FCA rejection of crypto firm application shows importance of effective risk assessments

In a relatively rare crypto-related decision notice, the Financial Conduct Authority has chosen not to register a cryptoasset exchange provider due to poor anti-money laundering controls.

Learning the lessons from this decision:

• other crypto firms should note the importance of maintaining a comprehensive business-wide risk assessment as part of their implementation of the UK Money Laundering Regulations (MLRs), and
• applicants for registration should not underestimate the importance of submitting a well-developed business-wide risk assessment to the FCA as part of their application.

Why the FCA refused to register

Zeux Limited applied for registration under the MLRs in 2022. According to the FCA, the applicant’s anti-money laundering controls fell short of legislative requirements.

For example, the MLRs require cryptoasset exchange providers to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject. This business-wide risk assessment must consider the size, complexity and nature of the business.

Learning points for firms: Assessing risks

In this case the FCA identified several failings relating to the applicant's business-wide risk assessment, including in relation to:

• Comprehensive consideration of risk factors: The FCA indicates that it expects firms to consider all the risk factors listed in Regulation 18 MLRs as part of their business-wide risk assessment. For example, firms should show they have considered risks posed by:
  • their products and services, including the risk that cryptoassets could be used to transfer or disguise funds obtained from criminal activities, and
  • their target market, including if certain retail clients are subject to sanctions.
• Methodology: Firms should have a methodology for the business-wide risk assessment which includes the sources used, how to test the effectiveness of controls and how residual risk is calculated.
• Understanding risks: The FCA indicates that it expects firms to have a clear linear mapping of inherent risks, applicable controls and residual risk ratings.
• Identifying risks: Firms should take a systematic approach. Risk assessments should identify relevant risks, following which controls are implemented to mitigate those risks.
• National Risk Assessment: Firms should consider the National Risk Assessment requirements for cryptoassets in their business-wide risk assessments, including the risk that cryptoassets may be used to finance terrorist activity.

Other lessons to learn

On customer risk assessments, don’t take a one-dimensional approach, such as classifying all low-value deposits as low-risk. Instead, assess a customer against all relevant attributing risk factors (e.g. industry and geography). It may be helpful to adopt a scoring and weighting methodology.

For the pointier end of your AML policies – like enhanced due diligence and suspicious activity reporting to the National Crime Agency – double check that your policies precisely track the regulatory requirements and procedures.

Though previous regulatory action was not mentioned in this decision, realistically the more chequered a firm’s regulatory history the more difficult it may be to secure registration. In this case the firm agreed a VREQ in 2020 preventing it promoting or onboarding customers to an app-based yield-bearing “Easy Access Money Pot” which it then offered alongside crypto services. And in September 2023 the FCA imposed requirements preventing the firm carrying on any further regulated activities.

Registration for crypto firms

UK cryptoasset exchange providers and custodian wallet providers must register with the FCA and comply with the MLRs.

Since Zeux submitted its application in 2022, there is now more FCA guidance and more industry experience on the expected standards for cryptoasset registration applications. The FCA has also recently pledged to provide more pre-application support. Even so, applicant firms still frequently find that the FCA's expectations for elements of the application (for example, the business-wide risk assessment) appear to go beyond what is set out in public guidance.

Though made in January 2024, the decision was only published this month. The publication is welcome: it provides further insight into the FCA's thinking on this element of the MLRs and gives other firms an important opportunity to reassess their own standards against some of the FCA’s key AML compliance concerns.