All You Need to Know About UK Crypto Regulations—2023 Guide 

UK crypto companies have to follow a substantial number of regulations to stay compliant and avoid penalties. At the same time, the UK government is working towards making these regulations clearer. For example, on February 1, 2023, the UK HM Treasury released a consultation on the Future Financial Services Regime for Crypto Assets following the collapse of FTX, in a bid to improve the regulatory framework and sector engagement. 

In general, the UK is seeking to move towards a more regulated crypto industry within the next 12 months. To keep you up to date, we at Sumsub prepared this guide explaining UK regulations and how to follow them. 

Who is the regulator?

The Financial Conduct Authority (FCA) is the main financial regulator in the UK. It regulates crypto asset providers to ensure that they implement effective Anti-Money Laundering and Countering Terrorism Financing (AML/CFT) policies and procedures.

The FCA maintains a register of crypto asset providers that fall under UK money laundering regulations (MLR 2017 with amendments) and issues guidelines. When it comes to assets, security tokens are the only ones regulated by the FCA.

Other UK institutions that regulate crypto include:

• HM Treasury
• The Bank of England

What are the main regulations?

Crypto companies in the UK have comply with the following to meet AML/CFT requirements:

• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, or simply MLR, which is the main regulation that outlines all the AML requirements and registration requirements. It has been amended several times since its original publication to implement the EU’s AMLD5 in 2019 and the Travel Rule in 2022.

Depending on the nature and type of assets a crypto firm deals with, the following laws and regulations can also apply:

• The Financial Services and Markets Act 2000 (“FSMA”) and the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (“RAO”)
• Electronic Money Regulations 2011 (“EMRs”) or the Payment Services Regulations 2017 (“PSRs”)

Who is affected?

Affected companies can be separated into two types, according to the MLR 2017 and its amendments. The first are “crypto asset service providers,” which include companies that conduct either of the following: 

• “Exchanging, or arranging or making arrangements with a view to the exchange of, crypto assets for money or money for crypto assets,
• Exchanging, or arranging or making arrangements with a view to the exchange of, one crypto asset for another, or
• Operating a machine which utilizes automated processes to exchange crypto assets for money or money for crypto assets.”

The second are “custodian wallet providers,” which provide services to safeguard and/or administer crypto assets—or private cryptographic keys for holding, storing, or transferring crypto assets—on behalf of customers. 

Who needs to register with the FCA? 

Companies that deal with security tokens must register with the FCA because they are considered “regulated tokens”. Meanwhile, companies that deal with exchange and utility tokens do not have to register. 

How to register with the FCA

Before registering with the FCA, companies should answer the following questions: 

• Does the company advertise or act in a way that suggests it’s providing crypto asset services by way of business? 
• Does the company receive direct or indirect benefit from this service?
• How significant is the activity to the business’ other activities (crypto asset activities may be only part of the business)?
• Does the frequency of the activity suggest that it is being carried on as a business?
• Does the company have a registered or head office in the UK* and does the company carry on day-to-day management of these activities from this office, irrespective of where, geographically, the crypto asset activity is conducted?
• Does the company operate one or more ATMs in the UK?
• Does the company have any UK presence that is engaged in or facilitates crypto asset activities?

*If there is no UK office or other activity in the UK, beyond having a client in the UK, the FCA is likely to consider that the company is not conducting UK business.

If a company answers positively to some of these questions, then registration with the FCA is likely to be required. 

The full requirements for registration can be found on the FCA website. 

AML requirements

Companies should take AML requirements very seriously, as failure to comply may lead to severe penalties. 

To stay compliant with the AML requirements introduced in the MLRs in 2017, companies have to implement a clear set of procedures. This includes at least the following:

• Appointing a Money Laundering Reporting Officer (MLRO)
• Staff training
• Risk assessment
• Conducting Customer Due Diligence (CDD), Simplified Due Diligence (SDD) and Enhanced Due Diligence (EDD) 
• Screening for persons on sanction lists, Politically Exposed Persons (PEPs) lists
• Transaction monitoring
• Ongoing monitoring of customer behavior and transactions
• Recordkeeping for at least five years from the date of the end of a business relationship or final transaction
• Reporting suspicious activity to the National Crime Agency

At the onboarding stage (KYC), at least the following information should be collected from users for verification:

• Full name
• Birth date
• Address

As a rule, such data is collected from government-issued documents. Proof of address documents can include current bank statements or credit/debit card statements issued by a regulated financial sector firm in the UK, in addition to utility bills. 

UK Crypto Travel Rule

The UK recently has adopted the Travel Rule requirement to its regulation of crypto asset service providers. The Travel Rule requires crypto companies to obtain information from the sender and receiver of crypto assets and share it with counterparty crypto asset service providers. The requirement comes into force on September 1, 2023.

The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulation 2022 is the key law explaining the specifics of the Travel Rule in the UK.  There is no information regarding the de minimis threshold, which means that certain  information should be transferred regardless of the transaction amount. 

For certain transactions equal or exceeding 1,000 euros, there are some additional requirements. This includes international transfers as well as transactions involving unhosted wallets. 

As a rule, VASPs (cryptoasset exchange providers and a custodian wallet providers in the UK) have to take the following steps to comply with the Travel Rule:

1) In respect of an inter-cryptoasset business transfer, the originating VASP must ensure that the transfer is accompanied by the following information: 

1. the name of the originator and the beneficiary
2. if the originator or beneficiary is a firm, the registered name of the originator or beneficiary (as the case may be), or if there is no registered name, the trading name
3. the account number of the originator and the beneficiary, or if there is no account number, the unique transaction identifier.

If the beneficiary VASP request additional information about the sender, the originating VASP should also transfer the following information within 3 days, provided each VASP is conducting business in the United Kingdom:

(a) if the originator is a firm—

• the customer identification number or
• the address of the originator’s registered office, or, if there is none, its principal place of business
• if the originator is an individual, one of the following—
• the customer identification number
• the individual’s address
• the individual’s birth certificate number, passport number, or national identity card number
• the individual’s date and place of birth.

If a VASPs is carrying out business outside the United Kingdom and the transaction is equal to or exceeding 1,000 euros in value, the originating VASP should ensure that the transfer is accompanied by all the information specified in paragraph 1 (clauses a, b, c + a or b).  

2) Information relating to the originator must be verified by the originating VASP using documents or a reliable source independent of the person whose identity is being verified. 

3) When a Beneficiary VASP receives a crypto-asset as part of an inter-cryptoasset business transfer it must, before making the crypto-asset available to the beneficiary, check whether —

(a) it has received the information required by regulation to be provided; and

(b) the information relating to the beneficiary corresponds with information verified by it during customer due diligence.

4) Where the Beneficiary VASP becomes aware that any information required by regulation to be provided is missing or does not correspond with information verified by it, it  must—

• request that the originating VASP provides the missing information;
• consider whether to make enquiries as to any discrepancy between information received and information verified during the CDD process; and
• where the Beneficiary VASP becomes aware that any information required to be provided is missing or does not correspond with information verified during customer due diligence, it must consider whether—

(i)to delay making the cryptoasset available to the beneficiary until the information is received or any discrepancy is resolved; and

(ii)if the information is not received or if any discrepancy is not resolved within a reasonable time, to return the cryptoasset to the cryptoasset business of the originator.

5) The beneficiary VASP must report repeated failure by a crypto-asset business to provide any information required as well as any steps the crypto-asset business of the beneficiary has taken in respect of such failures to the FCA.

6) A crypto-asset business must respond fully and without delay to a request in writing from a law enforcement authority for any information in connection to these requirements.

Please check out Sumsub’s Travel Rule guide for the requirements in relation to the transfers with unhosted wallets and any further details.

The future of crypto regulations in the UK

For the last several years, the UK has been working towards a more regulated crypto industry. The country’s latest plans were announced in February 2023, including:

• Strengthening rules for crypto trading platforms
• Creating a world-first regime for crypto lending
• Implementing new rules to protect customers from market manipulation (e.g., pump and dump schemes)

According to the “Future Financial Services Regime for Crypto Assets” Consultation document, the UK plans to widen the scope of regulated crypto activities, including activities with stablecoins. This includes: 

• Issuance 
• Payment 
• Exchange 
• Investment and risk management 
• Lending, borrowing, and leverage 
• Safeguarding and/or administration 
• Validation and governance 

The proposed regulatory regimes will be divided into phases. To learn more, you can read pages 27-28 here. 

The “Future Financial Services Regime for Crypto Assets” also specifies a primary aim to expand “specified investment”.

Moreover, the HM Treasury now proposes to monitor crypto asset activities in the United Kingdom. This would monitor activities provided by UK firms to persons based in the UK or overseas (natural and legal), as well as those provided by overseas firms to UK persons (natural or legal). 

FAQ

• Is cryptocurrency legal in the UK?

  Cryptocurrency is legal in the UK, but it is not legal tender. Anyone can buy crypto assets from crypto asset providers and store them in digital wallets.

• Is cryptocurrency regulated in the UK?

  Yes, it is regulated. In accordance with the MLR, some companies working with crypto assets must register with the FCA and comply with AML requirements.

• What is the new UK crypto regulation?

  The UK is currently working to introduce more comprehensive crypto regulations. This includes:

  • Introducing robust regulation of crypto asset activities
  • Strengthening rules for crypto trading platforms
  • Creating a world-first regime for crypto lending
  • Implementing new rules to protect customers from market manipulation (e.g., pump and dump schemes)
  • Providing a comprehensive regulatory framework for stablecoins
  • Widening the list of regulated activities

• How to use identity verification in business

  Identity verification is necessary for businesses to comply with regulations. At the same time, businesses can lose customers during the onboarding process, if applicants are overwhelmed by the number of documents they have to submit. That’s why it’s essential to build a user journey that spreads out the verification process across multiple stages and doesn’t request everything at once.

• What is the FATF Travel Rule?

  The Travel Rule is a term used to refer to FATF Recommendation 16, which aims to combat money laundering and terrorism financing (ML/TF). It requires financial institutions engaged in VA transfers and Virtual Asset Service Providers (VASPs) to obtain “required and accurate originator information, and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before the transaction.

• What is the FATF Travel Rule threshold for transfer of personal data?

  The FATF recommends a de minimis threshold of 1,000 USD/EUR. If companies apply a lower threshold, they can enjoy less stringent requirements (e.g., less information may be transferred). However, it should be noted that countries can establish their own threshold or forego one altogether. For example, in the UK, there is no de minimis threshold, however there are particular requirements for transactions equal or exceeding 1,000 euros in value.