Global menu

Our global pages


Cryptocurrency AML Regulation: 10 January 2020 Regime

  • United Kingdom
  • Financial services disputes and investigations
  • Litigation and dispute management


As part of the UK Governments’ ongoing programme to implement the European Union’s Fifth Money Laundering Directive (5MLD) in UK law, the FCA will begin supervising Anti Money Laundering and Countering Financing of Terrorism (AML/CFT) compliance within the cryptoasset sector from 10 January 2020. The 5MLD are due to be implemented into UK law through the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (MLR 2019) coming into force on 10 January 2020, amending the existing Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

Our article on the wider changes brought in by the MLR 2019 can be found here.

Regime Scope and Regulatory Deadlines

The new regime encompasses a significantly increased number of activities within the cryptoasset sector. AML/CFT principles are already well-embedded in many firms who are active within the fiat-crypto exchange sector, and companies involved in UK tokenised security offerings will have experienced FCA regulation of tokenised securities. But the scope of the regime will bring previously unregulated activities within the FCA’s domain, including centralised and peer-to-peer exchanges (fiat- unregulated cryptoassets and unregulated cryptoassets - unregulated cryptoassets) and unregulated cryptoassets custodian wallet providers.

Companies active within these areas wishing to continue business after 10 January 2020 will need to comply with the MLR 2017 (as amended) as regulated persons. Failure to comply opens firms to significant fines, public censure, and in cases of employee obstruction of regulatory investigations, up to two years imprisonment. The FCA’s expectation is that businesses carrying out cryptoasset activities will need to comply by 10 January and registration can follow later in January 2020. Existing cryptoasset businesses must be registered by 10 January 2021 or stop all cryptoasset activity.

A Risk-Based Approach

Central to 5MLD and MLR 2017 (as amended) is the principle of a risk-based approach to implementing AML/CFT measures. Regulated persons are required to assess risk and cannot rely solely on the Government and the FCA to outline risks. With the rapid development of the technology behind cryptoassets, some of the traditional indicators used by financial institutions for fiat currency are of limited relevance to cryptoasset AML/CFT.

Many companies are likely to already be implementing processes of customer due diligence to comply with regulations in other jurisdictions or for fraud prevention. However customer due diligence is just one element of a risk-based approach, and alone is far from sufficient to meet the requirements of the MLR 2017 (as amended) . Existing CDD processes will need review to ensure there are systems of record keeping and internal oversight to meet the AML/CFT standards that will be expected by the FCA.

Criminal and terrorist organisations use a wide range of obfuscation measures to avoid the transaction traceability inherent to many DLT implementations. While implementing a strong customer due diligence process will be key to compliance, regulated persons cannot expect that it will be sufficient to satisfy the MLR 2017 (as amended), nor can they expect governmental and supervisory briefings to offer an off-the-shelf risk assessment for their business.

Under the MLR 2017 (as amended) there is an expectation that regulated persons will actively assess new sources of risk within their activities and take appropriate action to mitigate as and when it arises. Given the continually changing cryptoasset landscape, regulated persons can expect to be at the forefront of identifying Money Laundering and Terrorist Financing (ML/TF) activity and taking action to counter it as technologies develop.

Stopping attempts to obfuscate the parties involved in moving value is core to ML/TF systems and controls, and monitoring activity patterns alongside CDD will be necessary to develop adequate AML/CFT standards. Exchanges offering privacy coins will have particular difficulties given the nature of the token, and will need robust on-boarding checks before allowing participants into their systems. Movements from addresses known to have been related to criminal activities (such as private key thefts or ransomware) are clear signs of risk and can be screened for relatively directly. Other activities will be more difficult to identify, for example DL histories which show signs of obfuscation such as tumbling, use of initial coin offering / token generation events to disguise asset movements, or physical transfer of cold wallets.


Cryptoasset businesses are now required to have the necessary processes and support frameworks to implement strong AML/CFT principles. But businesses cannot treat this as a one-off investment; regulated persons will have to continually monitor the landscape for emerging criminal tactics, and be prepared to harness their existing frameworks to quickly and effectively implement procedures to combat these risks. AML/CFT regulation is not a passing trend, and cryptoasset companies need to be prepared to embed these principles at the core of their activities going forward. The FCA Gateway opens for businesses to submit registration applications on 10 January 2020 with a hard deadline of 10 January 2021.