| | | Effective PR

UK warns Crypto ATMs to close.

Nigel Morris-Cotterill

"Crypto ATMs offering cryptoasset exchange services in the UK must be registered with us and comply with UK Money Laundering Regulations). None of the cryptoasset firms registered with us have been approved to offer crypto ATM services, meaning that any of them operating in the UK are doing so illegally and consumers should not be using them."

Thus said the Financial Conduct Authority today after receiving the judgment in Gidiplus v The Financial Conduct Authority.

There's history. A company called Gidiplus applied for registration under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, universally known as The Money Laundering Regulations. Gidiplus wanted to register as a cryptoasset (that's the term preferred by the Bank for International Settlements which doesn't like "cryptocurrencies") exchange provider. For clarity, it should be noted that "registration" is not the same as "authorisation" although, as the case demonstrates, that distinction has been greatly eroded.

Gidiplus does not have branches. It operates machines, called Crypto-ATMs that provide a service of taking in banknotes and exchanging them for, in this case, bitcoin. Although machines can take in crypto and issue banknotes, Gidiplus does not offer that service.

Gidiplus was operating the machines when an amendment to the Regulations required the operators of such machines to be registered from 10 January 2020. Existing operators were granted a temporary registration until 10 January 2021. Being aware that not all applications might have been concluded by January 2021, the FCA created a "Temporary Registration Regime" for those who had been operating before 10 Jan 2020 but whose applications had not been determined.

On 15 November, 2021, the FCA refused the application but defaulted in the procedure for doing so by issuing a notice that said that thee temporary registration was cancelled but did not disclose the grounds for refusal. On 30 December, 2021, the FCA notified Gidiplus of its reasons and also that it considered that it was in the interests of the public for it to have immediate effect. Gidiplus appealed. That appeal was heard by the Upper Tribunal (a type of Court for administrative cases) by video conferencing on 1 February 2022 and an Order made on 16th February by HH Judge Timothy Herrington.

Basically, the FCA rejected the application because of a lack of understanding of the requirements of the Regulations, that the proposed risk and compliance system was inadequate, that there were concerned as the probity of Gidiplus' principle shareholder, Mr. Olumide Osunkoya, and as to his responses given during an interview conducted by video conferencing.

[The FCA had particular concerns in respect of Gidiplus’ business-wide and customer risk assessments, customer due diligence, enhanced
due diligence and transaction monitoring [and]considered that Mr Osunkoya had not demonstrated that he has adequate knowledge, skills and experience in respect of Gidiplus’ obligations under the [Regulations]. Mr Osunkoya’s responses at the Interview in respect of Gidiplus’ banking arrangements also raised concerns regarding his probity."

- Judgment

The FCA decided that the company was not "fit and proper" be registered and that Mr. Osunkoya was not "fit and proper" to hold the position of Money Laundering Reporting Officer. The issue as to probity related to an interview he had with police in 2018 during an investigation into possible money laundering. Gidiplus had three bank accounts and it transpired that he had "deliberately not informed two banks" of the true nature of the business. The third bank was told that Gidiplus was "an events business." Further, he had misdescribed certain payments as "stock orders" or "events catering" so as to be consistent with the nature of the business as told to the bank. He was, it was found, aware that if the true nature of the business, as an operator of Crypto-ATMs, was disclosed it was likely that the bank accounts would be closed under the banks' de-risking. He told the FCA all of this and said that it was because Gidiplus had had great difficulty in opening a bank account for its business and so he resorted to subterfuge to, as the FCA put it, circumvent the systems and controls within the banks.

The FCA considered that he lacked the knowledge, skills and experience to be a "Nominated Officer." In particular his training was inadequate.

The FCA's assessment based on the documents submitted as part of Gidiplus’s application and Mr Osunkoya’s responses at the Interview was that he lacked sufficient experience and training to undertake the roles of Nominated Officer and senior manager responsible for compliance, not having undertaken any significant compliance role before and that he had only completed 1.5 hours of training in anti-money laundering and anti-bribery in June 2020.

- Judgment

Much turned on the fact that Mr Osunkoya was not familiar with the term "smurfing". When the FCA explained it to him, he "claimed that it was inconceivable that any such activity could be conducted through his Crypto-ATMs."

The list of ways in which the FCA considered that the operation fell far below the standards that it expected are many and varied. It would not be stretching the truth to say he was almost clueless both as to his obligations and as to the risks that his operation faced. Moreover, the approach to the identification of customers was "in direct contravention" of the Regulations. The failures included that the company's Policies and Procedures made no mention of the need to obtain information on the business relationship or occasional transaction. In short, although this is not how it was put, the machines are acting as a bureau de change and should operate subject to the same regime.

Gidiplus set limits (max GBP250 per day up to a max of GBP1,000 per month) and identified its customers with reference to mobile phone number and a photograph taken by the machine. That did not, the FCA said, meet the obligation to identify suspicious patterns of transactions or to identify transactions that have no apparent economic or legal purpose. Worse, beyond those limits, there was no monitoring of transactions to attempt to identify suspicious activity.

The FCA told the Tribunal "Gidiplus is unable to undertake meaningful transaction monitoring in relation to a proportion of its transactions because Gidiplus does not attempt to assess the purpose and intended nature of the business relationship at the point of onboarding."

Gidiplus told the Tribunal that it had plans to fix the problems including engaging external compliance consultants to help it identify and rectify its shortcomings. " It said its aim was to have all its improved controls in place before 31 March 2022 and will regularly share its progress on the
remediation with the FCA. It also said that it planned to hire new skilled and qualified management staff, including a Money Laundering Reporting Officer."

The essential question for the Tribunal is whether it can be satisfied that if the Suspension Application is granted there will be no significant risk beyond the normal risk of a firm that is undertaking business in a broadly compliant manner. I would therefore need to be satisfied that if a suspension
were granted, Gidiplus would, pending the determination of its appeal, carry out its activities in a manner which was broadly compliant with the Regulations.

- judgment

In its defence, Gidiplus set out several grounds which, it has to be said, seem reasonable from a distance.

They included that there is identification with reference to a mobile phone number for which only post-paid monthly accounts are accepted, a photo at the booth which is compared to a scan of an official document such as a driving licence which has a photograph and that there are both manual and automated checks including the use of Alaco Analytics and General Bytes software to check if the person is on a relevant watch list. Anyone trying to undertake multiple transactions would be identified by the operators of the shops, etc. which is where the machines were located and they would telephone Gidiplus to inform them (there was no information as to how this delegated monitoring could actually work in practice). Also, the machines have a capacity of a maximum of GBP600 in banknotes which, as it it less than three daily transaction limits means the risk if low. Also, the FCA, it was said, found "no evidence that Gidiplus' platform posed a significant risk beyond that faced by any financial services business." It also said the the company's current bankers are fully aware of the nature of the business.

Findings of fact:
1 Gidiplus operates 13 Crypto ATMs in total. These machines are situated in various locations in London, Kent, Nottingham and Sheffield and are situated in off-licence shops on busy high streets.

2. Customers are limited to depositing GBP250 per day, regardless of the number of Gidiplus’s machines that they use.

3. No evidence was led that the software used was capable of producing suspicious activity reports; the company said it was, the FCA through its counsel challenged that.

4. Evidence as to the identification process was unsatisfactory.

5. It appears that the GBP250 limit can be crossed when a photo-identification document is produced. Daily transactions not exceeding GBP250 required only a "selfie" and a phone number.

The Judge said that it is established law that "the burden is on the applicant to satisfy the Tribunal that the interests of the public in being protected from the risk of money laundering and the integrity of the UK financial system, in preventing it from being used to launder money, will not be prejudiced if the application was granted."

Fundamentally, though, the case comes down to the capability and probity of the individual and in this the Tribunal found him sadly lacking.
Osunkoya was honest when he admitted to telling lies; he does not appear to accept that lying was wrong - indeed he took the view that he had to lie in order to get a bank account; he had not undertaken any additional training beyond the hour and a half previously noted,

It was argued that this is a small business and the risk is limited by the GBP250 per day limit (no mention was made at that point of the possible crossing of that limit) but the Judge found that the Regulations do not provide for what amounts to a small business exemption.

In all the circumstances, the company had failed to satisfy the Tribunal that it would carry on its business in a broadly compliance manner.

Today, the FCA said "we are concerned about crypto ATM machines operating in the UK and will therefore be contacting the operators instructing that the machines be shut down or face further action."

Set against the background that the FCA said "None of the cryptoasset firms registered with us have been approved to offer crypto ATM services" this means that all crypto-ATMs operating in the UK are illegal.


Judgment: https://assets.publishing.serv...
FCA statement: https://www.fca.org.uk/news/ne...

---------------- Advertising ----------------