The advance of the regulation of crypto-assets and crypto-related service providers has been piecemeal in the U.K. The latest round of changes took place in the Money Laundering Regulations 2017 (MLR) on 1 September 2022 with some provisions, including the “change in control” provisions, coming into force on 11 August 2022. The effect of these provisions is not limited to registered cryptoasset businesses (FCA Crypto Firms) but will have an impact on anyone who wishes to purchase or make investments in FCA Crypto Firms, thus becoming a “controller”. Other changes to the MLR for FCA Crypto Firms together with sanctions-reporting requirements will increase their compliance requirements and, for would-be acquirers, the amount of regulatory due diligence.
The threshold and aspects of the “controller” test for FCA Crypto Firms will also be different to that of FCA authorised firms, such as banks, broker-dealers, investment managers, insurers, and payment service providers, including such firms that offer regulated crypto services (FCA Authorised Firms). It is also different to that proposed in the European Union (EU) Markets in Crypto Asset Regulation which is near-identical to the regime for EU regulated investment firms on which the regime for FCA Authorised Firms was based before the U.K.’s withdrawal from the EU.
However, the regulatory process for approval and criminal penalties for failing to secure approval are the same. Moreover, the burdens for acquiring or investing in FCA Crypto Firm will be very close to those for acquiring or investing in an FCA Authorised Firm although the immediate impact of the controller provisions may be small because, at the time of writing, there are only about 30 FCA Crypto Firms versus the thousands of FCA Authorised Firms.
How Do the Controller Provisions Fit Within the Developing Regulatory Framework?
The MLR were expanded in 2020 to bring “cryptoasset exchange providers” (Exchanges) and “custodian wallet providers” (Wallet Providers) within their scope as FCA Crypto Firms. Although the MLR now impose an Financial Conduct Authority (FCA) registration requirement on FCA Crypto Firms, the requirement is different to the full authorisation requirement for FCA Authorised Firms. FCA Crypto Firms may be subject to much of the same anti-money laundering requirements as FCA Authorised Firms but they are not (yet) subject to the other requirement for FCA Authorised Firms, including rules on governance, regulatory capital, operational resilience, and customer protection.
Were Crypto Businesses Caught by Notification Requirements Before the Changes?
Insofar as a UK crypto business is an FCA Authorised Firm because, for example, its authorised as a payment services or e-money institution, it will be subject to the Financial Services and Markets Act 2000 (FSMA) section on “control over authorised persons”. This includes the requirement for a person acquires or increases “control” of the Firm, generally ≥ 10% of the shares or voting power in (a) the FCA Authorised Firm or (b) a parent of the Firm, to secure FCA approval before the acquisition or increase.
What Type of Businesses Do the Changes Affect?
The existing MLR definitions are relevant when determining when an Exchange or Wallet Provider triggers the controller provisions. For practical purposes, the question to ask is whether a business is registered with the FCA (as an FCA Crypto Firm). If it is, the MLR controller provisions.
That said, the MLR definitions are important. If a business falls within the definitions and is not FCA registered, an acquirer will have bigger regulatory issues to consider: an Exchange or Wallet Provider is prohibited from carrying on its business in the U.K. without FCA registration.
The MLR defines Exchanges broadly to include firms that exchange, arranges, or makes arrangements with a view to: (a) the exchange of, cryptoassets for money or money for cryptoassets; (b) the exchange of one cryptoasset for another, or (c) the operation of a machine which utilises automated processes for the types of exchange in (a) and (b). They define Wallet Providers to include firms that provide services to safeguard, or to safeguard and administer: (a) cryptoassets on behalf of its customers, or (b) private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets. (“Cryptoasset” for these purposes is a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored, or traded electronically). This is a broad definition and would include fungible tokens, such as bitcoin, and non-fungible tokens (NFTs) which are capable of being converted into fiat currency or held in a wallet.
Who Will Be a “Controller?”
The MLR import the controller provisions contained in the Financial Services and Markets Act 2000 (FSMA) with modifications, the most significant of which is the description of when a person acquires or increases “control”. In this respect, a person (A) acquires or increases control over a FCA Crypto Firm or a parent undertaking of (B) (Parent) if (A) would become a beneficial owner, within the meaning of the MLR, of the FCA Crypto Firm or its Parent.
Where the FCA Crypto Firm or its Parent is a private body corporate (C), a “beneficial owner”, will be: (a) any individual who exercises ultimate control over C’s management; (b) any individual who ultimately owns or controls (in each case whether directly or indirectly), including through bearer share holdings or by other means, more than 25% of the shares or voting rights in C; (c) or an individual who controls C, i.e. the individual meets the significant control test and/or C meets the subsidiary test in the Companies Act 2006.
The FCA confirms on its website that a single threshold of 25% or more applies to FCA Crypto Firm.
This is different to the tests for FCA Authorised Firms, the controllers of which are generally determined by reference to percentage thresholds of holdings of shares or voting power in those Firms.
What Are the Assessment Criteria?
Another key difference from the FSMA provisions is that the MLR do not import the multiple criteria for assessing a prospective controller of an FCA Authorised Firm but instead use the existing fit and proper test in the MLR for the registration of FCA Crypto Firms. This has the effect of disqualifying a prospective controller (A) where A commits one of the offences identified in the MLR or (a) A has consistently failed to comply with the requirements of the MLR; (b) there is a risk that A’s business may be used for money laundering or terrorist financing; and (c) A, and any officer, manager or beneficial owner of A, does not have adequate skills and experience and has not acted and may not be expected to act with probity. Although the criteria for approving a controller of an FCA Crypto Firm narrower than those for an FCA Authorised Firm, the standard for approval as a controller of an FCA Crypto Firm is the same as that for registration as an FCA Crypto Firm. Unlike the position for FCA Authorised Firms, the requirements for becoming the owner of an FCA Crypto Firms are the same as those for becoming the operator of that Firm.
How Does the Approval Process Work?
The process is near-identical to that for the acquisition or increase in control for an FCA Authorised Firm under the FSMA. The proposed controllers must submit prescribed forms to the FCA to enable the FCA to make the fit and proper assessment noted above. The FCA updated its forms on 11 August 2022 to include forms for corporate, partnership, individual, and trust controllers of FCA Crypto Firms.
The FCA has 60 working days from receipt of a “complete” application to approve the acquisition with or without conditions or object to the acquisition. Until the 50th day of the assessment period, the FCA may “stop the clock” for up to 30 working days to request further information. The FCA may specify the period for which the approval is valid which, in practice, is three months although extensions may be granted.
The need for FCA approval typically results in a split signing and completion of an acquisition conditional on receipt of the FCA approval.
What About Selling or Reducing Holdings?
Unlike the requirements with respect to an FCA Authorised Firm, someone who ceases to control or reduces the extent of its control does not have to notify the FCA of the cessation or reduction in question.
Will Changes to the MLR Have an Impact on Due Diligence?
Even before the introduction of the controller regime, the MLR would have been relevant when buying an FCA Crypto Firm because the MLR imposes regulatory obligations on the Firm. These include obligations connected with customer and enhanced customer due diligence and reliance and record-keeping which an acquirer will need to include as part of its regulatory due diligence in addition to related items under the general law, such provisions governing anti-bribery.
The changes to the MLR, of which the addition of the controller requirements were a part, also include a requirement that FCA Crypto Firms must collect, but do not have to verify, originator and beneficiary information relating to unhosted wallets.
From 1 September 2023, FCA Crypto Firm will have to comply with the changes to the MLR that apply the “Travel Rule”. This requires countries to ensure that financial institutions send and record information on the originator and beneficiary of a wire transfer, and that this information remains with the transfer or related message throughout the payment chain.
Are There Other Relevant Recent Changes?
In addition to the changes to the MLR noted above, from 30 August 2022, the duty on FCA Authorised Firms to notify the Office of Financial Sanctions Implementation (OFSI) if they become aware of a person or entity subject to financial sanctions (Designated Persons) or of a breach of the U.K. financial sanctions regime in the course of their business, was expanded to FCA Crypto Firms. They now have a duty to notify OFSI of certain information as soon as practicable if they know, or have reasonable cause to suspect that, in the course of their business they have: (a) identified that a person is a designated person; (b) identified a breach of the financial sanctions regime, including a breach by the Firm itself; and/or (c) identified that there has been a transfer into or out of a frozen account owned by a designated person. Failure to provide the notification is an offence for which OFSI can impose a penalty and may be a criminal offence.
Acquirers will therefore need to add OFSI reporting compliance to the list of regulatory due diligence items.
What About Future Changes?
The changes to the MLR are a further step in what looks like a journey towards full FCA authorisation for crypto-businesses. There are likely to be many further changes as the crypto sector becomes more regulated. Two particular points to note are:
- The imposition of requirements for “financial promotions”, such as advertisements, connected with “qualifying crypto-assets”, such as bitcoin and ethereum, to be approved by FCA Authorised Firms (the Approval Requirement). The U.K. government issued a discussion paper and the FCA consulted on new rules in Q1 2022; it is unclear when the government will consult on changes to the financial promotion regulations and the FCA said in its response in Q3 2022 to the rules consultation that it will only publish its rules when the government issues the revised law. The breadth of the definition of “controlled activities”, about which financial promotions will be subject to the Approval Requirement, makes it likely that advertisements about the services which FCA Crypto Firms offer will require approval by an FCA Authorised Firm. Therefore, future due diligence on FCA Crypto Firms is likely to require the inclusion of questions about financial promotions and compliance with the Approval Requirement.
- The Financial Services and Markets Bill 2022, which provides for, amongst other things, the regulation of “digital settlement assets” (DSAs) defined to include, in essence, fiat based or backed cryptoassets, such as stable coins, that can be used for the settlement of payment obligations. The Bill gives the government the power to apply the law and regulation governing payment services institutions (PSIs) and e-money institutions (EMIs) to those providing services connected with DSAs. If FCA Crypto Firms providing DSA related services become regulated as PSIs and EMIs, this will bring them within the controller regime for FCA Authorised Firms and impose governance, regulatory capital and customer protection requirements, in turn, increasing the regulatory risk and due diligence burden for acquirers and investors. While operational resilience and the management of operational risk are central even to unregulated crypto business, the increased regulatory focus on these areas will add them to the list of regulatory due diligence items for acquirers and investors.