News & Views

Crypto Exchange's AML deficiencies lead to FCA rejection

The Financial Conduct Authority (FCA) recently issued a Decision Notice outlining its refusal to register Zeux Limited as a cryptoasset business. This decision, predicated on deficiencies within Zeux’s anti-money laundering (AML) framework, serves as a salient reminder of the critical importance of robust AML compliance for firms operating in the cryptoasset sector.

This development should be seen within the context of a broader drive for enhanced AML effectiveness. Regulatory scrutiny, both domestically and internationally, is focused on ensuring that the UK's AML regime operates effectively across all sectors, including the evolving cryptoasset landscape. The FCA has adopted a particularly stringent approach to the registration of cryptoasset firms, leading to many businesses facing difficulties in obtaining approval. This context makes the FCA's firm stance in the Zeux case all the more significant.

Zeux’s Business Activities

Zeux, according to the Decision Notice, operated a crypto exchange through a mobile-device platform available on Android and iOS devices. The platform enabled users to manage their finances, make and receive payments, and invest in various investment products. Zeux is authorised and regulated by the FCA for arranging deals in investments, making arrangements with a view to transactions in investments, agreeing to carry on a regulated activity, account information services, and payment initiation services.

It is crucial to emphasise that even if Zeux did not have those FCA permissions, as a business carrying out cryptoasset activity in the UK, it still had to comply with the requirements set out in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) and needed to register with the FCA. The application in question related specifically to its proposed cryptoasset exchange activities, involving the exchange of fiat currency for cryptoassets and the exchange of one cryptoasset for another.

Zeux's target customers are "wealthy middle-class individuals”, as well as small and medium-sized enterprises, based in the United Kingdom and Europe. The firm also intended to use social media marketing to target members of the Chinese expatriate and student community in the UK. At the time of its application, Zeux had approximately five hundred active customers and projected significant growth in the following years.

However, the FCA's assessment revealed several serious shortcomings in Zeux's approach to AML, ultimately leading to the rejection of their application.

Failings in the Business-Wide Risk Assessment

A primary concern for the FCA was the inadequacy of Zeux's Business-Wide Risk Assessment (BWRA). The Decision Notice details a catalogue of errors, including the failure to note all risk factors outlined in Regulation 18 of the MLRs, limited consideration of inherent risks, and a lack of methodological rigour in the BWRA process. It was apparent that Zeux had not appropriately tailored its BWRA to the specific risks associated with its business activities. These failings highlight a need for firms to adopt a meticulous approach to risk assessment, a need that is being underscored by regulators and international bodies alike.

Deficiencies in Customer Risk Assessment

The FCA identified significant failings in Zeux's Customer Risk Assessment (CRA). The Authority found that Zeux's CRA lacked a comprehensive methodology for assessing customer risk, relying instead on a superficial categorisation of customers based on limited criteria. This deficiency undermined Zeux's ability to effectively identify, manage, and mitigate the money laundering and terrorist financing risks posed by its customer base. Such deficiencies are precisely what regulators, under pressure to demonstrate effective AML controls, seek to eliminate.

Shortcomings in Enhanced Due Diligence

Enhanced Due Diligence (EDD) procedures were also found to be deficient. Zeux's AML Policy failed to incorporate all necessary EDD triggers, including the critical scenario of dealing with customers established in high-risk third countries, as specified in Schedule 3ZA of the MLRs. These requirements are in place to address higher risk scenarios, and the FCA's focus on these details reflects the broader emphasis on tackling financial crime risks effectively.

Inadequacies in Suspicious Activity Report Procedures

Finally, the FCA highlighted inadequacies in Zeux's Suspicious Activity Report procedures. A fundamental error was noted in the firm’s reference to “Suspicious Transaction Reporting,” a term relating to reports made to the FCA, rather than the correct terminology of “Suspicious Activity Report,” which pertains to reports made to the National Crime Agency. The FCA also expressed concern regarding the absence of any reference to a Defence Against Money Laundering, a critical mechanism for firms to manage potential offenses under the Proceeds of Crime Act 2002. Accurate reporting and procedures are essential for effective AML, and any shortcomings in this area are viewed seriously by regulators.

Conclusion

The FCA's Decision Notice serves as a clear indication of the stringent regulatory expectations placed on cryptoasset businesses. Firms operating within this sector must ensure that their AML frameworks are not only compliant with the letter of the law but also demonstrate a robust and effective approach to mitigating financial crime risks. This is particularly important in the context of increased scrutiny on AML effectiveness, both domestically and internationally. As demonstrated in other areas of financial regulation, such as insurance policy wordings and damage waivers, meticulous attention to detail and a thorough understanding of regulatory requirements are paramount.

For further information, please contact Joshua Bates or call 0151 906 1000.