Crypto firms need to improve compliance outcomes, says FCA

The regulator’s review of firms’ adherence to ‘back-end’ marketing rules uncovers widespread poor practice.

Widespread poor practice has been revealed in the FCA’s review of firms’ adherence to ‘back-end’ marketing rules. The review is intended to “help firms meet their obligations” by providing additional clarity on its expectations for the rules.

A financial promotion rules regime was introduced by the FCA in October 2023 and the regulator has been working with the sector to try to raise standards.

The newly published review includes examples of good and poor practice, with the FCA concluding that “more work needs to be done to improve compliance.”

The FCA is sympathetic to the plight of the crypto firms and understands that for many “this is the first conduct regulation they have needed to comply with” and that compliance has required firms to “invest in significant technical developments.” The FCA is also aware that the firms “are having to implement this regime alongside other regulatory changes” and has provided “extensive support” as well as allowing firms to delay the implementation of the new regime from October 2023 to January 2024 in response to the challenges.

The review will be of interest to firms promoting cryptoassets and restricted mass market investments to retail consumers as well as those firms approving financial promotions for such investments.

The FCA obtained information from a representative sample of firms and visited each firm to review the approach to key marketing rules requirements.

The review findings are summarized in the tables below, but the detail is essential reading for compliance teams at crypto firms.

The regulator stresses the fact that “these rules are important for preventing harm to consumers” and firms should treat this document as a warning that regulatory action is likely should compliance outcomes not improve.

Cooling-off period

Requirement:
– Minimum 24-hour cooling-off period for new consumers requesting a Direct Offer Financial Promotion (DOFP).

Best practice advice for firms:
– Provide clear and timely information at the appropriate point of the user journey.
– Clearly explain fees that could impact the decision of whether to proceed.
– Consider the user journey and give the option to leave or proceed equal prominence.

Good practice:
– Giving clear information that there is a cooling-off period, and explaining that it is there to ensure consumers take the time to consider if the product is right for them.
– Giving clear information once the cooling-off period has ended.
– Displaying information that factually indicates the time remaining before the cooling-off period ends, but does not pressurise or otherwise unduly influence consumers.

Poor practice:
– Not providing information about the reason for the cooling-off period.
– Not giving consumers the express option to proceed or leave the investment journey at the end of the cooling-off period.

Personalized risk warnings

Requirement:
– Tailored risk warnings with a link to a risk summary must be provided to new consumers before they receive a DOFP.

Best practice advice for firms:
– The risk warning must be given before client categorization and the appropriateness assessment are completed.
– Neutral and non-influential language is to be used in the risk warning, with the warning receiving appropriate prominence and no other information diluting the message.

Good practice:
– Positioning the warning on its own page with no other information, making the warning the sole focus for the consumer.
– Improving the prominence and engagement of the options to proceed with or leave the journey by making them the sole focus of the screen.
– Including clear processes for consumers who wish to leave the investment journey.

Poor practice:
– Including frictions for consumers who wish to leave the journey.
– Using language in the personalised risk warning that downplays the risks of the assets or encourages consumers to proceed with the journey.

Client categorization

Requirement:
– Firms must take reasonable steps to establish that a consumer is certified as a Restricted, High Net Worth or Certificated Sophisticated investor before communicating a DOFP.
– This must include a signed declaration by the consumer along with a rationale as to why they meet the criteria. The declaration is only valid for a 12-month period.

Best practice advice for firms:
– User journeys should not steer consumers towards a category that does not appropriately reflect their circumstances.
– Titles or descriptions of investor categories should not be altered to inappropriately downplay the risk of investing in crypto, although there is flexibility around the presentation of the investor statement in order to improve usability on smaller screens.
– Information submitted by consumers in connection with a certificate of sophistication should be checked. Firms must, at a minimum, ensure that the name of an FCA-authorized firm has been submitted in the investor statement.
– Information submitted that suggests incorrect categorization must not be ignored by firms.

Good practice:
– Giving an option to leave the journey if the consumer does not meet the criteria of the available categories.
– Considering whether it is appropriate to offer the certified-sophisticated category.
– Verifying the submissions of all consumers who categorise themselves as certified-sophisticated and rejecting any submissions which do not meet the requirements.

Poor practice:
– Pushing or leading consumers through the categorisation process by suggesting responses that meet the criteria of the category instead of allowing the consumer to volunteer the information; this is in breach of our rules.
– Re-naming the categories or describing the categories in a way that downplays the risks of investing.
– Changing the wording of the investor statements from the prescribed language in the handbook.
– Not taking steps to check that the information provided in the categorisation statements aligns with the criteria for that particular category. For example, not checking that the consumer has given the name of a genuine FCA-authorized firm when being categorised as a certified-sophisticated investor.
– Offering a self-certified investor category or any other category not specified in COBS 4.12A.21; this is in breach of rules.

Design of the assessment

Requirement:
– Firms should request information about the consumer’s knowledge and experience in order to assess whether investing in qualifying cryptoassets is appropriate.

Best practice advice for firms:
– The assessment cannot be an education tool and should assess the consumer’s existing knowledge and understanding of risks.
– Assessment questions should be objective and should not guide the consumer to an obvious ‘correct’ answer.
– Assessments must cover all relevant topics.
– Each iteration of the assessment should cover all relevant features of the cryptoassets that the consumer can purchase following successful completion, including the specific risks of different products and asset types.
– Firms should consider whether there are any particular questions, or combinations of questions, where incorrect answers would suggest a fundamental misunderstanding of a key risk of the product.
– Consumers should be warned of lock-outs longer than the 24-hour minimum following the failing of two or more consecutive assessments.
– Firms that have not implemented a permanent lock-out and permit consumers an unlimited number of attempts should consider a point at which repeated failure indicates that the product is not appropriate.

Good practice:
– Approaching the design of the assessment holistically with its overall purpose in mind, ensuring the assessment robustly assesses the consumers’ understanding of the risks associated with the specific cryptoassets being offered.
– Assessments cover all appropriate topics outlined in COBS 10 Annex 4G, and the specific risks of each cryptoasset type offered.
– Questions have at least three plausible answers, follow a similar format and encourage engagement from the consumer.
– Grouping questions into specific topics and ensuring every iteration of the assessment covers all topics.
– Inclusion of ‘key’ questions which the consumer must answer correctly to pass.
– Requiring consumers to pass an assessment for each type of cryptoasset offered, so that a consumer is only able to purchase a cryptoasset once they have passed the relevant assessment.
– Giving consumers access to relevant resources to be able to research and understand the products and risks.
– Providing information on the general topics a consumer answered incorrectly to allow them to research before retaking the assessment.
– Having a limit on the number of times a consumer can attempt the assessment before being told that cryptoassets are unlikely to be appropriate for them.
– Communications sent to the consumer are balanced, fair and do not encourage the consumer to take the assessment again.

Poor practice:
– Where the assessment does not require all questions to be answered correctly, the consumer is able to incorrectly answer questions that fundamentally show that cryptoassets are not appropriate for them, yet is still able to pass the assessment.
– Asking leading or simplistic questions that direct the consumer to the correct answer.
– Including questions that ask the consumer to assess their own level of knowledge and experience.
– Condensing the topics of COBS 10 Annex 4G into groups, where the individual questions from a group do not cover all the grouped topics.
– Allowing consumers to invest in cryptoasset types where the consumer has not been assessed on whether the cryptoasset is appropriate for them.
– Relying on information provided elsewhere to replace the need to determine a consumer’s knowledge by assessing their understanding.
– Where the assessment questions are selected randomly from a bank of questions, not ensuring that all relevant topics are covered in every iteration of the assessment.
– Treating the assessment as an educational tool for the consumer, instead of assessing if the consumer has relevant knowledge or experience of the products.
– Allowing consumers to retake the assessment indefinitely or not having consistent processes for determining that the products are not appropriate for a consumer.
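The assessment-design points above (every iteration covering all topics even when questions are drawn at random, ‘key’ questions that must be answered correctly, a lock-out after two consecutive failures and a consistent cut-off for repeated failure) expressed as a small policy model. This is an added illustration, not code from the FCA’s review: the topic labels, pass mark and attempt limit are constructed placeholders, not handbook values.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholder topics standing in for the COBS 10 Annex 4G list.
REQUIRED_TOPICS = ("volatility", "custody", "regulation", "fraud")

@dataclass(frozen=True)
class Question:
    qid: str
    topic: str
    correct: str
    key: bool = False  # a 'key' question must be answered correctly to pass

@dataclass
class ConsumerState:
    attempts: int = 0
    consecutive_failures: int = 0
    locked_until: "datetime | None" = None

def build_iteration(bank, rng, per_topic=1):
    """Sample from the bank so every required topic appears in every iteration."""
    by_topic = {t: [q for q in bank if q.topic == t] for t in REQUIRED_TOPICS}
    short = [t for t, qs in by_topic.items() if len(qs) < per_topic]
    if short:  # a bank that cannot cover a topic must not be used at all
        raise ValueError(f"question bank cannot cover topics: {short}")
    return [q for t in REQUIRED_TOPICS for q in rng.sample(by_topic[t], per_topic)]

def score(questions, answers, pass_mark=0.8):
    """Return (passed, topics answered wrongly). Any wrong key question fails."""
    wrong = [q for q in questions if answers.get(q.qid) != q.correct]
    ratio = 1 - len(wrong) / len(questions)
    passed = ratio >= pass_mark and not any(q.key for q in wrong)
    return passed, sorted({q.topic for q in wrong})

def record_attempt(state, passed, now, max_attempts=5, lockout=timedelta(hours=24)):
    """Apply lock-out and attempt-limit policy to a consumer; returns a status."""
    if state.locked_until and now < state.locked_until:
        return "locked_out"  # an attempt during lock-out is refused, not counted
    state.attempts += 1
    if passed:
        state.consecutive_failures = 0
        return "passed"
    state.consecutive_failures += 1
    if state.attempts >= max_attempts:  # the firm's consistent cut-off point
        return "not_appropriate"
    if state.consecutive_failures >= 2:  # 24-hour minimum lock-out
        state.locked_until = now + lockout
        return "locked_out"
    return "failed"
```

The wrong-topic list returned by `score` is what a firm would feed back to the consumer as general topics to research before retaking, without revealing the specific questions.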

Recordkeeping

Requirement:
– Specific information is required to be captured during the customer journey.

Best practice advice for firms:
– Firms should consider how the data captured could be used to improve customer journeys.

Good practice:
– Capturing real-time data of frictions during onboarding and using this to improve the journey and ensure the frictions are working effectively.
– Incorporating data analysis into reporting at various levels, including Board, to enable continuing monitoring and improvements.

Poor practice:
– Not having a clearly defined path of how to use data recorded.
– Being unable to identify or produce recorded information quickly and reliably.
– Not taking reasonable steps to verify the accuracy of data provided.

Due diligence

Conduct of due diligence

Requirement:
– Due diligence is a key component of the financial promotions regime.

Best practice advice for firms:
– Due diligence should be tailored to UK regulatory requirements and should take into account operational and technological risks as well as ESG factors.
– Information from a wide variety of sources should be considered and not all taken at face value.
– Firms should have a clear understanding of how and when a cryptoasset might fail their due diligence requirements or risk appetite.
– Due diligence should be conducted on an ongoing basis; it is not a ‘once and done’ process.

Good practice:
– Carefully considering the topics covered in FG23/3 and also considering additional topics relevant to the specific cryptoassets being promoted.
– Having clear criteria for when a cryptoasset would fail the due diligence process.
– Thorough processes for considering operational and technology risks, such as reviewing smart contract code and network stability.
– Considering information from a wide range of sources, combining on-chain and off-chain information with information from specialist third parties.

Poor practice:
– Incorrectly believing due diligence on cryptoassets is not required, or not considering ESG factors as part of the due diligence, as outlined in FG23/3.
– Excessive focus on whether the cryptoasset amounts to a security in certain jurisdictions, rather than being tailored to UK regulatory requirements.
– Being unable to explain how and when a cryptoasset would fail their due diligence requirements, and unable to explain their risk appetite for promoting cryptoassets.
– Being unable to show how information from the issuer or foundation behind the cryptoasset had been independently verified.
– Not considering how to conduct due diligence on an ongoing basis. For example, not considering what systems and controls would be required to monitor cryptoassets for market events that would materially affect the fairness and accuracy of promotions or the risk profile of the cryptoasset.

Use of due diligence

Requirement:
– Due diligence is not a tick-box exercise, but a key tool in guiding a firm’s decision making regarding cryptoassets.

Best practice advice for firms:
– Due diligence information should help inform consumers about the specific cryptoassets being promoted.
– Not disclosing information gleaned during the due diligence process can lead to financial promotions that are non-compliant with the FCA’s rules.

Good practice:
– Using information gained in the due diligence process to inform consumers about the specific cryptoasset being promoted.
– Having systems to automatically flag events that might affect the fairness of promotions, and the specific promotions that may be affected.

Poor practice:
– Not considering the full range of decisions that due diligence can help inform.
– Not considering how omissions of information may lead to promotions that are non-compliant with our rules.

Due diligence on ‘stable’ cryptoassets

Requirement:
– ‘Stable’ cryptoassets may attract closer regulatory scrutiny as a result of their ‘unique’ risk profile.

Best practice advice for firms:
– Due diligence should be conducted on:
  – the nature of the stabilization mechanism;
  – the quality of the backing assets;
  – backing asset custody;
  – the regulated status of the issuer;
  – the issuer’s redemption policy.
– Promoting cryptoassets as stable despite them not maintaining a stable value is a breach of the rules.
– Cryptoassets whose stability mechanism relies exclusively on an algorithm or reserves of other cryptoassets may not be considered stable simply by virtue of this.

Good practice:
– Considering the due diligence required specifically for cryptoassets that claim a form of stability.
– Conducting thorough due diligence to assess any claims of stability. For example, conducting due diligence on the nature of the stabilisation mechanism, the quality of backing assets, how any backing assets are custodied, the regulated status of the issuer and the issuer’s redemption policy.

Poor practice:
– Promoting cryptoassets as stable despite them not maintaining a stable value; this is in breach of our rules.
– Not actively monitoring the stability of these cryptoassets, or not considering specialist reports by third parties on the weaknesses in the stability mechanism of the cryptoassets they were promoting.
– Promoting cryptoassets whose stability mechanism primarily relies on an algorithm or reserves of other cryptoassets as stable; this is in breach of rules.