A Guide to FCA Cryptoasset AML/CTF Applications for Crypto Firms: PART IV

By Rodrigo Zepeda, CEO, Storm-7 Consulting


In June 2024, the Financial Conduct Authority (FCA) published feedback on good and poor quality applications under the existing cryptoasset anti-money laundering (AML) and counter-terrorist financing (CTF) regime (Feedback) (FCA, 4 June 2024). The Feedback identified that out of 347 applications received by the FCA since January 2020, only 47 firms (n=14%) were ultimately registered.

A further 36 (n=11%) applications were rejected, 13 applications (n=4%) were refused, and 236 (n=71%) applications were withdrawn. This
four-part blog series aims to provide crypto firms and their compliance personnel (including Money Laundering Reporting Officers (MLROs) and Nominated Officers (NOs)) with some additional guidance and clarification on the Feedback that
may assist firms.

It covers relevant issues concerning money laundering (ML), terrorist financing (TF), proliferation financing (PF), and The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). It focuses on part four of the Feedback (When preparing an application), which covers thirteen different sub-areas:

  1. business plan (BP);
  2. comprehensive description of products and services;
  3. risk assessment and management;
  4. policies, systems, and controls (PSCs);
  5. transaction monitoring (TM) and blockchain analysis (BA) coverage;
  6. group structure and reliance on group policies and procedures (GPPs);
  7. outsourcing;
  8. training;
  9. suspicious activity reporting (SAR);
  10. disclosures;
  11. applicant is already authorised for other activities; 
  12. sanctions; and
  13. website.  

PART I addressed sub-areas 1-3. PART II addressed sub-areas 4-7, and PART III addressed sub-areas 8-13. PART IV will set out some brief critical assessment and commentary on crypto firm applications and ML/TF/PF regulatory requirements. This will explore the massive application failure rate that exists overall (n=86%), and the huge application withdrawal rate (n=71%). PART IV will cover five areas:

  1. AML/CTF/PF framework;
  2. complexity;
  3. costs;
  4. expertise; and
  5. FCA guidance.


Where cryptoasset firms intend to carry out cryptoasset activity in the United Kingdom (UK), and that activity falls within scope of the MLRs, such firms must register with the FCA before carrying out any cryptoasset activity. This ensures that they
are deemed to be compliant with the cryptoassets AML/CTF regime. The FCA acts as the AML/CTF supervisor of UK cryptoasset businesses under the MLRs. On the face of it, the objective for crypto firms is AML/CTF authorisation, so it seems obvious that crypto
firms will focus on AML/CTF compliance.

Nevertheless, our analysis so far would tend to indicate that this in itself will not be enough. To be sure, implementing an effective AML/CTF framework is a core requirement. However, firms will also need to produce a very comprehensive BP, which should
include a comprehensive description of products and services. They also need to undertake firmwide risk assessment and management, devise highly extensive PSCs, and implement TM and BA coverage which is adequate for the firm’s
size and complexity.

A firm’s AML/CTF framework must also be specifically configured to reflect cryptoassets, cryptoasset-related risks, PF, and sanctions-specific controls to reflect the nature of the firm’s cryptoasset-based business model, as well as cryptoasset-specific
‘red flag’ indicators (RFIs) for potential sanctions breaches. On top of this, the crypto firm needs to adhere to highly demanding staff training requirements, and will be required to address disclosures, outsourcing, and SAR in its risk assessment
and management, PSCs, and AML/CTF framework.

All of these requirements may very likely not be immediately obvious to crypto firms from the outset. What is more, in our analysis we saw that each of these areas individually was complex. For example, a firm’s description of products and services is not
simply made up of descriptive statements. Crypto firms must identify types of
native and associated cryptoassets, classify tokens, and set out token functionalities assigned within the business.

They must also create a cryptoasset token vetting policy. They must explain in detail how cryptoasset custodian services operate, how dependent a firm is on external ecosystems for liquidity, and how the firm has implemented the use of decentralised finance
(DeFi) and/or smart contracts. So, what may be happening with applications in relation to the
AML/CTF/PF framework, is that crypto firms may be:

  1. focusing too narrowly on the AML/CTF framework, and marginalising or excluding other important areas (e.g., BA,
    PSCs, sanctions, SAR, TM, training); 
  2. significantly underestimating the extensive requirements for AML/CTF compliance that go beyond the core AML/CTF framework.


Our analysis has shown us that each of the thirteen different sub-areas covered is complex in nature, especially technologically complex areas such as cryptoasset SAR, PSCs, TM and BA coverage, and cryptoasset and AML/CTF risk assessment and management.
The more innovative and novel the underlying business model, the more complex each of these individual areas will be, and the more cumulatively complex crypto firm applications will be. Moreover, it is not just the fact that the sub-areas are complex,
but also that they each cover different skill sets, such as:

  • blockchain technologies and BA;
  • business management;
  • cryptoassets and token management;
  • financial crime (ML, TF, PF, sanctions);
  • law and legal;
  • outsourcing operations;
  • risk assessment and management;
  • systems management;
  • technical documentation;
  • technology systems; and
  • training (BA, crypto risks, legal, operations, TM).

Crypto firm applications may therefore demand a very broad range of professional expertise and skills. This complexity may end up posing a significant challenge for many smaller crypto firms. This is because they may not have all the staff with relevant
expertise needed to address all these different areas. Or it may be that they discover the staff that they do have are not sufficiently qualified in terms of the expectations set by the FCA.

For example, to save costs a crypto firm may have hired a junior MLRO to ‘learn on the job’ about crypto, BA, and TM, and to deliver in-house crypto AML/CTF training. However, the firm will have learned that this was not acceptable to the FCA. So, what may
be happening with applications in relation to complexity, is that crypto firms may:

  1. be significantly underestimating the complexity of sub-area requirements (individually
    or cumulatively); 
  2. find that they do not have the internal professional expertise necessary to meet the sub-area requirements; 
  3. subsequently realise it will be too costly to meet sub-area requirements by employing
    external consultants.


Our analysis has shown that crypto firm applications will incur significant costs. This is one of the areas that may prove to be the most problematic for firms. Each of the thirteen sub-areas will require significant time and effort to be addressed properly
by firms. One issue is that firms may not have sufficient professional expertise internally, so they may be required to hire external consultants, law firms, technology firms, and training providers to provide necessary services.

Another issue for firms is that they may not initially recognise that they will have to do this. It may only become apparent to firms once they have embarked upon the application process. Firms may not have developed an accurate estimate of overall costs,
or their estimate of costs may prove to be deficient because they have missed out a number of areas which they subsequently had to address.

Cost estimates may have been based on a 3-month FCA authorisation process, which then turns out to be a 9-12-month authorisation process. In practice, the crypto firm application requires a highly efficient project management (PM) approach to be
adopted. However, given the high application failure rate, it is highly likely that firms have not adopted such an approach.

We previously saw how developing and implementing PSCs was very documentation heavy. It will require a great deal of effort to implement an effective internal AML/CTF framework that covers a Business-Wide Risk Assessment (BWRA), Customer Risk Assessment
(CRA), Customer Risk Scoring (CRS), Due Diligence procedures, risk controls, SAR, screening, TM, and training.

All of these areas may require comprehensive and detailed technical documentation, legal documentation, and firm policies. What is more, all these areas are not based on well-established circumstances present in traditional finance (TradFi) firms.
Instead, they need to reflect areas, business models, factors, risks, and situations particular to crypto and DeFi (e.g., higher risk cryptoassets, native token trading, product interoperability, sub-custodian crypto services).

Any lack of accuracy or underestimation in these areas may lead to increased costs. If crypto firms seriously underestimate the amount of work required, costs may very quickly start to spiral upwards. This may take crypto firms beyond the point of commercial
viability of the firm’s initial business model. So, what may be happening with applications in relation to
costs, is that crypto firms may significantly underestimate:

  1. costs; 
  2. the amount of work required; 
  3. the firm’s professional staff expertise;
  4. the amount of external services that may be required.  


Another significant problem that may arise with respect to applications, is that the professional expertise that is required by crypto firms may prove to be too extensive. For example, for certain types of crypto or DeFi business models, TM and BA coverage
may need to be highly advanced. This may require the use of a range of sophisticated blockchain analytics tools and techniques to be put in place.

A firm’s risk assessment and management will also extend beyond the core AML/CTF framework. Risk assessment and management will need to address all crypto operational areas, such as asset and token management, collateral management, crypto payments, custodian
and sub-custodian services, cyber security, third party outsourcing arrangements, and third party technology providers.

Consequently, a firm’s MLRO/NO may not have sufficient expertise to cover AML/CTF, risk management, and TM/BA altogether. Also, the FCA may find that a firm’s MLRO/NO does not have sufficient crypto AML/CTF expertise to provide staff with in-house training.
As a result, a firm would need to implement a range of new hires to cover additional risk management, TM/BA, and training requirements, or to hire external consultants.

At this point we can start to see that all the four areas identified so far (AML/CTF/PF framework,
complexity, costs, expertise) are interrelated. If crypto firms underestimate any of these areas, they may impact upon the other areas. If the complexity of sub-areas is underestimated, this may require additional professional expertise
which increases costs.

If deficiencies in a firm’s AML/CTF/PF framework are identified, these may lead to increased complexity, the need for additional expertise, and significant additional costs. All these interrelated areas may act together to make the firm’s application more
difficult and beyond the firm’s existing staff expertise. So, what may be happening with applications in relation to
expertise, is that crypto firms may:

  1. harbour false expectations about staff expertise (e.g., staff may not be able to cover something they were expected to cover such as AML/CTF training or TM and BA coverage); 
  2. realise the professional expertise required renders the application commercially unviable; 
  3. underestimate the amount of additional professional expertise (external consultants) required;
  4. underestimate the professional expertise (internal staff) required.


When you identify an 86% application failure rate you know something is going seriously wrong with crypto firm AML/CTF FCA authorisation applications. In
11% of cases, firm applications were either incomplete or of such poor quality, that the submission was deemed invalid by the FCA. It is possible these
36 firms either did not at all understand the FCA crypto AML/CTF requirements, or they simply did not have the technical expertise and competence to submit applications that contained the minimum information requested.

In 4% of cases, firm applications were refused. This means the application reached the final stage of the decision-making process, at which point the application was refused. This may have been because a firm did not meet the regulatory standard required,
or the firm intentionally withheld information, or provided false or incomplete information. The FCA will have provided these
13 firms with reasons for the refusal.

However, in 71% of cases firm applications were withdrawn. This means that 236 crypto firms applied for AML/CTF authorisation, but then subsequently withdrew their applications. This may have occurred either intentionally (e.g., the firm decided to withdraw) or unintentionally (e.g., a firm did not respond to a request for more information within 20 business days). In addition to the potential reasons for this identified above, this may have occurred because:

  • the application was incomplete;
  • the application process took too long for firms (e.g., between 6-12 months);
  • the firm failed to meet FCA expectations at some point;
  • the firm failed to respond adequately to FCA follow-up information requests;
  • the firm failed to recruit key internal positions (e.g., MLRO/NO with significant crypto AML/CTF experience and skills);
  • there were material errors in the application;
  • there were significant deficiencies in financial resources identified; 
  • there were significant deficiencies in non-financial resources identified.

This figure shows that there are real problems in crypto firm applications that have still not been addressed and remedied. The point that I make here in relation to FCA guidance is that it is insufficient for crypto firms. I will provide three illustrative
examples below.

FCA guidance on sub-area 2 is set out below; it totals 78 words.

FCA guidance on sub-area 3 is set out below; it totals 52 words.

FCA guidance on sub-area 13 is set out below; it totals 51 words.

This is the type of guidance that crypto firms have to draw upon. This is the information that has been provided by the national regulatory authority of a country to guide firms, in what we have now established, are highly complex and extremely challenging
regulatory applications. What crypto firms actually need is an application guide manual. What crypto firms actually get is a small paragraph. In the previous PARTS of the blog series, we saw how I had to describe the meaning of these sub-areas
in detail to make them understandable, and to show how they related to crypto firm operations.

We also saw that in some areas, firms do not even have objective regulatory standards or guidance that they can rely on and draw upon (e.g., to establish what exactly constitutes effective TM and BA coverage which is adequate for the firm’s size and complexity). This is the official guidance provided to crypto firms, with the expectation that they will turn the UK into a world-leading crypto hub.


The FCA authorisation process for crypto firms is not the same as for TradFi firms. We have seen that crypto firm applications are highly complex and have virtually no comprehensive regulatory guidance provided that they can employ. In some areas, there
are no objective regulatory standards or guidance which firms can rely upon, such as the adequacy of TM and BA coverage required. There is no official guidance provided to firms in relation to cryptoasset SAR.

Overall, crypto firm applications at the moment clearly seem like a huge waste of resources, in terms of time and money, for both crypto firm applicants and the FCA. I know lots and lots of ways that these problems could be remedied, but at present I do
not think they will be. Some people may see these simply as failed applications, but what they really represent to the UK is lost potential. That is, they represent millions and perhaps billions in future revenues that could potentially be contributed
to the UK economy.

This could prove to be a vital contribution to the UK’s future economic recovery. Yet, we will never know, because these firms were never really given a chance on an equal footing to TradFi firms. The UK government is seeking to turn the country into a world-leading
crypto hub. The 86% application failure rate shows us that if we do not support crypto firms this will never happen. Application failure rates remain too high, and the clear problems in the crypto application process have not yet been addressed.
