How should you classify cryptoasset firms for anti-money laundering and customer due diligence?

By Michelle Bailey

I recently listened to a webinar discussing the complexities of cryptocurrency and the AML/CDD checks completed when onboarding a Cryptoasset exchange provider. During the webinar, one of the speakers suggested that, in order to tighten controls around cryptocurrency firms, they should be subject to specific AML onboarding requirements. This got me thinking: should cryptocurrency firms have their own AML category? Should guidance be created specifically for the customer due diligence documentation requirements for Crypto firms and, if so, what could be included?

Some background (firms in the UK)

“From 10 January 2020, the FCA became the anti-money laundering and counter terrorist financing (AML/CTF) supervisor for these types of firms, which includes firms that exchange money to and from cryptoassets and those that safeguard their customers’ cryptoassets. From this date, ‘existing cryptoasset businesses’ (ie firms operating immediately before 10 January 2020) have had to comply with the Money Laundering Regulations; such firms were required to be registered with the FCA by 10 January 2021. The FCA have granted temporary registration to these firms and an extension from 9 July 2021 to 31 March 2022 for existing cryptoasset firms who were granted this temporary registration and whose application is currently pending.

New businesses (who began operating after 10 January 2020), are required to obtain full registration with the FCA before conducting business.” [Source: FCA, December 16th, 2020]

So, what does this mean in practice?

Many cryptocurrency firms in the UK are currently undergoing this registration process. Once they are approved, are they then classed as a regulated entity for AML purposes and subject to simplified due diligence? What about firms that decide to go the route of an e-money licence? What happens if the firm is refused registration?

Cryptoasset exchange providers aren’t listed exchanges and therefore could be put into the AML category ‘corporate body’, which, depending on the risk category, could lead to a long list of requirements, from incorporation documents to evidence of directors and shareholders, and even ID documents. JMLSG guidance outlines the following Enhanced Due Diligence measures applicable to cryptoasset exchange providers:

  • Corroborating the identity information received from the customer, such as a national identity number, with information in third-party databases or other reliable sources;

  • Searching the Internet for corroborating activity information consistent with the customer’s transaction profile, provided that the data collection is in line with UK privacy legislation;

  • Tracing the customer’s IP address; and

  • Requesting data relating to transaction and trading history

[Source: JMLSG Prevention of money laundering/ combating terrorist financing 2020 REVISED VERSION GUIDANCE FOR THE UK FINANCIAL SECTOR PART II: SECTORAL GUIDANCE June 2020 (amended July 2020)]

But many of the Cryptoasset exchange providers are newly incorporated and therefore won’t yet have standard documents like audited financials, so how reliable is their documentation if they can’t show evidence of longevity? Something else that came up in the webinar was the importance of obtaining a cryptoasset client’s AML policy or an AML statement in order to ensure that the firm adheres to UK/EU money laundering and terrorist financing standards or equivalent. In my opinion this document is essential for ATM clients, where a firm won’t know the clients of the ATM provider nor do they have an obligation to do so. But should it be necessary for Cryptoasset exchange providers, due to the very nature of Cryptoasset business being high risk? Should there be any differences? It’s hard to see a reason for differences. Although each firm is taking its own risk-based approach, the risks are ostensibly the same if you are onboarding an ATM provider; the key risk being that you cannot know for sure whether the source of funds for the ATM provider’s transactions with you are the proceeds of crime or not.

This also opens another question: what risk category should be applied to a cryptoasset firm? The UK national risk assessment 2021 upgraded cryptoasset risk to Medium, compared to 2017 when it was Low. As a result, should all firms onboarding a cryptoasset client categorise them as medium risk at a minimum? What about firms in the UK mentioned above who are going through the registration process: should they also be medium risk, or low risk once they are authorised?

What are the FCA saying about this?

We cannot know for sure, but…

We understand that the FCA won’t accept that a cryptoasset firm can fall into a lower risk/simplified due diligence category. With this in mind, should there be some specific guidance from the FCA outlining what they believe to be the AML requirements for cryptoasset firms?

We understand that the FCA take the view that all but the largest of cryptoasset firms are high risk and, albeit anecdotal, the evidence for this is in the very low number of firms that have managed to get registered. Looking closely at the list, at least one firm was already an authorised e-money firm and there do not seem to be many new entrants. To date, the FCA have only approved 19 applications for full registration and there are 46 firms still on a temporary registration, with around 60 firms withdrawing their application altogether.

This got me thinking…

What about gambling? The UK risk assessment classes gambling as low risk (really? The financial services sector seems to take a different view), and JMLSG guidance states that there is a higher level of risk associated with this type of entity; however, it doesn’t outline any clear guidance for document requirements. None of the firms we are speaking to will onboard a gambling firm, and at the moment only remote and non-remote casinos are subject to the Money Laundering Regulations; all other gambling is subject to the Gambling Act 2005 regulations. Gambling presents a very simple way to launder the proceeds of crime, especially if, as a criminal or criminal advisor, you are familiar with the CDD process in that sector. You can be a customer up to a certain amount without going through what any financial services professional would recognise as real CDD. The CDD threshold is triggered by transactions of €2,000 or more, whether in a single transaction or across several operations which appear to be linked. It should be noted that the UK Gambling Commission does provide guidance on CDD measures, which begs the question: does the UK need an organisation like this to help define AML requirements for Cryptoasset firms, or, because these firms are now required to be registered with the FCA, should existing guidance be updated to be more inclusive of this onboarding type?

You may be thinking…

This blog asks more questions than it answers. Perhaps, but that’s ok if it gets people thinking… In the last 5 years there has been an enormous increase in the number of Cryptoasset exchange providers and in general interest in crypto. To date the FCA have approved fewer than 20% of UK firms undergoing authorisation, so with this in mind it appears that more guidance needs to be put in place to help firms who want to onboard Cryptoasset exchange providers and those firms who are undergoing their FCA authorisation process, as this area of business is only likely to increase in popularity and scrutiny in the future.

If risk categories become prescriptive rather than ‘risk based’, then decisions made now about AML requirements for Cryptoasset firms can have a knock-on effect on other areas of the business. Should they need to be revised or reversed in the future due to regulation changes, we need to make sure we are getting it right from the start so as not to affect business continuity.

And finally…

Is the industry spending too much time on anti-financial crime compliance, rather than thinking about what measures they need to put in place to starve criminals of resources? Does a tick-box approach to anti-financial crime work? We don’t think so, and that is a subject for a future blog, perhaps.
