Sectoral Anti Money Laundering (AML) Guidance for Crypto Businesses in the United Kingdom

Virtual asset platforms around the world are witnessing scrutiny of various kinds, with money laundering concerns at its helm. Specifically, when it comes to cryptocurrencies, anti-money laundering (“AML”) legislations have often been at their forefront owing to its nascent state in the industry. In the United Kingdom, a recent update in the United Kingdom Anti Money Laundering (“UK AML”) regime has clarified the scope of such scrutiny. The update (later referred to as the CSG) plays a key role to highlight the risk of laundering when dealing with such crypto-assets, and to mitigate the same, cryptoasset firms would be required to register with the Financial Conduct Authority (“FCA”) for supervision under AML regime.

The Joint Money Laundering Steering Group (“JMLSG”) which is an authoritative body for the AML rules had introduced report under its ‘new guidance’ series called Part II: Sectoral Guidance on July 27, 2020 (“Sectoral Guidance Compendium”) that included various guidelines for all sectors to prevent money laundering and combating terrorist financing. Under this, the 22nd sector on the Sectoral Guidance Compendium (“CSG”) dealt with cryptoasset exchange providers and custodian wallet provider. The Sectoral Guidance Compendium in its entirety received Her Majesty’s (HM) treasury ministerial approval on August 19, 2020.

Ambit of Sectoral Cryptoasset Guidance

The CSG are within the scope of UK’s Money Laundering Regulations, 2017 (“MLR”) and now additionally requires the businesses to register with FCA, and the latter is required to consider such guidance to determine if any applicant business has breached the MLR.

The CSG defines cryptoassets as mentioned in Regulation 14A (3) (a) and (c) of the MLR and further includes other types of tokens, payment, asset and utility tokens while Cryptoasset Exchange Provider (“CEP”) is picked from the Regulation 14 A (1) of the MLR and the custodian wallet provider (“CWP”) from Regulation 14 A (2) .The MLR applies to CEPs and CWPs carrying on business in UK since January 10, 2020.

It was also clarified that while there are certain activities that directly did not constitute work of CEP, the FCA still has to supervise the following activities from AML perspective on case to case basis:

There are certain activities of the CEP which however are not covered within the ambit of CSG, such as, a) the definition does not intend to capture firms that only provide a forum where buyers and sellers can post their bids and offers or b) to arrange the exchange of cryptoasset for money or other cryptoasset. The issuance of cryptoasset or their acceptance in return for goods, services, rights or actions is beyond scope of the CSG much like refund of payment using a cryptoasset refunded to the same payment instrument.

Background

The Financial Action Task Force (“FATF”) has called on its members to tighten the norms for crypto-assets in order to minimize the possibility that this emerging medium could be used for financial crime. In addition, the European Union's Fifth Money Laundering Directive, enforced in the UK by modifications to the MLRs, mandates that member states act in this regard.

The CSG is intended to reflect the changes made by the MLRs that go further than the directive by bringing CEPs and CWPs into the framework of the MLRs. Businesses engaging in cryptoasset operations must have been compliant with MLRs as of January 10, 2020. The CSG is intended to help CEPs and CWP comply with CSG by taking a risk-based approach to cryptoassets.

Money Laundering Risks of Cryptoassets

A study by National Crime Agency (“NCA”) of UK published in 2020 suggests that virtual assets like cryptocurrencies are being used to launder money and a few UK based criminals have been identified who are involved in such activities. Under Paragraph 22.3 of CSG there are various risk factors that have been highlighted:

1. Anonymity - There are certain unregulated platforms that provide opportunities to transact in cryptocurrencies without being fully identified, serving as a potential risk of money laundering and terrorist financing which to some extent is transparent in public blockchains as public blockchains create irrevocable transaction records which helps analyzing risk and scrutiny.

Suggestion: Thus, it is suggested that firms should undertake self-analysis to access any nexus with anonymous sources (like darkweb or blacklisted addresses) or appoint specialist blockchain analysis providers to mitigate risks.

2. Cross-border capability of transactions- Owing to the easy cross-border ability of transactions, crypto-assets can cross several jurisdictions which could reduce supervision by the regulators by inability to apply effective AML control in their jurisdiction.

Suggestion: Cryptoasset firms should ensure effective application of all AML processes in their respective jurisdictions where they operate provide for any cross-border risk associated with it.

3. Decentralization- There are instances where cryptoasset systems are decentralized, which means, there are no parent servers responsible for identifying transaction or users, making the applicability of risk assessment and AML regulations difficult.

Suggestion- There is a need to install measures to identify such transactions flowing from decentralized systems. For instance where firms deal with funds originating from decentralized system they should apply risk based mitigation measures such as blockchain analysis.

4. Segmentation- Chances of oversight increases when parties, involved in payment and transfers, are in different jurisdictions. This puts a hindrance in the applicability of AML compliances.

Suggestion: Introduction of robust systems where firms retain responsibility for AML compliances by making parties of different jurisdictions act as outsourced service providers or as agents.

5. Convertibility- Conversion of cryptocurrencies into actual money or other forms of cryptocurrencies, allows an induction into the mainstream financial system and an easy exit from it, thus permitting it to be used as proceeds of crime without hindrance.

Suggestion: Entities can work with other parties in the value chain to address the risk by ensuring the entry and exit mechanism from the mainstream financial system.

6. Immutability- One of the main features of any blockchain based transactions is immutability, once a transaction is validated, it cannot be deleted, retrieved or modified.

Suggestion- It is generally assumed that all blockchains are immutable, however, that may not be the case with permissioned blockchains. In a permissioned blockchain, all the nodes are known to each other and are usually employed by a company. Further, immutability may even help identify cases of money laundering.

7. Innovation- Innovations in the cryptoasset sphere leads to novel financial crimes which are not known with traditional payment and financial service products.

Suggestion: Collaborative effort from the firms to track financial crime typologies is the way to address this risk.

Important Dates

A key point to remember is that since January 10, 2020, CEPs and CWPs have been required to register with the FCA explicitly for AML supervision before undertaking any crypto-asset or related business, even if they are already FCA-authorized.

To ensure processing time (by law, the FCA has up to 3 months to complete the registration application). While this deadline has now passed, the FCA has extended time until January 10, 2021 as a transitional period for the concerned companies which should still send their applications as soon as possible.

Risk Assessment

The CSG explains that the firms should carry out a meticulous assessment of risk and look into the following aspects:

1. Customer Risks- The CSG defines a customer as a person requesting exchange of cryptoassets for the purpose of CEPs and for CWPs. A customer is someone for whom such entities hold, store and transfer a cryptoasset. Thus firms working in such capacity take a holistic view of the information obtained from such customers and conduct customer due diligence to create a customer risk profile.

2. Product Risks- A risk associated with any financial product is determined on the basis of a features offered and cryptoassets that the customers hold.

3. Transaction Risks- Risks associated with the platform or the blockchain should be assessed to track any high risk events. Such risk assessment may be outsourced to experts however, this does not absolve the liability of the firm.

4. Geographical Risks- A geographical risk depends on the provenance of cryptoassets and a customer’s place of establishment. Publicly available information can be utilized to assess the regulatory approaches in different jurisdictions.

5. Delivery Channel Risks- A customer usually accesses services related to cryptoassets online, however, in other cases there may be intermediaries. Many service providers also establish ATMs. The risk associated with intermediaries must be assessed.

Risk Mitigation

Risk mitigation is followed by a number of measures one has to take to curb financial malpractices. A few important measures are as follows:

Business Impact

JMLSG guidances though are not legally binding, once it receives a ministerial sign off from the HM Treasury, it is a persuasive set of documents with its guidance trusted to balance the competing needs of consumer protection, market competition and regulatory certainty. Thus, the UK courts, if not initially, would eventually look at the compliance with CSG for determining a money laundering offence.

The regulator i.e. FCA would then investigate it from the CSG perspective, and also take into account the non-compliance of the CSG. The CSG overall is a precautionary measure as it eliminates risks associated to the CEPs, CWPs and most importantly to the consumers, as it ensures that their funds are not being converted as proceeds of crimes for sponsoring any illegal activity. The CSG surely increases the task for the business to update their working mechanism but goes a long way to stop perpetration of crimes against humanity.

The article is authored by Ayush Chowdhury, Co-Head, BlockSuits and Mustafa Rajkotwala, Officer, Data and Innovation, BlockSuits