On the 10th January 2020 the UK transposed the EU's 5th Anti – Money Laundering Directive ('5MLD') into domestic law via the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 ('the 2019 Regulations'), updating the 2017 Regulations and extending the scope of persons subject to anti-money laundering laws to include: Virtual Currency Exchange Platforms ('VCEP') and Custodian Wallet Providers ('CWP').
The 2019 Regulations define cryptoassets as “ a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically”. This definition is wider than the 5MLD and captures exchange, security and utility tokens. For the purposes of the 2019 Regulation VCEP activity covers peer-to-peer providers, cryptoasset Automated Teller Machine (ATM), issuing new cryptoassets e.g. an Initial Coin Offering (ICO) or Initial Exchange Offering (IEO). Firms that fall into these categories as defined are 'relevant persons' obliged to comply with the UK's anti – money-laundering regime.
While many virtual currency and wallet providers already require customers to verify their identities, transactions using crypto currencies often allow a degree of anonymity allowing some to exploit this as a means to transfer illicit funds without detection.
In 2019 the Financial Action Task Force (FATF) introduced the Travel Rule, which required Cryptocurrency firms registered in an EU Member State to disclose customer information on transfers over $1,000. The 2019 Regulations go further. This article will summarise the impact of anti-money laundering laws on cryptoasset companies operating in the UK.
Anti- money laundering requirements (AML)
- Risk assessment and controls: VCEPs and CWPs must take appropriate steps to assess the risks of money laundering and terrorist financing within its business activities. Its customers, the countries in which it operates, its transactions, its services and its delivery channels, should all be considered when assessing money-laundering risks. Where the assessment of these factors indicate the need for controls, these should be proportionate and appropriate according to the size and nature of the business. Controls must include, but not limited to, senior management oversight, employee training, an independent audit and where appropriate the appointment of a 'relevant person'. All systems, policies and procedures should be risk based; meaning resources should be focused in areas that present the greatest threat of money laundering and terrorist financing. All steps taken must be recorded in writing.
- Customer Due Diligence ('CDD'): With a focus on greater data sharing and enhanced transparency, the 2019 Regulations require European Financial Intelligence Units (FIUs) to have access to addresses and owners of virtual currency. This means the cryptocurrency industry will need to apply "know your customer" (KYC) and CDD on all new and pre-existing customers. CDD will need to be sufficient to demonstrate the beneficial owners. They will need to identify and verify the transacting parties; and monitoring and reporting mechanisms need to be in place for suspicious transactions. Existing CDD and KYC processes will need review to ensure continuing compliance and adherence to a risk based approach.
- Enhanced Due Diligence: In addition to CDD there is an obligation to apply enhanced customer due diligence. The 2019 Regulations extend EDD to transactions that are complex, or unusual. Other triggers include high risk third countries (as identified by the EU Commission), transactions at risk of money laundering or terrorist financing, dealings with Politically Exposed Persons ('PEPs'), and upon discovery of false identification. In such circumstances, a cryptoasset firm should adopt a KYC process that provides a greater level of scrutiny. This may include obtaining additional information about the client, source of wealth and understanding the indented use of the performed transactions
- Simplified Due Diligence: Where circumstances present a lower risk of money laundering and terrorist financing, simplified customer due diligence may be adopted. For instance if a customer is a publicly owned enterprise, resident in a geographically lower risk area or a company with securities listed on a regulated market. Whilst cryptoasset businesses will still need to conduct KYC, the rules are less stringent and a client's identification may be supported by fewer documents. However, if at any point there is any indication of a higher risk of money laundering or terrorist financing, the appropriate CDD must be applied.
- Record keeping: To enable swift compliance with information requests from the FCA or FIUs, documents obtained by the firm for CDD purposes, need to be maintained for at least five years after the business relationship has ended, or after the date of the transaction.
- Identification of Beneficial Ownership: When entering into a relevant transaction (i.e. a transaction that would ignite the CDD process) with a body corporate, or a specified trust, VCEPs and CWPs must take steps to identify its beneficial owners.
- Reporting: Cryptoasset businesses must report suspicious transactions, and file Suspicious Activity Reports (SARs). Firms will need to appoint a nominated officer to review suspicious transactions. This obligation is now more stringent as a result of the FIU's extended powers under the 2019 Regulation to access information from VCEPs and CWPs regardless of any pre-existing SAR.
- There is a requirement that all relevant entities are to be registered with a supervisory body and the FCA are the appointed the supervisory body for cryptoasset businesses. Therefore, any new cryptoasset business set up after 10th January 2020 must be registered with the FCA before they commence any activity. For existing cryptocurrency businesses, the date of registration is extended to 10th January 2021. The FCA must refuse to register an applicant if they are not 'fit and proper' to carry on the business of a VCEP or CWP.
- The FCA have additional powers, which include directing a business to remedy compliance failures, requiring a business to provide the FCA with information, and the power to require disclosure to customers. The disclosure element relates to cryptoasset dealings, which do not fall within scope of the Financial Ombudsman Services, or the Financial Services Compensation Scheme. Where a 'relevant person' has been appointed, this should be disclosed to the FCA who will maintain a register for information sharing purposes.
- The FCA operates a risk-based approach. Any dealing or transaction considered more risky than usual will be under tighter scrutiny. Where there is non-compliance the business could be subject to a number of enforcement options by the FCA including injunctions, investigations, fines, suspension and even criminal prosecutions.
For a more general overview of the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 follow this link: https://www.fieldfisher.com/en/insights/new-uk-aml-law-now-in-force
With special thanks to Thomas McEvilly, trainee solicitor, for his contribution to this blog.