Learn about crypto regulations in the UK and the FCA registration process
UK crypto companies have to follow a substantial number of regulations to stay compliant and avoid penalties. At the same time, the UK government is working towards making these regulations clearer. For example, on February 1, 2023, the UK HM Treasury released a consultation on the Future Financial Services Regime for Crypto Assets following the collapse of FTX, in a bid to improve the regulatory framework and sector engagement.
In general, the UK is seeking to move towards a more regulated crypto industry within the next 12 months. To keep you up to date, we at Sumsub prepared this guide explaining UK regulations and how to follow them.
The Financial Conduct Authority (FCA) is the main financial regulator in the UK. It regulates crypto asset providers to ensure that they implement effective Anti-Money Laundering and Countering Terrorism Financing (AML/CFT) policies and procedures.
The FCA maintains a register of crypto asset providers that fall under UK money laundering regulations (MLR 2017 with amendments) and issues guidelines. When it comes to assets, security tokens are the only ones regulated by the FCA.
Other UK institutions that regulate crypto include:
Crypto companies in the UK have comply with the following to meet AML/CFT requirements:
Depending on the nature and type of assets a crypto firm deals with, the following laws and regulations can also apply:
Affected companies can be separated into two types, according to the MLR 2017 and its amendments. The first are “crypto asset service providers,” which include companies that conduct either of the following:
The second are “custodian wallet providers,” which provide services to safeguard and/or administer crypto assets—or private cryptographic keys for holding, storing, or transferring crypto assets—on behalf of customers.
Companies that deal with security tokens must register with the FCA because they are considered “regulated tokens”. Meanwhile, companies that deal with exchange and utility tokens do not have to register.
Before registering with the FCA, companies should answer the following questions:
*If there is no UK office or other activity in the UK, beyond having a client in the UK, the FCA is likely to consider that the company is not conducting UK business.
If a company answers positively to some of these questions, then registration with the FCA is likely to be required.
The full requirements for registration can be found on the FCA website.
Companies should take AML requirements very seriously, as failure to comply may lead to severe penalties.
To stay compliant with the AML requirements introduced in the MLRs in 2017, companies have to implement a clear set of procedures. This includes at least the following:
At the onboarding stage (KYC), at least the following information should be collected from users for verification:
As a rule, such data is collected from government-issued documents. Proof of address documents can include current bank statements or credit/debit card statements issued by a regulated financial sector firm in the UK, in addition to utility bills.
The UK recently has adopted the Travel Rule requirement to its regulation of crypto asset service providers. The Travel Rule requires crypto companies to obtain information from the sender and receiver of crypto assets and share it with counterparty crypto asset service providers. The requirement comes into force on September 1, 2023.
The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulation 2022 is the key law explaining the specifics of the Travel Rule in the UK. There is no information regarding the de minimis threshold, which means that certain information should be transferred regardless of the transaction amount.
For certain transactions equal or exceeding 1,000 euros, there are some additional requirements. This includes international transfers as well as transactions involving unhosted wallets.
As a rule, VASPs (cryptoasset exchange providers and a custodian wallet providers in the UK) have to take the following steps to comply with the Travel Rule:
1) In respect of an inter-cryptoasset business transfer, the originating VASP must ensure that the transfer is accompanied by the following information:
If the beneficiary VASP request additional information about the sender, the originating VASP should also transfer the following information within 3 days, provided each VASP is conducting business in the United Kingdom:
(a) if the originator is a firm—
If a VASPs is carrying out business outside the United Kingdom and the transaction is equal to or exceeding 1,000 euros in value, the originating VASP should ensure that the transfer is accompanied by all the information specified in paragraph 1 (clauses a, b, c + a or b).
2) Information relating to the originator must be verified by the originating VASP using documents or a reliable source independent of the person whose identity is being verified.
3) When a Beneficiary VASP receives a crypto-asset as part of an inter-cryptoasset business transfer it must, before making the crypto-asset available to the beneficiary, check whether —
(a) it has received the information required by regulation to be provided; and
(b) the information relating to the beneficiary corresponds with information verified by it during customer due diligence.
4) Where the Beneficiary VASP becomes aware that any information required by regulation to be provided is missing or does not correspond with information verified by it, it must—
(i)to delay making the cryptoasset available to the beneficiary until the information is received or any discrepancy is resolved; and
(ii)if the information is not received or if any discrepancy is not resolved within a reasonable time, to return the cryptoasset to the cryptoasset business of the originator.
5) The beneficiary VASP must report repeated failure by a crypto-asset business to provide any information required as well as any steps the crypto-asset business of the beneficiary has taken in respect of such failures to the FCA.
6) A crypto-asset business must respond fully and without delay to a request in writing from a law enforcement authority for any information in connection to these requirements.
Please check out Sumsub’s Travel Rule guide for the requirements in relation to the transfers with unhosted wallets and any further details.
For the last several years, the UK has been working towards a more regulated crypto industry. The country’s latest plans were announced in February 2023, including:
According to the “Future Financial Services Regime for Crypto Assets” Consultation document, the UK plans to widen the scope of regulated crypto activities, including activities with stablecoins. This includes:
The proposed regulatory regimes will be divided into phases. To learn more, you can read pages 27-28 here.
The “Future Financial Services Regime for Crypto Assets” also specifies a primary aim to expand “specified investment”.
Moreover, the HM Treasury now proposes to monitor crypto asset activities in the United Kingdom. This would monitor activities provided by UK firms to persons based in the UK or overseas (natural and legal), as well as those provided by overseas firms to UK persons (natural or legal).
Cryptocurrency is legal in the UK, but it is not legal tender. Anyone can buy crypto assets from crypto asset providers and store them in digital wallets.
Yes, it is regulated. In accordance with the MLR, some companies working with crypto assets must register with the FCA and comply with AML requirements.
The UK is currently working to introduce more comprehensive crypto regulations. This includes:
Identity verification is necessary for businesses to comply with regulations. At the same time, businesses can lose customers during the onboarding process, if applicants are overwhelmed by the number of documents they have to submit. That’s why it’s essential to build a user journey that spreads out the verification process across multiple stages and doesn’t request everything at once.
The Travel Rule is a term used to refer to FATF Recommendation 16, which aims to combat money laundering and terrorism financing (ML/TF). It requires financial institutions engaged in VA transfers and Virtual Asset Service Providers (VASPs) to obtain “required and accurate originator information, and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before the transaction.
The FATF recommends a de minimis threshold of 1,000 USD/EUR. If companies apply a lower threshold, they can enjoy less stringent requirements (e.g., less information may be transferred). However, it should be noted that countries can establish their own threshold or forego one altogether. For example, in the UK, there is no de minimis threshold, however there are particular requirements for transactions equal or exceeding 1,000 euros in value.