
Assessing firms’ compliance with the FCA's cryptoasset financial promotions rules

The FCA has recently published its assessment of firms’ compliance with what it calls its "back end" cryptoasset financial promotions rules. We summarise the good and the bad practices it found.

These requirements were imposed from June 2023. The FCA's "back end" rules require firms to:

  • provide a 24-hour cooling-off period;
  • provide personalised risk warnings;
  • undertake client categorisation;
  • carry out appropriateness assessments;
  • carry out effective record keeping; and
  • carry out due diligence on cryptoassets.

Following the implementation of these rules, the FCA reviewed a sample of crypto firms’ compliance with those rules, identifying good and poor practice. The FCA found some firms still needed to make significant improvements.

The cryptoasset promotions rules were incorporated into existing rules for Restricted Mass Market Investments ("RMMI"s).

The FCA chose a sample of firms offering qualifying cryptoassets which were either:

  • registered with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the "MLRs"), or
  • authorised firms able to approve promotions for unregistered/unauthorised firms.

FCA's findings

1. Cooling-off period

Firms must allow a cooling-off period for new consumers who respond to a Direct Offer Financial Promotion (DOFP).

Some firms gave consumers limited or no information on why they must wait before committing to an investment, which could lead to consumer confusion. Additionally, some firms did not inform consumers about the cooling-off period until they were a significant way through the investment journey.

Firms allowed consumers to deposit funds into their accounts during the cooling-off period, but where withdrawing these funds incurred a fee, the firms did not explain the nature or extent of the fees before the consumer made their deposit. Good practice would be to clearly explain fees that could impact the decision of whether to proceed at the end of the cooling-off period.

Examples of good practice

  • Giving clear information that there is a cooling-off period, and explaining that it is there to ensure consumers take the time to consider if the product is right for them;
  • Giving clear information once the cooling-off period has ended; and
  • Displaying information that factually indicates the time remaining before the cooling-off period ends, but does not pressurise or otherwise unduly influence consumers.

Examples of poor practice

  • Not providing information about the reason for the cooling-off period; and
  • Not giving consumers the express option to proceed or leave the investment journey at the end of the cooling-off period.

2. Personalised risk warnings

Firms must provide a personalised risk warning to new consumers, tailored to include the client’s name, and include both a risk warning and link to a risk summary.

One firm gave the personalised risk warning after applying the client categorisation and appropriateness test. This was in breach of COBS 4.12A.20R which requires the personalised risk warning to be given before the client categorisation and appropriateness assessment. This approach incorrectly combined the separate requirements (i) for consumers to specify if they wish to proceed to the DOFP or leave the journey at the end of the cooling-off period with (ii) giving the personalised risk warning.

In some instances, the personalised risk warning did not meet the prominence requirements or did not present the options to proceed with or leave the investment journey with equal prominence.

Examples of good practice

  • Positioning the warning on its own page with no other information, making the warning the sole focus for the consumer;
  • Improving the prominence and engagement of the options to proceed with or leave the journey by making them the sole focus of the screen; and
  • Including clear processes for consumers who wish to leave the investment journey.

Examples of poor practice

  • Including frictions for consumers who wished to leave the journey; and
  • Using language in the personalised risk warning that downplayed the risks of the cryptoassets or encouraged consumers to proceed with the journey.

3. Client categorisation

Firms must take reasonable steps to establish that a consumer is certified as either a Restricted, High Net Worth or Certificated (note, not self-certified) Sophisticated Investor before communicating a DOFP in relation to cryptoassets. The FCA has some serious concerns in this regard.

Most firms had implemented a process for ensuring consumers were able to self-categorise appropriately and provided correctly worded categorisation statements. In most cases, consumers were given clear and accurate information to help them select the most appropriate category.

However, there were poor examples where firms were "guiding consumers through the process by telling consumers what they need to enter to proceed". In some instances, if a consumer entered a value that did not meet the requirements of their selected category, a warning message would appear on screen, encouraging consumers to change their response to fit the permitted range. This might steer consumers towards a category that did not appropriately reflect their circumstances, in breach of COBS 4.12A.26R.

In better examples, firms gave clear explanations of the purpose of the categorisation process and a clear description of the available categories. Consumers would only be informed if they entered values that were outside the permitted range for that category after they had submitted the full response. Consumers could choose to restart the categorisation process but were not unduly encouraged or pressured to do so.

Some firms had changed the title or description of the investor categories in a way that inappropriately downplayed the risk of investing in cryptoassets.

The FCA rules allow firms to give consumers the option to categorise as a certified sophisticated investor by confirming that they have received a certificate of sophistication from an FCA-authorised firm. Some firms chose not to offer this category (this is allowed).

However, some firms who offered this category did not take reasonable steps to establish that the consumer met the criteria as the firm did not ensure the authorised firm named on the certificate was in fact genuine. Some of the submissions from consumers were clearly jokes or not relevant.

In one instance, a firm offered the option to select a self-certified sophisticated investor category. This category is not applicable to cryptoassets, and firms should not have offered this category.

One poor example of how investor statements were presented to consumers involved not only splitting the statement over different screens but also amending the wording and combining some sections of the statement, reducing the impact and clarity of the information.

Examples of good practice

  • Giving an option to leave the journey if the consumer does not meet the criteria of the available categories;
  • Considering whether it is appropriate to offer the certified-sophisticated category; and
  • Verifying the submissions of all consumers who categorise themselves as certified-sophisticated and rejecting any submissions which do not meet the requirements.

Examples of poor practice

  • Pushing or leading consumers through the categorisation process by suggesting responses that met the criteria of the category instead of allowing the consumer to volunteer the information, in breach of the FCA's rules;
  • Re-naming the categories or describing them in a way that downplays the investment risks;
  • Changing the wording of the investor statements from the prescribed language;
  • Not checking that the information provided in the categorisation statements aligns with the criteria for that particular category e.g., not checking they have been given the name of a genuine FCA authorised firm when being categorised as a certified-sophisticated investor; and
  • Offering a self-certified investor category.

4. Appropriateness

Firms must assess whether the qualifying cryptoasset is appropriate for the consumer before they process an application or order in response to a DOFP. This was covered in significant detail and is clearly a key, and troubling, focus area for the FCA. The FCA's feedback was split into two sections:

Design of the appropriateness assessment

Poor practice included firms using the assessments as an educational tool rather than an assessment of a consumer's current knowledge. This included, for example, using questions providing information to consumers rather than assessing their knowledge or experience of the products. While firms could provide information and support prior to taking the assessment, this should not be done within the assessment. 

Some firms had features which worked to guide consumers to the "correct" answer. For example, assessments included clearly implausible answers in multiple-choice questions. Others included "all of the above" as an answer, which was the correct answer in all questions where it was present. In another example, the correct answer was always significantly longer than the incorrect alternatives.

In some cases, firms included questions which asked the consumer to self-assess their own level of knowledge or experience. Positive scores were awarded for consumers who claimed to have high levels of knowledge without having to demonstrate it. Questions should objectively test consumers’ knowledge and experience. In other cases, questions were included which were not relevant to the products and included obvious answers. 

Many of the assessments did not cover all relevant topics outlined in COBS 10 Annex 4G or were randomly selected questions from a question bank where the selected questions may not have covered all topics. Of particular concern, the FCA found that "most" firms would allow consumers to invest in specific cryptoasset products despite not demonstrating that these are appropriate for them. 

As outlined in COBS 10 Annex 4G, firms may need to ask additional or alternative questions to ensure that the consumer has the necessary knowledge to understand the risks relevant to the specific product being offered. This may include stablecoins, commodity-backed tokens, complex yield products and memecoins. Most of the firms produced assessments which allowed consumers to answer one or more questions incorrectly yet still treated the cryptoassets as appropriate for them. While the FCA rules do not specify a particular pass mark, firms should consider whether there are any particular questions, or combinations of questions, where incorrect answers would suggest a fundamental misunderstanding of a key risk of the product.

The most robust assessments ensured that they covered all relevant topic areas. In some cases, this was achieved by having several fixed, predetermined question sets. In other cases, questions were allocated to specific topic areas. Less robust approaches included where the firm had a bank of questions, and each test randomly selected a predetermined number of questions from the bank. This meant a test could include multiple questions on one topic, but not include any questions on another.

Failing the assessment

Most firms had created question banks that allowed for multiple, repeat assessments to be undertaken, but without re-using the same questions, ensuring that they complied with COBS 4.12A.31R(3). However, some firms used the same questions on multiple, repeat assessments, usually with different answer options or answers in a different order.

Examples of good practice

  • Approaching the design of the assessment holistically with its overall purpose in mind, ensuring the assessment robustly assesses the consumer's understanding of the risks associated with the specific cryptoassets being offered;
  • Assessments cover all appropriate topics outlined in COBS 10 Annex 4G, and specific risks of each cryptoasset type offered;
  • Questions having at least three plausible answers, following a similar format and encouraging engagement from the consumer;
  • Grouping questions into specific topics and ensuring every iteration of the assessment covers all topics;
  • Inclusion of "key" questions which the consumer must answer correctly to pass;
  • Requiring consumers to pass an assessment for each particular type of cryptoasset offered and only allowing the consumer to purchase a cryptoasset once they had passed the relevant assessment;
  • Providing information on the general topics a consumer answered incorrectly to allow them to research before retaking the assessment;
  • Having a limit on the number of times a consumer can attempt the assessment before being told that cryptoassets are unlikely to be appropriate for them; and
  • Communications sent to the consumer being balanced, fair and which do not encourage the consumer to take the assessment again. 

Examples of poor practice

  • Where the assessment did not require all questions to be answered correctly, the consumer was able to incorrectly answer questions that fundamentally showed that cryptoassets were not appropriate for them, yet still pass the assessment;
  • Asking leading or simplistic questions that directed the consumer to the correct answer;
  • Including questions that asked the consumer to assess their own level of knowledge and experience;
  • Condensing the topics of COBS 10 Annex 4G into groups, where individual questions from this group did not cover all the grouped topics;
  • Allowing consumers to invest in cryptoasset types where the consumer had not been assessed on whether the cryptoasset type was appropriate for them;
  • Relying on information provided elsewhere to replace the need to determine a consumer’s knowledge by assessing their understanding;
  • Not ensuring that all relevant topics were covered in every iteration of the assessment; and
  • Allowing consumers to retake the assessment indefinitely or not having consistent processes for determining that the products are not appropriate for a consumer.

5. Record keeping

The FCA rules require firms to record specific information captured during the customer journey. All firms were doing so. The best firms had a clear and defined plan of how they will use the data captured. However, most firms were unable to detail how they would use the captured data to improve the customer journey.

Examples of good practice

  • Capturing real-time data of frictions during onboarding and using this to improve the journey; and
  • Incorporating data analysis into reporting at various levels, including Board, to enable continuing monitoring and improvements.

Examples of poor practice

  • Not having a clearly defined path of how to use data recorded;
  • Being unable to identify or produce recorded information quickly and reliably; and
  • Not taking reasonable steps to verify the accuracy of data provided.

6. Due diligence on cryptoassets

Approach to conducting due diligence

Most firms reviewed had processes to conduct due diligence before they promoted the cryptoassets.

Most firms’ approach to due diligence considered the topics covered in the FCA's guidance in FG23/3. Some firms had also developed their own risk taxonomies for cryptoassets to identify material risks or issues of concern.

The best firms considered a wider range of factors as part of their due diligence, such as consumer protection, financial crime and operational risks. A few firms had a thorough approach to considering operational and technological risks, such as having specialist teams review smart contract code and network stability.

The best firms clearly showed how and when they would reject a cryptoasset for failing to meet their due diligence requirements and their risk appetite for promoting cryptoassets. 

Most firms primarily relied on publicly available information when conducting due diligence (e.g., information in the white paper provided by the issuer/foundation or from news services). The best firms considered information from a wide range of sources, combining on-chain and off-chain information with information from specialist third parties.

There was a risk that firms considered due diligence to be a "once and done" process whereas they should conduct due diligence on an ongoing basis. 

Examples of good practice

  • Carefully considering the topics covered in FG23/3 and also considering additional topics relevant to the specific cryptoassets being promoted;
  • Having clear criteria for when a cryptoasset would fail the due diligence process;
  • Thorough processes for considering operational and technology risks, such as reviewing smart contract code and network stability; and
  • Considering information from a wide range of sources, combining on-chain and off-chain information with information from specialist third parties. 

Examples of poor practice

  • Incorrectly believing due diligence on cryptoassets is not required or not considering ESG factors as part of the due diligence;
  • Excessive focus on whether the cryptoasset amounts to a security in certain jurisdictions, rather than being tailored to UK regulatory requirements;
  • Being unable to explain how and when a cryptoasset would fail their due diligence requirements and being unable to explain their risk appetite for promoting cryptoassets; and
  • Being unable to show how information from the issuer or foundation behind the cryptoasset had been independently verified.

Use of due diligence

The weakest aspect of most firms was their inability to clearly show how they used their due diligence to inform their decision making. This again appears to be a major concern for the FCA.

Most firms primarily used their due diligence to inform a binary decision on whether to promote a particular cryptoasset. The best firms also showed how they used information gained in the due diligence process to inform consumers about the specific cryptoasset being promoted. 

The firms that displayed the poorest practice did not appear to consider that the information gained during the due diligence process would be relevant to disclose to consumers. For example, information gained on the concentration of token holdings. These firms were often unable to show how they used the information gathered in the due diligence process, such as how due diligence could inform the following decisions:

  • How the cryptoasset should be promoted;
  • Whether certain communication mediums, such as social media, are appropriate for promoting the cryptoasset;
  • How to disclose information gained during the due diligence process, and the most effective way of doing so to help consumers make informed investment decisions; and
  • Whether their appropriateness assessment needs to be changed to assess consumers’ knowledge and understanding of specific risks identified by due diligence.

Firms that displayed the poorest practice did not appear to consider that omitting information, including information gained during due diligence, can result in financial promotions being non-compliant with the FCA's rules.

Examples of good practice

  • Using information gained in the due diligence process to inform consumers about the specific cryptoasset being promoted; and
  • Having systems to automatically flag events that might impact the fairness of promotions and the specific promotions that may be affected.

Examples of poor practice

  • Not considering the full range of decisions that due diligence can help inform; and
  • Not considering how omissions of information may lead to non-compliant promotions.

Due diligence on cryptoassets that claimed a form of stability

Given their unique risk profile, the FCA specifically reviewed firms’ approach to due diligence on cryptoassets that claimed a form of stability.

The best firms had considered the risks specific to this type of cryptoasset and carried out thorough due diligence to assess any claims of stability. For example, conducting due diligence on the nature of the stabilisation mechanism, the quality of backing assets, how any backing assets were custodied, the regulated status of the issuer and the issuer’s redemption policy.

Firms that displayed the poorest practice were also promoting cryptoassets whose stability mechanism primarily relied on an algorithm or reserves of other cryptoassets as stable. 

Examples of good practice

  • Considering the due diligence required specifically for cryptoassets that claim a form of stability; and
  • Conducting thorough due diligence to assess any claims of stability as described above. 

Examples of poor practice

  • Promoting cryptoassets as stable despite their not maintaining a stable value, in breach of the FCA rules;
  • Not actively monitoring the stability of these cryptoassets or considering specialist reports by third parties on the weaknesses in the stability mechanism of the cryptoassets they were promoting; and
  • Promoting cryptoassets whose stability mechanism primarily relies on an algorithm or reserves of other cryptoassets as stable in breach of the FCA's rules.

Our observations

We expect the FCA's regulation of businesses which deal in cryptoassets is likely to be vigorous. Now it is "on their watch", we predict that the FCA will want to be seen as taking a robust approach to policing these new rules around promoting investment in this asset class.

The FCA is nuanced in its approach to cryptoassets. For example, in a speech given by Sarah Pritchard, Executive Director of Markets, and Executive Director of International, in April 2023, she said "While we have been relentless about warning that consumers need to be prepared to lose all their money if buying cryptoassets - …..- we have always been open to innovation. Cryptoassets and blockchain offers opportunities for more efficient and innovative financial services and products."

While referring to "Crypto risks and scams", she anticipated the new rules being implemented, saying "we expect crypto promotions to be treated on a par with other high-risk investments and failure to comply will be a criminal offence. ….We will take robust action where we see firms promoting cryptoassets to UK consumers in breach of these rules. Sanctions will range from taking down websites, to issuing public warnings, to enforcement action."

Those businesses impacted by the FCA's crypto-financial promotion rules should consider taking immediate steps to avoid the poor practices the FCA has identified and to meet or aspire to the good practices identified if they are to stay on the right side of the regulator. We do not expect the FCA to go easy on those who fail to heed its warnings.

Author: David Capps, partner 




