We are reminding all regulated firms of their existing obligations when they are interacting with or exposed to cryptoassets and related services.
While cryptoassets and their underlying technologies can offer benefits to financial services firms, for example reduced costs and increased efficiencies, they also present risks to market integrity and consumers, particularly when used as a speculative investment. These risks are in addition to significant risks in relation to financial crime and money laundering.
Below we have set out some areas of risk that firms need to consider. This is not a complete list and firms should consider any further controls and requirements which apply to them. They should read this statement together with our latest guidance[1] on how firms should manage financial crime risks associated with cryptoassets in the ongoing Russia/Ukraine conflict.
We also recommend that firms read the Letter from Sam Woods on existing or planned exposure to cryptoassets[2] published today by the Prudential Regulation Authority (PRA), as well as today’s publications[3] from the Bank of England and the Financial Policy Committee (FPC), which focus on cryptoassets and new forms of digital money.[4]
Being clear with customers
As stated in our Perimeter Report 2021[5], much of the cryptoasset sector continues to sit outside of the FCA’s current regulatory remit. When firms assess the risks cryptoassets pose, they should use a similar approach to that for the regulated activities they conduct. There is a risk of consumer confusion where regulated firms provide services involving cryptoassets. We expect firms to ensure that consumers understand the extent of business that is regulated and to clearly distinguish those elements which are unregulated business. At all times, firms remain responsible for identifying and managing potential risks related to cryptoassets.
Financial Crime and registration of cryptoasset business
Since January 2020, firms carrying on cryptoasset activity in the UK have had to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the ‘MLRs’). This includes the requirement to be registered with the FCA to continue to carry on business. Providing cryptoasset business in the UK by way of business, as set out in Regulation 9[6] of the MLRs, without registration (or temporary permission under the Temporary Registration Regime[7] (TRR)) is a criminal offence.
Having appropriate systems and controls in place
We expect all authorised and registered firms to have appropriate systems and controls to counter the risk of being misused for financial crime. As part of this, all firms should be reviewing whether cryptoasset businesses they interact with are listed on the FCA’s Unregistered Cryptoasset Businesses page[8]. We expect firms doing business with cryptoasset firms to check against this list and to make sure that they have sufficient due diligence and money laundering controls in place to manage the risks posed by their customers.
Assessing the risks
Our 2018 Dear CEO letter[9] gave firms guidance on how to achieve best practice where clients and customers may be using cryptoassets, or providing services to customers offering cryptoassets. That guidance remains relevant – with some key elements outlined in this notice.
Where firms’ clients and customers are using cryptoassets or offering related services, firms are given the flexibility to adapt their actions to the perceived risks. Firms should assess the risks posed by a customer whose wealth or funds derive from the sale of cryptoassets, or other cryptoasset related activities, using the same criteria that would be applied to other sources of wealth or funds. One way cryptoassets differ from other sources of wealth is that the evidence trail behind transactions may be weaker. This does not justify applying a different evidential test on the source of wealth and we expect firms to exercise particular care in these cases.
Prudential considerations
While there are currently no specific prudential treatments that explicitly mention cryptoassets, we remind FCA regulated firms that there are still regulatory obligations in this area. Firms subject to our new investment firm prudential regime (IFPR) have obligations (under MIFIDPRU 7[10]) to assess and mitigate the potential for harm to clients, to the markets in which the firm operates and to itself, that could arise from all of their business. This applies whether or not that business consists of Markets in Financial Instruments Directive (MiFID) investment business, other regulated activity or is unregulated. It also applies irrespective of operating on an agency basis, principal basis, or in some other capacity. This therefore includes cryptoassets business, however firms conduct that business.
Other firms subject to FG20/1: Assessing adequate financial resources[11] should consider that guidance when assessing and managing risks and exposures from cryptoassets. Where a firm accounts for a cryptoasset as an intangible asset, it will likely need to deduct this asset from its regulatory capital.
If we find that there is a need for updated prudential requirements for cryptoassets, we will consider what further steps we may need to take to ensure firms have adequate financial resources to address the potential for harm from conducting business involving cryptoassets.
Custody considerations
All FCA regulated firms must observe our Principles for Business,[12] which all firms must comply with to be authorised by us. Principle 10 requires a firm to arrange adequate protection for clients’ assets. As part of these protections, the FCA’s Client Assets Sourcebook[13] (CASS) provides detailed rules for firms to follow when holding regulated assets in custody, as part of their investment business. Where cryptoassets are specified investments[14] (ie, security tokens), firms carrying out regulated activities involving custody of these assets are likely to be subject to the CASS regime. If firms have any questions about how the CASS rules may apply, they should speak to their relevant FCA supervisory contact.
We continue to develop our understanding of how cryptoasset technology affects custody arrangements. We will continue to monitor the use of cryptoassets in custody arrangements and act where appropriate, supporting responsible innovation, while protecting consumers and ensuring market integrity.
Domestic and international engagement
As effective regulation of a digital world requires international cooperation and common standards, we will continue working closely with our international partners, both bilaterally and through multilateral fora, including the International Organization of Securities Commissions (IOSCO), the Financial Stability Board (FSB) and the Financial Action Task Force (FATF). Domestically we will work closely with Government and other parties through the Cryptoassets Taskforce (CATF) on a UK approach that balances innovation and competition, alongside orderly markets and consumer protection. We will also be engaging with industry participants to seek insights as we further develop our views.