Dominic Holden explores the Home Office consultation on ransomware payments, in Law360

Posted on: April 10th, 2025 by Natasha Cox

Director Dominic Holden examines the recent Home Office consultation on cyber attacks and banning ransom payments by public bodies and critical infrastructure operators, and discusses the potential impact of such reforms on SMEs, in Law360.

Dominic’s article was published in Law360, 9 April 2025. 

On 14 January 2025, the Home Office opened a consultation on proposals to ban ransom payments by publicly owned bodies and operators of critical national infrastructure that have or may have suffered a ransomware attack[1]. The consultation runs until 8 April 2025, and the government seeks input from potential compliance stakeholders, industry, research, and the public.

The overall aim is to tackle the multi-billion-pound cybercrime industry, and the specific objective is potentially to make vital infrastructure like hospitals and the National Grid an unattractive prospect for hackers.

Yet, these proposals are not without their flaws.

The article below examines these plans, explores the development of the ransomware industry, and discusses how such reforms could impact UK businesses.

What is ransomware?

Ransomware is a type of malware that attempts to unlawfully encrypt files on a host computer system. Once infected, critical IT networks can become crippled and inoperable. The hacker then promises to provide the key to unlock the files in return for money, typically in cryptocurrency.

These attacks can be particularly harmful due to the associated financial losses, theft of potentially sensitive data and intellectual property, as well as significant business/service disruption and reputational damage.

Growing threats

One of the key triggers for this consultation exercise appears to have been the Synnovis ransomware attack in June last year, which caused severe damage to the NHS with the postponement of over 10,000 outpatient appointments and around 1,700 elective procedures in London.[2]

Ransomware attacks are a growing threat. Over a period of twelve months which ended in August 2024, the UK’s National Cyber Security Centre (NCSC) became involved in managing 430 cyber incidents, including 13 separate ransomware incidents which were “deemed to be nationally significant and posed serious harm to essential services or the wider economy”. According to the National Crime Agency, the number of UK victims appearing on ransomware data leak sites has also doubled since 2022[3].

As a result, ransomware is viewed by the National Crime Agency as one of the most serious organised cybercrime threats to the UK’s national security.

These attacks have now become highly profitable. In 2024, one study revealed that UK respondents paid an average of £870,000, with two organisations admitting to paying £10m-£20m in ransoms[4]. According to Sophos (which specialises in endpoint security), the median global ransomware payment made by victims over the past couple of years has also increased by 400%, up from $400,000 to $2 million. Meanwhile, the recovery costs to victims of a ransomware attack have also increased from $1.82 million to $2.73 million – a rise of around 50%[5].

Whether the ransom is paid or not, regulators and customers will very likely need to be notified of the attack under existing legislation, leading to the threat of an investigation, fines, claims and significant damage to an organisation’s reputation as their customers and suppliers learn of the attack.

The question of how to meet this threat faces governments across the globe.

Exploring the Home Office proposals

Banning ransomware payments

The idea of banning ransomware payment by certain organisations could be an effective deterrent to reduce ransomware attacks, with hackers looking elsewhere – hopefully overseas – for easier pickings that are permitted to pay out. The policy would follow the long-standing principle of the UK Government not to pay ransoms for its citizens taken hostage by terrorists.

However, a ban could be damaging to businesses. Paying a ransom can often be the fastest and most cost-effective way for an organisation to recover from these attacks.

The alternative, non-payment, means trying to reset and restore an organisation’s systems from backup (assuming regular backups exist) and facing a potentially catastrophic data loss. The business disruption that follows can be ruinous, both financially and reputationally.

According to Veeam’s 2024 Ransomware Trends Report, 96% of security professionals surveyed said that their backup repositories had been targeted, while a mere 15% were able to recover their data without paying a ransom[6].

That said, paying a ransom can be a risky business. The same report found that 27% of those organisations who had paid the ransom were still unable to recover their data. In other words, while paying up might seem to offer a quick solution, there is no guarantee that it will resolve the problem.

‘Double dipping’ poses a further risk for victims. In such cases, a ransom is paid only for a further attack to follow a few days later. Or, even worse, an additional ransom is demanded to avoid the hacker publishing the compromised data or selling the information to the highest bidder.

This poses the question of whether the Government’s proposed limited ban goes far enough.

The focus on publicly owned bodies and operators of critical national infrastructure is a good start, given the obvious disruption that stems from the paralysis of these organisations. However, the policy risks hackers moving their attention away from these organisations, focusing their efforts on private companies who would still be permitted to pay a ransom. This could be particularly devastating for SMEs – which make up around 99.9% of the UK economy, but who lack the resources to mount an effective defence against, and response to, a ransomware attack[7].

A limited ban is not the only measure under consideration.

Reporting of all ransomware attacks

The mandatory reporting of all ransomware attacks by companies that meet a certain threshold is also proposed. This proposal is similar to that which has already been proposed in the Cyber Security and Resilience Bill, which is due to be put to Parliament this year.

The purpose of the reporting is to assist law enforcement agencies by giving them a better understanding of the scale and nature of attacks, in order to identify patterns and improve responses to such attacks, and stop them from spreading.

This would appear to be an obvious ‘win’. The more up-to-date information available, the better the future decision-making on how to combat the threat.

The question which then arises, however, is whether the Government will properly resource the authorities who will receive this data, to allow them to take effective steps to respond.

Decision to pay a ransom

Finally, the Home Office proposes that the decision to pay a ransom could be left to the authorities.

The idea of the authorities needing to approve (or not) the payment of ransoms is likely to be unworkable. It assumes a level of dynamism and responsiveness from Government authorities that is unlikely to be achieved in practice. Taking this decision out of the hands of those who know the organisation and the data at risk best would seem to be ill-advised.

It also remains to be seen how the Government proposes to enforce legislation against the payment of ransoms. Criminalising the victims of a ransomware attack for making a ransom payment would seem to be unduly punitive given that these organisations are the innocent parties in this situation.

The Government may consider substantial fines to be a more appropriate sanction in line with current legislation around data, such as the UK General Data Protection Regulation/Data Protection Act 2018.

Conclusion

It is clear that the time has come for decisive action to be taken in the battle against ransomware attacks, and the Home Office’s initial focus on critical infrastructure and the public sector is a welcome first step.

However, the consultation is light on detail as to how the Government intends to enforce compliance, and around the resources that will be available to ensure the reporting of ransomware attacks informs an effective strategy to prevent these attacks from occurring and spreading.

If a limited ban on ransom payments is introduced, it is incumbent on the Government to ensure that support will be provided to soften the increased business interruption that will invariably follow in the private sector.

While these proposals rumble throughout Westminster, there are still steps businesses can take to improve their chances of avoiding an attack, or ensure they are able effectively to deal with one when it comes.

Training staff to identify potential ransomware and other cyber-attacks, along with regular system checks, backups and patching, can be essential in mitigating these threats. Cyber insurance can also provide valuable support and resources to deal with the consequences of an attack, along with a robust incident response plan which deals with how the business can operate in the face of a ransomware event.

For more information on our services relating to technology disputes, please see here

[1] https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime

[2] https://www.england.nhs.uk/london/synnovis-ransomware-cyber-attack/latest-media-statement-on-synnovis-cyber-attack/#:~:text=As%20a%20result%20of%20the,St%20Thomas’%20NHS%20Foundation%20Trust.

[3] https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime#:~:text=The%20NCSC%20managed%20430%20cyber,services%20or%20the%20wider%20economy.

[4] Over Half of Breached UK Firms Pay Ransom – Infosecurity Magazine

[5] https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf

[6] https://www.primesys.co.uk/wp-content/uploads/2024/10/Veeam-2024-ransomware-trends-report.pdf

[7] https://www.gov.uk/government/statistics/business-population-estimates-2023/business-population-estimates-for-the-uk-and-regions-2023-statistical-release

Crypto recovery – navigating the first 72 hours

Posted on: April 8th, 2025 by Natasha Cox

When a person goes missing, the first 72 hours are mission-critical.

The same urgency applies if you have been hacked, scammed or are the victim of a theft, even more so if the losses are crypto assets. Quick and decisive action in the immediate hours will significantly mitigate the risk of those assets being obfuscated and dissipated and assist with recovery.

Crypto scammers are particularly ruthless, often deploying all manner of sophisticated tactics. From straightforward account compromises and theft with no direct interaction, to elaborate social engineering, often gaining trust through dating websites, fake investment platforms, or social media, their ultimate aim is to deprive a rightful owner of crypto assets.

Discovering that you have been the victim, regardless of the methodology used, can be emotionally draining as well as financially devastating. Clarity of thought and rational action can often give way to absentmindedness. This can lead to victims continuing to pay the bad actors, or fake recovery firms who are one and the same.

In the circumstances this is entirely understandable.

The appropriate next steps can vary depending on the specific circumstances; however, our recommended action plan is detailed below and applies to most scenarios:

  1. Secure your communications

Often, particularly in cases where victims have been socially engineered, your email addresses and social media accounts will likely have been compromised as the result of the hack.

Most mainstream email providers will allow you to see a log-in history which details the IP address and location of all log-in attempts. Consider whether any are unfamiliar.

If there are any suspicious log-ins, it is likely that your email address has been compromised and your communications may be monitored by the scammers. This could also impact other personal and financial accounts linked to your email, such as online shopping accounts, bank accounts and social media profiles. Credit ratings and access to future banking facilities may also be affected.

In this case, it is vital that you immediately change the password for your email, and then for all other accounts held online.

In addition, we recommend that you set up a new, secure email address immediately and avoid logging into any accounts you suspect may have been compromised. You should divert any personal and critical emails to your new account, and ensure that you update your email address across your online shopping, social media and bank accounts.

It is important that you notify your bank and/or cryptocurrency exchange of your new email address, which replaces the old one, and make clear that no instructions are to be taken from the old email address.

  2. Cease communications strategically

In cases where scammers have maintained prolonged contact, they may continue to reach out to you. Let them remain unaware you know this is a fraudulent scheme. If they know that you are aware, there is a heightened risk that they will take steps to obfuscate their trail and dissipate assets, which can make asset recovery more complicated.

If you can, you should look to cease communication strategically without encouraging further interaction. One approach might be to indicate you will be unavailable or away for a few weeks. This will hopefully give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action.

In short, the longer the scammers believe that their scam is undetected, the better.

You should then immediately begin collating a detailed record of all previous communications, including requests for payments, emails, phone calls, text messages, social media interactions, transaction details, wallet addresses and transaction hashes etc. Accurate records are crucial for any subsequent legal action and investigations. If you have been directed to a webpage during your interactions with the scammers, be sure to take screenshots of these pages in case they disappear.

Evidence of what jurisdiction they may be in is also vital. For example, a note of their telephone number and dialling code (e.g. +44 for UK) or mention of a registered office (even if untrue) will help dramatically.

  3. Report to law enforcement

As soon as possible, you should report the theft to the police and Action Fraud – or equivalent law enforcement agencies. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible, and obtain a direct liaison and contact details. Action Fraud is only a database, and your query will not progress unless the police investigate.

Try not to be discouraged or frustrated if the police cannot offer much help. Police resources, expertise, and capacity to deal with crypto-related crimes can vary considerably, and officers may lack immediate familiarity with blockchain technology, or the complexities involved.

Even if the police are unable to offer much direct assistance, formally reporting the incident is a crucial step as it creates an official record that supports any subsequent legal and recovery actions you may take with the support of your legal team.

  4. Device management and evidence preservation

Given that so much of our lives are conducted online and contained within personal devices such as laptops and mobile phones, it is crucial to exercise heightened caution if these devices may have been compromised.

If you notice unusual behaviour or unexpected activity on your devices (for example, unprompted command prompt windows opening up for split seconds, or excessive system resources being used when your device does not appear to be doing much) then this may be an indication your device may be compromised.

This is more likely if the scammers have previously taken remote control of your device under the pretence of assisting you through services like AnyDesk.

As tempting as it may be, avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets. Formatting or resetting the device risks destroying potentially valuable evidence which often indicates the attack vectors used by the scammers and can be a useful part of the puzzle in identifying who they may be.

If your budget permits, obtaining new, uncompromised devices for interim use is recommended.

  5. Secure remaining cryptoassets

It may be that the scammers have only targeted or been able to target specific parts of your crypto holdings. However, if your devices or email/social media accounts have been compromised, it is likely they know much more than you think – including what centralised exchange accounts and wallet addresses you have that they may wish to target next.

As such, you should immediately access and review all centralised exchange accounts you may hold online, and cold storage where applicable. Update your details held at these accounts, including email, contact information and passwords.

It is also crucial to strengthen your two-factor authentication and carefully review transactions to identify any activity you do not recognise which may be indicative of that account being compromised.

If you are holding any assets on these accounts, consider creating new, secure self-custodial wallets on uncompromised devices and transferring remaining assets between multiple wallets.

If you have previously staked assets, check to see whether these remain staked or have been unstaked without your knowledge and are in any cooldown period. If unstaking has been initiated, try to take steps to ensure the unstaked assets can immediately be sent to your new, secure wallets as soon as possible.

  6. Engage with experts

Engaging promptly with specialist lawyers experienced in crypto asset disputes, particularly asset tracing on blockchains and recovery, can be vital in ensuring the swift tracing and recovery of your assets.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets (such as statements) as well as relevant transaction hashes or addresses as this will form the basis of asserting your proprietary claim to those assets. This is essential in recovering such assets.

Scammers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. These exchanges will have established payment rails which allow them to enable the transfer of fiat funds and are crucial to their business operations. 

As these payment rails exist within a regulated environment, banks must be comfortable with the funds handled by these exchanges. Consequently, exchanges are subject to a degree of regulatory oversight and compliance mechanisms to satisfy the requirements of typically highly regulated banking entities.

Once an investigator can identify exchanges which have received the stolen assets, your legal team should then enter into dialogue to place them on notice that they have received the proceeds of crime and request they take specific actions. These include freezing the relevant accounts to secure any assets held within, as well as requesting disclosure of any onward transfers and withdrawals from that account which can be used to further trace the stolen assets with a view to recovery.

This draws a line in the sand – the exchange is now aware of the issue and any funds held at or subsequently deposited at that account must now be frozen.

  7. Seek emotional support

Recognising that you have fallen victim to a scam can trigger intense emotional distress, anxiety, and feelings of isolation. It is important to recognise you are not alone and that these feelings, while overwhelming, are a common response to what can be a very personal breach of privacy, trust and security.

If you find yourself in such a position, consider reaching out to supportive friends and family. Whilst there are also online communities offering support to victims, you should treat these with caution, as these can present attractive hunting grounds for scammers seeking to exploit those at their most vulnerable.

If you find your emotional state severely impacted or you are feeling persistently low, anxious or overwhelmed, it is essential to seek professional medical or mental health support.

As outlined above, acting quickly and methodically within the immediate hours and days after discovering a scam can significantly improve the prospects of recovery and limit the broader financial and emotional damage.

For more information on our services relating to technology disputes, please click here. For our cryptoassets services, please click here

Dominic Holden discusses encryption in The Times

Posted on: March 6th, 2025 by Natasha Cox

Director Dominic Holden explores the recent dispute between Apple and the Home Office over the use of end-to-end encryption and potential backdoors into user data, in The Times.

Dominic’s article was published in The Times, 6 March 2025, and can be found here. 

Apple refuses to open the backdoor, but at what cost?

The Home Office’s demand for Apple to provide them with a ‘backdoor’, allowing access to users’ encrypted data, has been met by simple refusal by Apple. In protest, the tech giant instead opted to entirely withdraw from UK users the ability to protect their data using Apple’s most advanced encryption feature.

End-to-end encryption is double-edged – and the arguments on both sides are compelling.

On the one hand, it allows users to better protect their private data from hackers and other prying eyes. On the other, it can allow criminals to avoid law enforcement’s digital surveillance. It can also be a minefield for prosecution lawyers, hampering their ability to obtain disclosure of the documents they need to build a case against terrorists and others who have threatened national security.

Like many tech companies, Apple faces a dilemma. It must respect the laws of the jurisdiction in which it operates. However, security and privacy are at the heart of its offering. Kowtowing to the UK government risks opening the floodgates to other governments making similar demands in spite of Apple’s privacy commitments to its customers.

As this debate rages on, it remains to be seen whether Apple’s solution sufficiently placates the UK Government, or whether the next round will involve a demand that a backdoor is provided for all data.

The creation of a backdoor is, by its very nature, a risk. It creates a vulnerability which could be exploited by hackers. It is perhaps for this reason that Apple has made this decision – either you have encryption (with no backdoor), or you don’t have encryption at all.

This approach, however, misses a nuance.

Permitting users to encrypt their data is an effective tool against hackers and will ward off the vast majority of opportunistic hackers. Although creating a backdoor may create a vulnerability for the most sophisticated of hackers to exploit, this must surely be a better option than a blanket removal of such a powerful weapon users have at their disposal?

Understandably, many will bristle at the idea of the Government being able to gain access to their encrypted data. However, given that we do not live in a police state and the vast majority of us are not up to no good, a backdoor could help to keep the public safe – provided that there is robust, considered legislation and supervision from the English Courts.

For now, Apple users should take stock of their data and consider that which they would most regret falling into the hands of a hacker. There are still, after all, many (non-Apple) services available that allow for the secure storage and transmission of your data.

For more information on our data privacy and data protection services, please click here

 

Dominic Holden comments on Apple’s end-to-end encryption in TechRound

Posted on: February 27th, 2025 by Natasha Cox

Director Dominic Holden comments on the news that Apple is set to withdraw its Advanced Data Protection feature from the UK, following a dispute with the Home Office over end-to-end encryption and enabling government access to user data. 

Dominic’s comments were published in TechRound, 26 February 2025, and can be found here.

Dominic’s comments are replicated below:

“Balancing privacy rights with the needs of national security is a tightrope that tech companies walk daily. In this case, it appears Apple have begun to teeter.

“End-to-end encryption allows users to more effectively secure their data and better protect it from hackers and other bad actors. However, it can also allow criminals to plot and conduct illicit activity.

“Aside from whether the public trust that a back door such as this will not be misused by the government, the danger of a back door is that it also creates a vulnerability which a hacker may be able to exploit.

“Apple’s decision to withdraw UK users’ ability to encrypt data removes an effective weapon to protect against hacking, whilst hackers and other bad actors will likely migrate to alternative encrypted services that the government cannot access.”

 

Dominic Holden explores cybersecurity for SMEs in Thomson Reuters Regulatory Intelligence

Posted on: February 24th, 2025 by Hugh Dineen-Lees

Director Dominic Holden explores the increasingly important role of cyber insurance for SMEs, and discusses how businesses can best ensure they are protected from cyberattacks, data breaches and hacking.

Dominic’s article was published in Thomson Reuters Regulatory Intelligence, 21 February 2025, and can be found here:

Cybersecurity_ a blind spot for SMEs – [regintel-content.thomsonreute

 

 

Dominic Holden comments on DeepSeek and data protection in The Lawyer

Posted on: January 29th, 2025 by Hugh Dineen-Lees

With Chinese AI platform DeepSeek rapidly becoming the most downloaded free app in the UK and the US, Director Dominic Holden comments on the potential cybersecurity and data protection concerns, in The Lawyer.

Dominic’s comments were published in The Lawyer, 28 January 2025, and can be found here.

“DeepSeek’s privacy policy makes clear that they will collect your personal data, use it for a broad range of purposes and store it in China. This data is very valuable especially when provided at scale by thousands of users. The same concerns which gave rise to the proposed TikTok ban seem to apply here.

“With China’s national security laws obliging Chinese firms to share data with government agencies, users cannot know what will ultimately become of their data or how it might be used. Great care should be taken by users in deciding what to share with the platform.”

Dominic Holden comments on the potential cybersecurity risks surrounding RedNote and TikTok, in Yahoo! News

Posted on: January 15th, 2025 by Natasha Cox

Director Dominic Holden comments on the potential cybersecurity and data protection risks of downloading RedNote, the social media platform which users are downloading before the potential US TikTok ban, in Yahoo! News.

Dominic’s comments were published in Yahoo! News, 14 January 2025, and can be found here

“Like TikTok, RedNote is owned by a Chinese company which potentially raises the same privacy and data concerns that led to TikTok’s possible ban. 

“Whilst the app itself does not appear to be dangerous, users concerned about their data privacy and how their data is to be used by RedNote may be slow to adopt it until more is known.

“There is also the further risk that as RedNote gains popularity, as a Chinese-owned company, it too may need to deal with the same regulatory issues TikTok has faced. Failure to do so could result in a future ban or legal action against RedNote.”

For more information on our technology disputes practice please click here

Abtin Yeganeh comments on the Renters’ Rights Bill capping up-front payments for renters

Posted on: January 13th, 2025 by Natasha Cox

Director and Head of Property Litigation Abtin Yeganeh comments on a new provision of the Renters’ Rights Bill making it illegal to ask tenants to pay more than one month’s rent plus a six-week deposit up front.

Abtin’s comments were published in Metro, 10 January 2025, and can be found here.

Will the new legislation work?

So, why have landlords been allowed to ask for such vast amounts upfront until now?

As Abtin Yeganeh, Director and Head of Real Estate Disputes at Lawrence Stephens tells Metro, landlords often use these hefty deposits for peace of mind when, for example, tenants might not have a UK-based guarantor.

‘In order to tackle issues of bad credit and/or renting to overseas individuals, landlords often seek rent in advance as additional financial security. This can amount to six months’ rent in advance,’ Abtin details.

But as he believes, we’ll have to wait and see how it pans out – and whether landlords listen to the details of enforcement.

‘The outcome of these reforms is that tenants should, in theory, have more options when it comes to securing rental properties as they will not have to compete with prospective tenants who can pay a lump sum in advance. 

‘However, given that landlords have a choice as to who they want to take on as a tenant, it remains to be seen whether the proposed changes have the desired effect.’

For more information on our Real Estate Disputes services, please click here

Lawrence Stephens expands its Real Estate Disputes team with appointment of Senior Associate Roberto Francis

Posted on: January 6th, 2025 by Natasha Cox

Leading dispute resolution firm, Lawrence Stephens, is pleased to announce the appointment of Roberto Francis as Senior Associate to its Real Estate Disputes team.

Roberto joins the firm with extensive experience acting for bridging and alternative lenders with a primary focus on secured and unsecured recoveries, which includes but is not limited to possession claims, receivership, insolvency and professional negligence.

Head of Real Estate Disputes, Abtin Yeganeh said “We’re delighted to welcome Roberto to our team. We’re certain that the breadth of his experience will enhance our service offering and enable us to continue delivering commercially focused, marketing-leading legal advice.”

Lawrence Stephens appoints litigation and commercial fraud specialist Dominic Holden

Posted on: November 12th, 2024 by Natasha Cox

Leading full-service law firm Lawrence Stephens is pleased to announce the appointment of dispute resolution specialist Dominic Holden, who joins as a Director in its Dispute Resolution department.

News of Dominic’s appointment was published in Commercial Dispute Resolution here and The Legal Diary here

Dominic specialises in substantial civil fraud claims, as well as complex data and hacking claims and multi-national, investigatory, enforcement and asset tracing work.

Prior to joining Lawrence Stephens, Dominic was Head of Litigation at Burlingtons in Mayfair.

Dominic advises on a broad range of commercial disputes and has particular expertise in matters involving complex and cross-border elements. Notable highlights include acting for aviation magnate Farhad Azima in his long-running and high-profile litigation against Ras Al Khaimah’s sovereign wealth fund and its advisers, international law firm Dechert LLP and former partner Neil Gerrard.

Dominic also advises on breach of trust, professional negligence, contentious insolvency and director, shareholder and/or partnership disputes.

With a wealth of experience in litigation and disputes, Dominic’s appointment reflects the continued and exciting growth of Lawrence Stephens in recent years, while bolstering both the firm’s existing Dispute Resolution offering and cross-practice expertise.

Commenting on his appointment, Dominic said: “I am excited to begin the next chapter of my career with Lawrence Stephens. It is a pleasure to be working alongside a dynamic team of leading practitioners across a range of sectors, helping clients to navigate a range of high-profile and complex international disputes.”

Lawrence Kelly, Director in the Dispute Resolution department at Lawrence Stephens, commented: “We are delighted to welcome Dominic to the Lawrence Stephens team. His experience and tenacity complement our Dispute Resolution offering and broaden our cross-departmental expertise – allowing us to continue to offer our clients bespoke and integrated legal advice.”

Matt Green, Director and Head of Blockchain and Digital Assets and Technology Disputes at Lawrence Stephens, commented: “Dominic is a truly first-class litigator with a wealth of experience in technology disputes including litigation relating to hacking and data issues. I look forward to working with Dominic closely on a range of technology-related matters at Lawrence Stephens.”

Abtin Yeganeh comments on landlord-imposed work from home bans in The Independent

Posted on: July 8th, 2024 by Natasha Cox

Senior Associate, Abtin Yeganeh, comments on landlords banning their tenants from working from home, as well as tenants’ protections in this area, in The Independent.

Abtin’s comments were published in The Independent, 07 July 2024.

“As a general rule, a landlord cannot stop a tenant from working from home as it would interfere with a tenant’s statutory right to quiet enjoyment of their property. The position is somewhat more complicated where a tenant seeks to run a business from their rental property. With that said, whilst landlords can seek to exclude a tenant’s right to work from home, The Small Business Enterprise and Employment Act 2015 (subject to several exclusions) provides that landlords cannot unreasonably refuse a tenant’s request to do so.”  

Registering as a cryptoasset business

Posted on: January 5th, 2024 by AlexT

Whilst currently cryptoassets are generally unregulated in the UK, businesses that provide certain cryptoasset services are required to register with the Financial Conduct Authority (FCA) – the UK’s main financial regulatory body.

For businesses operating within the crypto industry, FCA registration represents a critical compliance milestone, and has been a requirement for cryptoasset businesses operating in the UK since 10 January 2020.

If cryptoassets are unregulated, why is there a requirement for FCA registration?

On 10 January 2020, the EU’s 5th Anti-Money Laundering Directive came into effect, which was implemented in the UK by way of amendments to the existing Money Laundering Regulations (MLR).

Amongst other things, the directive sought to provide a legal definition of cryptocurrency. It also detailed the types of entities and business operations involving cryptoassets that would be subject to Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) regulations akin to those applying to traditional financial institutions.

This directive also appointed the FCA as the supervisor of UK cryptoasset businesses under the MLR.

These regulations require all businesses that conduct, by way of business, activities falling within their scope to comply with anti-money laundering and counter-terrorist financing regulations, which includes registering with the FCA.

It is important to note, however, that there is a distinction between being ‘authorised’ by the FCA and being ‘registered’. Successful registration with the FCA as a cryptoasset business shows that the business follows an appropriate level of AML and CTF measures and safeguards, while complying with the regulations in a manner acceptable to the FCA. It also serves as a mark of credibility in what has, at times, been an industry characterised by a number of bad actors.

As such, FCA registration can enhance the reputation of the business in the eyes of potential customers. However, consumers should be aware that being registered with the FCA does not mean that they will be protected by the Financial Services Compensation Scheme should something go wrong.

What type of cryptoasset businesses fall within the scope for registration?

Currently, the following types of cryptoasset business activity would fall within the scope for registration with the FCA under regulation 14A of the MLR 2017:

  • Exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets;
  • Exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another;
  • Operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets (e.g. crypto ATMs); and
  • Providing services to safeguard and/or administer cryptoassets or private cryptographic keys to hold on behalf of customers in order to hold, store and transfer cryptoassets.

Registering with the FCA

Registering with the FCA is an involved process and requires significant preparation and understanding of the regulatory requirements. Once a business has determined that it falls within the scope of registration, it must then demonstrate that it has in place a robust financial crime control framework which is compliant with the requirements of the MLR.

This framework should encompass a comprehensive business-wide financial crime risk assessment, tailored to the business model. Essentially, this should demonstrate how a specific business could be manipulated or be used as a conduit for financial crime.

The FCA will expect businesses to identify all risks pertaining to their business model and, as perturbing as some applicants might find this process, being upfront in identifying risks will not weaken an application. Rather, the accurate and detailed identification of risks will make it more likely that the frameworks built around a business model (and in support of a business’ application) are fit for purpose.

As part of the application the business will also be required to provide clear governance structures, customer risk assessment methodologies, policies for due diligence and suspicious activity reporting, as well as financial crime prevention training procedures. Businesses are also required to appoint a Money Laundering Reporting Officer (MLRO) with relevant knowledge and experience.

The FCA will also expect to see a business plan and forecast in support of an application. This plan should include details of the business model, key individuals and responsibilities, sources of liquidity, details of the customer journey and flow of funds.

Since the Travel Rule requirement for cryptoassets came into effect on 1 September 2023, cryptoasset businesses must demonstrate compliance with it. The requirements of the Travel Rule are contained within the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022, and require relevant businesses such as exchanges or custodian wallet providers to collect, verify and share information relating to cryptoasset transfers.

As with any application with a regulatory body, the process should not be contentious, and businesses should be aware that the FCA is not actively trying to catch them out or deny an application. A collaborative approach inevitably yields more positive feedback.

Despite this, however, the application process can be long-winded and subject to delays. It is not uncommon to have different case handlers and multiple requests for information that has already been provided, which can cause dissatisfaction among applicants.

As such, a well-prepared and well-presented application is inevitably more likely to succeed, and so engaging with an advisor can provide valuable insights and improve the chances of a successful registration. Therefore, as the FCA itself recommends, seeking independent legal advice can be key in presenting a well-prepared and informed application.

Will registering with the FCA “future proof” a business?

Currently, relevant cryptoasset businesses are subject to limited financial services regulation, primarily aimed at anti-money laundering and counter-terrorist financing obligations. However, subject to governmental consultations, the future regulatory landscape will become more widely applicable, and the government anticipates implementing the legislation required to develop this regulatory regime in 2024.

Businesses wishing to undertake activities involving cryptoassets by way of business will, under this new regulatory environment, be required to obtain authorisation from the FCA. This is because it is intended that certain cryptoassets will be brought within the scope of the definition of ‘specified investments’ and, therefore, the activities in relation to these cryptoassets will be regulated as opposed to the cryptoassets themselves.

It is envisaged that this regulatory regime will be specific to certain types of cryptoassets depending on the regulated activity, and there will be more precise criteria set out in secondary legislation to determine whether a cryptoasset and activity is within the regulatory scope.

As well as existing regulated activities being applicable in relation to cryptoassets, there are also additional proposed activities specific to cryptoassets which will fall within the scope of future regulation, including:

  • Safeguarding and/or administration (custody) activities;
  • Issuance, payment and exchange activities;
  • Investment and risk management activities;
  • Lending, borrowing and leverage activities; and
  • Validation and governance activities.

As such, carrying out regulated activities involving cryptoassets by way of business will require authorisation by the FCA under Part 4A of the Financial Services and Markets Act (FSMA), and this will equally apply to firms already registered with the FCA under the MLR.

At Lawrence Stephens, our team is adept at assisting diverse businesses in harnessing the potential of cryptoassets. With our bespoke legal insights, we ensure your cryptocurrency adoption journey is seamless, safeguarded, and aligned with the developing digital finance sector.