CryptoUK and members respond to the HMT consultation on improving the effectiveness of the Money Laundering Regulations.
Regulatory Engagement & Advocacy
  • Natalie Hall
  • 6 June, 2024

CryptoUK (“CUK”, “we”) and our members welcome the opportunity to comment on possible improvements to the effectiveness of the Money Laundering Regulations (“MLRs”). CUK is the United Kingdom (“UK’s”) self-regulatory trade association representing the cryptoasset sector. Our members comprise leading companies from across the sector.

In responding to the Consultation Paper, we set out the views of our members and others in the community. We seek to offer pragmatic and relevant suggestions as to how we believe the MLRs could be revised to increase effectiveness and ensure proportionality for both regulated firms and customers, whilst still enabling businesses to identify and prevent money laundering and terrorist financing.

Our primary focus in response to this Consultation has been those questions that relate to the treatment of cryptoassets and cryptoasset services providers (specifically questions 44 to 48 in Chapter 3 and questions 1 to 19 in Chapter 1), however we have also considered a number of additional questions in Chapter 2 (questions 26 to 34) and Chapter 3 (questions 35 to 40).  Our response to these questions is set out in order of priority below.  We have included a summary of our overall position as well as some specific points and recommendations that should be considered alongside our comments and answers throughout this response document.

Overall position 

We believe that the recommendations are generally appropriate, however our comments in this response are subject to detailed draft rules being released. Until further information is released, we are not able to give a full response, and any future draft rules may raise additional points that we would then wish to address.

As a further general point, we believe that the relevant authorities, including the FCA, should release further guidance on the MLRs at all stages of this process, including after the revisions have been implemented.  A higher degree of granular and practical guidance would benefit industry participants by clearly establishing the FCA’s expectations and guiding principles and providing firms with certainty around how to implement this crucial regime. The relevant authorities should also continue to support and validate key industry guidance sources, such as materials published by the JMLSG.

Specific points / recommendations

 

As we previously raised in our response to Discussion Paper DP23/4, a key concern is that the FCA will ultimately not take a ‘same risk, same regulatory outcome’ approach – i.e. where a digital asset firm faces the same type and level of risk as a traditional finance firm, then the level of regulation should be equivalent and not any more onerous than that which applies to the traditional finance sector. At the same time, we would stress that the FCA should take into account the increased level of reliance on technology, and the expanded capabilities that technology grants to firms that incorporate and implement technology in their products and services. It is important that the authorities recognise that technological solutions can result in a correspondingly lower degree of risk and in the achievement of the desired regulatory outcomes.

We have identified a number of instances where a firm that is currently registered under the MLRs and is required to transition to FSMA, or is required to become regulated under both FSMA and the MLRs, will face an increased regulatory and compliance burden. The relevant authorities, including the FCA, should consider whether there is an approach that will appropriately reduce the regulatory burden to a level that is consistent with the risks a firm poses and/or takes into account the controls it is required to implement under other regulatory regimes, e.g. allowing a firm that is authorised under FSMA to undertake a ‘streamlined’ MLR registration process or removing the requirement for a firm to be regulated under the MLRs entirely where it has been authorised under FSMA.

All processes implemented as a result of these changes should include mechanisms to allow for ongoing review and assessment of the appropriateness of each process as technology and the industry evolve.

Priority Consultation Questions

Chapter 3: Providing clarity on scope and registration issues

Change in control for cryptoasset service providers

  1. Do you agree that the MLRs should be updated to take into account the upcoming regulatory changes under FSMA regime? If not, please explain your reasons.

We agree that the MLRs should be updated to take into account the upcoming regulatory changes under FSMA. The focus of the changes to the MLRs should be to ensure consistency with FSMA and to ensure coherence across all regimes applicable to cryptoassets and cryptoasset providers.  We would also stress that the principle of ‘technology neutrality’ should be taken into account when updating the MLRs, as well as the principle of ‘same risk, same regulatory outcome’. Digital assets are not inherently more risky than traditional finance products, and, in fact, the sensible implementation of technological solutions that underpins the digital asset industry can actually reduce the risk associated with the purchase and sale of digital assets compared to other types of financial instruments. If the FCA could address this concern by providing further guidance and clarity on this point, it would be a welcome contribution to the discussion about any proposed regulation within the UK.

There are a number of potential unforeseen consequences that we would appreciate the FCA confirming they have addressed. For instance, where a platform provided is authorised under FSMA, it would be onerous and duplicative to require that party also to register under the MLRs. Where a product or service is regulated under FSMA and the MLRs, authorisation under FSMA should be sufficient to allow an entity to offer products and services without needing to obtain a separate registration.

It is also important that there is a sufficient degree of clarity on the activities that will be subject to registration under the MLRs once the amendments to FSMA have entered into force. Specifically, we would like to ask for more clarity in relation to both overseas firms and NFTs (or any scenario) for non-financial services.

We observe that overseas firms are currently not subject to MLRs, and would suggest that this remains true after the upcoming changes under FSMA.

We wish to caution against the scope of MLRs inadvertently or deliberately being expanded to include scenarios where there is no financial value or transference of wealth. MLRs should only apply to a financial service/financial instrument, and these should be clearly defined with guidance on exclusions.

With respect to non-financial NFTs, in particular, our members believe that these should not be subject to FSMA, since they are not within scope of the regime and the merits for bringing them in scope are debatable when considering the level of ML/TF risks associated with this type of asset. If non-financial NFTs are brought within scope of the MLRs there is a risk that overseas parties will decide that the regulatory burden for operating and offering services within the UK will be severely limited, with logical impacts on the range of products and services available for offer in the UK (and flow-on effects for UK-based consumers).

In order to illustrate the reasoning for excluding non-financial NFTs, we’d like to offer specific examples. Consider the three following scenarios:

  • Scenario 1: Tickets to an event are issued in the form of NFTs whereby each NFT grants access to the event just like a paper ticket would. They are part of a large series and can be transferred.
    • They do not fit the criteria of any financial services.
  • Scenario 2: To commemorate customers’ participation in a special event, a company issues identical paper postcards to each customer who attended. The postcards are simple tokens of appreciation and have no intrinsic financial value at the time of distribution.
    • Under current regulations, such simple tokens (tangible and intangible) do not meet the criteria of regulated instruments.
  • Scenario 3: Take all the same elements of Scenario 2 and transpose them into a digital version/token of appreciation. Identical NFTs are issued as tokens of appreciation instead of physical postcards. Like the physical postcards, these NFTs have no inherent financial value at the time of distribution and are merely a digital representation of appreciation.
    • If MLRs are applied solely based on the underlying technology, then event organisers who choose to use blockchain technology are obligated under MLRs.
    • However, issuers who use traditional paper or an electronic format with QR codes or barcodes are not subject to MLRs for the otherwise exact same use case.
    • This example illustrates that the principle of ‘technology neutrality’ is undermined under the proposed regulations.
  1. Do you have views on the sequencing of any such changes to the MLRs in relation to the upcoming regulatory changes under the FSMA regime? If yes, please explain.

The sequencing would need to take into account those entities that are currently registered under the MLRs, who will now need to transition to FSMA. We suggest that it would be preferable to reduce the number of firms currently registered under MLRs that would need to also transition to FSMA.

  1. Do you agree that this should be delivered by aligning the MLRs registration and FSMA authorisation process, including the concepts of control and controllers, for cryptoassets and associated services that are covered by both the MLRs and FSMA regimes? If not, please explain your reasons.

We agree that this should be delivered by aligning the MLRs registration and FSMA authorisation process. The notion of ‘control’ is more relevant than the notion of ‘beneficial ownership’, taking into account that the FCA’s intention is to assess the fitness and propriety of those persons who effectively control a licensed entity.  However the transition should be kept as simple as possible, considering the large number of natural persons who will be affected.

  1. In your view, are there unique features of the cryptoasset sector that would lead to concerns about aligning the MLRs more closely with a FSMA style fit and proper process? If yes, please explain.

Where a cryptoasset provider is a centralised entity with a ‘traditional’ corporate structure, there are no unique corporate or commercial features that might lead to concerns about aligning the MLRs more closely with a FSMA-style ‘fit and proper’ process. However, where a cryptoasset provider is decentralised or does not have a traditional corporate structure, there may be difficulties in applying the FSMA-style approach. On that basis, we would recommend that this process should include a mechanism to allow for ongoing review and assessment of the appropriateness of this process.

We consider that this is not a scenario that is unique to cryptoasset businesses, and this appears to be a situation where cryptoasset businesses are held to a higher standard despite not necessarily facing a higher standard of risk. It appears to us that the interpretation taken is that a higher degree of utilisation of technology results in higher risk, which is not the case (and in fact utilising tech in a sensible and effective manner may actually reduce risk). This process should therefore be applied to all businesses, regardless of industry, where this risk is identified. Otherwise a more onerous standard is imposed on cryptoasset providers regardless of the actual degree of risk, which is contrary to the FCA’s principle of ‘same risk, same regulatory outcome’.

  1. Do you consider there to be any unintended consequences to closer alignment in the way described? If yes, please explain.

Firms that are currently registered under the MLRs will, of course, need to transition to the new regime, as part of which they will be required to complete all necessary declarations and tests  of fitness and propriety.

A possible consequence of closer alignment between the regimes is that this change may not have the practical effect of making the UK more attractive to cryptoasset providers. If the regulatory burden is increased in the proposed manner without a corresponding benefit to consumers and the digital ecosystem generally, there is a risk that cryptoasset providers will elect not to participate in the UK market. This will especially be the case if the transition process and authorisation processes are not adequately resourced, resulting in extensive delays in the authorisation process. This would reduce innovation, increase the barriers to market, and ultimately suppress competition. This would then have the effect of allowing established UK-entities to create monopolies on the UK digital ecosystem, which serves to increase consumer risks and costs, rather than to protect consumers.

Chapter 1: Making customer due diligence more proportionate and effective

  1. Are the customer due diligence triggers in regulation 27 sufficiently clear?

We believe that the customer due diligence triggers in regulation 27 are sufficiently clear.

  1. In your view, is additional guidance or detail needed to help firms understand when to carry out ‘source of funds’ checks under regulation 28(11)(a)? If so, in what form would this guidance be most helpful?

We believe that the guidance in JMLSG 5.7 is sufficiently adequate and clear.

  1. Do you think the wording in regulation 28(10) on necessary due diligence on persons acting on behalf of a customer is sufficiently clear? If not, what could help provide further clarity?

We do not think the wording in regulation 28(10) is sufficiently clear in of itself and instead the understanding of it is highly reliant on guidance. In our view, there is an absence of relevant guidance on this regulation for the cryptoasset industry. This being said, we believe that the JMLSG guidance is the appropriate place for any additional guidance to be provided, rather than including this guidance within the MLRs itself.

A higher degree of certainty would exist for crypto industry participants if it was explicit that a person acting on behalf of a customer should be subject to the same levels and type of due diligence as if they were a direct client. This would ensure a consistent approach and reduce the burden on industry participants.

  1. What information would you like to see included in published digital identity guidance, focused on the use of digital identities in meeting MLR requirements? Please include reference to the level of detail, sources or types of information to support your answer.

We believe it is too early to produce specific, detailed guidance in respect of this area. Technology is evolving and being adopted at an exponential rate, and any guidance needs to take this into account and ‘future-proof’ against unforeseen types of technology that may be developed in the future. There would also need to be a mechanism for the guidance to be revisited on a regular basis, as well as on an ad-hoc basis as technology evolves.

Any guidance that is published needs to be clear and consistent as to the FCA’s expectations regarding digital identity. There should be a distinction between general principles and specific requirements, and the FCA should consult with industry specialists on how both general principles and specific requirements may be met via technology solutions.

  1. Do you currently accept digital identity when carrying out identity checks? Do you think comprehensive guidance will provide you with the confidence to accept digital identity, either more frequently, or at all?

Our members have confirmed that some do opt to accept digital identity checks. In some cases they use third-party tools. We do not view the use of such tools as true outsourcing because the due diligence and decision-making rests with our members and not the tools providers. For clarity, we would like to confirm that the FCA views these tools in the same way.

More comprehensive guidance and clarity on existing guidance from the FCA would be extremely helpful, however any guidance released cannot be too prescriptive. Otherwise, there is a risk that the guidance would not remain appropriate as technology evolves and is adopted more widely by industry participants.

  1. Do you think the government should go further than issuing guidance on this issue? If so, what should we do?

As set out above, further guidance is needed but this should be provided in a manner that is not overly prescriptive. The focus of any further guidance should be on improving the customer journey and emphasising education and resources for the customer.

  1. Do you think a legislative approach is necessary to address the timing of verification of customer identity following a bank insolvency, or would a non-legislative approach be sufficient to clarify expectations?

We have not considered this question, as it is not relevant to our members.

Q8. Are there other scenarios apart from bank insolvency in which we should consider limited carve-outs from the requirement to ensure that no transactions are carried out by or on behalf of new customers before verification of identity is complete?

We have not considered this question, as it is not relevant to our members.

  1. (If relevant to you) Have you ever identified suspicious activity through enhanced due diligence checks, as a result of the risk factors listed above? (Regulations 33(6)(a)(vii), 33(6)(a)(viii) and 33(6)(b)(vii)). Can you share any anonymised examples of this?

The risk factors listed are not generally relevant to CUK members.

  1. Do you think that any of the risk factors listed above should be retained in the MLRs?

These risk factors should be retained in the MLRs, and if possible may be supplemented by further risk factors agreed between the FCA and industry participants.

  1. Are there any other risk factors for enhanced due diligence, set out in regulation 33 of the MLRs, which you consider to be not useful at identifying suspicious behaviour?

There are no risk factors that CUK would add to reg.33 at this time. However, now that the cryptoasset industry is more well-established and well-understood by consumers, participants and regulators, we would encourage the FCA to engage in ongoing dialogue with industry participants to ensure that the relevancy of individual risk factors can be discussed and assessed on an ongoing basis.

  1. In your view, are there any additional risk factors that could usefully be added to, for example, regulation 33, which might help firms identify suspicious activity?

These risk factors are generally appropriate.

  1. In your view, are there occasions where the requirement to apply enhanced due diligence to ‘complex or unusually large’ transactions results in enhanced due diligence being applied to a transaction which the relevant person is confident to be low-risk before carrying out the enhanced checks? Please provide any anonymised examples of this and indicate whether this is a common occurrence.

As many firms still use fixed monetary thresholds to determine what is a ‘large’ transaction without consideration of the client’s risk profile or usual patterns of activity, it is a common occurrence for transactions to be flagged that may be large with respect to that individual customer without being unusual for that firms’ customers when considered holistically. This is especially true considering crypto and digital assets allow for microtransactions with a higher degree of frequency than traditional financial institutions. Technology solutions are being developed to allow for a more intuitive and effective approach that takes into account other considerations, however this is a work in progress. In the interim, further guidance and practice guides setting out the FCA’s principles and expectations would be valuable.

It would also be valuable for the FCA to consider whether there are any parallels between traditional financial institutions and cryptoasset providers. Cryptoasset providers should be treated equivalently to traditional financial institutions, and where technological solutions represent a lower degree of risk, this should be acknowledged and taken into account by the FCA.

  1. In your view, would additional guidance support understanding around the types of transactions that this provision applies to and how the risk-based approach should be used when carrying out enhanced checks?

Yes, for the reasons stated above. A greater range of risk triggers should be developed, and more guidance should be set out within the legislation. The FCA should engage with JMLSG and industry bodies to encourage input and dialogue from parties who will be putting this regime into practical effect.

  1. If regulation 33(1)(f) was amended from ‘complex’ to ‘unusually complex’ (e.g. a relevant person must apply enhanced due diligence where… ‘a transaction is unusually complex or unusually large’): • in your view, would this provide clarity of intent and reduce concern about this provision? Please explain your response. • in your view, would this create any problems or negative impacts?

Making this change to the regulation would be useful, however FCA guidance would be more useful considering this is a subjective concept that requires case-by-case consideration. Further guidance on how the principle of a ‘complex’ transaction should be treated, including what factors should be taken into account in what scenarios, would be more useful.

The FCA must also recognise that firms will exercise their discretion taking into account the firm’s experience with the specific client and the industry in general, as opposed to the FCA’s discretion which is usually applied at a higher level and without the same degree of granular knowledge as an industry participant. There may be a discrepancy when considering whether a transaction is unusual for the industry participant’s client, as opposed to whether a transaction is unusual taking into account the market as a whole. EDD should be applied in circumstances where a transaction is unusual in an industry participant’s experience, as the alternative (whether a transaction is unusual in the FCA’s experience) would result in firms being subject to an unreasonable and onerous burden.

The industry would also benefit from further qualification of the phrase ‘unusual’. It is our view that the implementation and adoption of technology in the digital assets sector has resulted in a lower level of opaque ownership and transactions compared to the traditional finance sector. On application of the FCA’s ‘same risk, same regulatory outcome’ approach, the digital assets sector should therefore be subject to a comparatively lower degree of regulation, since ownership can be more easily ascertained due to DLT and a lack of institutional amnesia and legacy systems. The proposed language is therefore addressing a risk that is not industry-specific, however we are concerned that the FCA has taken the view that this risk is specific to the cryptoasset industry.

  1. Would removing the list of checks at regulation 33(3A), or making the list non-mandatory, reduce the current burdens (cost and time etc.) currently placed on regulated firms by the HRTC rules? How?

Requiring businesses to check a range of mandatory factors or elements frequently result in these types of checks becoming ‘tick-box’ compliance exercises. This is not necessarily a negative outcome, since this may result in a more simplified process (especially where the process can be automated). The risk arising from this is that an ‘automatic’ negative outcome may bias commercial decisions, however this risk can be mitigated through implementing a manual review process.

  1. Can you see any issues or problems arising from the removal of regulation 33(3A) or making this list non-mandatory?

Please see our response above.

  1. Are there any High Risk Third Country-established customers or transactions where you think the current requirement to 33 carry out EDD is not proportionate to the risk they present? Please provide examples of these and indicate, where you can, whether this represents a significant proportion of customers/transactions.

As a general principle our members agree that, with the current approach to HRTC, there is a risk that HRTC-established customers or transactions may be  subject to EDD requirements that are completely disproportionate in certain circumstances. .

  1. If you answered yes to the above question, what changes, if any, could enable firms to take a more proportionate approach? What impact would this have?

Firms should be entitled to consider the risk factors present for a particular client on a holistic basis.  This would result in a greater degree of divergence in terms of how firms approach clients and there is a risk that any firm that has a reputation for ‘light touch’ due diligence may attract the majority of ‘bad actors’ in an industry. However, firms could more easily be held accountable if they are required to assess their clients on a case-by-case basis rather than relying on automated lists and risk factors that do not reflect the client’s actual risk profile.

Additional Consultation Questions

Chapter 2: Strengthening system coordination

Information sharing between supervisors and other public bodies

  1. Do you agree that we should amend the MLRs to permit the FCA to share relevant information with the Financial Regulators Complaints Commissioner?

We have not considered this question, as it is not relevant to our members.

  1. Should we consider extending the information-sharing gateway in regulation 52(1A) to other public bodies in order to support system coordination? If so, which public bodies? Please explain your reasons.

We have not considered this question, as it is not relevant to our members.

  1. Should we consider any further changes to the information sharing gateways in the MLRs in order to support system coordination? Are there any remaining barriers to the effective operationalisation of regulation 52?

We have not considered this question, as it is not relevant to our members.

Cooperation with Companies House

  1. Do you agree that regulation 50 should be amended to include the Registrar for Companies House and the Secretary of State in so far as responsible for Companies House

We have not considered this question, as it is not relevant to our members.

  1. Do you consider there to be any unintended consequences of making this change in the way described? Please explain your reasons

We have not considered this question, as it is not relevant to our members.

 

  1. In your view, what impact would this amendment have on supervisors, both in terms of costs and wider impacts? Please provide evidence where possible.

We have not considered this question, as it is not relevant to our members.

Regard for the National Risk Assessment

  1. Do you think the MLRs are sufficiently clear on how MLRregulated firms should complete and use their own risk assessment? If not, what more could we do?

We have not considered this question, as it is not relevant to our members.

  1. Do you think the MLRs are sufficiently clear on the sources of information MLR-regulated firms should use to inform their risk assessment (including the NRA)? If not, what more can we do?

We have not considered this question, as it is not relevant to our members.

  1. One possible policy option is to redraft the MLRs to require regulated firms to have a direct regard for the NRA. How do you think this will impact the activity of: a) firms b) supervisors? Is there anything this obligation should or should not do?

We have not considered this question, as it is not relevant to our members.

System Prioritisation and the NRA

  1. In your view, are there any reasons why the government should retain references to euros in the MLRs?

We have not considered this question, as it is not relevant to our members.

Chapter 3: Providing clarity on scope and registration issues

Currency Thresholds

  1. In your view, are there any reasons why the government should retain references to euros in the MLRs?

The currency thresholds that delimit the inter-cryptoasset business transfers obligations are set in Euros.

We agree that this is beneficial as it aligns UK rules with international FATF (Financial Action Task Force) standards which are expressed in euros and dollars. In fact, the varying global approaches to defining the thresholds that trigger Travel Rule information transmission obligations create challenges for VASPs when transacting internationally – for instance, a transaction could be in scope of Travel Rule requirements for one counterparty and out of scope for the other, due to differences in threshold amounts or relative value of the respective currencies. Therefore, it is undoubtedly beneficial for the UK to align with international standards as closely as possible, especially when defining thresholds for obligations related to inter-cryptoasset business transfers.

Other jurisdictions achieved this result by defining the threshold in local currency, while pegging it to Euro / Dollar (e.g., “obligations apply to transfers that are equal to or exceed the GBP equivalent of 1,000 euros”). This option would be equally effective in aligning UK rules with international standards, while ensuring the definition of the threshold in local currency.

  1. To what extent does the inclusion of euros in the MLRs cause you/your firm administrative burdens? Please be specific and provide evidence of the scale where possible.

Regarding the implementation of inter-cryptoasset business transfer obligations, the choice of currency for the threshold does not significantly impact operations. The value of the cryptocurrencies transacted must always be converted into fiat currency to determine applicable obligations. Whether the conversion is done using Euros or GBP should not affect the operational burden.

  1. How can the UK best comply with threshold requirements set by the FATF?

Please refer to our answer to question 36 above.

  1. If the government were to change all references to euros in the MLRs to pound sterling which of the above conversion methods (Option A or Option B) do you think would be best course of action?

Rather than choosing Option A or B, we propose following the approach outlined in our response to question 36 above. To maintain alignment with FATF standards and avoid deviations based on the relative value of the pound sterling against the Euro or US Dollar, the government should consider pegging the threshold set in pounds to the value of these currencies. This is particularly relevant in the context of inter-cryptoasset business transfers obligations, as further explained in our answer to question 36 above.

  1. Please explain your choice and outline with evidence, where possible, any expected impact that either option would have on the scope of regulated activity.

Please refer to our responses above.

SUBSCRIBE TO OUR NEWSLETTER