We are the anti-money laundering and counter-terrorist financing (AML/CTF) supervisor of UK cryptoasset businesses under the money laundering regulations. Learn more about the regime.
On this page 
Cryptoasset businesses need to be registered with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017[1] (MLRs), and comply with the requirements the regulations, if they intend to provide certain cryptoasset services by way of business, and if this service will be in the course of business carried on by them in the United Kingdom.
Scope of cryptoasset services
Cryptoasset businesses who, by way of business, provide one or more of the following services summarised in the scope of services table below and set out in Regulation 14A[3] of the MLRs must comply with the MLRs.
Registration
Cryptoasset businesses that intend to provide in-scope services while acting in the course of business carried on by them in the United Kingdom must be registered with the FCA before they begin.
Find further information on registration[4], including details of the information you will need to provide and how to submit your application.
Registration under the MLRs is a legal requirement to carry on business. It is not a recommendation or endorsement of your business.
Registered cryptoasset businesses should be careful to avoid using language that might give the impression that registration is a form of endorsement or recommendation.
Change in control for registered cryptoasset firms
A person who decides to acquire or increase control over an FCA-registered cryptoasset firm – so that they become a beneficial owner within the meaning of Regulation 5[5] or Regulation 6[6] of the MLRs – must submit a change in control notification and await FCA approval before completing the transaction.
It is a criminal offence to acquire control of an FCA-registered cryptoasset firm without FCA approval.
For further information see Schedule 6B[7] of the MLRs and our change in control[8] pages.
A person that decides to acquire or increase control in an FCA-authorised firm, which has FSMA and cryptoasset permissions, will be assessed under Part XII[9] of FSMA.
Supervision
Our supervisory approach to cryptoasset businesses is in line with our approach to other businesses under the MLRs. It is risk based so that businesses which pose the greatest money laundering and terrorist financing risk receive an increased level of supervisory focus. If we have reason to believe serious misconduct has taken place, we may decide to commence an enforcement investigation.
Our supervisory assessment includes a requirement for a business to show that it has policies, controls and procedures in place to effectively manage money laundering and terrorist financing risks proportionate to the size and nature of the business’ services. Businesses should also carry out regular assessments of their policies, controls and procedures to ensure that these remain relevant and appropriate. Businesses should be alert to any change in their operating model that may have an impact on the way they conduct their business.
Some requirements are set out below. It is not an exhaustive list and does not include the wider rules and guidance that a cryptoasset business, which is also authorised under FSMA by the FCA, must adhere to in addition to the MLRs.
Businesses must:
- take appropriate steps to identify and assess the risks of money laundering, proliferation financing and terrorist financing which the business is subject to
- assess the money laundering, terrorist financing and proliferation financing risks related to any new technologies prior to launch and take appropriate measures to manage and mitigate those risks
- have in place policies, systems and controls appropriate to mitigate the risk of the business being used for the purposes of money laundering, terrorist financing and proliferation financing. This risk-based approach should seek to mitigate the risks identified in the business’ risk assessment
- where appropriate, for the size and nature of its business, appoint an individual who is a member of the board or senior management to be responsible for compliance with the MLRs and the nominated officer. The nominated officer is also the person responsible for reporting suspicious activity to the National Crime Agency under Part 7[10] (Money Laundering) of the Proceeds of Crime Act 2002
- where appropriate, for the size and nature of its business, establish an independent internal audit function with responsibility for examining and evaluating the adequacy and effectiveness of the policies, controls and procedures, and making recommendations, as well as monitoring the controls
- undertake screening of employees
- undertake customer due diligence when entering into a business relationship or occasional transactions
- apply more intrusive due diligence, known as enhanced due diligence, when dealing with customers who may present a higher money laundering, terrorist financing and proliferation financing risk. This includes customers who meet the definition of a politically exposed person
- undertake ongoing monitoring of all customers to ensure that transactions are consistent with the business’ knowledge of its customer, the customer’s business and risk profile
Additional supervisory powers
The MLRs include additional powers for the FCA to maintain a robust AML/CTF cryptoasset supervisory regime.
Here are summaries of some of those powers. For the details please see the relevant references to the regulations.
Consumer protections and disclosure
Our responsibility under this regime is limited to AML/CTF registration, supervision and enforcement only.
Registration does not mean customers of cryptoasset businesses will benefit from the protections of the Financial Ombudsman Service[15] or the Financial Services Compensation Scheme[16] (FSCS) and cryptoasset businesses should ensure they do not mislead customers about what protections apply and the status of their FCA registration.
As most cryptoassets are not specified investments under the Financial Services and Markets Act 2000 (FSMA), it is unlikely that customers will have access to the Financial Ombudsman or the FSCS.
You may wish to consider our guidance setting out our position on the types of cryptoassets which will fall within our regulatory remit and the implications this has on consumer protection:
- Cryptoasset services involving security tokens, for example, are regulated tokens which will provide the same protections as specified investments set out in the Regulated Activities Order[17].
- Cryptoasset services which fall in the unregulated space, as defined in our guidance[18], will not have the same consumer protections.
You should consider whether your business’s cryptoasset services are within the scope of the jurisdiction of the Financial Ombudsman and/or are subject to protection under the FSCS.
Where a cryptoasset service is not subject to these protections, we expect businesses to provide a clear disclosure to customers where the scope of the Financial Ombudsman or FSCS does not apply before establishing a business relationship or entering into a transaction with a customer. It will be up to each business to decide how best it meets this requirement.
We do not expect a business to make several disclosures of this fact but that it is made where it is relevant and in a manner appropriate to the consumer.
Here are some disclosure-related factors you may wish to consider:
You will need to decide how best to disclose this information, particularly if your business is doing a mix of FSMA regulated and unregulated cryptoasset or other service. For businesses only carrying on services in relation to unregulated cryptoassets, we would suggest wording along the following lines:
'The Financial Ombudsman Service or the Financial Services Compensation Scheme do not apply to the cryptoasset services carried on by [Name of cryptoasset business].’
Reporting Requirements
All registered cryptoasset businesses must submit a REP-CRIM return (Annual financial crime reporting) annually via our RegData system[19]. The report should be submitted within 60 business days of the business's Accounting Reference Date (ARD). More details can be found in the Cryptoasset Direction[20] with guidance notes[21] for completing the return.
Enforcement
Our enforcement staff work closely with our authorisation and supervision functions, as well as with other regulators and law enforcement agencies, to detect serious misconduct, including money laundering and terrorist financing.
We have enforcement powers under the existing MLRs.
- Our Enforcement Guide[22] sets out our approach to enforcement and how we use our powers of investigation, gather information and conduct an investigation. It also sets our approach to imposing financial penalties and other disciplinary sanctions, explaining how we will use our powers under the MLRs.
- Approach to Enforcement[23] explains how we address harm and add public value through our statutory powers to investigate, take relevant civil, criminal and/or disciplinary action.
- Enforcement Information Guide[24] - this short guide includes a flowchart showing the process of a typical FCA enforcement case. It sets out the options to contest or resolve a case, the opportunities to make representations, and who the decision-makers are.
Contact us
For any queries regarding the regime, please email [email protected].
28/10/2019: Link added Added link to CP19/29 under Timeline and payment section