Successful UK cryptobusiness registration
Five top tips
24 June 2021
The FCA announced on 3 June 2021 that it is extending the end date of the Temporary Registration Regime from 9 July 2021 to 31 March 2022 for existing cryptoasset businesses. This extension is welcomed as the FCA have registered only five cryptoasset businesses to date, and it is a criminal offence under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) to operate a cryptoasset business without such registration.
In its announcement, the FCA noted that many applicants are not meeting the standards required under the MLRs. This may be as a result of the FCA applying analogous high standards when assessing the fitness and propriety of a cryptoasset business as would be applied to in the context of applications under the Financial Services and Markets Act 2000 (FSMA).
For previously unregulated firms or start-ups this could be an unfamiliar assessment considering that cryptoasset services providers may not be accustomed to being scrutinised in this way. It is therefore important that those classed as cryptoasset exchange providers or custodian wallet providers under the MLRs seek trusted advisors who are well versed in assisting applicants with meeting the required FCA fit and proper standards.
Below we set out our top tips for a successful registration application:
- Strong programme of operations: The FCA requires applicants to submit corporate documentation such as articles of association and other general information. Importantly, the application also requires details of the proposed regulated cryptoasset activities the applicant intends to provide as well as the projected volumes and values of these activities. This may not be as easy to provide for where activities have not yet commenced. In this case, the use of assumptions and estimates or projections should always be underpinned by a clear description of these assumptions and, in particular, consideration of whether these assumptions would remain true in stressed market conditions.
- Regulatory business plan: The objective of the business plan is to demonstrate to the FCA that the proposal has been thought through in sufficient detail. Applicants may be tempted to rely on relatively general business plans provided by advisors.
In our experience, the business plan should be as tailored as possible to the applicant, reflecting its individual circumstances and, in particular, outline any perceived risks to operational systems and any anti-money laundering compliance processes.
It is important to remember that the business plan is being assessed in respect of the requirements of the MLRs. To this end, the FCA must be satisfied that the applicant has the right systems and controls in place to comply with the MLRs, including by reference to guidance such as that of the Joint Money Laundering Steering Group (JMLSG). However, the FCA must also be satisfied that the applicant is fit and proper to carry out its cryptoasset business, and so it is useful to consider guidance that is relevant to obtaining authorisation from the FCA as a regulated firm under FSMA and apply it by analogy.
For example, the FCA states that the business plan must demonstrate the adequacy of financial and non-financial resources. This means that the applicant must satisfy the FCA that all financial resources, non-financial resources and means of managing its resources (for example capital, provisions against liabilities, holdings of or access to cash and other liquid assets, human resources and all relevant systems and technology used to operate the business) are "adequate"; in other words, sufficient in terms of quantity, quality and availability. How this is demonstrated will depend on the size and complexity of each individual business. However, in all cases, it is important to show that systems and controls will be able to cope with the size of the business and projections.
- Governance arrangements and internal control mechanisms: The reason for including a description of governance arrangements and internal control mechanisms is so that the FCA can understand the internal processes of the cryptoasset business, in particular whether risk management frameworks and decision-making processes are adequate. The MLRs require that in addition to the applicant, the applicant's managers, its beneficial owners and its agents (Key Persons) are fit and proper.
Again, it is likely that some of the points set out under the FIT module of the FCA handbook would be relevant. Key Persons will be assessed for honesty, integrity and reputation as well as competence and capability (including financial soundness).
In respect of honesty, integrity and reputation, this is a factual consideration in respect of each applicant. The general principle is to be as transparent as possible. Generally, the FCA takes into account all disclosed matters and decides in light of the specific involvement of the individual whether, in the circumstances of the application and intended activities, something suggests that the Key Person is not fit and proper.
Regarding competence and capability, the FCA will consider the complexity of a particular business as a whole and consider whether, in light of the business plan, all Key Persons and their involvement allow the FCA to be satisfied that the applicant is fit and proper. This means that all persons must have requisite knowledge to perform their functions. However, it is also possible for applicants to supplement and enhance the competence and capability of the management body as a collective by bringing in additional Key Persons with sufficient decision-making authority.
- Internal controls: The FCA has a particular interest in understanding how the cryptoasset business relies on third-party providers, especially in the context of outsourcing and considerations of operational resilience. The application must provide sufficient detail in respect of any aspect of the business which relies on a third-party provider. In this context it is necessary to ensure that the applicant understands the service provided by any third party and is able to demonstrate that it has a proportionate risk management framework in place allowing it to manage or avoid the impact of any failure of third-party providers.
It will be important to develop and clearly demonstrate within the application itself how the cryptoasset business ensures there are adequate policies, procedures and protections that can effectively manage the risks posed to the applicant by making use of outsourcing or third-party providers. In our experience, including contingency measures in the event there are disruptions with a third-party provider is a good way of demonstrating this. In addition to this, where the cryptoasset business is outsourcing services or functions then it should ensure it has developed policies to adequately assess the standard to which these products or services are supplied and to ensure it has regular interaction with third-party providers to understand how these products or services are delivered to customers.
- Obligations under money laundering and terrorist financing legislation: This is a key area of the application and is perhaps the area most likely to be unfamiliar to previously unregulated firms or start-ups. The FCA is aiming to identify how the cryptoasset business recognises these risks and how they are mitigated. The application must first demonstrate what risks the cryptoasset business has identified in relation to this area and then outline the policies and procedures it has in place to address these risks. Details of the internal systems and controls used by the cryptoasset business, such as compliance measures, training materials used, and the details of the individual(s) responsible for these internal systems and controls must be included in the application.
A cryptoasset business may choose to use a third-party provider to handle its anti-money laundering obligations. However, as responsibility cannot be outsourced, ultimately the responsibility for any failings in this regard will rest with the cryptoasset business. When using these providers, it is important to consider how that particular arrangement will apply to the proposed regulated activities. This is important as the focus of the test in this context will be the ability of these arrangements to meet the requirements of the MLRs. The JMLSG provides guidance on how cryptoasset businesses can comply with the MLRs. The FCA is likely to assess the applicant's money laundering and counter terrorist proposals in light of the guidance set out by the JMLSG (the guidance having been approved by HM Treasury and the FCA being obliged to consider it when assessing firms' compliance with the MLRs). It is therefore important that all anti-money laundering processes and policies, whether these are developed internally or provided by a third-party, incorporate both general and cryptoasset specific guidance provided by the JMLSG. For example, having a requirement to obtain wallet addresses as part of the customer due diligence process.
In conclusion, the key to successful registration with the FCA for a cryptoasset business is to provide well thought through and detailed information that is tailored specifically to the applicant and that takes into account the specific circumstances of the proposed business model. The applicant should put forward a strong management team which on the whole is able to identify and effectively manage and mitigate any anticipated risks. Any dependency on third party providers must have been assessed by the applicant to identify, mitigate and manage potential risks and, where necessary, the applicant should be in a position to explain how any already identified issues will be addressed. Much of this work will require detailed internal consideration, but also careful consideration of the technical standards and guidance. A trusted advisor with experience in making applications for regulated businesses can identify potential issues upfront and help to tailor application packs so that the FCA is able to make its assessment in an efficient and expedient manner.