Hot on the heels of the crackdown on advertising cryptoassets in the UK, the Financial Conduct Authority has also sent a notice to all the firms it supervises who 'interact' with cryptoassets or related services. There's nothing new here but a sense that the FCA has suddenly realised that the UK authorities are way behind the crypto-curve (particularly in light of recent sanctions), and there's a mad scramble to avoid another LC&F scandal - or worse.
The FCA expects firms to ensure that consumers understand what aspects of their services are regulated and clearly distinguish those elements which are not regulated. The firm is responsible for identifying and managing potential risks related to cryptoassets.
There is a reminder that it is a criminal offence to provide cryptoasset exchange services or custodian wallet services by way of business in or from the UK without being registered with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (or have temporary permission to do so while your application is pending).
All authorised and registered firms must have appropriate systems and controls to counter the risk of being misused for financial crime, so firms should be reviewing whether cryptoasset businesses they interact with are listed on the FCA’s Unregistered Cryptoasset Businesses page, for example.
The FCA's Dear CEO letter also remains relevant in terms of how to achieve best practice where clients and customers may be using cryptoassets, or where firms are providing services to customers offering cryptoassets.
Firms should assess the risks posed by a customer whose wealth or funds derive from the sale of cryptoassets, or other cryptoasset related activities, using the same criteria that would be applied to other sources of wealth or funds (even if the evidence trail may be weaker).
While there are no specific prudential (capital) treatments that explicitly mention cryptoassets, firms subject to the investment firm prudential regime (IFPR), have obligations (under MIFIDPRU 7) to assess and mitigate the potential for harm to clients, to the markets in which the firm operates and to itself, that could arise from all of their business - even if the activity is unregulated or carried out on a principal, agency some other basis. Assessing adequate financial resources should involve assessing and managing risks and exposures from cryptoassets and deducting from regulatory capital any cryptoasset that is accounted for as an intangible asset.
All FCA regulated firms must observe the Principles for Business in the Handbook, and Principle 10 requires a firm to arrange adequate protection for clients’ assets. The FCA’s Client Assets Sourcebook (CASS) provides detailed rules for firms to follow when holding regulated assets in custody, as part of their investment business. Where cryptoassets are security tokens (and so count as specified investments), firms carrying out regulated activities involving custody of those cryptoassets are likely subject to CASS.
The FCA will continue to monitor the use of cryptoassets in custody arrangements and act where appropriate.