What Are FCA Regulations and How Do I Become FCA Compliant?

Who Are the FCA?

As the UK’s primary financial regulator, the Financial Conduct Authority (FCA) is tasked with protecting the country’s financial industry and consumers of its financial products and services. In that role, the FCA works to ensure that firms understand and comply with the UK’s AML/CFT rules and regulations, conducts investigations into possible compliance failures, and enforces those regulations where failures are found.

In addition to those direct regulatory interventions, the FCA is also responsible for providing authorization for all banks and financial institutions operating in the UK. This status demonstrates that customers can trust those firms and their products. FCA authorization involves an application process, and firms must show that they have met a set of qualification criteria, including their capability to achieve compliance with FCA regulations.

FCA Compliance: The Authorization Process

While every financial institution in the UK must be authorized by the FCA, the process is a crucial step for early-stage financial services firms, as it gives them a license to operate in the UK. Authorization should be a significant administrative priority: under FCA regulations, firms face strict financial and even criminal penalties if they do business without authorization. 

Sometimes taking over a year to complete, the approval process can be particularly challenging for FinTech startups that may struggle to identify best practices in the approval process and to understand what documentation they’ll be expected to provide.

This series has been written to demystify the authorization procedure and address common application mistakes – as seen first-hand by compliance consultants and co-author of this series, The Thistle Initiatives Group.

Threshold Conditions  

In order for an application for authorization or registration to be successful, firms must ensure that they meet the FCA’s Threshold Conditions. Central to this is the FCA’s requirement that firms be “ready, willing and organized”.

The FCA’s Threshold Conditions can effectively be summed up as:

  • Location of offices: Is the firm and its senior management/decision-making function based in the UK, and, if there are overseas influences or involvement, how do these impact the firm?
  • Supervision: Can the firm be effectively supervised by the FCA as part of meeting its own statutory obligations? The firm must demonstrate how it can effectively meet and report on its obligations while maintaining open and competent communication with the FCA.
  • Resources: Can the firm demonstrate that it has appropriate resources currently in place in order to meet its regulatory obligations? This includes both financial and non-financial resources.
  • Management: Is the senior management team appropriately skilled and able to run the business, and is it of a good professional, personal, and financial standing to discharge its obligations under the regulatory regime?
  • Business model: Have the firm’s business model, structure, and products been established with the customer in mind, and do they risk impacting the FCA’s statutory objectives?

The Application Process

Provided firms can meet the FCA’s Threshold Conditions and are “ready, willing, and organized,” applicant firms have two options: direct authorization and appointed representative/tied agent status.

Direct Authorization

This is where an application is made directly to the FCA to become authorized or registered. With Direct Authorization, firms can expect to go through the following process:

  • Preparation: Firms will need to compile and collate the required information and documentation in order to submit their application to the FCA. Among other things, this may include:
    • A regulatory business plan;
    • Financial forecasts;
    • Compliance monitoring program;
    • Senior Managers and Certification Regime documentation; and
    • Controller and ultimate beneficial owner information. 

Additional firm-specific documentation is also likely to be required as part of the submission. For example, if the firm is looking to become a credit lender, then it will need to have in place a detailed underwriting policy with accompanying procedures. 

  • Draft and submission: Once the firm’s information and documentation are ready to submit, the application form must be completed through the FCA’s Connect portal. After the form and supporting documentation have been uploaded, the FCA Connect portal will ask for the application declarations to be signed by the applicant firm’s director(s) and for the application fee to be paid before final submission. Once the application has been submitted, an automatic confirmation email will be sent from the FCA Connect system that includes an FCA application reference number. This reference number should be quoted in any future correspondence with the FCA.
  • Case handler and FCA questions: The application will be assigned to a case handler at the FCA who will be the main point of contact throughout the application process. Once the case handler has been appointed and has undertaken an initial review of the application, they are likely to get in touch via email for further information and/or documentation. The volume of questioning is largely based on the quality of the application, the documentation provided, the individuals within the firm, and its business model. Some more complex or inadequately presented applications will lead to further telephone or in-person discussions with the FCA.
  • Determination: Once the case handler is confident that the application is “complete” (meaning they have all relevant information and clarifications), it is circulated internally for a decision. After this process, firms can expect to receive one of four results: ‘approved’, ‘minded to approve’ (meaning approval is subject to something being executed), a prompt to withdraw the application at this time, or ‘minded to reject’.

Timeframes for applications will differ depending on the quality of the application, the business model, the customer base, compliance with the Threshold Conditions, and whether the application is for authorization or registration.

Appointed Representatives

Direct authorization can be a lengthy process – in some instances, it can take more than 12 months. Therefore, some applicants establish an Appointed Representative (AR) arrangement with a Principal firm (also known as “umbrella services”, “regulatory hosting”, or “networks”). This enables firms to bring their proposition to market sooner, typically within 3 months.

In this case, the AR undertakes its regulated activities by utilizing the permissions of a directly authorized Principal firm and is listed on the FCA register as an AR of the Principal.

Although this may be a viable and quicker route to market, the scope of the AR’s potential activities will be reduced. ARs can expect their regulated activities to be robustly monitored and enforced by their Principal.

It’s important to keep in mind that the Principal firm holds the ultimate regulatory responsibility and thus is liable for all of the risk inherent in the AR’s activities. This means that if an AR breaches any FCA rules, the FCA may pursue the Principal firm. Given Principal firms generally have several ARs, any significant rule breach would pose a potential risk to all other ARs trading under the Principal. Therefore, when ARs are being onboarded, they should expect to undergo robust due diligence not dissimilar to that required as part of the direct authorization process.

FCA Compliance Do’s and Don’ts

There are a number of considerations to keep in mind when submitting an application for authorization or registration. Some do’s and don’ts include:

Do’s

  • Ensure all of the FCA’s questions have been answered comprehensively and all relevant documentation has been supplied
  • Ensure the business model has been appropriately mapped out against relevant legislation and regulatory requirements
  • Ensure all the information provided to the FCA aligns – for example, financial forecasts and customer acquisition costs
  • Ensure that individuals have been appropriately skilled internally
  • Ensure all documentation/information compiled for the FCA is open and honest

Don’ts

  • Submit an application that has not been fully prepared and is not mapped against the relevant FCA requirements
  • Submit an application that explains material information or documentation will be provided at a later date post-submission
  • Submit an application that does not include all names and relevant supporting documentation for all senior managers, directors, and key individuals
  • Submit an application without having in place a comprehensive IT road map, with something tangible ready for the case handler to undertake an initial review (such as wireframes or a demonstrable customer journey)
  • Submit an application if the required funding to cover at least the first year of trading is not, or will not, be in place, with evidence of further capital being sought for years 2 and 3 post-authorization

FCA Regulations: Implementing an AML/CFT Program

The authorization process is designed to demonstrate that a firm is capable of complying with FCA regulations, including detecting and preventing money laundering and the financing of terrorism. Central to the FCA’s AML/CFT requirements is the need to implement a risk-based AML/CFT compliance monitoring program. 

In practice, a risk-based AML/CFT program means that a firm should perform risk assessments of individual customers and then deploy a proportionate compliance response. Depending on their level of risk exposure, in order to achieve FCA compliance and authorization, firms should expect to put the following measures and controls in place:

Customer identification: In order to conduct an accurate risk assessment, firms should perform suitable customer due diligence (CDD) to identify their customers. The FCA also requires firms to establish beneficial ownership of customer entities to ensure that money launderers are not using shell companies to commit financial crimes.

Transaction monitoring: The FCA requires firms to monitor their customers’ transactions for suspicious activity, which may include unusual transaction amounts, unusual transaction patterns, or transactions with high-risk countries.

Customer screening: In order to gauge their customers’ risk level, firms should screen against AML/CFT risk factors, including: 

  • Politically exposed persons: Government and elected officials – also known as politically exposed persons (PEP) – often present a higher AML risk than other types of customers since they may have access to government funds and be susceptible to corruption. Firms should screen suspected PEPs against PEP lists. 
  • International sanctions: Customers that are subject to economic sanctions may attempt to avoid AML/CFT controls to launder money. Firms should screen high-risk customer names against the relevant sanctions list, including the UNSC Consolidated List and the UK Sanctions List.
  • Adverse media: Changes to a customer’s risk profile, such as their involvement in financial crime, election to political office, or designation for sanctions may be revealed in news reports before it is confirmed by official sources. Accordingly, firms should screen customers regularly against a range of global adverse media stories to capture adverse media that might indicate changes in risk. 

ComplyTry: Run FCA Compliance Checks for Free

FCA regulations often represent an administrative challenge and require a significant investment of company time and money. ComplyAdvantage’s ComplyTry platform is a way to conduct smarter, faster customer screening, reduce onboarding times, and enhance your customers’ compliance experiences.  

A manual customer verification tool, ComplyTry enables you to screen customers against a real-time database of sanctions, watchlists, PEP, and adverse media data for free. Simply upload your customer details and select your data source, and hit search: ComplyTry will generate a customer profile for you automatically as a pre-filled data card. 

Originally published June 20, 2022, updated September 1, 2022

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2022 IVXS UK Limited (trading as ComplyAdvantage).