Feedback on good and poor quality applications made to us under money laundering regulations. Read this feedback to help you prepare your application for registration.
This feedback is not exhaustive and should be viewed together with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017[1], as amended (MLRs), relevant guidance and the information on our website about registration applications[2] from cryptoasset businesses.
The FCA will take all relevant matters into account when assessing applications for registration.
The standards we hold firms to are important for protecting people and our markets, as well as supporting the industry's growth and competition. Read more about the harms we see in the market in our cryptoasset registration blog[3].
Background and registration statistics
The FCA has been the anti-money laundering and counter-terrorist financing (AML/CTF) supervisor of UK cryptoasset businesses since 10 January 2020.
See a summary of the applications for registration that we have received and the outcomes of the applications that have been determined, as at 1 November 2024.
| | Last month | Previous 12 months | Since Jan 2020 |
|---|---|---|---|
| Applications received | 1 | 32 | 365 |
| Applications determined | | | |
| Registered | 0 | 3 (10%) | 48 (14%) |
| Rejected | 1 | 10 (32%) | 43 (12%) |
| Withdrawn | 1 | 15 (48%) | 241 (70%) |
| Refused | 0 | 3 (10%) | 13 (4%) |
| Total | 2 | 31 | 345 |
About the data
We have rejected submissions that didn’t include key components necessary for us to carry out an assessment, or where the poor quality of key components meant the submission was invalid.
The table does not include information on any appeals following our decisions to refuse applications.
Who this is for
- current and potential cryptoasset applicants
- consultants and trade associations
Before preparing an application
What you need to do
Review the MLRs[4]
We expect applicants to demonstrate an understanding of the UK AML registration regime as set out in the MLRs[4].
Establish if the applicant will be carrying out in-scope cryptoasset activity
Refer to this flowchart[5] and consider if the applicant will be carrying on relevant cryptoasset activities by way of business, as set out in Regulation 14A of the MLRs[5].
Also consider if the applicant will be carrying on business in the UK as set out in Regulations 8 and 9 of the MLRs[7].
If any cryptoasset firm, based in the UK or overseas, intends to market to UK consumers from 8 October 2023, we expect them to lawfully communicate their promotions in line with our financial promotion rules for cryptoassets. More information can be found in PS23/6: Financial promotion rules for cryptoassets[3].
Consider seeking independent legal/compliance advice
Where relevant, applicants should consider seeking independent legal/compliance advice as part of preparing an application.
In particular, they should carefully consider the nature of the products and applicable regulations. For example, whether the products may be considered as a collective investment scheme, a derivative or a security.
Review the information on our webpages and the registration form
Applicants should review all of the information on our webpages[4], register[5] on our Connect[6] system (which will be used to submit an application) and review the cryptoasset registration form.
This will help them understand the information and documents that we require and the level of detail we expect in those documents.
For applicants with innovative business models, we provide support[7] to firms that meet the eligibility criteria.
Appoint an MLRO
Under Money Laundering Regulations 21(3) the applicant must appoint a Money Laundering Reporting Officer (MLRO)/Nominated Officer. We expect this individual to have relevant knowledge of UK regulation, experience and training as well as a level of authority, independence and sufficient access to resources and information, to enable them to monitor and manage compliance with policies, procedures and controls to carry out their roles and responsibilities under the MLRs. We expect the MLRO/Nominated Officer to receive disclosures under the Proceeds of Crime Act (POCA) and Terrorism Act (TA) and fulfil their legal obligation where knowledge or suspicion arises.
We will assess the fitness and propriety of the MLRO/Nominated Officer. This includes assessing whether they have acted and may be expected to act with probity. We will also assess whether the MLRO has adequate skills and experience to act in the role. We will refuse applications where the MLRO lacks fitness and propriety.
The MLRO/Nominated Officer should have a sufficient understanding of cryptoasset-related technologies. They should also demonstrate that they have adequate skills and experience to manage the particular money laundering, terrorist finance and proliferation finance risks inherent within the applicant’s business model.
We will look carefully at MLRO/Nominated Officers who are not based in the UK. Fitness and Propriety interviews are normally arranged at one of the FCA offices and we generally expect candidates to be able to attend these in person. We will also look carefully if they have a track record of regularly resigning from successful applicants once these applicants are registered or authorised and then joining another new applicant seeking authorisation or registration.
We expect that the MLRO will be fully involved in the preparation of the application.
When preparing an application
What you need to do
Business plan
The applicant’s business plan should include details of its business model, roles and responsibilities of business partners (such as service providers, brokers, introducers, sub-custodians and outsourcing partners), sources of liquidity, detailed customer journey and flow-of-funds (fiat and cryptoassets both) charts.
Applicants should not submit business plans that do not include forecasts or which provide unrealistic forecasts on financials, staffing, marketing plans, customer breakdown or any other component of the plan.
Applicants should also not submit business plans that focus only on the business model and commercial aspects without any description of its compliance oversight, risk mitigation and financial controls, especially for its cryptoasset holdings.
For example, does the applicant have arrangements to segregate its customers’ fiat or cryptoassets from its own fiat or cryptoassets, is the customer flow of funds and cryptoassets unambiguous, and is there clarity on the applicant’s responsibilities regarding its custodial holdings and transparency around its reserves?
Comprehensive description of products and services
An application should include a comprehensive and accurate description of the applicant’s products and services. This should include, where applicable, a cryptoasset token vetting policy, detailed description of how dependent it is on external ecosystems for liquidity, custodian services and underlying smart contracts/DeFi implementations.
This also includes a description of any cryptoassets native to or otherwise associated with the applicant and relevant whitepapers, token classification and functionalities assigned within the business.
Risk assessment and management
Applicants must demonstrate a thorough understanding of the risks from dealing in cryptoassets and design a Business-Wide Risk Assessment (BWRA) that is tailored to its business model. In addition to the AML/CTF risks, the BWRA should identify and assess any proliferation financing risks[8] to which the applicant’s business is subject.
We will not approve an application where the applicant has an incorrect understanding of the risks associated with cryptoasset products or it has not considered the additional risks from combining new cryptoasset-related services or products with its ongoing business model.
We have found that many applicants do not effectively identify and assess the inherent risks of money laundering, terrorist financing and proliferation financing to which their business is subject. The BWRA should include an exhaustive assessment of risk factors highlighted in Regulation 18(2)(b) of the MLRs. Further information can be found in the JMLSG Guidance (Part 1 Sections 4.11-4.23).
Whilst sections 4.19 to 4.22 directly pertain to firms authorised under Part 4A of FSMA, they will likely be useful to applicants seeking cryptoasset registration. We expect applicants to provide us with their risk assessment methodology outlining the steps taken to produce their risk assessment, including appropriate risk weightings, the identification of inherent risks, evaluation of applied controls and conclusion of residual risk.
We have found that applicants often mistakenly identify control failings as inherent risks. For instance, we have seen applicant firms identify and document inadequate customer due diligence collected and performed by them as an inherent risk in their business. This is in fact a failure of the applicant firm’s controls. An example of an inherent risk might be transactions to or from a high-risk country where credible sources have identified that country as not having effective systems to counter money laundering, terrorist financing or proliferation finance.
We will not approve an application where the business plan and risk management framework do not adequately explain the applicant’s cryptoasset-related activities, the risks and how these are mitigated through the corresponding controls.
Policies, systems & controls
Applicants should have policies, systems and controls in place to appropriately manage and mitigate the risks identified in the BWRA. We will also expect applicants to adequately evidence their assessment of the strength of these controls.
For example, controls regarding a reliance on external ecosystems for liquidity, considerations about the extent of interoperability of the applicant’s products, market-maker related risk mitigation, controls around native token trading, white labelling services, unusual B2B models, sub-custodian services or reliance on peer-to-peer platforms.
Applicants should also be prepared to explain the rationale if they consider certain standard controls do not apply (for instance, due to the limited scope of their business model).
Applicants’ policies and procedures should demonstrate how the AML framework operates on a day-to-day basis, including individual components such as, but not limited to: BWRA, Customer Risk Assessment, Due Diligence, Screening, Transaction Monitoring, Suspicious Activity Reporting and Training.
We will not approve an application where the applicant has an underdeveloped AML framework or a weak governance structure. For instance, where the applicant as part of its customer risk-scoring does not conduct a holistic assessment of the risk presented by a customer and does not take into account the risk-based approach highlighted in JMLSG Guidance (Part I Section 4.33).
An applicant should provide a clear methodology used for risk-scoring its customers, which drives the level of due diligence the applicant firm is required to conduct. Applicants should also consider enhanced due diligence triggers, levels of ongoing monitoring and the frequency of periodic reviews.
Applicants should not submit generic/off-the-shelf policies and procedures that do not align with their business model or that contain obsolete documents not designed for or adapted to the proposed cryptoasset activities.
For instance, we have seen some applicants refer in their documentation to Retail Customers when in fact their business model is to onboard Institutional customers only.
Transaction monitoring and blockchain analysis coverage
The applicant should demonstrate that it has effective transaction monitoring and blockchain analysis, adequate for its size and complexity. This includes both fiat and cryptoasset transactions (where appropriate).
It must have sufficient compliance resources to monitor transactions, and to carry out alert escalation and treatment. It should demonstrate adequate coverage by its blockchain analysis and fiat based tools of various types of currencies and transactions.
The applicant should not have compliance staff that lack the skills to carry out blockchain investigations despite having blockchain analytics tools.
Transaction Monitoring tools should be tailored to the applicant’s business offering and customer population and should be reviewed on a regular basis to ensure all rules, thresholds and scenarios remain appropriate.
Group structure and reliance on group policies and procedures
The application must focus on the applicant’s business model and explain how its proposed cryptoasset activities relate to the MLRs. The application must demonstrate how the applicant, and any officer, manager and beneficial owner of the applicant, will comply with the MLRs.
It should provide a clear and complete description of its organisation and proposed management structure. It should include details of key individuals, their responsibilities and relevant expertise - providing individuals’ CVs, relevant qualifications and description of their responsibilities.
We will not approve an application where the applicant relies solely on group policies and procedures, but it is unclear how they apply to the applicant and where they do not demonstrate the applicant's compliance with the MLRs.
Where applicable, the applicant should include a clear description of the applicant’s group structure, ongoing activities, relevant jurisdictions and details of regulatory status.
Outsourcing
An applicant must provide complete information regarding its outsourcing arrangements, both within and outside the group, as well as within and outside the UK.
There must be robust oversight to ensure that outsource providers comply with the requirements of the MLRs while recognising that the applicant remains ultimately responsible.
We will not approve an application where the applicant fails to provide its policies around outsourcing and the service level agreements in its submission. We will also not approve it if it fails to demonstrate sufficient oversight of the outsourced activities or fails to evidence that appropriate assurance testing of the outsourced activities will take place.
Training
The applicant must be able to evidence staff training material tailored to its particular business model and associated AML/CTF/PF risks along with its annual training plan.
Where the applicant hires external consultants to develop its AML framework, it must demonstrate a comprehensive understanding of this framework and that there is a comprehensive training plan that enables staff to effectively implement the framework.
We will not approve an application where the applicant has an inadequate training plan or lacks the resources to deliver that training. For example, where training is not delivered on a regular basis to all staff including new joiners, where an MLRO/Nominated Officer with no AML experience is attempting to provide in-house training to staff, or where the staff training completion rates are unsatisfactory.
Suspicious Activity Reporting
The applicant’s Suspicious Activity Reporting (SAR) policy must fully cover all of its business including its cryptoasset-related activities. Staff should be made aware of how to recognise and deal with suspicious activity.
We will not approve an application where the SAR policy does not highlight a clear route of escalation internally to the MLRO/Nominated Officer as well as externally to the National Crime Agency (NCA). We would expect to see reference within the SAR policy to tipping off and the circumstances where the applicant firm may need to consider a Defence Against Money Laundering (DAML) SAR.
Disclosures
We will expect evidence that the applicant will proactively inform customers that the applicant’s cryptoasset activities will not be within the scope of the Financial Ombudsman Service[9] and will not benefit from the Financial Services Compensation Scheme[10]’s protection before establishing a business relationship or entering into a transaction with the customer.
Applicant is already authorised for other activities
If the applicant is already registered or authorised (such as an e-money institution, payments institution or a firm with Part 4A permissions under FSMA), it must demonstrate that it understands the requirements of the AML registration regime for cryptoasset businesses.
Any existing AML framework must be extended to fully cover the new and unique risks of its cryptoasset-related activities.
We will consider if the applicant has a history of compliance failings within the existing regime(s) it is subject to. For example, we will look to see if there are any ongoing investigations into the applicant, its compliance programme and any backlogs, any unresolved audit findings in its AML/CTF procedures and any regulatory concerns with its transaction monitoring capabilities.
Sanctions
An application must evidence adequate and current sanctions[11]-specific controls within the applicant’s control framework in line with its cryptoasset-based business model.
The control framework must also include cryptoasset-specific ‘red flag’ indicators for potential sanctions breaches and evidence that the applicant will apply checks consistently across various tools and processes (such as onboarding, periodic reviews, transaction monitoring and blockchain analysis).
We will not approve an application where the sanctions policy is generic and where there are no procedures to ensure that it is kept up to date with changes to the sanctions regime. For example, where there is no provision to identify transactions linked to higher risk wallet addresses that may be associated with a sanctioned entity or a customer transacting from a sanctioned jurisdiction, or where there is no procedure on how to deal with the funds of a designated person.
Website
The applicant’s website or other marketing materials must contain an accurate and fair representation of the applicant’s products and services and must not contain misleading information.
The applicant must demonstrate that it has clear oversight and accountability for how third parties use its marketing material, for instance, social media influencers.
When submitting an application
What you need to do
Have you included everything?
Applicants should ensure that they have answered all the questions on the application form fully and that the application includes all the relevant information to support the application.
All the documents and information must be up to date as at the date of submission, in adherence with the MLRs.
We expect all documents to be final versions that have been reviewed thoroughly and signed off before submission. We will not review and comment on draft documents as part of our application assessment.
Do you meet the standards for registration?
The application must demonstrate that the applicant understands its obligations to comply with the requirements of the MLRs and is ready, willing and organised to meet these requirements when they apply.
We will take into account all relevant factors when assessing fitness and propriety. This includes, among other things, a business’ financial promotions and its financial soundness within the context of the MLRs.
While we are assessing the application
What you need to do
Keep us up to date
Applicants should be proactive and self-reliant. They should not expect the FCA to act as an advisor in completing their application or to recommend solutions when we highlight some deficiencies.
They must ensure complete transparency and timely disclosures of relevant changes in circumstances and any new information that could affect our assessment.
Keep up to date
Applicants should demonstrate that they are agile and prepared to deal with a rapidly evolving regulatory framework (such as implementation of the travel rule), scanning for emerging risks and industry changes, tracking financial crime typologies and new rules that could affect their operations.
Do not
Applicants must not use their application to promote their products or services.
Applicants’ websites and marketing material must not include language that gives the impression that making an application for registration is a form of endorsement or recommendation by the FCA.
This is the start
Applicants must recognise that being registered is not a one-off formality or a tick-box exercise without any further obligations or interaction with the FCA. The applicant must continue to ensure that it complies with the requirements of the MLRs and the FCA will supervise this compliance.