Assessing firms’ compliance with the FCAs cryptoasset financial promotions rules

金融服务监管 | 28/08/2024

The FCA has recently published¹ its assessment of firms’ compliance with what it calls its "back end" cryptoasset financial promotions rules. We summarise the good and the bad practices they found.

These requirements were imposed from June 2023, The FCA's "back end"’ rules require firms to:

provide 24-hour cooling-off period;
provide personalised risk warnings;
undertake client categorisation;
carry out appropriateness assessments;
carry out effective record keeping; and
carrying out due diligence on cryptoassets.

Following the implementation of these rules, the FCA reviewed a sample of crypto firms’ compliance with those rules, identifying good and poor practice. The FCA found some firms still needed to make significant improvements.

The cryptoasset promotions rules were incorporated into existing rules for Restricted Mass Market Investments ("RMMI"s).

The FCA chose a sample of firms offering qualifying cryptoassets which were either:

registered with the FCA under Money Laundering Terrorist Financing and Transfer of Funds (information on the Payer) Regulations 2017 (the "MLRs"), or
authorised firms able to approve promotions for unregistered/unauthorised firms.

FCA's findings

1. Cooling-off period

Firms must allow a cooling-off period for new consumers who respond to a Direct Offer Financial Promotion (DOFP).

Some firms gave consumers limited or no information on why they must wait before committing to an investment, which could lead to consumer confusion. Additionally, some firms did not inform consumers about the cooling-off period until they were a significant way through the investment journey.

Firms allowed consumers to deposit funds into their accounts during the cooling-off period but where this included a fee for withdrawing these funds. The firms did not explain the nature or extent of these fees before the consumer made their deposit. Good practice would be to clearly explain fees that could impact the decision of whether to proceed at the end of the cooling-off period.

Examples of good practice

Giving clear information that there is a cooling-off period, and explaining that it was there to ensure consumers take the time to consider if the product is right for them;
Giving clear information once the cooling-off period has ended; and
Displaying information that factually indicates the time remaining before the cooling-off period ends, but did not pressurise or otherwise unduly influence consumers.

Examples of poor practice

Not providing information about the reason for the cooling-off period; and
Not giving consumers the express option to proceed or leave the investment journey at the end of the cooling-off period.

2. Personalised risk warnings

Firms must provide a personalised risk warning to new consumers, tailored to include the client’s name, and include both a risk warning and link to a risk summary.

One firm gave the personalised risk warning after applying the client categorisation and appropriateness test. This was in breach of COBS 4.12A.20R which requires the personalised risk warning to be given before the client categorisation and appropriateness assessment. This approach incorrectly combined the separate requirements (i) for consumers to specify if they wish to proceed to the DOFP or leave the journey at the end of the cooling-off period with (ii) giving the personalised risk warning.

In some instances, the personalised risk warning did not meet the prominence requirements or did not present the options to proceed with or leave the investment journey with equal prominence.

Examples of good practice

Positioning the warning on its own page with no other information, making the warning the sole focus for the consumer;
Improving the prominence and engagement of the options to proceed with or leave the journey by making them the sole focus of the screen; and
Including clear processes for consumers who wish to leave the investment journey.

Examples of poor practice

Including frictions for consumers who wished to leave the journey; and
Using language in the personalised risk warning that downplayed the risks of the cryptoassets or encouraged consumers to proceed with the journey.

3. Client categorisation

Firms must take reasonable steps to establish that a consumer is certified as either a Restricted, High Net Worth or Certificated (note, not self-certified) Sophisticated Investor before communicating a DOFP in relation to cryptoassets. The FCA have some serious concerns in this regard.

Most firms had implemented a process for ensuring consumers were able to self-categorise appropriately and provided correctly worded categorisation statements. In most cases, consumers were given clear and accurate information to help them select the most appropriate category.

However, there were poor examples where firms were "guiding consumers through the process by telling consumers what they need to enter to proceed". In some instances, if a consumer entered a value that did not meet the requirements of their selected category, a warning message would appear on screen, encouraging consumers to change their response to fit the permitted range. This might steer consumers towards a category that did not appropriately reflect their circumstances, in breach of COBS 4.12A.26R.

In better examples, firms gave clear explanations of the purpose of the categorisation process and a clear description of the available categories. Consumers would only be informed if they entered values that were outside the permitted range for that category after they had submitted the full response. Consumers could choose to restart the categorisation process but were not unduly encouraged or pressured to do so.

Some firms had changed the title or description of the investor categories in a way that inappropriately downplayed the risk of investing in cryptoassets.

The FCA rules allow firms to give consumers the option to categorise as a certified sophisticated investor by confirming that they have received a certificate of sophistication from an FCA-authorised firm. Some firms chose not to offer this category (this is allowed).

However, some firms who offered this category did not take reasonable steps to establish that the consumer met the criteria as the firm did not ensure the authorised firm named on the certificate was in fact genuine. Some of the submissions from consumers were clearly jokes or not relevant.

In one instance, a firm offered the option to select a self-certified sophisticated investor category. This category is not applicable to cryptoassets, and firms should not have offered this category.

One poor example of how investor statements are presented to consumers involved, in addition to splitting the statement over different screens, amending the wording and combining some sections of the statement, reducing the impact and clarity of the information.

Examples of good practice

Giving an option to leave the journey if the consumer does not meet the criteria of the available categories;
Considering whether it is appropriate to offer the certified-sophisticated category; and
Verifying the submissions of all consumers who categorise themselves as certified-sophisticated and rejecting any submissions which do not meet the requirements.

Examples of poor practice

Pushing or leading consumers through the categorisation process by suggesting responses that met the criteria of the category instead of allowing the consumer to volunteer the information, in breach of the FCA's rules;
Re-naming the categories or describing them in a way that downplays the investment risks;
Changing the wording of the investor statements from the prescribed language;
Not checking that the information provided in the categorisation statements aligns with the criteria for that particular category e.g., not checking they have been given the name of a genuine FCA authorised firm when being categorised as a certified-sophisticated investor; and
Offering a self-certified investor category.

4. Appropriateness

Firms must assess whether the qualifying cryptoasset is appropriate for the consumer before they process an application or order in response to a DOFP. This was covered in significant detail and is clearly a key, and troubling, focus area for the FCA. The FCA's feedback was split into two sections:

Design of the appropriateness assessment

Poor practice included firms using the assessments as an educational tool rather than an assessment of a consumer's current knowledge. This included, for example, using questions providing information to consumers rather than assessing their knowledge or experience of the products. While firms could provide information and support prior to taking the assessment, this should not be done within the assessment.

Some firms had features which worked to guide consumers to the "correct" answer. For example, assessments included clearly implausible answers in multiple-choice questions. Others included "all of the above" as an answer, which was the correct answer in all questions where it was present. In another example, the correct answer was always significantly longer than the incorrect alternatives.

In some cases, firms included questions which asked the consumer to self-assess their own level of knowledge or experience. Positive scores were awarded for consumers who claimed to have high levels of knowledge without having to demonstrate it. Questions should objectively test consumers’ knowledge and experience. In other cases, questions were included which were not relevant to the products and included obvious answers.

Many of the assessments did not cover all relevant topics outlined in COBS 10 Annex 4G or were randomly selected questions from a question bank where the selected questions may not have covered all topics. Of particular concern, the FCA found that "most" firms would allow consumers to invest in specific cryptoasset products despite not demonstrating that these are appropriate for them.

As outlined in COBS 10 Annex 4G, firms may need to ask additional or alternative questions to ensure that the consumer has the necessary knowledge to understand the risks relevant to the specific product being offered. This may include stablecoins, commodity-backed tokens, complex yield products and memecoins. Most of the firms produced assessments which allowed consumers to answer one or more questions incorrectly yet still treated the cryptoassets to be appropriate for them. While the FCA rules do not specify a particular pass mark, firms should consider whether there are any particular questions, or combinations of questions, where incorrect answers would suggest a fundamental misunderstanding of a key risk of the product.

The most robust assessments ensured that it covered all relevant topic areas. In some cases, this was achieved by having several fixed, predetermined question sets. In other cases, questions were allocated to specific topic areas. Less robust approaches included where the firm had a bank of questions, and each test randomly selected a predetermined number of questions from the bank. This meant a test could include multiple questions on one topic, but not include any questions on another.

Failing the assessment

Most firms had created question banks that allowed for multiple, repeat assessments to be undertaken, but without re-using the same questions, ensuring that they complied with COBS 4.12A.31R(3). However, some firms used the same questions on multiple, repeat assessments, usually with different answer options or answers in a different order.

Examples of good practice

Approaching the design of the assessment holistically with its overall purpose in mind -ensuring the assessment robustly assesses the consumers understanding of the risks associated with the specific cryptoassets being offered;
Assessments cover all appropriate topics outlined in COBS 10 Annex 4G, and specific risks of each cryptoasset type offered;
Questions having at least three plausible answers, followed a similar format and encouraged engagement from the consumer;
Grouping questions into specific topics and ensuring every iteration of the assessment covers all topics;
Inclusion of "key" questions which the consumer must answer correctly to pass;
Requiring consumers to pass an assessment for each particular type of cryptoasset offered and only allowing the consumer to purchase a cryptoasset once they had passed the relevant assessment;
Providing information on the general topics a consumer answered incorrectly to allow them to research before retaking the assessment;
Having a limit on the number of times a consumer can attempt the assessment before being told that cryptoassets are unlikely to be appropriate for them; and
Communications sent to the consumer being balanced, fair and which do not encourage the consumer to take the assessment again.

Examples of poor practice

Where the assessment did not require all questions to be answered correctly, the consumer was able to incorrectly answer questions that fundamentally showed that cryptoassets were not appropriate for them, yet they are able to pass the assessment;
Asking leading or simplistic questions that directed the consumer to the correct answer;
Including questions that asked the consumer to assess their own level of knowledge and experience;
Condensing the topics of COBS 10 Annex 4G into groups, where individual questions from this group did not cover all the grouped topics;
Allowing consumers to invest in cryptoasset types where the consumer had not been assessed on whether the cryptoasset type was appropriate for them;
Relying on information provided elsewhere to replace the need to determine a consumer’s knowledge by assessing their understanding;
Not ensuring that all relevant topics were covered in every iteration of the assessment; and
Allowing consumers to retake the assessment indefinitely or not having consistent processes for determining that the products are not appropriate for a consumer.

5. Record keeping

The FCA rules require firms to record specific information captured during the customer journey. All firms were doing so. The best firms had a clear and defined plan of how they will use the data captured. However, most firms were unable to detail how they would use the captured data to improve the customer journey.

Examples of good practice

Capturing real-time data of frictions during onboarding and using this to improve the journey; and
Incorporating data analysis into reporting at various levels, including Board, to enable continuing monitoring and improvements.

Examples of poor practice

Not having a clearly defined path of how to use data recorded;
Being unable to identify or produce recorded information quickly and reliably; and
Not taking reasonable steps to verify the accuracy of data provided.

6. Due diligence on cryptoassets

Approach to conducting due diligence

Most firms reviewed had processes to conduct due diligence before they promoted the cryptoassets.

Most firms’ approach to due diligence considered the topics covered in the FCA's guidance in FG23/3. Some firms had also developed their own risk taxonomies for cryptoassets to identify material risks or issues of concern.

The best firms considered a wider range of factors as part of their due diligence, such as consumer protection, financial crime and operational risks. A few firms had a thorough approach to considering operational and technological risks, such as having specialist teams review smart contract code and network stability.

The best firms clearly showed how and when they would reject a cryptoasset for failing to meet their due diligence requirements and their risk appetite for promoting cryptoassets.

Most firms primarily relied on publicly available information when conducting due diligence (e.g., information in the white paper provided by the issuer/foundation or from news services. The best firms considered information from a wide range of sources, combining on-chain and off-chain information with information from specialist third parties.

There was a risk that firms considered due diligence to be a "once and done" process whereas they should conduct due diligence on an ongoing basis.

Examples of good practice

Carefully considering the topics covered in FG23/3 and also considering additional topics relevant to the specific cryptoassets being promoted;
Having clear criteria for when a cryptoasset would fail the due diligence process;
Thorough processes for considering operational and technology risks, such as reviewing smart contract code and network stability; and
Considering information from a wide range of sources, combining on-chain and off-chain information with information from specialist third parties.

Examples of poor practice

Incorrectly believing due diligence on cryptoassets is not required or not considering ESG factors as part of the due diligence;
Excessive focus on whether the cryptoasset amounts to a security in certain jurisdictions, rather than being tailored to UK regulatory requirements;
Being unable to explain how and when a cryptoasset would fail their due diligence requirements and being unable to explain their risk appetite for promoting cryptoassets; and
Being unable to show how information from the issuer or foundation behind the cryptoasset had been independently verified.

Use of due diligence

The weakest aspect of most firms was their inability to clearly show how they used their due diligence to inform their decision making. This again appears to be a major concern for the FCA.

Most firms primarily used their due diligence to inform a binary decision on whether to promote a particular cryptoasset. The best firms also showed how they used information gained in the due diligence process to inform consumers about the specific cryptoasset being promoted.

The firms that displayed the poorest practice did not appear to consider that the information gained during the due diligence process would be relevant to disclose to consumers. For example, information gained on the concentration of token holdings. These firms were often unable to show how they used the information gathered in the due diligence process, such as how due diligence could inform the following decisions:

How the cryptoasset should be promoted;
Whether certain communication mediums, such as social media, are appropriate for promoting the cryptoasset;
How to disclose information gained during the due diligence process, and the most effective way of doing so to help consumers make informed investment decisions; and
Whether their appropriateness assessment needs to be changed to assess consumers’ knowledge and understanding of specific risks identified by due diligence.

Firms that displayed the poorest practice did not appear to consider that omitting information, including that information gained during due diligence, can result in financial promotions being non-compliant with our rules.

Examples of good practice

Using information gained in the due diligence process to inform consumers about the specific cryptoasset being promoted;
Having systems to automatically flag events that might impact the fairness of promotions and the specific promotions that may be affected.

Examples of poor practice

Not considering the full range of decisions that due diligence can help inform consumers; and
Not considering how omissions of information may lead to non-complaint promotions.

Due diligence on cryptoassets that claimed a form of stability

Given their unique risk profile, The FCA specifically reviewed firms’ approach to due diligence on cryptoassets that claimed a form of stability.

The best firms had considered the risks specific to this type of cryptoasset and carried out thorough due diligence to assess any claims of stability. For example, conducting due diligence on the nature of the stabilisation mechanism, the quality of backing assets, how any backing assets were custodied, the regulated status of the issuer and the issuer’s redemption policy.

Firms that displayed the poorest practice were also promoting cryptoassets whose stability mechanism primarily relied on an algorithm or reserves of other cryptoassets as stable.

Examples of good practice

Considering the due diligence required specifically for cryptoassets that claim a form of stability; and
Conducting thorough due diligence to assess any claims of stability as described above.

Examples of poor practice

Promoting cryptoassets as stable despite their not maintaining a stable value, in breach of the FCA rules;
Not actively monitoring the stability of these cryptoassets or considering specialist reports by third parties on the weaknesses in the stability mechanism of the cryptoassets they were promoting; and
Promoting cryptoassets whose stability mechanism primarily relies on an algorithm or reserves of other cryptoassets as stable in breach of the FCA's rules.

Our observations

tWe expect the FCA's regulation of businesses which deal in cryptoassets is likely to be vigorous. Now it is "on their watch", we predict that the FCA will want to be seen as taking a robust approach to policing these new rules around promoting investment in this asset class.

The FCA is nuanced in its approach to cryptoassets. For example, in a speech given by Sarah Pritchard, Executive Director of Markets, and Executive Director of International², in April 2023, she said "While we have been relentless about warning that consumers need to be prepared to lose all their money if buying cryptoassets - …..- we have always been open to innovation. Cryptoassets and blockchain offers opportunities for more efficient and innovative financial services and products."

While referring to "Crypto risks and scams", she anticipated the new rules being implemented, saying "we expect crypto promotions to be treated on a par with other high-risk investments and failure to comply will be a criminal offence. ….We will take robust action where we see firms promoting cryptoassets to UK consumers in breach of these rules. Sanctions will range from taking down websites, to issuing public warnings, to enforcement action."

Those businesses impacted by the FCA's crypto-financial promotion rule should consider taking immediate steps to avoid the poor practices the FCA have identified and to meet or aspire to the good practices identified if they are to stay on the right side of the regulator. We do not expect the FCA to go easy on those who fail to heed it warnings.

Author: David Capps, partner

¹ Assessing firms’ compliance with ‘back end’ cryptoasset financial promotions rules | FCA

²https://www.fca.org.uk/news/speeches/regulation-digital-assets-uk