Crypto and the FCA’s Authorisation Gateway: lessons for firms

07th June 2022 | Blogs , News

Crypto and the FCA’s Authorisation Gateway: lessons for firms

Rachel Waggott, Head of Regulatory Affairs at Innovate Finance

7 June 2022

 

Over the last year, arguably the biggest regulatory challenge facing crypto asset providers in the UK has been FCA registration for anti-money laundering (“AML”) and counter-terrorist financing (“CTF”).  Industry has been critical of the speed and process. 

Given many firms continue to apply for these authorisations, we thought it would be helpful to share the FCA side of the story to provide an insight which may help firms prepare and understand the regulator’s perspective.

Context

The FCA is the AML and CTF supervisor of UK cryptoasset businesses under the 2017 Money Laundering Regulations (“MLR”), having taken on this remit from 10 January 2020. All new cryptoasset businesses that intend to begin to trade in the UK must be registered with the FCA before conducting business. 

The FCA’s Temporary Registration Regime (‘TRR’) – created to allow crypto firms that applied for registration before 16 December 2020, and whose applications were still being assessed, to continue trading – has now ended as of 31 March 2022. All but a handful of firms have been granted an extension to their temporary registration status.

The FCA has received c. 220 applications that qualify for assessment via its AML/CTF authorisation gateway, to date. Ninety percent of applications reviewed by the FCA fell below standards expected of firms under the MLR, which has led to an unprecedented number of applications being withdrawn or rejected. 

Given the UK Government recently unveiled its ambitious vision for the crypto sector in the UK, Innovate Finance sat down with the FCA’s Supervisory team to unpack lessons learned to inform firms’ applications. The FCA is keen to support more crypto firms to become registered in the UK; the regulator recognises the potential benefits that this can deliver to domestic competition in the payments sector and the broader international competitiveness of the UK as a place to do business.

Wider public and regulatory policy backdrop

The AML/CTF authorisation gateway marked the first stage in the UK’s attempts to mitigate the financial crime risks associated with a largely unregulated cryptoasset industry. More recently HM Treasury and the FCA have announced a proposed extension of the financial promotions regime to certain cryptoassets – the second stage to introduce consumer protections (see our blog for further information). And at the Innovate Finance Global Summit in April, the Government articulated its vision for the UK to become a leading, global hub for crypto with further proposed amendments to the regulatory and legislative framework to support this ambition (see this blog for more information).

General observations and lessons learned

The FCA’s general observations on the makeup of unsuccessful applications is that they pointed to the immaturity of firms, rather than anything more untoward (though there is a small percentage of applications submitted by bad actors). There are no public-facing examples of successful applications as the regulator has concerns that these would be replicated – the FCA stressed there is not a ‘one size fits all’ approach, and the Supervisory team can detect if firms are mirroring others’ applications.

The FCA undertakes a holistic assessment of firms presenting themselves at the authorisation gateway – this assessment includes but is not limited to:

  • business model, programme of operations and regulatory history;
  • AML/CTF and enterprise-wide risk assessments;
  • systems and controls, including governance arrangements;
  • firm structure; and
  • fitness and propriety of management, including their knowledge, skills and experience.

Note that this does not just focus on the specific AML/CTF safeguards. In terms of assessing risks of facilitating money laundering, the FCA also looks at corporate governance, management capability and the wider control framework – to provide confidence in the effective application of specific AML and CTF controls.

Business model, programme of operations and regulatory history

A number of firms perform wide-ranging activities, some falling inside and outside of the current regulatory perimeter – however, these activities are not clearly outlined in applications. Firms should take care to present a complete and accurate picture of the products and services offered.  

Where firms undertake a range of activities, taking e-money activities as an example, it can be challenging to pinpoint where these activities stop and where crypto begins. In these instances, the regulator looks through the lens of the consumer to identify where potential harms can arise (e.g. at what point are funds no longer safeguarded). The FCA has seen good examples from firms that recognise the distinction in their business models and utilise in-app pop ups to create ‘boundary markers’, which enables consumers to make informed decisions.

Firms’ business models often set out ambitious growth plans, and financial resilience is a key consideration for the regulator. Firms should articulate well considered back-up plans, in the event that growth does not match projected forecasts

The FCA would also encourage firms to submit an application only when the business model and the full suite of products and services are finalised: changes to business plans and offerings during the course of the regulator’s assessment of an application causes delays to the process, and firms will be requested to re-submit their applications with up-to-date information.

Risk Assessments, Systems and Controls, and Governance

The trend amongst unsuccessful applications is a failure to evidence robust systems and controls in place with respect to AML and CTF. Immaturity of firms’ systems and controls often sits alongside underdeveloped risk assessments, which creates the perception that regulatory obligations are not being taken seriously (the FCA cited the example of a risk assessment being one paragraph in length).

Successful applications describe the AML/CTF framework and risk assessment alongside an enterprise-wide risk assessment with monitoring and mitigation policy. Additionally, applications should detail governance arrangements, which act as effective internal control mechanisms to identify and assess risks.

Firm structure 

Firms should set out how the business is structured and organised, including the details of any outsourcing arrangements with third parties (if applicable). 

Fit and proper test for employees and senior management

Persons responsible for the management of the firm must satisfy the FCA that they have a good reputation as well as the appropriate knowledge and skills. A firm must appoint someone to be responsible for compliance with the UK’s Money Laundering Regulations, to monitor a​​nd manage compliance with policies, procedures and controls relating to AML and CTF and to act as the Nominated Officer under the Proceeds of Crime Act 2002.

Unsuccessful applications have included cases where the regulator uncovered criminal backgrounds or other adverse information regarding employees.

The FCA will also complete due diligence on beneficial owners and others with close links to the firm.

FCA commitments to improve service delivery and create proportionate regulatory policy

The FCA’s senior leadership team is cognisant of criticisms levelled against the regulator in relation to the time taken to process crypto firms’ registration applications. In light of this, the regulator is actively recruiting for additional staff in the Authorisations department – there will be a net increase of 100 FTE across the department.

Additionally, earlier this month the FCA hosted its first CryptoSprint on 10 and 11 May. This  focused on informing regulatory policy changes based on evolving technologies. This policy hackathon brought together the regulators and industry to work collaboratively on three specific problem statements (including crypto asset disclosure requirements for investors and how to regulate custodial activities), to explore the challenges facing the industry and provide an opportunity to collaborate on policy developments. 

Further reading

The FCA has a crypto-asset business registration flowchart, here, which provides signposting on whether registration is or is not likely to be required. Where registration is required, applicants must fill out an online form and submit this via Connect as well as pay a registration fee. 

At present, fewer than 35 crypto asset firms are registered with the FCA for anti-money laundering and counter-terrorist financing purposes. The FCA also maintains a list of those UK businesses who appear to be carrying on cryptoasset activity and are not registered with the FCA for anti-money laundering purposes (and are therefore not authorised by the FCA)

The FCA’s 2020/21 Perimeter Report has more information (see page 32 ff) about possible changes to the regulatory perimeter. 

At Innovate Finance we are working with responsible crypto firms who wish to operate within a regulated environment as a way of providing trust and confidence in innovative products and services. We are working to strengthen the understanding between firms and policy makers and identify what further steps can be taken to create a supportive environment for crypto innovation in the UK, in ways that support competition and protect consumers.

If you would like to get updates on this and other FinTech-related policy issues and insights, you can sign up here to our policy newsletters.

  1. https://register.fca.org.uk/servlet/servlet.FileDownload?file=0154G0000062BtF
  2. https://register.fca.org.uk/s/search?predefined=CA
  3. https://register.fca.org.uk/s/search?predefined=U
  4. https://www.fca.org.uk/publication/annual-reports/perimeter-report-2020-21.pdf