1. The Travel Rule implementation for cryptoasset firms
The so-called “Travel Rule” is set out in Recommendation 16 from the Financial Action Task Force (FATF). In summary, this rule requires that countries ensure that financial institutions send and record information on the originator and beneficiary of a wire transfer, and that this information remains with the transfer or related message throughout the payment chain. This information enables firms to detect potential money laundering (ML) and terrorist financing (TF) activity by ensuring that the identities of the parties to the transaction are known, and facilitates investigations by law enforcement by ensuring that appropriate records of transactions are kept.
The Consultation proposed to expand the application of the Travel Rule as set out in Recommendation 16 to cryptoassets. Whilst there was broad agreement across the industry that tailoring the provisions of the Funds Transfer Regulation to the cryptoasset sector was the best approach, respondents highlighted significant short-term and long-term costs for businesses. As a result, the government has allowed a 12-month grace period until September 2023 for the Travel Rule to apply to cryptoasset businesses. There will also be a de minimis threshold of EUR 1,000, which we have outlined in (2) below.
2. Originator and beneficiary information for cryptoasset firms
In relation to cryptocurrency transactions, the government has confirmed that only one of the originator’s address, date of birth, or passport number will need to be sent with a cross-border transaction above the de minimis threshold of EUR 1,000 (including aggregate transactions of crypto and fiat currencies). As a similar de minimis threshold will be in place in other jurisdictions, concerns were raised that it would also not be workable for the UK to adopt significantly different requirements, as firms would then be faced with inconsistent regulatory requirements for cross-border transfers.
3. Unhosted Wallets
Unlike transfers of funds, which take place via systems only accessible to regulated financial institutions, it is possible for any individual to use technology that enables them to host their own crypto wallet (an “unhosted wallet”), which is able to make and receive transfers, including from wallets hosted by custodian wallet providers.
Current FATF guidance states that, where a beneficiary’s cryptoassets service provider receives a transfer from an unhosted wallet, it should obtain the required originator information from its own customer that receives the cryptoassets transfer. This requirement does not extend to the verification of the originator information that is provided by the “receiving customer”. Where a transfer is being sent from a wallet hosted by a cryptoassets service provider to an unhosted wallet, the originating provider is not expected to send information to an unhosted wallet, though it should still collect information on the intended beneficiary from its sending customer.
The government has modified its proposals in relation to unhosted wallets. The Response argues that many persons who hold cryptoassets for legitimate purposes use unhosted wallets due to their customisability and potential security advantages. Nevertheless, the government is conscious that completely exempting unhosted wallets from the Travel Rule could create an incentive for criminals to use them to evade controls. Therefore, the government’s modified proposals state that cryptoasset businesses will need to collect, but not verify, originator and beneficiary information in relation to unhosted wallets; even then, this only needs to be done on a risk-sensitive basis. The minimum factors that firms should consider when making such a determination of risk will be set out in the legislation, which is to follow.
4. Acquirers of cryptoasset firms
At the current time, the FCA does not need to approve the acquisition of a cryptoasset service provider which is registered under the MLRs. The Response changes this approach and will implement a change in control regime in the same way that already exists in relation to other types of financial services firms. The MLRs will be amended to require proposed acquirers of cryptoasset service providers to notify the FCA ahead of such acquisitions, allowing the FCA to undertake a ‘fit and proper’ assessment of the acquirer, and granting it the power to object to the proposed acquisition.
5. Decision to refuse registration of a cryptoasset firm
The MLRs are to be amended to allow the FCA and HMRC to publish information about decisions not to register a cryptoasset firm, and also allow the FCA to publish notices where it has objected to the acquisition of an already registered cryptoasset firm under the new controller regime mentioned in (4) above. This is intended to provide greater transparency for the market by signalling good/bad behaviour in the industry.
6. FCA sharing and reporting requirements
There will be further enhanced information sharing and gathering powers for the authorities and law enforcement by enabling the FCA to disclose the confidential information it receives in relation to its MLR duties to the Department for Business, Energy & Industrial Strategy (BEIS). The government is also amending the Regulations to align the current powers available to the FCA for cryptoasset businesses, with respect to reporting requirements, to other types of firms that are registered under the MLRs with the intention of creating a level playing field.
7. Account Information Service Providers (AISPs) no longer within scope
AISPs let consumers see all payment account information from different bank accounts in one place online or via a mobile app, and often allow consumers to use this data to analyse their spending. Businesses registered as AISPs raised concerns that by being within scope of the MLRs, they are negatively impacted by disproportionate and duplicative AML obligations and compliance costs. This is because they are required to comply with the MLRs by conducting due diligence checks on customers, in addition to the checks carried out by the banks where the accounts of the customers are held. The government has taken these concerns into account and AISPs are to be excluded from the scope of the MLRs, given that the risk of ML and TF has been assessed as low for this type of business.
Payment Initiation Service Providers (PISPs) (firms which let consumers pay companies directly from their bank account rather than through debit/credit cards) will remain within scope of the regime – although the risk of ML/TF is considered low overall, the risks are potentially higher than those associated with AISPs, as PISPs are more closely involved with the underlying payment process.
8. Bill Payment Service Providers (BPSPs) and Telecoms, Digital and IT Payment Service Providers (TDITPSPs)
In summary, a BPSP provides a payment service for utility and other household bills and acts on behalf of the payer. A TDITPSP acts as an intermediary between a payer and the supplier of goods and services and:
- the payer gives consent to make the payment through any type of telecommunication, digital or IT device;
- a firm receives the payment and transfers it to the supplier of goods and services as an intermediary.
The Response confirms that BPSPs and TDITPSPs will remain in-scope of the MLRs. Amongst other things, the Response considered further research necessary (i) to confirm whether any business in the UK is truly operating as a BPSP (some may have registered in error); and (ii) to develop a more in-depth understanding of the small payment institution TDITPSPs supervised by HMRC and any associated AML/CTF risks.
9. Increased supervisory reviews of suspicious activity reports (SARs)
SARs are submitted by firms to the National Crime Agency. The Consultation had sought views on options to improve consistency of approach to accessing SARs by supervisors (i.e. the FCA and HMRC). The government has decided that there will be enhanced powers for AML/CTF supervisors to review SARs. The measure will introduce a clear legal gateway for AML/CTF supervisors to access, view and consider the quality of the content of SARs submitted by supervised firms, provided they are necessary to fulfil supervisory functions. It is intended that this will help standardise the approach to accessing SARs and clarify the supervisors’ right of access. Ultimately, this is expected to allow the regulators to increase their understanding of sectoral risks, to tailor guidance and to improve the effectiveness of their risk-based approach to supervision.
10. Definitions of credit and financial institution
Entities that fall within the definitions of a “credit institution” or a “financial institution” fall within the scope of the MLRs (amongst other types of firms). There had been plans to clarify these definitions, but these have been dropped after concerns that the policy and legal analysis required to appropriately define all forms of credit and financial institution in detail would be especially complicated and technical (and would require longer-term discussions with industry).
11. Proliferation Financing
The Consultation had proposed changes to implement FATF Recommendation 1, which requires financial institutions and designated non-financial businesses and professions to identify, assess and take effective action to mitigate proliferation financing (PF) risk. Proliferation financing refers to the act of providing funds or financial services which are used, in whole or in part, for the manufacture, acquisition, possession, development, export, trans-shipment, brokering, transport, transfer, stockpiling or use of nuclear, chemical or biological weapons and their means of delivery and related materials (including both technologies and dual-use goods used for non-legitimate purposes), in contravention of national laws or, where applicable, international obligations.
The Response confirms that FATF’s Proliferation Financing definition will be added to the MLRs and firms will be expected to undertake appropriate risk assessments (either in the form of a new exercise, or as incorporated into pre-existing AML/TF risk assessments), to reduce the burden for smaller businesses. A definition of proliferation financing will also be included in the MLRs to clarify the type of activity that would be considered proliferation financing.
12. Trust and Company Service Providers (TCSPs)
The TCSP definition in the MLRs currently uses the term “legal persons”. As well as clarifying the scope of the definition for TCSPs to include all forms of business arrangement (including UK-registered limited partnerships), TCSPs will also now be required to conduct client due diligence (CDD) on all business relationships, including one-off appointments.
Responses had noted that the systems and procedures for compliance with the MLRs should already be in place for all other business arrangements dealt with by TCSPs and therefore the change will simply require TCSPs to extend controls to firms with different legal structures and sole practitioners.
13. Material discrepancies in beneficial ownership
The government is expanding the scope of the discrepancy reporting requirement to also cover an ongoing business relationship. From April 2023 (to account for ongoing Companies House reforms), firms will be required to report material discrepancies in beneficial ownership arising from ongoing CDD obligations, including for the Register of Overseas Entities. The government will provide a list of what will be considered a “material discrepancy” – this is intended to help mitigate the increased compliance burden associated with the expansion of the regime.
14. Art market participants and Non-Fungible Tokens (NFTs)
Art market participants are already within the scope of the MLRs and the government is amending the definition of “Art Market Participant” to exclude artists who sell their own works of art over the current EUR 10,000 threshold.
The government also noted the range of views on whether the definition of digital art (which the Consultation defined as art that has been created using digital technology, for example computer generated art) and NFTs (which have not yet been defined by HMT) should be expanded and will take these into consideration for possible future changes to the definition.
Most of the measures set out in this article will come into force on 1 September 2022, subject to Parliamentary approval. However, the following measures will come into force on the following dates:
- Acquirers of cryptoasset firms – as soon as possible once Parliamentary approval has been obtained
- Notice of refusal of a cryptoasset firm – as soon as possible once Parliamentary approval has been obtained
- Discrepancy reporting requirements – April 2023
- Travel Rule – 1 September 2023
Co-authored by Daniel Lederman – Trainee Solicitor