On June 11, 2018, the United Kingdom’s Financial Conduct Authority (“FCA”) issued guidance in the form of a “Dear CEO” letter on “Cryptoassets and Financial Crime.” It’s among the only guidance from a major regulator to assist banks in understanding their anti-money laundering obligations for clients involved in cryptoasset activity. The fact that guidance was issued at all is good news for the crypto industry. Regulatory silence could be viewed by banks as disapproval. In the guidance, the FCA made clear that it’s okay to provide banking services to crypto businesses so long as banks subject these clients to enhanced scrutiny using a risk-based approach.
Knowing this, crypto businesses can treat the guidance as an opportunity to go on the offensive in their attempt to get banking services. Crypto businesses now know what banks need to satisfy their regulator. Why not proactively bring all of this information to banks upfront without them having to ask?
To begin, crypto businesses need to go into conversations with the banks knowing that they are going to have to provide a lot of information about their business. While the FCA letter tells banks they “may” need to give additional scrutiny to crypto businesses, in this regulatory environment the banks will certainly treat this as a “must.”
In the guidance, the FCA gives some high-level examples of actions that banks should consider taking for crypto business clients. While the level of detail required may depend on the type of crypto business, here are some thoughts on what crypto businesses could provide the banks to address each of the FCA’s suggested actions.
engaging with clients to understand the nature of their businesses and the risks they pose
Crypto businesses will need to provide banks with a lot of detail about their business – what do you do, where are you located, who are your clients, where are your clients located, what is your revenue, how do you plan to use the bank account, what type of transactions, where will those transactions be going, who controls your business, where are they located, who operates your business, and on and on.
Providing all of this information is the minimum. But if that’s all you do, you are leaving the risk analysis up to the bank. Crypto businesses having trouble getting banking services should consider providing banks with a risk analysis of their business. An independent review by a credible source will be given more weight by the bank. But even an internal assessment of your business’s financial crimes risk will do a couple of things: (1) show that you understand the potential risks of your business; and (2) show that you’ve taken steps to mitigate those risks.
The assessment should address the nature of your business, where you do business and who your clients are, where your clients are from and how all of these things affect your financial crimes risk. How might criminals try to exploit your business? How have criminals exploited similar businesses in the past? Then, once you’ve shown you understand the potential risk, you go into detail about how you are mitigating that risk. This could be things like client selection, know your customer information collected, reviews of client activity, etc.
If you do a risk assessment of your business and provide it to the bank, it will be the starting point for the bank’s analysis. The bank will still do its own analysis, but if your assessment is thorough and impartial, it will give you the opportunity to influence the bank’s thinking and will put you in a better position to get services than if you left the analysis completely up to the bank.
carrying out due diligence on key individuals in the client business including consideration of any adverse intelligence
“Adverse intelligence” could mean any number of things, from a criminal conviction at one end of the spectrum to negative blog articles at the other end of the spectrum. Banks are required to try to find this information about their prospective clients. Again, this provides an opportunity to be proactive. If your company and your key executives do not have a criminal record, are not under any government investigation, and are not the subject of any significant civil litigation, why not provide that information to the bank up front? Give the bank a signed document attesting to it. Tell them that if any of these things should occur in the future you’ll affirmatively disclose it to them. If any of these things do exist, disclose them and explain them. The bank will find out. You are better off earning credibility by being up front and explaining the circumstances. Similarly, with negative news reports, do your own Google searches. See what negative information is out there. You won’t need to address every negative reference, but if there is something negative from what could be perceived as a reputable source you should disclose it up front and explain it.
in relation to clients offering forms of crypto-exchange services, assessing the adequacy of those clients’ own due diligence arrangements
A bank is typically not required to collect information on the exchange’s customers. However, the bank is required to get some assurance that the exchange is meeting its anti-money laundering obligations. For traditional businesses, a certification from the client to the bank is often sufficient. For crypto-exchanges struggling to get banking services, this probably won’t be enough.
Banks are likely to ask to see the exchange’s anti-money laundering policies and procedures. Assuming those are sufficient, they’ll still likely want some evidence the exchange is actually doing what it says it’s doing. To proactively address this, exchanges should consider giving banks the most recent independent review of their anti-money laundering program. If the exchange hasn’t had a recent review, it should consider obtaining one for the purpose of disclosing to potential banking partners. Again, the review will only be as useful as the source and its thoroughness, but it may be the exchange’s best shot at demonstrating it has an effective anti-money laundering program in place.
for clients which are involved in ICOs, considering the issuance’s investor-base, organisers, the functionality of tokens (including intended use) and the jurisdiction
From a financial crimes perspective, a bank’s number one concern with clients or potential clients raising money through an ICO will be fraud. And rightly so. So companies raising money through an ICO will need to assure the bank that the money will be raised honestly and used for legitimate purposes. Current bank clients looking to use an ICO should explain that to their bank before it occurs. The company should walk its bank through the purpose of the ICO, what the money will be used for, the type of activity the bank should expect to see in the account after the ICO and how that activity will be consistent with the purpose disclosed to the investors. Prospective bank clients that have used an ICO in the past should disclose all of the same information up front.
In today’s environment, the Compliance, Legal and Risk Departments at most banks will be looking for a reason to say no to onboarding a crypto-related business. Now that the FCA has given banks permission, under certain conditions, to bring on crypto-related clients, your best hope will be to use the FCA guidance proactively to give banks what they need to know up front. Over-communicate, over-deliver and provide the banks with independent analysis to show that you understand the risks of your business and have taken reasonable steps to mitigate them.