Cryptoasset AML/CTF regime: Meeting the FCA’s expectations to register as a Cryptoasset Service Provider (“CASP”)

The popularity of Cryptoasset Service Providers (“CASPs”) has surged in recent years, driven by a combination of technological advancements, growing interest in cryptocurrencies and increased adoption by both retail and institutional investors. The role of the Financial Conduct Authority (“FCA”), the UK’s financial regulatory watchdog, in overseeing cryptoasset service providers in the UK has become increasingly significant as the popularity of these services grows. This article explores the FCA’s approach to the registration of CASPs and summarises the main requirements for a successful CASP application.

Background

Since January 10, 2020, the FCA has required all UK-based cryptoasset businesses, including exchanges and wallet providers, to register and comply with anti-money laundering (“AML”) and counter-terrorist financing (“CTF”) regulations, also known as the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLRs”). This requirement aims to enhance transparency and reduce the risks associated with financial crimes.

In the latest FCA statistics, as of June 1, 2024, only 14% of all the applications received have been successfully registered with the FCA since 2020. So, what does the FCA look for in a CASP application?

Main requirements

  1. Regulated activities: As a first step, establish which of the following regulated cryptoasset activities the applicant will be carrying out by way of business in the UK:
  • The exchange of fiat currency for cryptoassets or vice versa
  • Providing custodian wallets for storing cryptoassets on behalf of customers
  • The exchange of one cryptoassets for another
  • Operating cryptoasset ATMs
  • Facilitating the peer-to-peer exchange of fiat currencies and cryptoassets (both fiat-to-crypto and crypto-to-crypto)
  • Participation in Initial Coin Offerings (“ICO”)

Applicants should also take into consideration the following factors in determining whether the activities will be carried out by way of business in the UK:

  • Commercial element: Do you promote or conduct activities that imply you are offering cryptoasset services as part of your business operations?
  • Commercial benefit: Do you receive a direct or indirect benefit from providing this service?
  • Relevance to other business: How important is the cryptoasset activity in relation to the business’s other operations (cryptoasset activities might just be one segment of the business)?
  • Regularity/frequency: How often do you carry out this activity? Does the regularity of the activity indicate that it is being conducted as a business?

FCA registration may not be required if applicants do not intend to carry out cryptoasset activities by way of business in the UK.

  1. Appoint a Money Laundering Reporting Officer/Nominated Officer (“MLRO/NO”): The FCA expects the MLRO/NO to have a sufficient understanding of cryptoasset-related technologies and demonstrate adequate skills and experience to manage the money laundering, terrorist financing, and proliferation financing risks specific to the applicant’s business model.
  2. Business Plan: The applicant’s business plan must detail the business model, roles and responsibilities of business partners (e.g. sub-custodians), provide a comprehensive customer journey, flow-of-funds charts for both fiat and cryptoassets and realistic financial forecasts.
  3. Risk Assessment: A Business Wide Risk Assessment (“BWRA”) must also be prepared in accordance with the applicant’s business model. The BWRA should identify and assess the inherent risks of money laundering, terrorist financing and proliferation financing and include an exhaustive assessment of risk factors relating to the applicant’s customers, the countries in which it operates, its products/services, its transactions and its delivery channels.
  4. Policies, systems and controls: Applicants should demonstrate that they have appropriate policies, systems and controls in place to manage and mitigate the risks included in the BWRA. An AML Policy must also be submitted detailing the internal control mechanisms (e.g. customer risk assessment, due diligence procedures, transaction monitoring, suspicious activity reporting and training) established to ensure compliance with the MLRs.

How can Complyport help?

As experienced and leading Authorisation Consultants, we can assist you in identifying the right regulated cryptoasset activities based on your business model. Upon identification of the cryptoassets services, we can help you navigate the complex application requirements and guide you in the preparation of the required policies and procedures that need to be submitted.

Contact our team of Authorisation Consultants for personalised support. Complete the form below to book a free consultation

Facebook
Twitter
LinkedIn
COntact us for assistance

Please fill our free consultation form and a member of our team will get in contact with you.