AML/CFT for crypto service providers
What obligations regarding AML/CFT regulations fall on cryptoasset service providers in the UK?
Cryptoasset service providers one of the many persons and firms that are subject to the UK's Money Laundering Regulations (Money Laundering and Terrorist Financing (Amendment) Regulations 2019, the “ML Regs”) governs the AML/CFT regulations. Additionally, since the Financial Conduct Authority of the UK is the supervisory body of cryptoasset service providers, extra guidelines imposed by the FCA must be adhered to. Do take note that your AML/CFT measures must also be in line with FATF's guidelines on AML/CFT.
"You must make sure that your business has adequate internal controls and monitoring systems. These should alert you and other relevant people in your business if criminals try to use your business for money laundering. Once you’ve been made aware of a potential threat, you can take steps to prevent it and report any suspicious activity.
Your controls should include:
- appointing a ‘nominated officer’ and making sure that employees know to report any suspicious activity to them
- appointing a compliance officer if your business is larger or more complex
- identifying the responsibilities of senior managers and providing them with regular information on money laundering risks
- training relevant employees on their anti-money laundering responsibilities
- documenting and updating your anti-money laundering policies, controls and procedures
- introducing measures to make sure that the risk of money laundering is taken into account in the day-to-day running of your business"
Source: GOV UK, last updated 4 August 2021
"Some requirements are set out below, however this is not an exhaustive list. It also does not include the wider rules and guidance that an FCA authorised business under FSMA must adhere to (which FSMA authorised firms must comply with in addition to the MLRs):
- take appropriate steps to identify and assess the risks of money laundering and terrorist financing which the business is subject to,
- assess the ML/TF risks related to any new technologies prior to launch and take appropriate measures to manage and mitigate those risks,
- have in place policies, systems and controls appropriate to mitigate the risk of the business being used for the purposes of money laundering or terrorist financing. This risk-based approach should seek to mitigate the risks identified in the business’s risk assessment,
- where appropriate with regard to the size and nature of its business, appoint an individual who is a member of the board or senior management to be responsible for compliance with the MLRs and the nominated officer. The nominated officer is also the person responsible for reporting suspicious activity to the National Crime Agency (NCA) under part 7 (money laundering) of the Proceeds of Crime Act 2002,
- where appropriate, with regard to the size and nature of its business, establish an independent internal audit function with responsibility for examining and evaluating the adequacy and effectiveness of the policies, controls and procedures, and making recommendations, as well as monitoring the controls,
- undertake screening of employees,
- undertake customer due diligence (CDD) when entering into a business relationship or occasional transactions,
- apply more intrusive due diligence, known as enhanced due diligence (EDD), when dealing with customers who may present a higher ML/TF risk. This includes customers who meet the definition of a politically exposed person (PEP),
- undertake ongoing monitoring of all customers to ensure that transactions are consistent with the business’ knowledge of customer, the customer’s business and risk profile."