Our 2022 enforcement trends report predicts that technology disruptions may create new areas of AML risk and that the FCA will make more robust supervisory interventions in response.

The FCA's most recent intervention is in the form of an FCA/OFSI/BoE joint statement on sanctions and the cryptoasset sector.

The statement is largely an exercise in emphasising existing AML/sanctions controls best practice.

But it may contain a couple of expansions - and ambiguities - with important longer-term ramifications.

It indicates that blockchain analytics solutions may have a role to play.  Where they are used, compliance teams should be trained to understand how to use them effectively to identify "higher risk" wallet addresses and transactions linked to those wallet addresses.  Red flags could include the address's transaction history or that of associated addresses.

It identifies other novel red flags in the form of obfuscation tools.  First, location obfuscation, e.g. an IP address associated with a VPN or proxy.  Secondly, source-of-funds obfuscation, e.g. mixers and tumblers (see also the NCA's calls for regulation of decentralised crypto mixers).

UK-regulated cryptoasset firms must already KYC their customers in the traditional sense.  This guidance suggests that regulators are moving towards requiring them routinely to undertake blockchain analytics, with all the associated cost (humans are still needed to review red flags, no matter how optimistic the exponents of machine learning are about its promise).  Whilst "blockchain analytics" is easy to say, what does it actually mean?  There's no granular guidance, and the field is rapidly developing.

How closely "associated" does a tainted address need to be with another address to cast doubt upon that address's legitimacy?

Finally, location and source-of-funds obfuscation can be used entirely legitimately, e.g. VPNs are widely used for privacy protection purposes.  Are firms being asked to establish whether or not their use was legitimate in each case (a highly resource-intensive process)?  Or is this the beginning of a move to drive out the use of such technologies from UK-regulated cryptoasset activity?

If previous experience is any indication, when questions as broad as this arise, they are answered over time through hindsight-based enforcement action and assertive supervisory interventions.  Turbulent times may lie ahead for UK-regulated cryptoasset firms.  Some may take a risk-averse approach, gold-plating their implementation of the guidance, potentially to the detriment of UK consumers' access to cryptoasset products and services.  Others may simply prefer to off-shore.