Business plan
The applicant’s business plan should include details of its business model, the roles and responsibilities of business partners (such as service providers, brokers, introducers, sub-custodians and outsourcing partners), sources of liquidity, a detailed customer journey and flow-of-funds charts covering both fiat and cryptoassets.
Applicants should not submit business plans that do not include forecasts or which provide unrealistic forecasts on financials, staffing, marketing plans, customer breakdown or any other component of the plan.
Applicants should also not submit business plans that focus only on the business model and commercial aspects without any description of its compliance oversight, risk mitigation and financial controls, especially for its cryptoasset holdings.
For example, does the applicant have arrangements to segregate its customers’ fiat or cryptoassets from its own fiat or cryptoassets, is the customer flow of funds and cryptoassets unambiguous, is there clarity on the applicant’s responsibilities regarding its custodial holdings, and is there transparency around its reserves?
Comprehensive description of products and services
An application should include a comprehensive and accurate description of the applicant’s products and services. This should include, where applicable, a cryptoasset token vetting policy, detailed description of how dependent it is on external ecosystems for liquidity, custodian services and underlying smart contracts/DeFi implementations.
This also includes a description of any cryptoassets native to or otherwise associated with the applicant and relevant whitepapers, token classification and functionalities assigned within the business.
Risk assessment and management
Applicants must demonstrate a thorough understanding of the risks from dealing in cryptoassets and design a Business-Wide Risk Assessment (BWRA) that is tailored to their business model. In addition to the AML/CTF risks, the BWRA should identify and assess any proliferation financing risks to which the applicant’s business is subject.
We will not approve an application where the applicant has an incorrect understanding of the risks associated with cryptoasset products or it has not considered the additional risks from combining new cryptoasset-related services or products with its ongoing business model.
We have found that many applicants do not effectively identify and assess the inherent risks of money laundering, terrorist financing and proliferation financing to which their business is subject. The BWRA should include an exhaustive assessment of the risk factors highlighted in Regulation 18(2)(b) of the MLRs. Further information can be found in the JMLSG Guidance (Part 1 Sections 4.11-4.23).
Whilst sections 4.19 to 4.22 directly pertain to firms authorised under Part 4A of FSMA, they will likely be useful to applicants seeking cryptoasset registration. We expect applicants to provide us with their risk assessment methodology, outlining the steps taken to produce the risk assessment, including appropriate risk weightings, the identification of inherent risks, evaluation of applied controls and the conclusion on residual risk.
We have found that applicants often mistakenly identify control failings as inherent risks. For instance, we have seen applicant firms identify and document inadequate customer due diligence collected and performed by them as an inherent risk in their business. This is in fact a failure of the applicant firm’s controls. An example of an inherent risk might be transactions to or from a high-risk country where credible sources have identified that country as not having effective systems to counter money laundering, terrorist financing or proliferation finance.
We will not approve an application where the business plan and risk management framework do not adequately explain the applicant’s cryptoasset-related activities, the risks and how these are mitigated through the corresponding controls.
Policies, systems & controls
Applicants should have policies, systems and controls in place to appropriately manage and mitigate the risks identified in the BWRA. We will also expect applicants to adequately evidence their assessment of the strength of these controls.
Examples include controls regarding a reliance on external ecosystems for liquidity, considerations about the extent of interoperability of the applicant’s products, market-maker related risk mitigation, controls around native token trading, white labelling services, unusual B2B models, sub-custodian services or reliance on peer-to-peer platforms.
Applicants should also be prepared to explain the rationale if they consider certain standard controls do not apply (for instance, due to the limited scope of their business model).
Applicants’ policies and procedures should demonstrate how the AML framework operates on a day-to-day basis, including individual components such as, but not limited to: BWRA, Customer Risk Assessment, Due Diligence, Screening, Transaction Monitoring, Suspicious Activity Reporting and Training.
We will not approve an application where the applicant has an underdeveloped AML framework or a weak governance structure. For instance, where the applicant, as part of its customer risk-scoring, does not conduct a holistic assessment of the risk presented by a customer and does not take into account the risk-based approach highlighted in JMLSG Guidance (Part I Section 4.33).
An applicant should provide a clear methodology used for risk-scoring its customers, which drives the level of due diligence the applicant firm is required to conduct. Applicants should also consider enhanced due diligence triggers, levels of ongoing monitoring and the frequency of periodic reviews.
Applicants should not submit generic/off-the-shelf policies and procedures that do not align with their business model or that contain obsolete documents not designed for or adapted to the proposed cryptoasset activities.
For instance, we have seen some applicants refer in their documentation to retail customers when in fact their business model is to onboard institutional customers only.
Transaction monitoring and blockchain analysis coverage
The applicant should demonstrate that it has effective transaction monitoring and blockchain analysis, adequate for its size and complexity; this includes both fiat and cryptoasset transactions (where appropriate).
It must have sufficient compliance resources to monitor transactions, and to carry out alert escalation and treatment. It should demonstrate adequate coverage by its blockchain analysis and fiat-based tools of the various types of currencies and transactions it handles.
The applicant should not have compliance staff that lack the skills to carry out blockchain investigations despite having blockchain analytics tools.
Transaction Monitoring tools should be tailored to the applicant’s business offering and customer population and should be reviewed on a regular basis to ensure all rules, thresholds and scenarios remain appropriate.
Group structure and reliance on group policies and procedures
The application must focus on the applicant’s business model and explain how its proposed cryptoasset activities relate to the MLRs. The application must demonstrate how the applicant, and any officer, manager and beneficial owner of the applicant, will comply with the MLRs.
It should provide a clear and complete description of its organisation and proposed management structure. It should include details of key individuals, their responsibilities and relevant expertise - providing individuals’ CVs, relevant qualifications and description of their responsibilities.
We will not approve an application where the applicant relies solely on group policies and procedures, but it is unclear how they apply to the applicant and where they do not demonstrate the applicant's compliance with the MLRs.
Where applicable, the applicant should include a clear description of the applicant’s group structure, ongoing activities, relevant jurisdictions and details of regulatory status.
Outsourcing
An applicant must provide complete information regarding its outsourcing arrangements, both within and outside the group, and both within and outside the UK.
There must be robust oversight to ensure that outsource providers comply with the requirements of the MLRs while recognising that the applicant remains ultimately responsible.
We will not approve an application where the applicant fails to provide its policies around outsourcing and the service level agreements in its submission. We will also not approve it if it fails to demonstrate sufficient oversight of the outsourced activities or fails to evidence that appropriate assurance testing of the outsourced activities will take place.
Training
The applicant must be able to evidence staff training material tailored to its particular business model and associated AML/CTF/PF risks along with its annual training plan.
Where the applicant hires external consultants to develop its AML framework, it must demonstrate a comprehensive understanding of this framework and that there is a comprehensive training plan that enables staff to effectively implement the framework.
We will not approve an application where the applicant has an inadequate training plan or lacks the resources to deliver that training. For example, where training is not delivered on a regular basis to all staff including new joiners, where an MLRO/Nominated Officer with no AML experience is attempting to provide in-house training to staff, or where staff training completion rates are unsatisfactory.
Suspicious Activity Reporting
The applicant’s Suspicious Activity Reporting (SAR) policy must fully cover all of its business including its cryptoasset-related activities. Staff should be made aware of how to recognise and deal with suspicious activity.
We will not approve an application where the SAR policy does not highlight a clear route of escalation internally to the MLRO/Nominated Officer as well as externally to the National Crime Agency (NCA). We would expect to see reference within the SAR policy to tipping off and the circumstances where the applicant firm may need to consider a Defence Against Money Laundering (DAML) SAR.
Disclosures
We will expect evidence that the applicant will proactively inform customers that the applicant’s cryptoasset activities will not be within the scope of the Financial Ombudsman Service and will not benefit from the Financial Services Compensation Scheme’s protection before establishing a business relationship or entering into a transaction with the customer.
Applicant is already authorised for other activities
If the applicant is already registered or authorised (such as an e-money institution, payments institution or a firm with Part 4A permissions under FSMA), it must demonstrate that it understands the requirements of the AML registration regime for cryptoasset businesses.
Any existing AML framework must be extended to fully cover the new and unique risks of its cryptoasset-related activities.
We will consider if the applicant has a history of compliance failings within the existing regime(s) it is subject to. For example, we will look to see if there are any ongoing investigations into the applicant, its compliance programme and any backlogs, any unresolved audit findings in its AML/CTF procedures and any regulatory concerns with its transaction monitoring capabilities.
Sanctions
An application must evidence adequate and current sanctions-specific controls within the applicant’s control framework in line with its cryptoasset-based business model.
The control framework must also include cryptoasset-specific ‘red flag’ indicators for potential sanctions breaches and evidence that the applicant will apply checks consistently across various tools and processes (such as onboarding, periodic reviews, transaction monitoring and blockchain analysis).
We will not approve an application where the sanctions policy is generic and where there are no procedures to ensure that it is kept up to date with changes to the sanctions regime. For example, if there is no provision to identify transactions linked to higher risk wallet addresses that may be associated with a sanctioned entity, a customer transacting from a sanctioned jurisdiction or without a procedure on how to deal with the funds of a designated person.
Website
The applicant’s website or other marketing materials must contain an accurate and fair representation of the applicant’s products and services and must not contain misleading information.
The applicant must demonstrate that it has clear oversight and accountability for how third parties use its marketing material, for instance, social media influencers.