Starting a peer-to-peer (P2P) money exchange business that facilitates the buying and selling of cryptocurrency for cash comes with significant regulatory obligations. In the UK, such a business would fall under the remit of the Financial Conduct Authority (FCA) and would need to comply with the Money Laundering Regulations (MLR). In order to operate effectively and in accordance with the law, businesses must implement robust Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT) measures.

The Financial Conduct Authority (FCA) in the UK mandates businesses dealing with cryptocurrencies to register and comply with its AML and CFT regulations (FCA, 2020). These regulations require businesses to conduct risk assessments, perform customer due diligence (CDD), report suspicious activity, and maintain records.

1. Risk Assessment: Businesses must conduct a risk assessment to identify and assess the risks of money laundering and terrorist financing to which their business is subject (Money Laundering Regulations, Reg. 18). This should be informed by high-quality resources, such as Elliptic’s Financial Crime Typologies in Cryptoassets and Chainalysis’s Crypto Crime Trends reports, which provide insights into the latest methods and trends in cryptocurrency-related financial crimes.
2. Customer Due Diligence (CDD): Businesses must apply CDD measures when establishing a business relationship or carrying out an occasional transaction (Money Laundering Regulations, Reg. 27). This involves verifying the customer’s identity and understanding the nature of the customer’s activities. The Wolfsberg Group’s Statement on Cryptocurrency Due Diligence and IACCP’s Cryptocurrency AML Certification Program offer guidance on the best practices for conducting CDD in the context of cryptocurrency transactions.
3. Reporting Suspicious Activity: If a business suspects that a person is engaged in money laundering or terrorist financing, it must promptly inform the National Crime Agency (Money Laundering Regulations, Reg. 33).
4. Record Keeping: Businesses must maintain records of CDD measures and transactions for five years after the end of the business relationship or transaction (Money Laundering Regulations, Reg. 40).
5. Compliance Monitoring: Businesses must monitor compliance with their policies, controls, and procedures (Money Laundering Regulations, Reg. 21).

The FATF’s Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers provides additional international guidance on AML and CFT measures. This guidance encourages businesses to adopt a risk-based approach, meaning that more stringent measures should be applied to higher-risk customers and transactions. The Cambridge Centre for Alternative Finance’s Global Cryptoasset Regulatory Landscape Study is another useful resource for understanding the international regulatory landscape.

The Blockchain Transparency Institute’s Crypto Anti-Money Laundering Report provides further insights into the scale and nature of money laundering risks in the cryptocurrency industry, which can inform your business’s risk assessment and AML strategy.

It’s important to note that the regulatory environment for cryptocurrencies is evolving rapidly, so businesses must stay abreast of changes to ensure ongoing compliance. Consultation with a legal expert in this field is recommended.