The United Kingdom has one of the most structured and actively evolving crypto regulatory frameworks in the world. Any business operating a cryptoasset service in the UK - whether exchange, custody, brokerage or staking - must register with the Financial Conduct Authority (FCA) under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs), as amended. Failure to register before commencing operations is a criminal offence carrying unlimited fines and up to two years'; imprisonment. This article maps the full regulatory landscape: from FCA registration and anti-money laundering (AML) obligations to the incoming Financial Services and Markets Act 2023 (FSMA 2023) regime, practical licensing timelines, and the strategic decisions that determine whether a UK crypto business survives regulatory scrutiny.
---
The UK';s approach to crypto regulation is layered. The current primary gateway is the MLRs regime, which requires cryptoasset exchange providers and custodian wallet providers to register with the FCA before conducting business in or from the UK. Registration under the MLRs is not a licence in the traditional financial services sense - it is a registration for AML and counter-terrorist financing (CTF) supervision. However, the FCA treats it with the same rigour as a full authorisation.
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Regulation 14A, introduced the cryptoasset registration requirement. The FCA assesses whether the business has adequate AML systems, appropriate governance, and fit and proper individuals in key roles. The threshold for approval is high: the FCA has rejected or caused the withdrawal of a significant proportion of applications since the regime launched.
The Financial Services and Markets Act 2023 represents the next structural shift. FSMA 2023 grants HM Treasury powers to bring a broad range of cryptoasset activities within the regulated activities framework under the Financial Services and Markets Act 2000 (FSMA 2000). This means that activities such as operating a cryptoasset exchange, issuing stablecoins, and providing crypto custody will become regulated activities requiring full FCA authorisation - not merely registration. Secondary legislation implementing this regime is being phased in, with the stablecoin and exchange frameworks expected to be operative within the near-term legislative cycle.
The Proceeds of Crime Act 2002 (POCA 2002) and the Terrorism Act 2000 also apply directly to cryptoasset businesses. Any business that facilitates transactions involving the proceeds of crime - even unknowingly, if it failed to conduct adequate due diligence - faces criminal exposure under POCA 2002, Section 327 onwards.
A non-obvious risk is that many international businesses assume that operating a platform from outside the UK but serving UK customers does not trigger UK registration requirements. The FCA';s position is that if a business actively markets to or onboards UK persons, it is conducting business in the UK and must register. Ignoring this territorial reach has led to enforcement action against offshore operators.
---
The FCA cryptoasset registration process is demanding by design. The FCA uses it as a substantive supervisory tool, not a formality. Understanding the process in detail is essential before committing resources to a UK market entry.
Scope of registration. Registration covers cryptoasset exchange providers (businesses that exchange cryptoassets for fiat or other cryptoassets) and custodian wallet providers (businesses that safeguard private cryptographic keys on behalf of customers). If a business falls into either category and operates in the UK, registration is mandatory regardless of corporate domicile.
Application content. The FCA requires a detailed submission covering:
The FCA scrutinises each element. Incomplete or generic submissions are returned, restarting the clock. In practice, the FCA';s assessment period has ranged from several months to well over a year for complex applications.
Fit and proper assessment. Every individual who is a beneficial owner, officer or manager of the applicant must pass the FCA';s fit and proper test. This covers honesty, integrity and reputation; competence and capability; and financial soundness. Criminal records, regulatory sanctions in any jurisdiction, and undisclosed directorships are common grounds for rejection.
Temporary registration. Businesses that were already operating in the UK before the registration deadline were placed on the Temporary Registration Regime (TRR). The TRR has now closed to new entrants. Businesses that did not secure registration before the TRR closed and are still operating without registration are in breach of the MLRs.
Costs. The FCA charges an application fee, which varies by business size and complexity. Legal and compliance advisory fees for preparing a credible FCA registration application typically start from the low tens of thousands of GBP, depending on the complexity of the business model and the state of the applicant';s existing compliance infrastructure. Businesses with no prior AML framework face substantially higher preparation costs.
Common mistake. A frequent error by international applicants is submitting a compliance framework designed for another jurisdiction - such as a VASP registration from an EU member state or a CIMA-registered Cayman entity - and expecting the FCA to accept it as equivalent. The FCA does not operate on equivalence principles for AML registration. Each application must demonstrate UK-specific compliance.
To receive a checklist for FCA cryptoasset registration in the United Kingdom, send a request to info@vlolawfirm.com
---
AML and CTF compliance is the operational core of running a regulated crypto business in the UK. The FCA supervises registered cryptoasset businesses on an ongoing basis, and enforcement action for AML failures can result in deregistration, financial penalties and criminal referral.
Customer due diligence. The MLRs require cryptoasset businesses to apply CDD to all customers. CDD involves verifying the customer';s identity, understanding the nature and purpose of the business relationship, and conducting ongoing monitoring of transactions. Enhanced due diligence applies to higher-risk customers, including politically exposed persons (PEPs), customers from high-risk third countries, and customers with complex ownership structures.
Suspicious activity reporting. Under POCA 2002 and the Terrorism Act 2000, cryptoasset businesses must submit Suspicious Activity Reports (SARs) to the National Crime Agency (NCA) where they know or suspect that a customer is engaged in money laundering or terrorist financing. Failure to file a SAR when required is itself a criminal offence. The NCA';s Financial Intelligence Unit processes SARs and can issue a moratorium period - currently seven days, extendable to 31 days - during which the business must not proceed with a transaction pending NCA consent.
The travel rule. The UK implemented the cryptoasset travel rule through the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022. Under this rule, cryptoasset businesses must collect, verify and transmit originator and beneficiary information for cryptoasset transfers above a threshold of 1,000 GBP (or equivalent). This applies to transfers between virtual asset service providers (VASPs) and between VASPs and self-hosted wallets, subject to specific conditions. The travel rule creates significant technical and operational obligations, particularly for businesses that transact with counterparties in jurisdictions that have not yet implemented equivalent rules.
Sanctions screening. The Office of Financial Sanctions Implementation (OFSI), part of HM Treasury, administers UK financial sanctions. Cryptoasset businesses must screen customers and transactions against the UK Consolidated List of financial sanctions targets. OFSI has the power to impose civil monetary penalties for sanctions breaches without requiring proof of intent. A non-obvious risk is that cryptoasset transactions can inadvertently touch sanctioned addresses through mixing or layering, creating exposure even for businesses with no direct relationship with a sanctioned party.
Record-keeping. The MLRs require cryptoasset businesses to retain CDD records for five years from the end of the business relationship and transaction records for five years from the date of the transaction. Records must be retrievable promptly on request from the FCA or law enforcement.
In practice, it is important to consider that the FCA conducts both desk-based reviews and on-site visits of registered cryptoasset businesses. A business that passes initial registration but allows its compliance framework to deteriorate faces supervisory action. The FCA has used its powers to cancel registrations of businesses that failed to maintain adequate AML controls post-registration.
---
The transition from MLRs registration to full FSMA 2000 authorisation represents the most significant structural change for UK crypto businesses since the registration regime launched. Businesses that are currently registered under the MLRs will need to apply for FCA authorisation once the relevant secondary legislation comes into force.
What changes under FSMA 2023. Under the new framework, cryptoasset activities will be designated as regulated activities under FSMA 2000. This means that conducting a regulated cryptoasset activity without authorisation will constitute the "general prohibition" offence under FSMA 2000, Section 19 - a criminal offence carrying up to two years'; imprisonment and unlimited fines. The FCA will have the full suite of FSMA supervisory and enforcement tools available, including variation of permissions, imposition of requirements, and public censure.
Stablecoin regulation. HM Treasury has prioritised the regulation of fiat-backed stablecoins used as a means of payment. Under the incoming regime, issuers of such stablecoins and firms that facilitate their use will require FCA authorisation. The Bank of England will also have a role in supervising systemic stablecoin issuers. Businesses that issue or distribute stablecoins in the UK must monitor the legislative timetable closely, as operating without authorisation once the regime is live will be a criminal offence.
Market abuse and financial promotions. The Financial Services and Markets Act 2000 (Financial Promotion) Order 2005, as amended by the Financial Services and Markets Act 2000 (Financial Promotion) (Amendment) Order 2023, brought cryptoasset financial promotions within the FCA';s financial promotion regime. Since the rules came into force, cryptoasset businesses communicating financial promotions to UK persons must either be FCA-authorised or have their promotions approved by an FCA-authorised person. The FCA has taken enforcement action against businesses that communicated non-compliant promotions, including requiring the removal of social media content and issuing public warnings.
Practical scenario - exchange operator. A non-UK exchange with a significant UK user base that has been operating under a Cayman VASP registration faces a two-stage compliance challenge. First, it must assess whether it is currently required to hold FCA MLRs registration (likely yes, given active UK marketing). Second, it must plan for FSMA 2023 authorisation. The cost and operational burden of both stages is substantial, and the business must decide whether the UK market justifies the investment or whether geo-blocking UK users is a more viable commercial decision.
Practical scenario - DeFi protocol. A decentralised finance (DeFi) protocol with no central operator faces a different question: whether its activities fall within the FCA';s regulatory perimeter at all. The FCA has acknowledged that truly decentralised protocols may fall outside the current MLRs regime. However, the FCA has also indicated that it will look through decentralisation claims to identify whether there is in fact a central party exercising control. A protocol with an identifiable development team, governance token holders who can vote on protocol changes, or a foundation that controls treasury funds is unlikely to be treated as genuinely decentralised.
Practical scenario - NFT platform. A non-fungible token (NFT) marketplace must assess whether the NFTs it trades constitute cryptoassets within the MLRs definition. The FCA';s current position is that NFTs that are unique and non-fungible fall outside the MLRs registration requirement, but NFTs that are fractionalized or function as financial instruments may fall within the perimeter. This is a fact-specific analysis that requires legal assessment of each token type.
To receive a checklist for FSMA 2023 authorisation preparation for crypto businesses in the United Kingdom, send a request to info@vlolawfirm.com
---
The FCA';s enforcement posture toward cryptoasset businesses has hardened materially. Businesses that treat regulatory compliance as a box-ticking exercise rather than an operational priority face significant exposure.
FCA enforcement powers. The FCA can cancel or suspend a cryptoasset registration at any time if it concludes that the business is not fit and proper or has failed to comply with the MLRs. Cancellation is immediate in urgent cases. The FCA also has the power to impose financial penalties, issue public censures, and apply to court for injunctions or restitution orders. Under FSMA 2023, these powers will expand to cover the full range of regulated cryptoasset activities.
Criminal prosecution. The FCA refers cases to the Crown Prosecution Service (CPS) where it identifies evidence of deliberate fraud, market manipulation or serious AML failures. The Serious Fraud Office (SFO) also has jurisdiction over complex fraud cases involving cryptoassets. Prosecution timelines are long - typically several years from investigation to verdict - but the reputational and financial consequences are severe.
OFSI penalties. OFSI can impose civil monetary penalties for financial sanctions breaches without requiring proof of intent. The maximum penalty is the greater of 1 million GBP or 50% of the value of the breach. OFSI has demonstrated willingness to use these powers against financial services firms, and cryptoasset businesses are within scope.
Risk of inaction. A business that identifies a compliance gap but delays remediation faces compounding risk. The FCA treats prompt self-reporting and remediation as mitigating factors in enforcement decisions. A business that identifies a problem, fails to report it, and is later discovered by the FCA faces a materially worse outcome than one that self-reported and cooperated. The window for voluntary remediation closes once the FCA opens a formal investigation.
Common mistake - relying on legal opinions from non-UK counsel. Many international businesses obtain legal opinions on their UK regulatory status from counsel in their home jurisdiction. These opinions frequently underestimate the territorial reach of UK regulation and the FCA';s willingness to take action against offshore entities. UK-specific legal advice is essential before commencing or continuing UK-facing operations.
Loss caused by incorrect strategy. A business that structures its UK operations incorrectly - for example, by routing UK customer relationships through an unregistered offshore entity while maintaining a UK-based team - may find that the FCA treats the entire structure as a UK business requiring registration. The cost of unwinding such a structure, paying penalties, and rebuilding compliant operations typically far exceeds the cost of correct structuring at the outset.
Comparison of approaches. A business with a limited UK user base and no active UK marketing may conclude that geo-blocking UK users and accepting the resulting revenue loss is preferable to the cost and operational burden of FCA registration and eventual FSMA authorisation. A business with a material UK revenue stream, by contrast, will generally find that the economics favour investing in compliance. The decision turns on the size of the UK market opportunity, the cost of compliance, and the business';s risk appetite. There is no universally correct answer, but the decision must be made deliberately and documented.
We can help build a strategy for structuring your UK crypto operations and managing FCA regulatory risk. Contact info@vlolawfirm.com
---
What is the biggest practical risk for a crypto business that has not registered with the FCA?
Operating a cryptoasset exchange or custodian wallet service in the UK without FCA registration under the MLRs is a criminal offence. The FCA actively monitors the market and has issued warnings against unregistered businesses, requiring them to cease UK operations. Beyond the criminal exposure, unregistered businesses face civil enforcement, including injunctions and asset freezes. Banking relationships are also at risk: UK banks routinely conduct due diligence on their customers'; regulatory status, and an unregistered crypto business is likely to lose access to UK banking. The practical consequence is that the business cannot operate in the UK at all.
How long does FCA cryptoasset registration take, and what does it cost?
The FCA does not publish a fixed timeline, but in practice the process has taken anywhere from several months to over a year, depending on the complexity of the application and the quality of the submission. Applications that are incomplete or that contain generic compliance frameworks are returned, which restarts the assessment period. Legal and compliance advisory costs for preparing a credible application typically start from the low tens of thousands of GBP. Businesses with no existing AML infrastructure face higher costs. The FCA';s own application fee varies by business size. Businesses should budget for ongoing compliance costs post-registration, including staff, technology and periodic legal review.
Should a crypto business seek FCA registration now or wait for the FSMA 2023 regime?
Waiting is not a viable option for businesses that currently fall within the MLRs registration requirement. Operating without registration is a criminal offence regardless of the incoming FSMA 2023 framework. For businesses that are not yet operating in the UK, the strategic question is whether to enter under the current MLRs regime and then transition to FSMA authorisation, or to wait until the FSMA regime is fully operative and apply for authorisation directly. The answer depends on the business';s timeline and commercial priorities. Entering now under the MLRs provides market access sooner but requires a two-stage compliance investment. Waiting avoids the MLRs registration process but delays UK market entry. In either case, the compliance infrastructure required for MLRs registration substantially overlaps with what will be required for FSMA authorisation, so early investment in compliance is rarely wasted.
---
The United Kingdom';s crypto and blockchain regulatory framework is among the most demanding in the world, and it is becoming more so as the FSMA 2023 regime takes effect. Businesses that invest in proper FCA registration, robust AML and CTF compliance, and proactive engagement with the evolving regulatory framework are positioned to operate sustainably in one of the world';s most significant financial markets. Those that treat compliance as optional or that rely on offshore structures to avoid UK regulation face criminal exposure, enforcement action and loss of market access.
To receive a checklist for ongoing crypto regulatory compliance in the United Kingdom, send a request to info@vlolawfirm.com
Our law firm VLO Law Firms has experience supporting clients in the United Kingdom on crypto and blockchain regulatory matters. We can assist with FCA registration applications, AML framework development, financial promotions compliance, FSMA 2023 authorisation preparation, and regulatory risk assessment for international businesses entering the UK market. To receive a consultation, contact: info@vlolawfirm.com