CMS Expert Guide to Crypto Regulation in United Kingdom

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘MLRs’) contain a number of relevant anti-money laundering and counter-terrorist financing (‘AML’) rules.  Firms that fall within the scope of the MLRs generally need to be registered with the United Kingdom Financial Conduct Authority (‘FCA’).

The MLRs apply to:

• a  “cryptoasset exchange provider”, being a firm or sole practitioner that by way of business provides one or more of the following services:
  • exchanging, or arranging or making arrangements with a view to the exchange of:
    • cryptoassets for money or money for cryptoassets; or
    • one cryptocurrency for another; or
  • operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets; and
• a “custodian wallet provider”, being a firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer:
  • cryptoassets on behalf of its customers; or
  • private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets,

when providing such services.

For the purposes a “cryptoasset” is “a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically”.

As such, cryptoasset businesses carrying out exchange or custody activities within the UK will generally be subject to regulation under the MLRs. Please see the response to question 3 below for further detail.

Firms within the scope of the MLRs are required to implement certain AML systems and controls, including the UK’s implementation of the “travel rule” where cryptoasset businesses have been required to collect, verify and share information about cryptoasset transfers. The specific information to be collected will depend on the value of the transaction and whether it involves an international transfer.

Existing Regulation: The Financial Promotion Regime 

The financial promotion regime applies to any communications which are capable of having an effect in the UK that invite or induce persons to engage in certain types of investments, including a “qualifying cryptoasset”.

Most types of cryptocurrencies will fall within the current proposed definition of a “qualifying cryptoasset”, including for example Bitcoin. 

The regime applies to communications made to or directed at persons located in the UK, including from overseas on a cross-border basis. 

Any financial promotions communicated in the course of business must:

• be issued by an FCA-authorised person;
• be approved by an FCA-authorised person; or
• fall within an exemption from the financial promotion regime.

Those who breach the financial promotion regime may be subject to up to two years imprisonment and/or an unlimited fine, as well being liable to pay compensation to any investors that may have invested following such a breach.

Future Regulation: Investment Business Regulation

There are plans to implement a cryptoasset regulatory regime:

Phase 1: the creation of a regulatory regime for fiat-backed stablecoins used for payments (capturing GBP and other fiat-backed stablecoins issued in the UK).  

Phase 2: the introduction of regime to regulate the following tokens, where they are used for regulated activities:

• Exchange tokens;
• Utility tokens;
• Non-fungible tokens (NFTs);
• Asset-referenced tokens;
• Commodity-linked tokens;
• Crypto-backed tokens;
• Algorithmic tokens;
• Governance tokens;
• Fan tokens.

The legislation for the Phase 1 regime is expected to be introduced later in 2024, with Phase 2 likely to follow in 2025, and with enforcement remaining subject to transitional periods. It should be noted that decentralised finance (‘DeFi’) does not fall within scope of the regulatory agenda at this point.

As noted in the response to question 1 above, both exchange and custody activities relating to crypto assets fall within the scope of the MLRs. In essence, the MLRs serve to prohibit cryptoasset service providers that engage in exchange and/or custody activities from operating in the UK unless they are registered with the FCA.

A cryptoasset business will not automatically need to register with the FCA unless it is involved in exchange or custody activity. The MLRs set out specific criteria that aims to determine whether a cryptoasset business is engaging in such activities and, therefore, within scope of the FCA’s supervisory jurisdiction.

Exchange/Direct Sales: A cryptoasset business will be considered to be an ‘exchange provider’ if and where it provides services by way of business to exchange, or arrange, or make arrangements with a view to the exchange of cryptoassets for money or other cryptoassets. This definition also includes crypto ATMs, whereby a person or business operates a machine that utilises automated processes to exchange cryptoassets for money or other cryptoassets.

Custody: A cryptoasset business will be considered to be a ‘custodian wallet provider’ where it provides services by way of business to safeguard, or to safeguard and administer, cryptoassets or private cryptographic keys on behalf of its customers.

It should be noted that, while not explicitly referred to, staking and other mechanisms may take on the characteristics of either exchange or custody activities, with each instance being considered based on the specific fact pattern. Therefore, staking activities could fall within the UK’s AML regime and businesses that offer such services may be required to register with the FCA.

If the activities of a relevant cryptoasset business satisfy either definition, they will need to register with the FCA under the MLRs. Upon a successful application for registration, the cryptoasset business will appear on the FCA’s cryptoasset register and be allowed to carry on their exchange or custody business within the UK. Compliance is ongoing, meaning proper policies and procedures must be put in place and reporting requirements must be adhered to.

Existing Regulation: Investment Business Regulation

Under the current regime, a cryptoasset may constitute a “specified investment” (i.e., it has the characteristics of a share, a debenture, e-money, a unit in a collective investment scheme, a derivative etc.).  If this is the case, then any exchange or custody of that cryptoasset (as well as certain other activities, such as providing investment advice) may constitute a regulated activity under the UK’s regulated investment business regime.

Those engaging in any such regulated activity will need to apply for authorisation under the Financial Services and Markets Act 2000 (“FSMA 2000”). Carrying on a FSMA 2000 regulated activity without authorisation (or without falling within an exemption) constitutes a criminal offence. Those who breach the rules may be subject to up to two years imprisonment and/or an unlimited fine, as well being liable to pay compensation to any investors that may have invested following such a breach.

Future Regulation: Investment Business Regulation

The Government has advised that the incoming cryptoasset regime will mean that businesses engaging in regulated cryptoasset activities will likely need to adhere to the same regulations under FSMA 2000 as are currently applied to equivalent or similar traditional financial service. Thus, such firms will need to obtain the appropriate licenses to conduct their business.

With regard to NFTs, the Government noted that it will focus on the characteristics of NFTs when determining whether they will fall within scope of the regulation (e.g., if an NFT acts as an exchange token it will be treated as such).

Direct Sales:

Direct sales of certain tokens, such as security tokens, may fall within scope of FSMA 2000. This will largely depend on the nature and characteristics of the token.

Borrowing/Lending:

At present, borrowing and lending of cryptoassets is not explicitly regulated under FSMA 2000.

In its Consultation Response, the Government noted that lending presents a significant risk to consumers and the market more broadly. As such, they intend on a regulatory approach that prioritises addressing retail consumer risks and systemic risk more generally. In saying this, the basis of the regulatory regime acknowledges that the differing lending arrangements and risks do not warrant a single model approach; as such, it is likely to be regulated in accordance with similar, but traditional asset types.

Yield/Staking Services:

The regulation and categorisation of yield and staking services remains complicated under the existing framework. Broadly speaking, the analysis will turn on the specific characteristics of the model and service. In practice, the most pronounced regulatory risk would be whether the arrangement could be considered a collective investment scheme and whether any tokens would then be considered units in that scheme.

It should be noted that the Government concluded that ‘staking’ should refer to activities that directly facilitate a validation process on a proof of stake (‘PoS’) blockchain. As such, activities labelled as ‘staking’ that do not fall within this definition should not be considered staking.

Financial promotion regime:

There is no licence required from the FCA to comply.  Instead, as stated above there are three routes cryptoasset firms can take to lawfully communicate cryptoasset promotions:

1. an authorised person communicates the promotion;
2. an authorised person approves the promotion; or
3. the promotion otherwise complies with the conditions of an exemption in the FPO.

Exact timing will depend on the route that is taken.  However, this usually related to the time involved in drafting and/or arranging for the financial promotion to be approved/fall within an exemption.

Investment business authorisation:

Most cryptoasset relates firms are not currently within the scope of FSMA 2000.  For those that are, processing times for FSMA 2000 applications will vary depending on the authorised activity.

From the date of submission, the FCA is required to process a complete application within six months and an incomplete application within 12 months.

The application fees for cryptoasset businesses registering with the FCA will vary depending on the activities or services offered. At the time of writing, application fees for cryptoasset business are around £10,000. Assuming the application is successful, additional fees will be charged per year; these will vary depending on the size and income of the authorised firm, starting at around £2,000.

Legal and other professional fees will be necessary. There are compliance costs associated with meeting the regulatory requirements set by the FCA. These costs may include hiring compliance professionals, conducting AML and KYC checks, and implementing robust security measures.

Financial promotion regime:

There is no licence required from the FCA to comply.  The costs involved usually instead relate to compliance relates costs.

Investment business authorisation:

The application fee will depend on the particular application. Legal and other professional fees will be necessary.

The FCA publishes statistics relating to applications for registrations under the MLRs here.

The FCA have published high-level guidance, detailing what they expect to see in applications; successful applications will generally be sufficiently detailed and properly advised. Among other things, a successful application will detail that the business has implemented proper procedures, policies and controls to address the risk of money-laundering and terrorist financing, measured proportionately to the size and nature of the business’ activities.

Financial promotion regime:

There is no licence required from the FCA to comply.

Investment business authorisation:

The success rate for applications in 2023/2024 Q1 has been reported as 97%.

The Government has confirmed that registration under the MLRs will not translate to automatic FSMA 2000 authorisation under the incoming cryptoasset regulatory regime.  Cryptoasset firms that are registered under the MLRs will therefore need to submit a new authorisation application under the new regime.

The MLRs registration requirement generally only applies to persons and entities that conduct their business from within the UK. The regime will therefore apply to UK companies, and will also extend to businesses that have a sufficient physical nexus to the UK (i.e., employees, offices etc.).  In these instances, the FCA has made it clear that they expect these businesses to have a sufficient establishment within the UK and comply with the associated UK regulations.  Money Laundering Reporting Officers (“MLROs”) are expected to be based within the UK and the FCA is likely to refuse any applications with non-UK based MLROs.

All firms that are looking to set up a cryptoasset business within the UK should comply with the FCA’s non-exhaustive list of conditions to be registered under the MLRs. These conditions include:

• taking appropriate steps to identify and assess the risk of money laundering and terrorist financing, as the business is or may subject to;
• assessing the money laundering and terrorist financing risks that relate to any new technologies before launching or integrating such technologies, taking appropriate measures to manage and mitigate such risks;
• undertaking customer due diligence (CDD) when entering into a business relationship or occasional transactions; and
• applying more intrusive due diligence (or ‘enhanced due diligence’) when dealing with customers that may present a higher money laundering or terrorist financing risk, such as politically exposed persons.

Financial promotion regime:

Please see comments in earlier questions

Investment business authorisation:

Similar to the MLRs, the threshold conditions to be authorised under FSMA 2000 including having an office and appropriate resources in the UK. 

The firm will need to show the FCA that they are able to comply with the FCA’s detailed rules and requirements as part of the authorisation process.