Money laundering changes for Cryptoasset and cryptocurrency regulation

Part 5: Upcoming changes to the UK’s anti-money laundering regime

In July 2021, HM Treasury launched a new AML consultation entitled ‘Amendments to the Money Laundering Terrorist Financing and Transfer of Funds Regulations 2017’. This consultation outlined ways in which the government intended to amend the UK’s money laundering regulations (MLRs) with several time-sensitive updates. The planned updates are required to ensure that the UK continues to meet international AML standards, whilst also clarifying how the UK’s anti-money laundering and counter-terrorist financing (AML/CTF) regime works. 

The changes to the MLRs have been made through draft secondary legislation entitled ‘the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022’. Most of the measures in this SI will come into force on 1 September 2022, subject to parliamentary approval.

In this series of blog posts, we take a closer look at what these changes will mean for anti-money laundering compliance.

Transfer of cryptoassets and the Travel Rule

The consultation set out the government’s proposed changes to comply with the expansion of the application of FATF Recommendation 16, regarding information sharing requirements for wire transfers, to cryptoassets (known as the ‘Travel Rule’). 

The government will no longer require both fiat currency and cryptoasset transfers to be considered for the calculation of the de minimis threshold. The government has also decided to make the information requirements relating to unhosted wallet transfers applicable on a risk-sensitive basis only. 

The government has decided to allow for a 12-month grace period, to run from the point at which the amendments to the MLRs take effect until 1 September 2023, subject to parliamentary approval, during which cryptoasset businesses will be expected to implement solutions to enable compliance with the Travel Rule.

Use of provisions from the Funds Transfer Regulation

Regarding the application of the relevant provisions of the FTR to the cryptoasset sector, there was broad acceptance of the proposed information that would need to be collected and shared by cryptoasset businesses.


The government has decided to maintain the information sharing requirements as set out in the consultation, since this information reflects FATF requirements and cannot be changed while remaining compliant with FATF standards. 

These requirements also align with similar requirements in other jurisdictions, so the UK cannot adopt significantly different requirements, as this would leave firms facing inconsistent regulatory requirements for cross-border transfers.

The government concluded that the concept of an intermediary cryptoasset business is sufficiently clear and workable, but the legislation will make clear that the Travel Rule only applies to intermediaries that are cryptoasset exchange providers or custodian wallet providers and will not capture others, like software providers, to whom the Travel Rule is not intended to apply.

Provisions specific to cryptoasset firms

The government has modified its proposals with regard to unhosted wallets. Instead of requiring the collection of beneficiary and originator information for all unhosted wallet transfers, cryptoasset businesses will only be expected to collect this information for transactions identified as posing an elevated risk of illicit finance. The minimum factors that firms should consider when making such a determination of risk will be set out in the legislation.

The government has not decided that unhosted wallet transactions should automatically be viewed as higher risk, as many people who hold cryptoassets for legitimate purposes use unhosted wallets. Nevertheless, the government is conscious that completely exempting unhosted wallets from the Travel Rule could create an incentive for criminals to use them to evade controls.

The FATF do not currently require information collected for unhosted wallet transfers to be verified. The government has decided against amending the proposals to require verification, as it concluded this would pose practical difficulties for both cryptoasset businesses and users.

VinciWorks’ AML and SRA training and solutions

SRA compliance solution – personalised training and centralised reporting

Get your entire firm on board with the SRA compliance process with our complete SRA compliance solution. The SRA puts a significant burden on firms to train their staff on the Standards and Regulations in addition to managing compliance registers and processes such as annual declarations, undertakings, diversity surveys and more. Our SRA compliance suite allows firms to comply with every requirement of the SRA through personalised SRA training and centralised SRA reporting.

Anti-money laundering training and client onboarding solution

Our anti-money laundering training is interactive and customisable for any business and any user, anywhere. Our courses are packed with realistic scenarios, real-life case studies and every customisation option you can think of. We have everything from in-depth induction training to refresher courses and five-minute knowledge checks. 

Our AML client onboarding solution offers one central platform to complete client risk assessments, due diligence and ongoing monitoring. Using Omnitrack, our centralised, flexible tracking and reporting tool, our AML solution enhances both the risk assessment and document collection aspects of client onboarding.
