Finnovation.UK

FCA Registrations: Uncovering the Pitfalls for Crypto Firms

As confirmed in the FCA’s Annual Report 2023/24, over 87% of crypto registration applications were withdrawn, rejected or refused for weak money laundering controls over the 12-month reporting period (year ended 31st March 2024). In total, this means that although over 350 crypto firms have sought money laundering registration since the FCA began overseeing the crypto sector and registering firms under the UK’s AML rules, just 44 crypto firms have been successful.

This poses a real challenge for crypto firms wanting to serve UK customers from within the UK. The FCA sets out its expectations and provides guidelines on good and poor practice for those writing their applications, yet clearly something is going wrong.

Recognising that there are challenges on both sides - some crypto companies report that the application process is interrupted by long wait times and that they receive limited feedback - the result either way is that the success rate is low and that crypto firms either give up, or seek registration outside the UK, with a small number persevering to see the process through to completion.

It is true that the FCA sets high standards, particularly with regard to consumer protection - this is what you would expect from the UK regulator. However, a robust [AML] compliance and risk management framework, supported by an appropriately skilled (and resourced) team, including experienced senior management, is essential to operate in the crypto space in the UK.

Without these key elements in place, registration success is unlikely. It wouldn’t be unreasonable to observe that the FCA errs more extremely on the side of caution with these applications, given some of the perceptions of higher risks associated with crypto firms, and so crypto firms have to make every effort to demonstrate that they take compliance seriously.

Below are the primary reasons why so many crypto firms face rejection during the registration process and some suggestions as to how they can be addressed.

1. Inadequate Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Controls

  • Weak AML Procedures: One of the most common reasons for rejection is the failure of firms to demonstrate robust anti-money laundering (AML) and counter-terrorist financing (CTF) systems and controls. Crypto firms have tended to deal with pseudonymous transactions and identities, which is more likely to increase the risk of money laundering. Crypto firms potentially have to work harder to demonstrate stringent customer and business risk assessments and controls and to prove to the regulator that their AML policies and procedures are sufficiently robust.

  • Insufficient Customer Due Diligence (CDD): Firms may lack proper Know Your Customer (KYC) processes to verify customer identities, assess risk profiles, and monitor transactions for suspicious activity. There are a number of innovative solutions available, many of which can be embedded into platform registration processes to enable a smooth process without detriment to the user experience; and so this is a relatively easy requirement to address, albeit it of course comes at a financial cost to the crypto firm.

  • Inadequate Transaction Monitoring: The FCA expects firms to have automated systems that can effectively monitor and flag suspicious transactions, particularly for large or unusual crypto transfers. Many firms fail to demonstrate sufficient tools or resources for this. Again, there are plenty of tools that enable automated (AI-driven) real-time monitoring and reporting, but firms have to be willing to invest and integrate these solutions from the outset.

  • Failure to Meet Reporting Obligations: Some firms do not have appropriate procedures to report suspicious activities to the UK's National Crime Agency (NCA) or maintain proper records of AML-related activities. A suitably qualified MLRO should be able to take the lead on this.

2. Poor Governance and Compliance Frameworks

  • Lack of Senior Management Oversight: The FCA requires crypto firms to have competent and experienced leadership. A lack of experienced senior management with a clear understanding of regulatory requirements and the absence of a suitably experienced compliance officer can lead to rejections. 

  • Weak Governance Structures: Some crypto firms do not have appropriate internal structures in place, such as clear accountability, risk management processes, or internal compliance departments. Get this right from the outset - embedding good governance practices into your business operations will demonstrate to the FCA that you are “ready, willing and organised” and will also stand you in good stead as your business grows.

  • Failure to Appoint a Money Laundering Reporting Officer (MLRO): The FCA requires firms to appoint a suitably qualified and experienced MLRO to oversee their AML efforts. Firms often fail to show they have this essential role covered. This is really important - so make sure you seek a strong background and relevant experience, and ensure that this role is fulfilled by a dedicated MLRO with sufficient capacity (and not a person that is spread too thinly across other areas).

3. Inadequate Risk Management and Operational Controls

  • Insufficient Risk Assessments: Firms are required to regularly assess risks related to money laundering, fraud, and other financial crimes. Many applications are rejected because firms fail to present a thorough risk management framework or adapt to changing risks in the crypto market. Work through your end-to-end processes, including data and money flows, and highlight those areas of risk. Incorporating this thought process into all business model and product design will help you to identify those areas in need of scrutiny.

  • Operational Weaknesses: Crypto firms may have vulnerabilities in their IT infrastructure, cybersecurity, and operational resilience, all of which can be flagged by the FCA as concerns. Given the high risk of hacking and data breaches in the crypto space, the FCA expects firms to have robust systems to protect both operations and consumer data.

  • Lack of Adequate Capital: The FCA assesses a firm’s financial resources to ensure they can operate sustainably and meet their obligations to customers. Many crypto firms struggle to meet these capital adequacy requirements. This is an important consideration before applying for registration - make sure that you are financially ready.

4. Failure to Meet the "Fit and Proper" Test

  • Inadequate Background of Key Individuals: The FCA applies a “fit and proper” test to senior management, directors, and controllers of crypto firms. Rejections can occur if individuals have a history of regulatory breaches, criminal convictions, or lack relevant experience. Bear in mind also, that the FCA requires the “mind and management” of a regulated firm to be in the UK, so at least 50% of your executive team should be UK based.

  • Lack of Relevant Experience: Senior managers often lack sufficient experience in regulation, which raises concerns about their ability to manage the firm’s compliance with regulatory obligations. Do not underestimate the impact that one or more executives or senior managers with a background in risk and compliance can have on your firm’s credibility and regulatory confidence. 

5. Poor Documentation and Incomplete Applications

  • Incomplete Submissions: Many applications are rejected simply because they are incomplete, poorly prepared, or lacking sufficient detail in key areas like risk management, AML policies, or internal controls. Take the process seriously, seeking external support if you do not have licence application experience internally. This is likely to be your first contact with the regulator and it is important to make a good first impression.

  • Inadequate Business Plans: The FCA expects crypto firms to submit clear and detailed business plans that outline how they will operate in a compliant manner. If the business plan is vague or unrealistic, and with inadequate details regarding risk appetite and management, the FCA is likely to reject the application.

  • Lack of Transparent Operating Models: Some firms fail to provide transparent and detailed explanations of their operating models, including how they manage customer funds, conduct due diligence, or mitigate risks. The FCA views this as a major compliance gap. Indeed, providing information that is difficult for the FCA to navigate or to understand will not give the FCA confidence that your business can operate compliantly.

6. Insufficient Adaptation to Regulatory Expectations

  • Unwillingness to Adapt: Some firms fail to adjust their business models to meet the FCA’s stringent regulatory expectations. For instance, if a firm continues to rely on lax or outdated practices that are insufficient in the context of the regulatory requirements, its application is likely to be rejected. An example is the financial promotion rules for cryptoasset firms that came into effect in October 2023, requiring firms to include risk warnings in their promotions, to ensure that marketing material is clear and balanced, and to follow approval processes for promotions targeted at retail customers.

  • Poor Understanding of UK Regulations: Many crypto firms, especially those operating internationally, may not have a deep understanding of the specific requirements in the UK. This can lead to non-compliance and rejection. Firms should seek legal advice and engage a sufficiently experienced compliance consultancy or compliance officer to support.

The FCA's high rate of rejection for crypto firms reflects its rigorous approach to protecting consumers and ensuring that the market is not exposed to financial crime. Crypto firms wishing to succeed with their FCA applications need to demonstrate strong governance, robust AML controls, and a commitment to protecting consumers, while also adapting to the evolving regulatory landscape, ensuring that they are sufficiently resourced and supported as they develop their risk management frameworks.