Assessing firms’ compliance with ‘back end’ cryptoasset financial promotions rules

Firms must allow a cooling-off period for new consumers who request a Direct Offer Financial Promotion (DOFP). This must be a minimum of 24-hours from the point that a consumer requests to see the DOFP and it being shown. The cooling-off period allows consumers time to reflect on the investment and decide whether to proceed to purchase the assets. At the end of the cooling-off period, consumers must be given the option to either proceed with or leave the journey at that point, with each of these options being given equal prominence.

We found that all firms had implemented a minimum 24-hour cooling-off period before consumers were able to view a DOFP, or to commit to any investments. However, multiple firms had either not included an express option to proceed with or leave the investment journey at the end of the period, or the options to leave or proceed were not given equal prominence.

Providing clear and timely information about the cooling off period can help consumers more easily navigate the process and reduce frustration. However, some firms gave consumers limited or no information on why they must wait before committing to an investment, which could lead to consumer confusion. Additionally, some firms did not inform consumers about the cooling-off period until they were a significant way through the investment journey, which could lead to consumers becoming frustrated.

We saw that some firms allowed consumers to deposit funds to their account during the cooling-off period. However, where this included a fee for withdrawing these funds, the firm did not explain the nature or extent of these fees before the consumer deposited. Good practice would be to clearly explain fees that could impact the decision of whether to proceed at the end of the cooling-off period.

Several firms gave consumers clear information on the reason for the cooling-off period, the time remaining until the cooling-off period expires and gave consumers relevant information on the products available as well as the risks of those products. They gave this information at the start of the investment journey, so consumers knew what to expect.

Firms must provide a personalised risk warning to new consumers before they receive a DOFP.

This must be tailored to include the client’s name, and include both a risk warning and link to a risk summary. Behavioural research has shown that personalised messages and prominent directions to further information were the most effective way to get consumers to click on the risk summary. Consumers must be given the option to proceed with or leave the investment journey, with each option given equal prominence.

We saw that one firm gave the personalised risk warning later in the journey, after the consumer’s client categorisation had been established and appropriateness of the product assessed. This approach incorrectly combined the separate requirements for consumers to specify if they wish to proceed to the DOFP or leave the journey at the end of the cooling-off period with the personalised risk warning.

This is in breach of COBS 4.12A.20R, which requires the personalised risk warning to be given before the client categorisation and appropriateness assessment conditions are completed. An additional warning to remind consumers of the risks of the investment at the point of committing to the investment may be helpful, but firms must give a personalised risk warning at the required point of the onboarding journey.

In some instances, the personalised risk warning did not meet the prominence requirements or did not present the options to proceed with or leave the investment journey with equal prominence. In some cases, firms had inappropriately used language that encouraged consumers to proceed. Using neutral and non-influential language could help ensure that invitations to proceed are presented with equal prominence and allow consumers to decide whether to proceed.

A good example displayed the warning on one page, followed by a separate page with the options to proceed with, or leave, the journey. Presenting the warning in this way highlighted the importance of the wording and encouraged engagement with the options, as they were prominently displayed without any other information diluting the message.

Firms must take reasonable steps to establish that a consumer is certified as either a Restricted, High Net Worth or Certificated Sophisticated investor before communicating a DOFP. This requires consumers to sign a declaration stating that they meet the relevant criteria to be categorised as such, as well as stating why. This rule is important for ensuring that only consumers who can absorb potential losses invest in cryptoassets, by limiting ordinary retail consumers to investing no more than 10% of their net assets in high-risk investments (including cryptoassets).

The client categorisation is only valid for a 12-month period, meaning firms will need to categorise consumers again after the 12-month period has expired if they wish to make further DOFPs.

Most firms had implemented a process for ensuring consumers were able to self-categorise appropriately and provided correctly worded categorisation statements. We saw that in most cases, consumers are given clear and accurate information to help them select the most appropriate category.

However, we saw poor examples where firms are guiding consumers through the process by telling consumers what they need to enter to proceed. In some instances, if a consumer entered a value that did not meet the requirements of their selected category, a warning message would appear on screen. This wording encouraged the consumer to change their response to fit the permitted range. The system did not record whether consumers changed their response, or what values they originally entered. When done inappropriately, this might steer consumers towards a category that does not appropriately reflect their circumstances and could be in breach of COBS 4.12A.26R.

In better examples, firms gave clear explanations of the purpose of the categorisation process and a clear description of the available categories. They would then allow consumers to complete the relevant statement and submit their responses including relevant values. Consumers would only be informed if they entered values that were outside the permitted range for that category after they had submitted. Consumers could then choose to restart the categorisation process, but were not unduly encouraged or pressured to do so. This also enabled the firm to track whether consumers had changed their responses in the categorisation process.

Some firms had changed the title or description of the investor categories in a way that inappropriately downplayed the risk of investing in cryptoassets. Firms should use the investor categories and related statements specified in our rules.

Our rules allow firms to give consumers the option to categorise as a certified sophisticated investor by confirming that they have received a certificate of sophistication from an FCA authorised firm within the last 3 years. We have seen that some firms do not offer this category, as they are concerned that no firm is able to provide a certificate of sophistication relating to cryptoassets. Some firms thought this option was likely to confuse consumers. There is no requirement for firms to offer this category.

We also saw that some firms who offered this category did not take reasonable steps to establish that the consumer met the criteria as the firm did not ensure the authorised firm named on the certificate was genuine. Firms should, at a minimum, establish that the consumer has given the name of an FCA authorised firm when completing their investor statement. Some of the submissions from consumers were clearly jokes or not relevant, and firms had not checked these certificates.

In one instance, a firm offered the option to select a self-certified sophisticated investor category. This category is not applicable to cryptoassets and firms should not offer this category.

Firms have taken differing approaches on how investor statements are presented to consumers, particularly with mobile apps that have limited screen space. The COBS 4 Annexes in FCA’s Handbook set out the certificates to be signed in relation to each category. Diverging from the way the statements are set out can present challenges to how it is delivered to the consumer. However, done well, these challenges can be managed, and can highlight key information to the consumer. In the best example of this, we saw that one firm split the statement into sections, showing each section on a separate page in the app to help consumers understand the different elements.

However, we saw a poor example where in addition to splitting the statement over different screens, the firm had amended the wording and combined some sections of the statement. This reduced the impact and clarity of the information. More significant changes to how the statement is presented to the consumer may increase the risk the statement will be non-complaint with our rules.

Firms should not ignore information from the consumer suggesting that they may be incorrectly categorised.

Firms must assess whether the qualifying cryptoasset is appropriate for the consumer before they process an application or order in response to a DOFP.

This requires the firm to assess that the consumer has the necessary experience and knowledge to understand the risks involved in relation to the specific cryptoasset. Guidance in the handbook on the topics we would expect firms to include is intended to set a baseline standard and help firms understand their obligations. Firms may need to ask additional or alternative questions to ensure that the retail client has the necessary knowledge to understand the risks involved in the specific type of cryptoasset offered.

Our rules are not prescriptive about how the appropriateness assessment should be conducted. As a result, firms have a variety of approaches.

We’ve split our feedback into 2 sections:

• How the assessment is designed, including format and questions.
• The processes for consumers who fail assessments.

Design of the assessment

The appropriateness assessment should request information about the consumer’s knowledge and experience in order to assess whether investing in qualifying cryptoassets is appropriate for the consumer. If a firm considers, based on the assessment, that investing in qualifying cryptoassets is not appropriate for the consumer, the firm must not allow the consumer to proceed with the investment journey. The purpose of this rule is to prevent consumers investing in qualifying cryptoassets where they have not shown the necessary knowledge and experience to understand the risks of investing in the offered cryptoassets.  

Poor practice included firms using the assessments as an educational tool, rather than an assessment of a consumer's current knowledge. For example, with questions providing information to consumers rather than assessing their knowledge or experience of the products. Whilst firms can provide information and support prior to taking the assessment, this should not be done within the assessment as it undermines the purpose of assessing a consumer’s understanding of the risks of the product. 

We found some firms had features which worked to guide consumers to what the ‘correct’ answer was. For example, assessments included clearly implausible answers in multiple choice questions. Others included ‘all of the above’ as an answer, which was the correct answer in all questions where it was present. In another example, the correct answer was always significantly longer than the incorrect alternatives. These features could guide consumers to the correct answer without them understanding the question or genuinely knowing the correct answer. As a result, we felt these assessments would not adequately assess the product’s appropriateness for their consumers. Firms can refer to COBS 4.12A.34.G for guidance.

In some cases, firms included questions which asked the consumer to self-assess their own level of knowledge or experience. Positive scores were awarded for consumers who claimed to have high levels of knowledge without having to show it. Firms should not simply rely on a consumer to state whether they understand something, as their understanding may be incorrect. Questions should objectively test consumers’ knowledge and experience. In other cases, questions were included which were not relevant to the products and included obvious answers. Firms should ensure that all questions in the assessment are relevant to the products and assets offered. 

Many of the assessments we have seen do not cover all relevant topics outlined in COBS 10 Annex 4G or are randomly selected questions from a question bank where the selected questions may not cover all topics. We have also seen that most firms will allow consumers to invest in specific cryptoasset products despite not demonstrating that these are appropriate for them. Several firms claimed that limitations in their appropriateness assessment were mitigated by providing information elsewhere, such as the risk summary or a ‘learn’ section of the website. Providing information to consumers elsewhere is not substitute for robustly assessing consumer's knowledge of the features and risks of the products. 

As outlined in COBS 10 Annex 4G, firms may need to ask additional or alternative questions to ensure that the consumer has the necessary knowledge to understand the risks relevant to the specific product being offered. This may include stablecoins, commodity backed tokens, complex yield products and memecoins.  

In the best examples, each iteration of the assessment covered all relevant features of the cryptoassets that the consumer can purchase following successful completion of the assessment, including the specific risks of different products and asset types. Consumers should only be able to invest in specific assets and products once they have shown that they have the knowledge and experience to understand the risks of these. We saw an effective approach adopted by a firm that implemented 2 appropriateness assessments. Each assessment relating to a specific type of asset, and covered the risks relevant to that asset type. Consumers were only able to access an asset type if they had passed the relevant appropriateness assessment for that asset. 

Most of the firms have produced assessments which allow consumers to answer one or more questions incorrectly and still consider the cryptoassets to be appropriate for them. Our rules do not specify a particular pass mark. However, when considering the requirements to pass the assessment, firms should consider whether there are any particular questions, or combinations of questions, where incorrect answers would suggest a fundamental misunderstanding of a key risk of the product. This will ensure that the consumer is not able to display a lack of knowledge of a key feature or risk of the cryptoassets and still be considered as appropriate to invest.  

The most robust assessments ensure that each time a consumer takes an assessment, that assessment covers all relevant topic areas. In some cases, this was achieved by having several fixed, predetermined question sets. In other cases, questions were allocated to specific topic areas, with each iteration of the test randomly selecting 1 question from each topic area. Both options also ensure that the consumer does not face the same set of questions if they need to retake the assessment. Less robust approaches included where the firm had a bank of questions, and each test randomly selected a predetermined number of questions from the bank. This meant a test could include multiple questions on one topic, but not include any questions on another topic that was important to understanding the products’ risks.

Failing the assessment

Most firms have created question banks that allow for multiple assessments to be undertaken without re-using the same questions, ensuring that they comply with COBS 4.12A.31R(3). However, we have seen some firms use the same questions on multiple assessments, usually with different answer options or answers in a different order.

Most firms are only telling consumers whether they have passed or failed. However, where firms allow consumers to answer one or more questions incorrectly and pass the assessment, they might consider informing consumers that passed the test, of any topics they answered incorrectly and what the correct answers were. This will ensure that consumers who pass the assessment do not have any misconceptions that the incorrect answers provided were correct and gives them the opportunity to improve their knowledge.

All of the firms we reviewed have a minimum 24-hour lock out for consumers who have failed 2 or more consecutive assessments, as required by COBS 4.12A.32R. Most firms have implemented longer lock outs for consumers who have failed multiple assessments. However, we found that few firms notify consumers facing longer lock-outs of this before they start the assessments.

Some firms have limited the number of assessments a consumer can take before being permanently locked out and informed that cryptoassets are likely not appropriate for them. Firms that allow consumers an unlimited number of attempts, may wish to consider whether there is a point at which repeated failures indicate that the product is not appropriate for that consumer.

Our rules require firms to record specific information captured during the customer journey, and we found that all firms were doing so. Some firms are going beyond the requirements and recording additional data during the onboarding journey. This allows them to further understand how consumers interact with their platform. This includes comparing purchase volumes and asset types of consumers in different categories. 

The best firms that we saw have a clear and defined plan of how they will use the data captured. We saw that one firm used this data to identify misleading wording in the onboarding journey and amended it to remove ambiguity. However, most firms were not able to detail how they would use the captured data to improve the customer journey.

Most firms we reviewed had processes to conduct due diligence before they promoted the cryptoassets.

Most firms’ approach to due diligence considered the topics covered in FG23/3. The best firms had carefully considered the topics covered in FG23/3 and also considered additional topics relevant to the specific cryptoassets they were promoting. For example, developing their own risk taxonomies for cryptoassets to identify material risks or issues of concern.

For some firms due diligence seemed unduly focused on whether the cryptoasset amounted to a security in certain jurisdictions, rather than being tailored to UK regulatory requirements. The best firms considered a wider range of factors as part of their due diligence, such as consumer protection, financial crime and operational risks. A few firms had a thorough approach to considering operational and technological risks, such as having specialist teams review smart contract code and network stability.

One firm believed, incorrectly, that it did not need to conduct due diligence on cryptoassets. Another firm believed, incorrectly, that it did not need to consider environmental, social or governance factors when conducting due diligence.

The best firms clearly showed how and when they would reject and not promote a cryptoasset for failing to meet their due diligence requirements and their risk appetite for promoting cryptoassets. For example, one firm was able to clearly explain the various stages of their due diligence process and how this resulted in them promoting less than 10% of the cryptoassets they reviewed. The least effective firms were unable to explain how and when a cryptoasset would fail their due diligence requirements and were unable to explain their risk appetite for promoting cryptoassets.

Most firms primarily relied on publicly available information when conducting due diligence. For example, information in the white paper, provided by the issuer/foundation behind the cryptoasset, or gathered from news services. The best firms considered information from a wide range of sources, combining on-chain and off-chain information with information from specialist third parties. Firms should consider the suitability of relying on information provided by specialist third parties on a case-by-case basis.

The least effective firms were unable to clearly show how they verified information and appeared to take information at face value.

Most firms we reviewed primarily focused due diligence at the point when first deciding whether to promote the cryptoasset. There was a risk that these firms considered due diligence to be a ‘once and done’ process. Firms had given less thought to how they would conduct due diligence on an ongoing basis. For example, what systems and controls would be required to monitor cryptoassets for market events that would materially impact the fairness of promotions including in light of the risk profile of the cryptoasset.

Due diligence has a purpose. It is not a tick box exercise but should be a key tool in guiding firms’ decision making regarding a cryptoasset.

The weakest aspect of most firms we reviewed was their inability to clearly show how they used their due diligence to inform their decision making.

Most firms primarily used their due diligence to inform a binary decision on whether to promote the cryptoasset. The best firms also showed how they used information gained in the due diligence process to inform consumers about the specific cryptoasset being promoted. For example, creating detailed risk disclosure documents specific to each cryptoasset. One firm was in the process of developing a system that would automatically scan the news for information that could materially affect the fairness of promotions, and automatically identify which promotions may need to be amended.

The firms that displayed the poorest practice did not appear to consider that the information gained during the due diligence process would be relevant to disclose to consumers to ensure compliance with our rules. For example, information gained on the concentration of token holdings. These firms were often unable to show how they used the information gathered in the due diligence process, such as how due diligence could inform the following decisions:

• How the cryptoasset should be promoted.
• Whether certain communication mediums, such as social media, are appropriate for promoting the cryptoasset.
• How to disclose information gained during the due diligence process and the most effective way of doing so to help consumers make informed investment decisions.
• Whether their appropriateness assessment needs to be changed to assess consumers’ knowledge and understanding of specific risks identified by due diligence.

Firms that displayed the poorest practice did not appear to consider that omitting information, including that gained during due diligence, can result in financial promotions being non-compliant with our rules.

Given their unique risk profile, we specifically reviewed firms’ approach to due diligence on cryptoassets that claim a form of stability.

The best firms had considered the risks specific to this type of cryptoasset and carried out thorough due diligence to assess any claims of stability. For example, conducting due diligence on the nature of the stabilisation mechanism, the quality of backing assets, how any backing assets are custodied, the regulated status of the issuer and the issuer’s redemption policy.

Firms that displayed the poorest practice did not appear to have robust processes for conducting due diligence on this type of cryptoasset. For example, they were promoting certain cryptoassets as stable despite them not maintaining a stable value, this is in breach of our rules. These firms did not appear to be actively monitoring the stability of these cryptoassets or considering a range of information sources, including reports by specialist third parties, that highlighted significant weaknesses in the stability mechanism of the cryptoassets they were promoting.

Firms that displayed the poorest practice were also promoting cryptoassets whose stability mechanism primarily relied on an algorithm or reserves of other cryptoassets as stable. These firms did not appear to consider that this could result in their promotions being non-compliant with our rules.

The good and poor practice previously noted is also relevant to this type of cryptoasset. In particular, regarding monitoring for market events that could affect the fairness of promotions or risk profile of the cryptoasset.