UK crypto companies have to follow a substantial number of regulations to stay compliant and avoid penalties. At the same time, the UK government is working towards making these regulations clearer. For example, on February 1, 2023, the UK HM Treasury released a consultation on the Future Financial Services Regime for Crypto Assets following the collapse of FTX, in a bid to improve the regulatory framework and sector engagement.

In general, the UK is seeking to move towards a more regulated crypto industry within the next 12 months. To keep you up to date, we at Sumsub prepared this guide explaining UK regulations and how to follow them.

Who is the regulator?

The Financial Conduct Authority (FCA) is the main financial regulator in the UK. It regulates crypto asset providers to ensure that they implement effective Anti-Money Laundering and Countering Terrorism Financing (AML/CFT) policies and procedures.

The FCA maintains a register of crypto asset providers that fall under UK money laundering regulations (MLR 2017 with amendments) and issues guidelines. When it comes to assets, security tokens are the only ones regulated by the FCA.

Other UK institutions that regulate crypto include:

What are the main regulations?

Crypto companies in the UK have comply with the following to meet AML/CFT requirements:

Depending on the nature and type of assets a crypto firm deals with, the following laws and regulations can also apply:

Who is affected?

Affected companies can be separated into two types, according to the MLR 2017 and its amendments. The first are “crypto asset service providers,” which include companies that conduct either of the following:

The second are “custodian wallet providers,” which provide services to safeguard and/or administer crypto assets—or private cryptographic keys for holding, storing, or transferring crypto assets—on behalf of customers.

Who needs to register with the FCA?

Companies that deal with security tokens must register with the FCA because they are considered “regulated tokens”. Meanwhile, companies that deal with exchange and utility tokens do not have to register.

How to register with the FCA

Before registering with the FCA, companies should answer the following questions:

*If there is no UK office or other activity in the UK, beyond having a client in the UK, the FCA is likely to consider that the company is not conducting UK business.

If a company answers positively to some of these questions, then registration with the FCA is likely to be required.

The full requirements for registration can be found on the FCA website.

AML requirements

Companies should take AML requirements very seriously, as failure to comply may lead to severe penalties.

To stay compliant with the AML requirements introduced in the MLRs in 2017, companies have to implement a clear set of procedures. This includes at least the following:

At the onboarding stage (KYC), at least the following information should be collected from users for verification:

As a rule, such data is collected from government-issued documents. Proof of address documents can include current bank statements or credit/debit card statements issued by a regulated financial sector firm in the UK, in addition to utility bills.

UK Crypto Travel Rule

The UK recently has adopted the Travel Rule requirement to its regulation of crypto asset service providers. The Travel Rule requires crypto companies to obtain information from the sender and receiver of crypto assets and share it with counterparty crypto asset service providers. The requirement comes into force on September 1, 2023.

The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulation 2022 is the key law explaining the specifics of the Travel Rule in the UK.  There is no information regarding the de minimis threshold, which means that certain  information should be transferred regardless of the transaction amount.

For certain transactions equal or exceeding 1,000 euros, there are some additional requirements. This includes international transfers as well as transactions involving unhosted wallets.

As a rule, VASPs (cryptoasset exchange providers and a custodian wallet providers in the UK) have to take the following steps to comply with the Travel Rule:

1) In respect of an inter-cryptoasset business transfer, the originating VASP must ensure that the transfer is accompanied by the following information:

  1. the name of the originator and the beneficiary
  2. if the originator or beneficiary is a firm, the registered name of the originator or beneficiary (as the case may be), or if there is no registered name, the trading name
  3. the account number of the originator and the beneficiary, or if there is no account number, the unique transaction identifier.

If the beneficiary VASP request additional information about the sender, the originating VASP should also transfer the following information within 3 days, provided each VASP is conducting business in the United Kingdom:

(a) if the originator is a firm—

If a VASPs is carrying out business outside the United Kingdom and the transaction is equal to or exceeding 1,000 euros in value, the originating VASP should ensure that the transfer is accompanied by all the information specified in paragraph 1 (clauses a, b, c + a or b).

2) Information relating to the originator must be verified by the originating VASP using documents or a reliable source independent of the person whose identity is being verified.

3) When a Beneficiary VASP receives a crypto-asset as part of an inter-cryptoasset business transfer it must, before making the crypto-asset available to the beneficiary, check whether —

(a) it has received the information required by regulation to be provided; and

(b) the information relating to the beneficiary corresponds with information verified by it during customer due diligence.

4) Where the Beneficiary VASP becomes aware that any information required by regulation to be provided is missing or does not correspond with information verified by it, it  must—

(i)to delay making the cryptoasset available to the beneficiary until the information is received or any discrepancy is resolved; and

(ii)if the information is not received or if any discrepancy is not resolved within a reasonable time, to return the cryptoasset to the cryptoasset business of the originator.

5) The beneficiary VASP must report repeated failure by a crypto-asset business to provide any information required as well as any steps the crypto-asset business of the beneficiary has taken in respect of such failures to the FCA.

6) A crypto-asset business must respond fully and without delay to a request in writing from a law enforcement authority for any information in connection to these requirements.

Please check out Sumsub’s Travel Rule guide for the requirements in relation to the transfers with unhosted wallets and any further details.

The future of crypto regulations in the UK

For the last several years, the UK has been working towards a more regulated crypto industry. The country’s latest plans were announced in February 2023, including:

According to the “Future Financial Services Regime for Crypto Assets” Consultation document, the UK plans to widen the scope of regulated crypto activities, including activities with stablecoins. This includes:

The proposed regulatory regimes will be divided into phases. To learn more, you can read pages 27-28 here.

The “Future Financial Services Regime for Crypto Assets” also specifies a primary aim to expand “specified investment”.

Moreover, the HM Treasury now proposes to monitor crypto asset activities in the United Kingdom. This would monitor activities provided by UK firms to persons based in the UK or overseas (natural and legal), as well as those provided by overseas firms to UK persons (natural or legal).

Leave a Reply

Your email address will not be published. Required fields are marked *