Takeaways from the FCA’s 2nd Authorisations Webinar: Preparing for the Part 4A / FSMA Regime
- James Ross
- Mar 19
Executive Summary
Yesterday, the UK Financial Conduct Authority (FCA) hosted its second authorisations webinar outlining its supervisory expectations for crypto-asset firms transitioning to the new Financial Services and Markets Act (FSMA) Part 4A authorisation regime.
The FCA’s overarching message to the industry was unequivocal: do not wait for the new regime to build your compliance framework. The transition from the existing Money Laundering Regulations (MLR) to FSMA will expand the regulatory perimeter (bringing in SYSC 6 requirements and tighter sanctions oversight), but the foundational AML, CTF, and PF expectations remain identical. The FCA explicitly stated that investing in a robust, crypto-specific AML framework today is a “no-regret investment,” as these exact standards will dictate the success of your FSMA application.
Based on the FCA’s presentation, the SwanFS team has distilled the five most common failure points in recent applications, alongside the actionable steps your firm must take immediately to secure regulatory approval.

1. The MLRO: Elevated Scrutiny and “AI Explainability”
The FCA views the selection and competency of the Money Laundering Reporting Officer (MLRO) as the primary indicator of an application’s quality.
Prior SMF Titles Are Not Mandatory: The FCA clarified that candidates do not strictly need prior SMF 16 or 17 regulatory experience. However, they must pass a rigorous “fit and proper” interview demonstrating deep, crypto-specific knowledge tailored to your exact business model.
The AI Mandate: If your firm utilises Artificial Intelligence (AI) or machine learning for risk assessments or transaction monitoring, the MLRO cannot treat these systems as a “black box.” The FCA expects the MLRO to confidently explain the underlying algorithms, the data inputs, and exactly how the outcomes are derived.
Capacity and Independence: For global firms, if an MLRO oversees multiple jurisdictions, the FCA will heavily scrutinise their bandwidth to serve the UK entity. Furthermore, the MLRO must not hold revenue-generating responsibilities (e.g., winning business), which the FCA views as an inherent conflict of interest.
2. Business-Wide Risk Assessment (BWRA): The Methodology Gap
The BWRA was cited as having the most frequent and critical omissions. The FCA routinely rejects applications that rely on generic, off-the-shelf risk templates.
Inherent Risk vs Control Weakness: A major FCA red flag is confusing a control weakness (e.g., listing “late submission of a SAR”) with an inherent business risk. You must clearly assess inherent risks across your customers, geographies, and products before applying mitigating controls.
Formal Methodology Required: You must submit a repeatable Methodology Document detailing exactly how risks were scored (e.g., utilising a 5x5 heat map) and how residual risk was calculated against the firm’s approved risk appetite.
Dummy Data Testing: If your firm is pre-launch or pre-operational in the UK, the FCA still expects you to prove your controls work. You must use “dummy data” to test and evidence the practical effectiveness of your BWRA and corresponding controls.
3. Customer Risk Assessment (CRA): The Alignment Problem
Your CRA must act as the granular, customer-level execution of your BWRA. The FCA noted that firms frequently fail because their CRA tool contradicts their BWRA (e.g., the BWRA identifies a specific token as high-risk, but the CRA tool does not subsequently penalise customers transacting in that token).
Holistic Weighting: Avoid oversimplified, binary risk assessments. The FCA expects a weighted mathematical approach across multiple factors (e.g., Geography 25%, Product 35%, Customer Entity 20%).
Automated Overrides: Your CRA must include specific red flags and triggers (e.g., PEP status, exposure to sanctioned wallets) that automatically override baseline scores and immediately escalate the user to high-risk.
4. Transaction Monitoring (TM): Total Product Coverage
The FCA stated that it has no preference between in-house proprietary builds and third-party vendor solutions (the “build vs buy” debate). However, the chosen solution must be operationally flawless in its coverage.
No Blind Spots: A common pitfall is deploying a TM solution that covers core exchange functions but has blind spots regarding new token offerings or specific off-chain fiat rails. The tool must cover your entire product and service suite.
Operational Readiness: You must explicitly detail your alert calibration, how you will handle alert backlogs, the escalation path for Suspicious Activity Reports (SARs), and your capability to proactively block high-risk wallet addresses.
5. The Travel Rule: Visualising the Data Flow
Travel Rule compliance must not sit in a silo; it must be deeply integrated into your broader AML framework.
Flow of Funds Diagrams: The FCA explicitly requested a visual Flow of Funds/Flow of Data diagram, as the clearest way to present your Travel Rule solution, that maps exactly how regulatory data moves alongside digital assets.
Friction Points: Your policies must explicitly address how your firm handles counterparty discovery (unhosted wallets vs crypto-asset businesses) and your exact protocols for delaying funds pending the resolution of missing Travel Rule data from overseas entities.
6. Global Operating Models & UK Localisation
For our international clients utilising global AML frameworks, the FCA clarified that they do not require all controls to be localised physically in the UK. Relying on overseas group compliance entities is acceptable, provided the UK applicant can demonstrate strict local oversight. This includes establishing documented SLAs, regular Quality Assurance (QA) testing, and internal audits to ensure the offshore team is flawlessly executing UK statutory requirements.
Immediate Next Steps & How SwanFS Can Support You
The FCA announced that it will open its Pre-Application Support Service (PASS) in July for FSMA applications. This is a critical window to engage the regulator on complex business models and proprietary tech before formal submission. Furthermore, firms must begin preparing for incoming HM Treasury MLR reforms (recalibrating CDD/EDD triggers) and the application of SYSC 6 (financial crime and sanctions systems and controls).
SwanFS Recommended Actions:
Audit Your BWRA & CRA: SwanFS can assist in drafting the mandatory methodology documents, running “dummy data” stress tests, and ensuring mathematical alignment between your firm-wide and customer-level risk assessments.
Develop Travel Rule Visuals: Our technical advisory team can help map your operational architecture into the exact visual flow diagrams the FCA is requesting.
MLRO Interview Prep: SwanFS offers mock “Fit and Proper” interviews to prepare your MLRO to defend your automated tools and algorithmic AI risk logic to the regulator.
Please reach out to your primary SwanFS Engagement Partner to schedule a working session to review your current AML framework against these newly clarified FCA expectations.
SwanFS Regulatory Compliance & Advisory
Navigating the future of digital asset compliance.

