Assessing firms’ compliance with ‘back end’ cryptoasset financial promotions rules

Good and poor practice

Published: 07/08/2024
Last updated: 07/08/2024

We outline our findings and identify good and poor practice for the wider sector to consider and make any necessary changes to their own practices.

1. Introduction

In June 2023, we set new requirements for promoting qualifying cryptoassets to retail clients (PS23/6 - Financial promotions rules for cryptoassets). We refer to these rules as ‘back end’ rules and they include:

  • 24-hour cooling-off period
  • personalised risk warnings
  • client categorisation
  • appropriateness assessments

For many UK cryptoasset firms, this is the first conduct regulation they have needed to comply with, and they have been required to invest in significant technical developments. We also understand that firms are having to implement this regime alongside other regulatory changes, such as the Travel Rule. That is why we have provided industry with extensive support to help them get this right, including allowing firms the option to delay implementation of the ‘back-end’ rules from October 2023 to January 2024. We published good and poor practice on firms' preparations for implementing the cryptoasset financial promotions regime, as well as good and poor practice on the High-Risk Investment rules which are substantially the same as the rules crypto firms are subject to. This extensive support was intended to help firms understand our expectations.

Following the implementation of these rules, we have reviewed a sample of crypto firms’ compliance. We recognised that firms were still adjusting to the new requirements. We identified good and poor practice in firms, which we have shared in this publication; this will help firms to get it right for consumers and the market. There were instances where firms were not meeting the required standards and expected level of consumer protection, so we have worked extensively with firms to remedy their compliance failures. Some firms still needed to make significant improvements to reach the levels of compliance we have seen in other sectors. We have provided firms with detailed feedback and continue to work with them to improve standards.

We want to work collaboratively with the sector to raise standards and this publication will help firms in meeting their obligations. 

These rules are important for preventing harm to consumers. They help ensure that consumers understand the risks of purchasing crypto, and can absorb potential losses, before they decide to invest. They can, in turn, help to support the integrity of our financial system and build confidence in the UK crypto market. We urge all relevant firms to read our good and poor practice and work proactively with us to continue to improve standards across the crypto sector.

Who this applies to

This will be of interest to:

  • firms promoting qualifying cryptoassets to retail consumers
  • firms promoting restricted mass market investments (RMMI) to retail consumers
  • firms approving financial promotions for qualifying cryptoassets or RMMIs under section 21 (s21) Financial Services and Markets Act 2000 (FSMA)

Background

Following legislation passed by Parliament, qualifying cryptoassets were brought in scope of the financial promotions regime from October 2023. Ahead of this, in June 2023, we outlined new requirements for promoting qualifying cryptoassets to retail clients from 8 October 2023 (PS23/6).

The rules for cryptoasset promotions were incorporated into existing rules for Restricted Mass Market Investments (RMMIs). The rules, therefore, closely reflect those set out in PS22/10 for RMMIs. Our September 2023 good and poor practice examples helped firms to understand how to comply with those rules.  

Having discussed with industry the extent of work needed to comply with the ‘back end’ financial promotions rules, and firms’ preparedness for those rules, we implemented a modification by consent which gave firms additional time to comply if they requested it. The modification expired on 8 January 2024, at which point all firms had to be compliant.

Why we did this

We want to provide clarity and prevent harm to consumers from investing in cryptoassets that do not match their risk appetite. Our rules aim to raise the overall standard of cryptoasset promotions by ensuring:

  • consumers receive clear, high-quality information to enable them to understand the features and risks of the products
  • consumers have time to consider and reflect upon this information
  • that qualifying cryptoassets are only sold to consumers for whom they are appropriate and where consumers can absorb potential losses.

We clarify the implications of these rules in Finalised Guidance FG23/3.

What we looked at

We chose a sample of firms who are offering qualifying cryptoassets and are either:

  • registered with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘MLRs’), or
  • authorised firms able to approve promotions for unregistered/unauthorised firms.

We asked them for information on their onboarding journey and visited each firm to review their approach to the following requirements:

  • cooling-off period
  • personalised risk warning
  • client categorisation
  • appropriateness
  • record keeping
  • due diligence

2. Our expectations

Our strengthened financial promotion rules set a minimum baseline for firms that promote qualifying cryptoassets and we give clear guidance on what is expected. The strengthened rules also support the approach of the Consumer Duty, where it applies. Firms should consider whether the needs of their customers mean they should take steps beyond those prescribed in our rules to deliver good outcomes.

The report findings are directed towards firms that communicate their own promotions, but the material is equally relevant to authorised firms that approve relevant financial promotions on behalf of unauthorised firms.

3. What we found

3.1. Cooling-off period

Firms must allow a cooling-off period for new consumers who request a Direct Offer Financial Promotion (DOFP). This must be a minimum of 24 hours between the point at which a consumer requests to see the DOFP and the point at which it is shown. The cooling-off period allows consumers time to reflect on the investment and decide whether to proceed to purchase the assets. At the end of the cooling-off period, consumers must be given the option to either proceed with or leave the journey at that point, with each of these options being given equal prominence.

We found that all firms had implemented a minimum 24-hour cooling-off period before consumers were able to view a DOFP, or to commit to any investments. However, multiple firms had either not included an express option to proceed with or leave the investment journey at the end of the period, or the options to leave or proceed were not given equal prominence.

Providing clear and timely information about the cooling-off period can help consumers more easily navigate the process and reduce frustration. However, some firms gave consumers limited or no information on why they must wait before committing to an investment, which could lead to consumer confusion. Additionally, some firms did not inform consumers about the cooling-off period until they were a significant way through the investment journey, which could lead to consumers becoming frustrated.

We saw that some firms allowed consumers to deposit funds to their account during the cooling-off period. However, where this included a fee for withdrawing these funds, the firm did not explain the nature or extent of these fees before the consumer deposited. Good practice would be to clearly explain fees that could impact the decision of whether to proceed at the end of the cooling-off period.

Several firms gave consumers clear information on the reason for the cooling-off period, the time remaining until the cooling-off period expires and gave consumers relevant information on the products available as well as the risks of those products. They gave this information at the start of the investment journey, so consumers knew what to expect.

Examples of good practice

  • Giving clear information that there is a cooling-off period, and explaining that it is there to ensure consumers take the time to consider if the product is right for them.
  • Giving clear information once the cooling-off period has ended.
  • Displaying information that factually indicates the time remaining before the cooling-off period ends, but does not pressurise or otherwise unduly influence consumers.

Examples of poor practice

  • Not providing information about the reason for the cooling-off period.
  • Not giving consumers the express option to proceed or leave the investment journey at the end of the cooling-off period.

3.2. Personalised risk warnings

Firms must provide a personalised risk warning to new consumers before they receive a DOFP.

This must be tailored to include the client’s name, and include both a risk warning and link to a risk summary. Behavioural research has shown that personalised messages and prominent directions to further information were the most effective way to get consumers to click on the risk summary. Consumers must be given the option to proceed with or leave the investment journey, with each option given equal prominence.

We saw that one firm gave the personalised risk warning later in the journey, after the consumer’s client categorisation had been established and appropriateness of the product assessed. This approach incorrectly combined the separate requirements for consumers to specify if they wish to proceed to the DOFP or leave the journey at the end of the cooling-off period with the personalised risk warning.

This is in breach of COBS 4.12A.20R, which requires the personalised risk warning to be given before the client categorisation and appropriateness assessment conditions are completed. An additional warning to remind consumers of the risks of the investment at the point of committing to the investment may be helpful, but firms must give a personalised risk warning at the required point of the onboarding journey.

In some instances, the personalised risk warning did not meet the prominence requirements or did not present the options to proceed with or leave the investment journey with equal prominence. In some cases, firms had inappropriately used language that encouraged consumers to proceed. Using neutral and non-influential language could help ensure that invitations to proceed are presented with equal prominence and allow consumers to decide whether to proceed.

A good example displayed the warning on one page, followed by a separate page with the options to proceed with, or leave, the journey. Presenting the warning in this way highlighted the importance of the wording and encouraged engagement with the options, as they were prominently displayed without any other information diluting the message.

Examples of good practice

  • Positioning the warning on its own page with no other information, making the warning the sole focus for the consumer.
  • Improving the prominence and engagement of the options to proceed with or leave the journey by making them the sole focus of the screen.
  • Including clear processes for consumers who wish to leave the investment journey.

Examples of poor practice

  • Including frictions for consumers who wish to leave the journey.
  • Using language in the personalised risk warning that downplays the risks of the assets or encourages consumers to proceed with the journey.

3.3. Client categorisation

Firms must take reasonable steps to establish that a consumer is certified as either a Restricted, High Net Worth or Certificated Sophisticated investor before communicating a DOFP. This requires consumers to sign a declaration stating that they meet the relevant criteria to be categorised as such, as well as stating why. This rule is important for ensuring that only consumers who can absorb potential losses invest in cryptoassets, by limiting ordinary retail consumers to investing no more than 10% of their net assets in high-risk investments (including cryptoassets).

The client categorisation is only valid for a 12-month period, meaning firms will need to categorise consumers again after the 12-month period has expired if they wish to make further DOFPs.

Most firms had implemented a process for ensuring consumers were able to self-categorise appropriately and provided correctly worded categorisation statements. We saw that in most cases, consumers are given clear and accurate information to help them select the most appropriate category.

However, we saw poor examples where firms are guiding consumers through the process by telling consumers what they need to enter to proceed. In some instances, if a consumer entered a value that did not meet the requirements of their selected category, a warning message would appear on screen. This wording encouraged the consumer to change their response to fit the permitted range. The system did not record whether consumers changed their response, or what values they originally entered. When done inappropriately, this might steer consumers towards a category that does not appropriately reflect their circumstances and could be in breach of COBS 4.12A.26R.

In better examples, firms gave clear explanations of the purpose of the categorisation process and a clear description of the available categories. They would then allow consumers to complete the relevant statement and submit their responses including relevant values. Consumers would only be informed if they entered values that were outside the permitted range for that category after they had submitted. Consumers could then choose to restart the categorisation process, but were not unduly encouraged or pressured to do so. This also enabled the firm to track whether consumers had changed their responses in the categorisation process.

Some firms had changed the title or description of the investor categories in a way that inappropriately downplayed the risk of investing in cryptoassets. Firms should use the investor categories and related statements specified in our rules.

Our rules allow firms to give consumers the option to categorise as a certified sophisticated investor by confirming that they have received a certificate of sophistication from an FCA authorised firm within the last 3 years. We have seen that some firms do not offer this category, as they are concerned that no firm is able to provide a certificate of sophistication relating to cryptoassets. Some firms thought this option was likely to confuse consumers. There is no requirement for firms to offer this category.

We also saw that some firms who offered this category did not take reasonable steps to establish that the consumer met the criteria as the firm did not ensure the authorised firm named on the certificate was genuine. Firms should, at a minimum, establish that the consumer has given the name of an FCA authorised firm when completing their investor statement. Some of the submissions from consumers were clearly jokes or not relevant, and firms had not checked these certificates.

In one instance, a firm offered the option to select a self-certified sophisticated investor category. This category is not applicable to cryptoassets and firms should not offer this category.

Firms have taken differing approaches on how investor statements are presented to consumers, particularly with mobile apps that have limited screen space. The COBS 4 Annexes in FCA’s Handbook set out the certificates to be signed in relation to each category. Diverging from the way the statements are set out can present challenges to how it is delivered to the consumer. However, done well, these challenges can be managed, and can highlight key information to the consumer. In the best example of this, we saw that one firm split the statement into sections, showing each section on a separate page in the app to help consumers understand the different elements.

However, we saw a poor example where, in addition to splitting the statement over different screens, the firm had amended the wording and combined some sections of the statement. This reduced the impact and clarity of the information. More significant changes to how the statement is presented to the consumer may increase the risk that the statement will be non-compliant with our rules.

Firms should not ignore information from the consumer suggesting that they may be incorrectly categorised.

Examples of good practice

  • Giving an option to leave the journey if the consumer does not meet the criteria of the available categories.
  • Considering whether it is appropriate to offer the certified-sophisticated category.
  • Verifying the submissions of all consumers who categorise themselves as certified-sophisticated and rejecting any submissions which do not meet the requirements.

Examples of poor practice

  • Pushing or leading consumers through the categorisation process by suggesting responses that meet the criteria of the category instead of allowing the consumer to volunteer the information. This is in breach of our rules.
  • Re-naming the categories or describing the categories in a way that downplays the risks of investing.
  • Changing the wording of the investor statements from the prescribed language in the handbook.
  • Not taking steps to check that the information provided in the categorisation statements aligns with the criteria for that particular category. For example, not checking that the consumer has given the name of a genuine FCA authorised firm when being categorised as a certified-sophisticated investor.
  • Offering a self-certified investor category or any other category not specified in COBS 4.12A.21. This is in breach of our rules.

3.4. Appropriateness

Firms must assess whether the qualifying cryptoasset is appropriate for the consumer before they process an application or order in response to a DOFP.

This requires the firm to assess that the consumer has the necessary experience and knowledge to understand the risks involved in relation to the specific cryptoasset. Guidance in the handbook on the topics we would expect firms to include is intended to set a baseline standard and help firms understand their obligations. Firms may need to ask additional or alternative questions to ensure that the retail client has the necessary knowledge to understand the risks involved in the specific type of cryptoasset offered.

Our rules are not prescriptive about how the appropriateness assessment should be conducted. As a result, firms have a variety of approaches.

We’ve split our feedback into 2 sections:

  • How the assessment is designed, including format and questions.
  • The processes for consumers who fail assessments.

Design of the assessment

The appropriateness assessment should request information about the consumer’s knowledge and experience in order to assess whether investing in qualifying cryptoassets is appropriate for the consumer. If a firm considers, based on the assessment, that investing in qualifying cryptoassets is not appropriate for the consumer, the firm must not allow the consumer to proceed with the investment journey. The purpose of this rule is to prevent consumers investing in qualifying cryptoassets where they have not shown the necessary knowledge and experience to understand the risks of investing in the offered cryptoassets.  

Poor practice included firms using the assessments as an educational tool, rather than an assessment of a consumer's current knowledge. For example, with questions providing information to consumers rather than assessing their knowledge or experience of the products. Whilst firms can provide information and support prior to taking the assessment, this should not be done within the assessment as it undermines the purpose of assessing a consumer’s understanding of the risks of the product. 

We found some firms had features which worked to guide consumers to what the ‘correct’ answer was. For example, assessments included clearly implausible answers in multiple choice questions. Others included ‘all of the above’ as an answer, which was the correct answer in all questions where it was present. In another example, the correct answer was always significantly longer than the incorrect alternatives. These features could guide consumers to the correct answer without them understanding the question or genuinely knowing the correct answer. As a result, we felt these assessments would not adequately assess the product’s appropriateness for their consumers. Firms can refer to COBS 4.12A.34.G for guidance.

In some cases, firms included questions which asked the consumer to self-assess their own level of knowledge or experience. Positive scores were awarded for consumers who claimed to have high levels of knowledge without having to show it. Firms should not simply rely on a consumer to state whether they understand something, as their understanding may be incorrect. Questions should objectively test consumers’ knowledge and experience. In other cases, questions were included which were not relevant to the products and included obvious answers. Firms should ensure that all questions in the assessment are relevant to the products and assets offered. 

Many of the assessments we have seen do not cover all relevant topics outlined in COBS 10 Annex 4G or are randomly selected questions from a question bank where the selected questions may not cover all topics. We have also seen that most firms will allow consumers to invest in specific cryptoasset products despite not demonstrating that these are appropriate for them. Several firms claimed that limitations in their appropriateness assessment were mitigated by providing information elsewhere, such as the risk summary or a ‘learn’ section of the website. Providing information to consumers elsewhere is not a substitute for robustly assessing consumers' knowledge of the features and risks of the products.

As outlined in COBS 10 Annex 4G, firms may need to ask additional or alternative questions to ensure that the consumer has the necessary knowledge to understand the risks relevant to the specific product being offered. This may include stablecoins, commodity backed tokens, complex yield products and memecoins.  

In the best examples, each iteration of the assessment covered all relevant features of the cryptoassets that the consumer can purchase following successful completion of the assessment, including the specific risks of different products and asset types. Consumers should only be able to invest in specific assets and products once they have shown that they have the knowledge and experience to understand the risks of these. We saw an effective approach adopted by a firm that implemented 2 appropriateness assessments. Each assessment related to a specific type of asset and covered the risks relevant to that asset type. Consumers were only able to access an asset type if they had passed the relevant appropriateness assessment for that asset.

Most of the firms have produced assessments which allow consumers to answer one or more questions incorrectly and still consider the cryptoassets to be appropriate for them. Our rules do not specify a particular pass mark. However, when considering the requirements to pass the assessment, firms should consider whether there are any particular questions, or combinations of questions, where incorrect answers would suggest a fundamental misunderstanding of a key risk of the product. This will ensure that the consumer is not able to display a lack of knowledge of a key feature or risk of the cryptoassets and still be considered as appropriate to invest.  

The most robust assessments ensure that each time a consumer takes an assessment, that assessment covers all relevant topic areas. In some cases, this was achieved by having several fixed, predetermined question sets. In other cases, questions were allocated to specific topic areas, with each iteration of the test randomly selecting 1 question from each topic area. Both options also ensure that the consumer does not face the same set of questions if they need to retake the assessment. Less robust approaches included where the firm had a bank of questions, and each test randomly selected a predetermined number of questions from the bank. This meant a test could include multiple questions on one topic, but not include any questions on another topic that was important to understanding the products’ risks.

Failing the assessment

Most firms have created question banks that allow for multiple assessments to be undertaken without re-using the same questions, ensuring that they comply with COBS 4.12A.31R(3). However, we have seen some firms use the same questions on multiple assessments, usually with different answer options or answers in a different order.

Most firms are only telling consumers whether they have passed or failed. However, where firms allow consumers to answer one or more questions incorrectly and pass the assessment, they might consider informing consumers who passed the test of any topics they answered incorrectly and what the correct answers were. This will ensure that consumers who pass the assessment do not have any misconceptions that the incorrect answers provided were correct and gives them the opportunity to improve their knowledge.

All of the firms we reviewed have a minimum 24-hour lock out for consumers who have failed 2 or more consecutive assessments, as required by COBS 4.12A.32R. Most firms have implemented longer lock outs for consumers who have failed multiple assessments. However, we found that few firms notify consumers facing longer lock-outs of this before they start the assessments.

Some firms have limited the number of assessments a consumer can take before being permanently locked out and informed that cryptoassets are likely not appropriate for them. Firms that allow consumers an unlimited number of attempts may wish to consider whether there is a point at which repeated failures indicate that the product is not appropriate for that consumer.

Examples of good practice

  • Approaching the design of the assessment holistically with its overall purpose in mind – ensuring the assessment robustly assesses the consumer's understanding of the risks associated with the specific cryptoassets being offered.
  • Assessments cover all appropriate topics outlined in COBS 10 Annex 4G, and specific risks of each cryptoasset type offered.
  • Questions have at least 3 plausible answers, follow a similar format and encourage engagement from the consumer.
  • Grouping questions into specific topics and ensuring every iteration of the assessment covers all topics.
  • Inclusion of ‘key’ questions which the consumer must answer correctly to pass.
  • Requiring consumers to pass an assessment for each type of cryptoasset offered, with the consumer only able to purchase a cryptoasset once they have passed the relevant assessment.
  • Giving consumers access to relevant resources to be able to research and understand the products and risks.
  • Providing information on the general topics a consumer answered incorrectly to allow them to research before retaking the assessment.
  • Having a limit on the number of times a consumer can attempt the assessment before being told that cryptoassets are unlikely to be appropriate for them.
  • Communications sent to the consumer are balanced, fair and do not encourage the consumer to take the assessment again. 

Examples of poor practice

  • Where the assessment does not require all questions to be answered correctly, the consumer is able to incorrectly answer questions that fundamentally show that cryptoassets are not appropriate for them, yet they are able to pass the assessment.
  • Asking leading or simplistic questions that direct the consumer to the correct answer.
  • Including questions that ask the consumer to assess their own level of knowledge and experience.
  • Condensing the topics of COBS 10 Annex 4G into groups, where individual questions from this group do not cover all the grouped topics.
  • Allowing consumers to invest in cryptoasset types where the consumer has not been assessed on whether the cryptoasset is appropriate for them.
  • Relying on information provided elsewhere to replace the need to determine a consumer’s knowledge by assessing their understanding.
  • Where the assessment questions are selected randomly from a bank of questions, not ensuring that all relevant topics are covered in every iteration of the assessment.
  • Treating the assessment as an educational tool for the consumer, instead of assessing if the consumer has relevant knowledge or experience of the products.
  • Allowing consumers to retake the assessment indefinitely or not having consistent processes for determining that the products are not appropriate for a consumer.

3.5. Record keeping

Our rules require firms to record specific information captured during the customer journey, and we found that all firms were doing so. Some firms are going beyond the requirements and recording additional data during the onboarding journey. This allows them to further understand how consumers interact with their platform. This includes comparing purchase volumes and asset types of consumers in different categories. 

The best firms that we saw have a clear and defined plan of how they will use the data captured. We saw that one firm used this data to identify misleading wording in the onboarding journey and amended it to remove ambiguity. However, most firms were not able to detail how they would use the captured data to improve the customer journey.

Examples of good practice

  • Capturing real-time data of frictions during onboarding and using this to improve the journey and ensure the frictions are working effectively.
  • Incorporating data analysis into reporting at various levels, including Board, to enable continuing monitoring and improvements.

Examples of poor practice

  • Not having a clearly defined path of how to use data recorded.
  • Being unable to identify or produce recorded information quickly and reliably.
  • Not taking reasonable steps to verify the accuracy of data provided.

4. Due diligence on cryptoassets

Due diligence is a key component of the financial promotions regime. To help firms understand their obligations, we set out guidance in FG23/3 on conducting due diligence before communicating a financial promotion. This covered due diligence on both the cryptoasset or cryptoasset service being promoted and claims made in the promotion.

We reviewed both firms’ approach to due diligence for cryptoassets and services they promoted, and how they used the due diligence. We also reviewed due diligence specific to cryptoassets that claim a form of stability.

4.1. Approach to conducting due diligence

Most firms we reviewed had processes to conduct due diligence before they promoted the cryptoassets.

Most firms’ approach to due diligence considered the topics covered in FG23/3. The best firms had carefully considered the topics covered in FG23/3 and also considered additional topics relevant to the specific cryptoassets they were promoting. For example, developing their own risk taxonomies for cryptoassets to identify material risks or issues of concern.

For some firms due diligence seemed unduly focused on whether the cryptoasset amounted to a security in certain jurisdictions, rather than being tailored to UK regulatory requirements. The best firms considered a wider range of factors as part of their due diligence, such as consumer protection, financial crime and operational risks. A few firms had a thorough approach to considering operational and technological risks, such as having specialist teams review smart contract code and network stability.

One firm believed, incorrectly, that it did not need to conduct due diligence on cryptoassets. Another firm believed, incorrectly, that it did not need to consider environmental, social or governance factors when conducting due diligence.

The best firms clearly showed how and when they would reject and not promote a cryptoasset for failing to meet their due diligence requirements and their risk appetite for promoting cryptoassets. For example, one firm was able to clearly explain the various stages of their due diligence process and how this resulted in them promoting less than 10% of the cryptoassets they reviewed. The least effective firms were unable to explain how and when a cryptoasset would fail their due diligence requirements and were unable to explain their risk appetite for promoting cryptoassets.

Most firms primarily relied on publicly available information when conducting due diligence. For example, information in the white paper, provided by the issuer/foundation behind the cryptoasset, or gathered from news services. The best firms considered information from a wide range of sources, combining on-chain and off-chain information with information from specialist third parties. Firms should consider the suitability of relying on information provided by specialist third parties on a case-by-case basis.

The least effective firms were unable to clearly show how they verified information and appeared to take information at face value.

Most firms we reviewed primarily focused due diligence at the point when first deciding whether to promote the cryptoasset. There was a risk that these firms considered due diligence to be a ‘once and done’ process. Firms had given less thought to how they would conduct due diligence on an ongoing basis. For example, what systems and controls would be required to monitor cryptoassets for market events that would materially impact the fairness of promotions including in light of the risk profile of the cryptoasset.

Examples of good practice

  • Carefully considering the topics covered in FG23/3 and also considering additional topics relevant to the specific cryptoassets being promoted.
  • Having clear criteria for when a cryptoasset would fail the due diligence process. 
  • Thorough processes for considering operational and technology risks, such as reviewing smart contract code and network stability.
  • Considering information from a wide range of sources, combining on-chain and off-chain information with information from specialist third parties. 

Examples of poor practice

  • Incorrectly believing due diligence on cryptoassets is not required or not considering ESG factors as part of the due diligence, as outlined in FG23/3.
  • Excessive focus on whether the cryptoasset amounts to a security in certain jurisdictions, rather than being tailored to UK regulatory requirements.
  • Being unable to explain how and when a cryptoasset would fail their due diligence requirements and unable to explain their risk appetite for promoting cryptoassets.
  • Being unable to show how information from the issuer or foundation behind the cryptoasset had been independently verified.
  • Not considering how to conduct due diligence on an ongoing basis. For example, not considering what systems and controls would be required to monitor cryptoassets for market events that would materially impact the fairness and accuracy of promotions or the risk profile of the cryptoasset. 

4.2. Use of due diligence

Due diligence has a purpose. It is not a tick box exercise but should be a key tool in guiding firms’ decision making regarding a cryptoasset.

The weakest aspect of most firms we reviewed was their inability to clearly show how they used their due diligence to inform their decision making.

Most firms primarily used their due diligence to inform a binary decision on whether to promote the cryptoasset. The best firms also showed how they used information gained in the due diligence process to inform consumers about the specific cryptoasset being promoted. For example, creating detailed risk disclosure documents specific to each cryptoasset. One firm was in the process of developing a system that would automatically scan the news for information that could materially affect the fairness of promotions, and automatically identify which promotions may need to be amended.

The firms that displayed the poorest practice did not appear to consider that the information gained during the due diligence process would be relevant to disclose to consumers to ensure compliance with our rules. For example, information gained on the concentration of token holdings. These firms were often unable to show how they used the information gathered in the due diligence process, such as how due diligence could inform the following decisions:

  • How the cryptoasset should be promoted.
  • Whether certain communication mediums, such as social media, are appropriate for promoting the cryptoasset.
  • How to disclose information gained during the due diligence process and the most effective way of doing so to help consumers make informed investment decisions.
  • Whether their appropriateness assessment needs to be changed to assess consumers’ knowledge and understanding of specific risks identified by due diligence.

Firms that displayed the poorest practice did not appear to consider that omitting information, including that gained during due diligence, can result in financial promotions being non-compliant with our rules.

Examples of good practice

  • Using information gained in the due diligence process to inform consumers about the specific cryptoasset being promoted.
  • Having systems to automatically flag events that might impact the fairness of promotions and the specific promotions that may be affected. 

Examples of poor practice

  • Not considering the full range of decisions that due diligence can help inform.
  • Not considering how omissions of information may lead to promotions that are non-compliant with our rules.

4.3. Due diligence on cryptoassets that claim a form of stability

Given their unique risk profile, we specifically reviewed firms’ approach to due diligence on cryptoassets that claim a form of stability.

The best firms had considered the risks specific to this type of cryptoasset and carried out thorough due diligence to assess any claims of stability. For example, conducting due diligence on the nature of the stabilisation mechanism, the quality of backing assets, how any backing assets are custodied, the regulated status of the issuer and the issuer’s redemption policy.

Firms that displayed the poorest practice did not appear to have robust processes for conducting due diligence on this type of cryptoasset. For example, they were promoting certain cryptoassets as stable despite them not maintaining a stable value, which is in breach of our rules. These firms did not appear to be actively monitoring the stability of these cryptoassets or considering a range of information sources, including reports by specialist third parties, that highlighted significant weaknesses in the stability mechanism of the cryptoassets they were promoting.

Firms that displayed the poorest practice were also promoting cryptoassets whose stability mechanism primarily relied on an algorithm or reserves of other cryptoassets as stable. These firms did not appear to consider that this could result in their promotions being non-compliant with our rules.

The good and poor practice previously noted is also relevant to this type of cryptoasset. In particular, regarding monitoring for market events that could affect the fairness of promotions or risk profile of the cryptoasset.

Examples of good practice

  • Considering the due diligence required specifically for cryptoassets that claim a form of stability.
  • Conducting thorough due diligence to assess any claims of stability. For example, conducting due diligence on the nature of the stabilisation mechanism, the quality of backing assets, how any backing assets are custodied, the regulated status of the issuer and the issuer’s redemption policy. 

Examples of poor practice

  • Promoting cryptoassets as stable despite them not maintaining a stable value, which is in breach of our rules.
  • Not actively monitoring the stability of these cryptoassets or considering specialist reports by third parties on the weaknesses in the stability mechanism of the cryptoassets they were promoting.
  • Promoting cryptoassets whose stability mechanism primarily relies on an algorithm or reserves of other cryptoassets as stable, which is in breach of our rules.

5. What firms need to do

We have given individual feedback to all the firms involved about the areas they need to improve. We expect firms offering qualifying cryptoassets to retail clients, and firms approving financial promotions under s21 FSMA, to consider these examples and any changes they need to make to their practices to meet our expectations and improve consumer outcomes.

Firms communicating, or approving financial promotions, must make sure they have strong systems and controls for compliance in place. Firms should not rely on comparisons with industry peers to benchmark what is acceptable practice, and we urge all firms to read our good and poor practice and work proactively with us to continue to improve standards across the sector.