware of any emerging risks or changes within the industry. Even if your application is under review, the FCA requires you to share any relevant changes or new information in a timely manner.
- Don’t treat your application as registration: Applicants must not use their application to promote their products or services. Make sure your website and marketing materials do not suggest that making an application for registration equates to FCA endorsement.
The FCA is keen to emphasise that being registered is an ongoing obligation, not a one-off, box ticking exercise. If you would like support with your application or with navigating the requirements once registered, the Lewis Silkin team will be happy to assist.