Programme of operations: the specific cryptoasset services for your business. The activities you are applying for should be selected within the application form with additional explanation of how they will be used within the Regulatory Business Plan.
Regulatory Business Plan: your business objectives, customers, employees, governance, plans and projections. It should give enough detail to show that the proposal has been thought through and that the adequacy of financial and non-financial resources has been considered. It should also include details on the volume and value of transactions, number and type of customers, pricing, the main lines of income and expenses and any additional products or services that your business plans to offer in the future.
Structural organisation chart: a description of how your business is organised (including a corporate structure chart, any close links and group entities). You must include a description of any relevant outsourcing arrangements. We may ask for a copy of the outsourcing contract.
Jurisdictions: a list of any jurisdictions your business or group currently operate in. Include any group entities in the ‘structural organisation’ section detailed above. If governed by a regulator in those jurisdictions please state who, and for what services.
IT systems: details of the key IT systems you will use to run your business, including details of IT security policies and procedures.
Company details: we would expect to see up-to-date information about your business, and individuals within it. We will compare this information against Companies House. We would also expect to see no outstanding charges. If there are outstanding charges, please provide an explanation as to why.
Individuals, beneficial owners and close links: directors and any other persons who are, or will be, responsible for the management of the business, must satisfy us they have a good reputation, and have the appropriate knowledge and experience. We would expect to see, as part of an organisation chart, details of the roles and responsibilities of key individuals.
A business must appoint a person to be responsible for compliance with the MLRs, to monitor and manage compliance with policies, procedures and controls relating to the MLRs and to act as the nominated officer under the Proceeds of Crime Act 2002.
These functions can be carried out by the same person, but we expect them to have the knowledge, experience and training, level of authority, independence, and sufficient access to resources and information to enable them to carry out that function. For businesses already authorised or registered by us for other services, the relevant officer can be the same person as for those other services, subject to the person having appropriate knowledge, experience, capacity to perform the role and probity for the cryptoasset business.
You will still need to provide details of the relevant officer on the application form when registering for cryptoasset service. We expect to see Money Laundering Reporting Individual forms for all directors, executives and officers and beneficial owner forms for shareholders.
Governance arrangements and internal control mechanisms: details of senior management responsibility, oversight, organisational structure, budget forecasts and financials for the first 3 financial years and business continuity arrangements.
There should be a clear description of the type of management information the senior management of the business will have at their disposal in order to effectively manage the business. This could include, but not limited to, the reporting of suspicious activity, AML breaches and reporting, conflicts of interest, training records and risk management.
There should also be a description of the internal controls to identify, assess and manage the money laundering, terrorist financing and proliferation financing risks relevant to the business.
Anti-Money Laundering/Counter Terrorist Finance (AML/CTF) framework: a description of their AML/CTF framework, including policies, procedures and training material designed to comply with the MLRs.
Business-wide risk assessment: this should evidence an assessment of the inherent risks the business faces with the impact and likelihood of these risks assessed. An explanation of the control framework (design-only for non-trading firms). How risks are evaluated and what the residual risks are should be documented. The methodology of how the risk assessment was constructed should also be evidenced.
Customer risk assessment: a holistic assessment of the risk presented by a customer. At a minimum it should include the factors noted in the MLRs such as jurisdiction risk.
The customer risk assessment should provide a risk rating outcome that drives the level of due diligence, customer due diligence / enhanced due diligence) the business must collect, as per the applicant’s policies and procedures. A detailed methodology should lie behind the risk assessment.
Financial promotions: details of your financial promotions policy including details of the systems, controls and processes in place to ensure that financial promotions comply with our rules and are fair, clear and not misleading. You should also provide copies of any promotions (adverts, etc) you have issued or have plans to issue in the future. For more information please see approving financial promotions and PS23/6.
Travel Rule:policies and procedures to describe how you will meet the requirements of Regulations 64 A-H of the MLRs to receive and transmit details of the beneficiary and originator when conducting cryptoasset transfers. This should be supported by a detailed flow of funds diagram which includes the flow of Travel Rule data as well as details of any technology solutions that you will use to support their implementation.For more information, please see the FCA sets out expectations for UK cryptoasset businesses complying with the Travel Rule.
All cryptoasset public keys/wallet addresses: all of the cryptoasset addresses controlled by your business and used in the activity of the business for each cryptoasset that your business deals with.
Customer on-boarding process: details of screening tools/processes for sanctions, politically exposed persons and adverse media.
Flow of funds and customer journey diagram: this diagram should also include any dependencies on linked group entities or other third-parties.
Ongoing monitoring and transaction monitoring procedures: this should include processes for detecting and escalating suspicious activity.
Record-keeping and recording procedures: this should include making the FCA aware of changes in individuals attached to the applicant or updates to any policies and procedures that have previously been submitted as part of the application.
