The financial crime risks surrounding cryptoassets (which the FCA define in their letter as “… any publicly available electronic medium of exchange that features a distributed ledger and a decentralised system for exchanging value”) have been one of the reasons that cryptocurrencies such as Bitcoin and Ether were (and in some jurisdictions still are) viewed with suspicion. Their relative anonymity and connection to sites on the Dark Web, such as Silk Road, AlphaBay and Hansa, created an association with criminality. Due to this history, firms operating in the crypto space should already have had regard to the financial crime risks. If they haven’t, the FCA’s recent letter is a clear warning that they should do so.
So what should banks do? The “Dear CEO letter” sets out some steps that the FCA expects firms to take to manage these financial crime risks. However, firms should not restrict themselves to only these suggestions or treat all clients identically. It is clear that a risk-based approach is key.
At a high level, the FCA advises banks offering services to current (or prospective) clients who derive significant business activities or revenues from crypto-related activities that they must ensure that they are confident about their client’s source of funds. Although the nature of cryptocurrency transactions and the underlying technology means that evidencing the source of funds can be more difficult, the “Dear CEO letter” explicitly states that this does not justify firms using a different source of funds test than they usually would. In fact, where the evidence is weaker, firms are advised to exercise more care than they would usually.
The steps suggested in the “Dear CEO letter” are:
- developing staff knowledge and expertise on cryptoassets to help them identify the clients or activities that pose a high risk of financial crime;
- ensuring that existing financial crime frameworks adequately reflect the crypto-related activities in which the firm is involved, and that they are capable of keeping pace with fast-moving developments;
- engaging with clients to understand the nature of their businesses and the risks they pose;
- carrying out due diligence on key individuals in the client business including consideration of any adverse intelligence;
- in relation to clients offering forms of crypto-exchange services, assessing the adequacy of those clients’ own due diligence arrangements;
- for clients involved in ICOs, considering the issuer’s investor-base, organisers, the functionality of tokens (including intended use) and the jurisdiction; and
- categorising state-sponsored cryptoassets that are designed to evade international sanctions as high-risk.
More broadly, firms should consider whether they are within scope of the new Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692) and, if so, ensure that they are aware of the identity of their clients and are taking a risk-based approach to any relevant transactions. They will also need to consider reporting any suspicious activity to the UK National Crime Agency or other authorities as appropriate.
There is also the risk that firms inadvertently fall foul of the prohibitions on dealing and transactions with the companies and individuals on the EU and US sanctions lists. Traditionally, it is the banks, with their systems to screen transactions against the sanctions lists, that enforce these prohibitions. The “Dear CEO letter” highlights this risk by stating that clients using state-sponsored cryptoassets, which are designed to evade international sanctions, should be categorised as high-risk.
Bryan Cave Leighton Paisner’s Investigations, Financial Regulation and White Collar team are ideally placed to advise on this complex and ever-evolving area of law and regulation. If you would like to discuss this article, or this area more generally, please do not hesitate to contact Joseph Ninan or Samantha Paul.