The cryptocurrency industry has been making headlines, but often for the wrong reasons. From staggering fines and legal battles to accusations of facilitating illicit activities, crypto firms have found themselves in regulators' spotlight time and again. As a compliance consultant I've witnessed firsthand the challenges crypto startups face in their quest to establish legitimacy and adhere to evolving regulatory frameworks.
The consequences of non-compliance are severe – hefty penalties, executive arrests, reputational damage, and even the risk of losing operational licences. The $100 million fine slapped on BitMEX for violating anti-money laundering (AML) and know-your-customer (KYC) regulations was a wake up call, especially for the founders who found themselves the subject of legal action. Such incidents not only tarnish the company's credibility but also undermine trust in the broader crypto ecosystem, much of which is set up with the very best of intentions.
However, robust compliance measures can be a game-changer, transforming a firm's reputation from a regulatory risk to a reputation of legitimacy. By demonstrating a commitment to adhering to standards, crypto companies can please the regulator and attract investors who demand confidence in the security and legality of their investments.
Get the Basics Right
So, what steps can crypto firms take to enhance their compliance posture? First and foremost, with the adoption of the Fifth Money Laundering Directive (5MLD) into UK law, Crypto Asset firms are now required to be compliant with the MLRs and register with the FCA.
“cryptoasset” means a cryptographically secure digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically;" and “cryptoasset” includes a right to, or interest in, the cryptoasset." The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
Secondly, implementing robust AML and KYC procedures is essential. Leveraging decentralised identification (DID) systems and decentralised KYC solutions can be highly effective in preventing financial crimes and fraud while safeguarding user privacy.
The principal regulation that outlines the AML requirements and registration necessities for crypto companies in the UK is the Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR).
Amended several times since its inception, it has been updated to implement the EU’s AMLD5 in 2019 and the Travel Rule in 2022.
Depending on the type of assets a crypto firm deals with, other relevant laws could include the Financial Services and Markets Act 2000 (FSMA), the Regulated Activities Order 2001 (RAO), and the Electronic Money Regulations 2011 (EMRs).
Crypto firms, under the MLR 2017 and its subsequent amendments, can be broadly classified into two categories:
The first includes ‘crypto asset service providers,’ which encompasses firms that exchange one form of crypto asset for another or operate automated machines to exchange these assets for money.
The second includes ‘custodian wallet providers,’ which safeguard and administer crypto assets or private cryptographic keys for clients.
What services require FCA registration?
As indicated by the flow chart above, Crypto Businesses offering the following services are subject to the FCA's AML registration requirements:
Exchange of fiat currency for crypto assets
Providing custodian wallets for storing crypto assets on behalf of customers
Exchange of one crypto asset for another
Operating crypto asset ATMs (or similar machinery)
Facilitating peer-to-peer exchange of crypto assets
Participation in 'Initial Coin Offerings' (ICO)
It is important to note that whilst the services described above are based on a vague definition of crypto asset captured virtually all forms of crypto assets, including stablecoins
Security token dealing companies must register with the FCA. However, firms dealing with exchange and utility tokens are exempt. Before registering, companies should ascertain whether their activities fall under the purview of the FCA by assessing the nature and significance of their activities, the benefits they receive from these services, and whether the day-to-day management of these services is conducted from a UK-based office.
Multi-Jurisdiction Challenges
Additionally, as crypto operations often span multiple jurisdictions, companies must adapt their compliance programs to meet diverse local requirements while maintaining global minimum standards. This balancing act demands continuous monitoring of regulatory changes and swift adjustments to practices.
The registration requirements have a territorial limit, meaning that firms without any presence in the UK will not be subject to registration requirements. Crypto firms should apply caution however. In today's environment, careful consideration should be given to working with a decentralised work-force, whereby the employees, suppliers or contractors would be based outside of the UK, however the business operation (and its assets) are within the UK. In such cases, it is likely that the Crypto Business will be subject to registration requirements, provided that other aspects are met too.
UK crypto regulations are still not strong enough to prevent cross-border money laundering, but they are slowly improving.
New Monitoring Methods
Traditional compliance methods may not always be suitable for the decentralised and anonymous nature of cryptocurrencies. As such, firms should leverage blockchain-specific approaches, such as automated transaction monitoring systems, blockchain analytics, and smart contracts programmed to automatically perform compliance checks and generate reports.
Data Security
To address these data security issues, crypto asset firms in the UK must adopt a comprehensive approach to data security, encompassing people, processes, and technology. This includes implementing robust data security policies and procedures, investing in appropriate security technologies, and fostering a strong security culture within the organisation.
Additionally, firms should actively engage with the FCA and other relevant regulatory bodies to ensure compliance with evolving regulations and best practices.
Staff Training
Moreover, investing in staff training and education initiatives is crucial to keeping employees updated on the latest technological advancements, regulatory requirements, and best practices. Platforms like Blockgeeks or B9lab can provide valuable resources in this regard.
In my role as a compliance consultant, I've witnessed the transformative impact of robust compliance frameworks on crypto startups. By prioritising regulatory adherence, these firms not only mitigate risks but also position themselves as trustworthy and reputable players in a rapidly evolving industry.
View of the Regulator - The FCA
We continue to remind people that despite these new rules, cryptoassets remain high-risk and people should be prepared to lose all the money they invest.
Consumers should check the Warning List before making any investment in crypto assets. The list will help consumers make more informed investment decisions by finding details of unauthorised firms we’re aware of. It also helps consumers understand which firms may be providing or promoting financial services or products in the UK without our permission.
Beware of Financial Promotions
Invitations or inducements to engage in certain activities relating to crypto assets will fall within the FCA FinProm regime. Inducements include the giving of "free" cryptocurrency as a reward for opening an account or investing a certain amount, as well as other common marketing tools such as "refer a friend"’ bonuses, whilst invitations cover communications to the consumer where there is an element of request or persuasion. The rules significantly reduce a crypto firm’s ability to run such promotions by restricting both the promotion's content and the method by which it can be presented to consumers in the UK.
Authorised firms now need express permission from the FCA to approve financial promotions. This means that crypto asset firms must ensure that any authorised firm approving their financial promotions has the correct authorisation.
How we can help
At RRCA we have been helping crypto asset firms in various ways, from assessing their exposure to FCA registration requirements (under 5 MLD) as well supporting internal AML/CTR processes. Our expert team is here to help firms:
Understand when and how a business needs to be regulated by the FCA and prepare and manage the FCA application
Prepare and manage the 5MLD registration application
Develop and implement the systems, controls, policies and procedures required of a regulated firm
Keep up to speed with regulatory developments with board briefings, and train executives to understand regulation and their responsibilities
Set up back-office processes and suppliers (e.g. banking, accounting, etc.)
Assess exposure to any other regulatory regimes (in case of cross-border trading)
As the regulatory landscape continues to shift, crypto companies must remain vigilant and proactive, embracing compliance not as a burden but as a catalyst for building a more secure and sustainable ecosystem. With the right expertise and guidance, navigating the crypto compliance labyrinth becomes a surmountable challenge, paving the way for innovation and growth.