Enabling you to operate a crypto business in the UK by registering your cryptoasset business with the FCA
Cryptocurrency License, UK
FCA AML/CTF Cryptoasset Registration
Introduction to FCA AML/CTF Cryptoasset Registration
If you wish to provide crypto services in the UK, you must register with the FCA for the crypto license in the UK, formally known as the FCA AML/CTF Cryptoasset Registration regime. Crypto businesses in the UK are required to register under this regime from 10 January 2020.
The FCA is the new anti-money laundering and counter-terrorist financing (AML/CTF) supervisor of crypto businesses based in the UK under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. If you wish to provide crypto services in the UK you must register with the FCA as part of its AML/CTF Crypto Registration process.
We are helping crypto businesses that wish to provide crypto services in the UK, with the FCA's crypto license, formally known as the AML/CTF Cryptoasset Registration. The registration has been a challenging process for crypto businesses. Buckingham Capital Consulting is working with crypto firms in helping them understand their AML risks and addressing them, ensuring the FCA's registration process is as smooth as possible.
What is a Cryptoasset under the FCA's cryptoasset registration regime?
A cryptoasset is a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically, and includes a right to, or interest in, the cryptoasset (Regulation 14A(3)(a) and (c) ML Regulations).
Some cryptoassets may be deemed as specified investments and fall under the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001, whilst they can also fall under electronic money and therefore the scope of the Electronic Money Regulations 2011.
If your cryptoasset business provides regulated investment or electronic money services, you must ensure that it has the appropriate regulatory permissions to comply with regulatory requirements, particularly those concerning anti-money laundering and countering terrorist financing.
What are crypto activities under the FCA's cryptoasset registration supervision?
Cryptocurrency exchange providers
A cryptocurrency exchange provider is a firm creating or issuing cryptoassets when providing the following services:
(a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
(b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
(c) operating a machine that utilises automated processes to exchange cryptoassets for money or money for cryptoassets (Regulation 14A(1) Money Laundering Regulations).
The following activities will require assessment on a case-by-case basis:
b. escrow services into cryptoasset activities,
c. issuance of cryptoassets or their acceptance in return for goods or services.
Custodian wallet providers
A custodian wallet provider is a firm providing services to safeguard or administer:
(a) cryptoassets on behalf of its customers, or
(b) private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets when providing such services (Regulation 14A(2) Money Laundering Regulations).
Custodian wallet providers may also offer other services. Firms merely holding and storing cryptographic keys, but not involved in their transfer are not likely to be in the scope of the definition. This includes hardware wallet manufacturers and cloud storing service providers. These are regarded as ‘non-custodian wallet providers’.
The FCA's approach to regulating cryptoasset businesses
The FCA has adopted a risk-based approach with regard to supervising cryptoasset businesses. This means that businesses posing the greatest money laundering and terrorist financing risk will be subjected to a more detailed registration assessment and ongoing supervision. The same applies to the FCA's approach towards taking enforcement action against your firm where misconduct or a breach has taken place.
The FCA will assess your business and expect you to demonstrate that you have adequate and relevant policies and procedural documents in place, as well as internal controls, to effectively manage the risk of money laundering and terrorist financing. Your business will be expected to understand its risks and mitigation measures to reduce the risk of money laundering and terrorist financing.
You are required to adopt a risk-based approach. Your approach should reflect the size and nature of your business. For example, if your firm is providing a number of payment services, e-money, and cryptoasset-related services, then the requirement will be higher compared to providing a single regulated service.
You should appoint a nominated officer, preferably a member of your board or management, to be responsible for compliance, particularly with the money laundering regulations. The nominated individual will be responsible for reporting suspicious activity to the National Crime Agency (NCA), where appropriate.
Do you need to register your crypto business under the cryptoasset registration regime?
The application of the money laundering regulations will be considered by the FCA on a case-by-case basis and is likely to differ for different business models. Generally, the regulations are applicable if you have a physical presence in the UK through which the cryptoasset business is conducted, although other factors may also be considered. However, merely having UK customers does not in itself mean that such a firm would fall within the jurisdictional scope of the ML Regulations. However, a cryptoasset exchange provider that has an ATM located in the UK will be within the scope of the ML Regulations irrespective of which jurisdiction the operator is established in or where its offices are based.
Examples of high-risk money laundering factors concerning cryptoasset businesses
The following are some factors that increase the risk of money laundering and/or terrorist financing:
a. Privacy - the ability for the user to transact without being fully identified.
b. Cross-border nature - if your firm operates across multiple countries, this may reduce your ability to have complete oversight and hinder your ability to identify all money laundering risks and their mitigation measures.
c. Decentralised nature - here, as there is no central server, transactions and individuals may not be subject to risk assessment and mitigation measures, as required by the regulations.
d. Digital nature - given the digital nature of cryptoassets, the lack of face-to-face contact presents a risk.
e. The ability of the user to make or accept payments in money from/to unknown third parties, or to operate multiple accounts.
f. The customer is involved in cryptoasset mining operations
g. The customer is a money remittance provider and is unable to produce the required KYC information.
h. The customer uses VPN, TOR or anonymous services.
i. The customer sends cryptoassets to newly-created addresses.
j. The customer regularly avoids the KYC thresholds by making smaller transactions.
k. The cryptoassets are held or used for transactions with privacy-enhancing features or products that obfuscate effective anti-money laundering and/or counter-terrorist financing controls, such as stealth addresses, atomic swaps, privacy coins, ring signatures, and IP anonymisers.
l. The cryptoasset originates from or is linked with, the darknet, unregulated exchange, fraud or other high-risk websites, such as gambling.
Examples of low-risk money laundering factors concerning cryptoasset businesses
The following are some factors that reduce the risk of money laundering and/or terrorist financing:
a. Low-risk nature e.g. small value savings or storage.
b. Low-risk nature and scope of the payment channel e.g. open-versus closed-loop systems or systems intended for micro-payments.
c. Imposed parameters e.g. restrictions in place for transaction amounts or account balance.
d. The source of the payment is the customer's own account or is to a jurisdiction regarded as being low risk.
e. The payment is of a low value.
Cryptoasset business risk assessment & management
a. Customer risk - a customer's profile would determine the level and type of ongoing monitoring and form part of your decision-making in assessing their application.
b. Product risk - this should focus on the features your firm is offering to the customer.
c. Transaction risk - the risk can be analysed by assessing the transaction information. The transaction should be risk-scored.
d. Delivery channel - this involves looking at how the customer can access your product or service. Where an intermediary exists, you should also assess the risks associated with them.
e. Geographical risk - this can relate to the customer's place of establishment. Information relating to the destination of funds will help the risk assessment of the geographical risk. Another risk could involve the cryptoasset firm understanding the cryptoasset regulations of the destination country.
Cryptoasset business risk mitigation measures
The following is an overview of some measures firms can implement to mitigate the risk of money laundering and terrorist financing:
a. Impose product and/or service restrictions:
i. Imposing transaction limits
ii. Imposing limits on the total value of privacy coins that may be held, stored, transferred or exchanged.
iii. Impose a time delay before a transaction is processed.
iv. Prohibiting transfers to certain third parties
b. Carry out customer due diligence (CDD)
i. CDD measures must be applied to all business relationships, including those relating to occasional transactions of EUR 15,000 or more. However, this threshold does not apply to cryptoasset exchange providers operating an ATM, in which case CDD must be applied to all transactions. CDD measures must also be applied where the cryptoasset firm suspects money laundering or terrorist financing or doubts the veracity or adequacy of the documents or information provided by the customer. CDD must also be applied where the risk profile of the customer has changed.
i. Simplified due diligence ('SDD')
Where the cryptoasset exchange or custodian wallet provider determines that the business relationship or transaction presents a low risk of money laundering and terrorist financing, the firm may apply simplified due diligence.
ii. Enhanced due diligence (‘EDD’)
Measures for enhanced due diligence include:
i. Verifying the identity information received from the customer, such as a passport, with information in third-party official/government databases or other reliable sources,
ii. Assessing publicly available information on the customer e.g. from the internet, for verifying activity information and ensuring it is consistent with the customer’s transaction profile,
iii. Tracing the customer’s IP address, and,
iv. Requesting data relating to transactions and trading history.
c. Blockchain analysis
d. Assessing the source and destination of the funds
e. Conducting KYC (know your customer)
i. This involves identifying and verifying the customer's identity, assessing the purpose and intended use of the account and taking reasonable steps to identify the beneficial owners (where business clients are concerned).
ii. The information collected as part of the KYC process could include the wallet address and the transaction hashes.
f. Conducting ongoing monitoring
i. Ongoing monitoring is required and will help firms to monitor suspicious behaviour and indicators of suspicious activity. Furthermore, ongoing monitoring enables firms to reassess the risk profile of the customer.
g. Record keeping
Cryptoasset firms are required to keep adequate records. Records held should include:
- The information relating to the identification and verification of relevant parties,
- The public keys (or equivalent identifiers) of relevant parties,
- The addresses or accounts involved (or equivalent identifiers),
- The nature (e.g., deposit, transfer, exchange) and date of transactions, and
- The amounts transferred.
h. Sanction screening
Sanctions obligations apply to cryptoasset exchanges and custodian wallet providers.
Managing and reporting suspicious transactions
Both cryptoasset exchanges and custodian wallet providers are required to report suspicious activities.
Where a suspicious activity is detected, under POCA, in relation to an incoming transfer of cryptoassets from an external party that cannot be stopped due to processes associated with the blockchain, the cryptoasset firm should restrict the actions that can be performed by its customer in relation to the suspicious funds, freeze the assets/funds (where possible) and report the suspicious activity.
Where the cryptoasset provider provides a service involving the facilitation of the trading of cryptoassets on behalf of a natural or legal person’s customers, and suspicious activity related to market abuse is identified, the firm should file a suspicious transaction and order report (STOR).
You should implement adequate measures to manage suspicious activities. For example, where incoming cryptoassets are deemed suspicious, the cryptoasset firm may wish to hold/pause those funds in a pooled account until adequate checks have taken place and clearance has been provided by the firm.
Cryptoasset business compliance requirements
1. Identifying money laundering and terrorist financing risks.
2. Assessing ML/TF risks related to new technologies.
3. Have in place appropriate policies, systems and controls to mitigate ML/TF risks.
4. Where appropriate and depending on your firm’s size and nature of its business, appoint a member of the board or senior management team to be responsible for compliance with the money laundering regulations as your nominated officer.
5. Where appropriate, depending on the size and nature of your business, establish an independent internal audit function.
6. Conduct screening of employees.
7. Conduct customer due diligence when entering into a business relationship or transaction.
8. Apply enhanced due diligence measures where a customer presents a higher ML/TF risk. A higher risk would be presented by a person deemed as a politically exposed person (PEP).
9. Conduct ongoing monitoring of all customers.
Registration fees for the FCA cryptoasset registration
£2,000 – for businesses with a cryptoasset income of up to £250,000
£10,000 – for businesses with a cryptoasset income of greater than £250,000
The UK cryptoasset registration information you will need to provide to the FCA
The FCA will need some key information about your business. This includes:
Programme of operations: setting out the specific cryptoasset activities for the business.
Business Plan: setting out the business objectives, customers, employees, governance, plans and projections. You should provide enough detail to show that the proposal has been carefully thought through and that the adequacy of financial and non-financial resources has been considered. You should also include details on the volume and value of transactions, number and type of clients, pricing and the main lines of income and expenses.
Marketing plan: including a description of customers and distribution channels.
Structural organisation: a description of how your business is structured and organised. You must include a description of relevant outsourcing arrangements if any.
Systems and controls: provide details of the key IT systems you will use to run the business, including details of IT security policies and procedures.
Details of individuals, beneficial owners and close links: directors and any other persons who are or will be responsible for the management must satisfy the regulator they have a good reputation and have the appropriate knowledge and experience to act in this capacity. A business will have to appoint a person to be responsible for MLRs compliance, monitor and manage compliance with policies, procedures and controls relating to money laundering and terrorist financing and act as the nominated officer under the Proceeds of Crime Act 2002.
The same person can be appointed to carry out any of these functions, but the FCA will expect them to have the knowledge, experience and training, a level of authority and independence, and sufficient access to resources and information to enable them to carry out that function.
Governance arrangements and internal control mechanisms: as part of registration, you will need to provide details of governance arrangements, the internal control mechanisms in place to identify and assess risks and a description of money laundering and counter-terrorist financing control measures in place.
Anti-Money Laundering/Counter-terrorist Finance framework and risk assessment: this should highlight the risks specific to your business model activities and provide details on how you mitigate those risks. You should also include Anti-Money Laundering/Counter-Terrorist Finance staff training material.
Business-wide risk assessment: with monitoring and mitigation policy.
All cryptoasset public keys/wallet addresses: this includes all of the cryptoasset addresses controlled by the business and used in the activity of the business for each cryptoasset that the business deals with.
Customer onboarding agreements and processes.
Customer due diligence and enhanced due diligence procedures, meeting the minimum standards required in the regulations.
Transaction monitoring procedures.
Record-keeping and recording procedures.
Business continuity plan.
Outsourcing arrangements policy and service license agreements.
Budget forecasts and financials for the first three financial years.
Money Laundering Reporting Individual forms for all directors, executives and officers.
Beneficial Owner forms for shareholders.
Choosing the right consulting partner
1. Expertise and Specialism within Banking, Payments and E-money
Banking, e-money and payment services are a specialist field, requiring prior expertise, knowledge and a specialist focus. You should ensure that your consultant specialises in this area as opposed to generalising in it. They should be comfortable explaining the technical aspects of this field, such as providing technical and regulatory requirements for license authorisation. The financial regulator will have conditions and expectations regarding different aspects of the application. For example, shareholders and management should be fit & proper, of good repute and have relevant experience and knowledge. A good consultant should be able to advise you on the regulatory requirements early on in order to manage your time effectively and minimise any delays or wrong decisions. It should be your consultant’s role to guide and advise you on best practices and the regulatory requirements. For example, we spend time advising clients from an early stage, in fact during the initial meeting and prior to taking on their application, of such requirements so that they are able to make an informed decision before investing their time.
2. Ability to access banking products and services
Setting up an e-money, payment or banking fintech goes beyond the scope of obtaining a license. You will require specialist banking facilities, such as client safeguarding accounts, and access to payment systems, such as SEPA and Swift. Furthermore, you will require systems and software to manage your business. It is therefore important that your consulting partner has a strong network of connections with banks, technology partners and regulators. For example, by working closely with partners, such as Visa, Mastercard, Wirecard, and central banks, we are able to help clients by arranging banking facilities, such as safeguarding accounts, issuing cards, and access to payment infrastructures, such as SWIFT and SEPA.
Communication between a consultant and their client is extremely important. They should be open to meeting with you if required or to discussing your project during an initial meeting, and thereafter have regular conversations with their clients. For example, we have at least a weekly telephone or conference call with our clients to discuss the progress of their license authorisation application or related project. This helps the client to understand the progress of their application and to report key information and developments to their management team or board. At the same time, it enables us to understand how the client is coming along in developing the operational aspect of their business.
4. International approach
Banking, electronic money and payment services are international in their very nature. As our clients grow internationally their needs change. Firms, therefore, require licenses, banking facilities, infrastructure and partners in international markets. We often find firms working with multiple legal, accounting and related firms. This can be challenging for such firms and often slows down their international growth. Furthermore, firms then must work with multiple partners within each country to manage different requirements e.g. company formation, accounting, legal, systems & IT, banks, and software vendors. This is further problematic when entering new markets. To manage these problems, our services are offered on an international level with offices strategically located in key jurisdictions across Europe and Asia. Our clients enjoy one point of contact for all their national and international requirements. This helps to remove any language barriers which they would otherwise face. Our services include accounting, legal, administrative and banking, which means that our clients can centralise their requirements with us.
5. Prior authorisation applications experience and success rate
Firms should ensure that their consulting partner has good knowledge and experience within banking, e-money and payment services. They should be able to demonstrate strong knowledge and experience within this area and be comfortable with explaining the legal and regulatory framework concerning banking, payment services, and electronic money. Your consulting partner should be able to share a client reference or provide client testimonials for similar past successful projects. For example, our website provides details of our recent work as well as the names of some of our clients.
What our clients say
"Buckingham Capital Consulting has been a reliable and trusted partner. They spent time understanding our business, people and processes and worked closely with us throughout the process. They completed our licensing application to a high standard and in a timely and efficient manner. We were delighted with how smooth the entire process was from the application preparation and submission but also with the case officer at the FCA. Buckingham Capital Consulting ensured that our licence was obtained in an efficient and smooth manner. The value and expertise they provide became obvious early on in the process. We highly recommend Buckingham Capital Consulting."