UK Financial Conduct Authority (FCA) and Money Laundering Regulations (MLR):

In the UK, cryptoasset exchange providers must be registered with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). The FCA is the supervisory authority for these businesses under the MLRs.

• The FCA, through its Policy Statement PS19/22: Guidance on Cryptoassets, set out where different categories of cryptoassets might fall in the regulatory perimeter (FCA, 2019).
• The FCA also released a “cryptoassets” webpage detailing how it regulates cryptoassets, including cryptocurrencies and which types of cryptoassets fall within the FCA’s regulatory remit.

Cryptoasset Exchanges:

Cryptoasset exchanges should conduct robust Know Your Customer (KYC) and Anti-Money Laundering (AML) checks as per the Money Laundering Regulations 2017, MLR 2017 Reg. 28(3). They also need to comply with the Sanctions and Anti-Money Laundering Act 2018.

Use of Non-Compliant or Unlicensed Exchanges and High Risk Jurisdictions:

Cryptoasset exchange providers are required to assess the risk of money laundering and terrorist financing to which their business is subject (MLRs, Reg. 18(1)). This would include considering the risk of dealing with non-compliant or unlicensed exchanges and exchanges in high-risk jurisdictions.

The Financial Action Task Force (FATF) has provided a list of jurisdictions under increased monitoring due to strategic deficiencies in their AML/CFT regimes. Providers should be cautious when dealing with transactions from these jurisdictions.

• FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (2019) provides recommendations for identifying high-risk jurisdictions and managing the associated risks.

Money Mules or Fraudulent Documents at Legitimate Exchanges:

To prevent the use of their services by money mules or individuals with fraudulent documents, cryptoasset exchanges should implement robust customer due diligence (CDD) measures (MLRs, Reg. 27).

• Chainalysis’s “Crypto Crime Trends for 2021” suggests using blockchain analytics to detect suspicious transaction patterns indicative of money mules or other illicit activities.
• The Wolfsberg Group’s Statement on Cryptocurrency Due Diligence (2019) also provides guidance on due diligence measures to detect and prevent fraudulent activities.

Preventative Measures:

1. Enhanced Due Diligence: For high-risk customers or transactions, Enhanced Due Diligence (EDD) should be applied (MLRs, Reg. 33).
2. Risk Assessment: Cryptoasset exchange providers should undertake an assessment of the risks of money laundering and terrorist financing to which their business is subject, and implement policies, controls, and procedures to mitigate and manage effectively the risks identified (MLRs, Reg. 18(1)).
3. Suspicious Activity Reporting: If a provider knows or suspects (or has reasonable grounds for knowing or suspecting) that a person is engaged in money laundering or terrorist financing, they must report it to the National Crime Agency (NCA) (Proceeds of Crime Act 2002, ss. 330-332).
4. Ongoing Monitoring: Ongoing monitoring of business relationships is required, including scrutiny of transactions to ensure they’re consistent with the provider’s knowledge of the customer, their business, and risk profile (MLRs, Reg. 28(11)).
5. Record Keeping: Providers must keep records of customer due diligence measures and supporting evidence for a period of five years (MLRs, Reg. 40).
6. Training: Providers must regularly give their employees training in how to recognize and deal with transactions and other activities which may be related to money laundering or terrorist financing (MLRs, Reg. 24).

In addition to these measures, Elliptic’s “Financial Crime Typologies in Cryptoassets” and the International Association of Cryptocurrency Compliance Professionals (IACCP) Cryptocurrency AML Certification Program provide further guidance on best practices for AML/CFT in the context of cryptoassets.