FCA Crypto Authorization: What Exchanges Must Do in the UK
FCA Crypto Authorization Path Finder
What's Your Business Situation?
Answer these questions to determine which regulatory path applies to your crypto business in the UK.
Enter your business details above and click "Calculate Your Regulatory Path" to see which FCA authorization applies to you.
Key Takeaways
- UK crypto exchanges must register with the FCA under the Money Laundering Regulations (MLR) now.
- From 2026 onward, many crypto activities will need full FSMA authorisation, covering trading platforms, dealing, arranging and safeguarding.
- Overseas firms serving UK retail customers need UK authorisation unless they work through a UK‑authorised intermediary.
- Stablecoin issuers face a physical‑presence test; custodians must meet CASS audit standards.
- Preparing early - documentation, AML controls, skilled‑person appointments - reduces the risk of refusal.
The UK Financial Conduct Authority (FCA is the regulator that supervises financial markets, including crypto‑related services. ) has built a two‑track framework for crypto exchanges. The first track is the existing registration under the Money Laundering Regulations (MLR). The second, more demanding track, will soon require full authorisation under the Financial Services and Markets Act 2000 (FSMA). If you run a crypto exchange or plan to launch one, you need to know which track applies to you, what paperwork to gather, and how to avoid common pitfalls.
Current Landscape: MLR Registration
Since January 2020, any firm offering crypto‑asset exchange services or custodian wallet services in the UK must register with the FCA under the MLR. This is the baseline entry point and involves four possible outcomes: approval, rejection, withdrawal, or refusal. The registration process is designed to prove that you have robust anti‑money‑laundering (AML) and counter‑terrorist‑financing (CTF) controls.
Key documents the FCA expects:
- A risk‑based AML policy that references the Joint Money Laundering Steering Group (JMLSG) guidance for crypto‑asset exchange providers (PartII, Chapter22).
- Proof of customer‑due‑diligence (CDD) procedures, including Politically Exposed Persons (PEP) checks as outlined in FCA Guidance FG17/6.
- Evidence of a designated Money Laundering Reporting Officer (MLRO) and any required skilled‑person appointments.
- Systems for ongoing transaction monitoring and suspicious activity reporting.
Once approved, you receive a registration number and can legally offer exchange services to UK customers. However, registration does not grant permission to undertake activities that fall under the forthcoming FSMA regime, such as operating a qualifying crypto‑asset trading platform.
Upcoming Shift: FSMA Authorisation Requirements
The FCA is preparing to extend its authority under the FSMA to cover five core crypto‑related activities:
- Operating a qualifying crypto‑asset trading platform.
- Dealing in qualifying crypto‑assets as principal.
- Dealing in qualifying crypto‑assets as agent.
- Arranging deals in qualifying crypto‑assets.
- Safeguarding qualifying crypto‑assets and specified investment crypto‑assets.
Two additional activities - qualifying crypto‑asset staking and issuing qualifying stablecoins - will also need separate authorisation.
To obtain FSMA authorisation, firms must satisfy the FCA's Threshold Conditions (COND) and General Provisions (GEN) in the same way as traditional financial services firms. The Principles for Businesses (PRIN) apply with targeted disapplications for platform‑based transactions, recognising the unique nature of on‑chain trading.
Typical documentation includes:
- A detailed business plan covering the specific regulated activity, market size, and revenue model.
- Governance arrangements, including board composition, risk‑management framework, and internal controls.
- Financial resources calculations - capital adequacy to meet the FCA's minimum net‑wealth requirement for crypto‑asset activities.
- Policies for client asset segregation, referencing the CASS audit requirements for custodians and stablecoin issuers.
- Proof of systems that meet the FCA’s technical standards for transaction reporting and record‑keeping.
Applications are reviewed in stages: initial validation, substantive assessment, and, if needed, a request for additional information. The FCA may also conduct a site visit to verify infrastructure and controls.
Territorial Scope: When Overseas Firms Need UK Authorisation
The new FSMA rules expand FCA jurisdiction beyond UK‑based firms. An overseas exchange that offers services directly to UK retail consumers must obtain UK authorisation for the following activities:
- Operating a qualifying crypto‑asset trading platform.
- Dealing in qualifying crypto‑assets (principal or agent).
- Arranging deals in qualifying crypto‑assets.
There is an exception when the foreign firm works through a UK‑authorised intermediary that already holds the necessary permissions. This avoids a cascading chain of authorisations.
For institutional clients - defined as entities acting on behalf of a business, profession, or trade - the FCA provides an exemption. Overseas platforms serving only UK institutional customers do not need authorisation for platform operation, dealing, or arranging, provided they are not intermediaries for retail consumers.
Stablecoin issuers are treated differently. They need UK authorisation only if the activity is carried out from a UK establishment. This physical‑presence test means a foreign stablecoin project can market to UK users without a UK licence, as long as the issuance does not occur on UK soil.
Custody, Safeguarding, and the CASS Audit
Firms that hold client crypto‑assets must comply with the FCA’s Custody Asset Segregation (CASS) audit standards. The audit checks that assets are properly segregated, that the firm has robust IT security, and that there are clear processes for client asset restitution in case of insolvency.
Key CASS requirements:
- Segregated wallets for each client or class of client.
- Independent third‑party verification of wallet balances at least annually.
- Documentation of internal controls, including key‑management procedures.
- Business continuity plans that address cyber‑attack scenarios.
Stablecoin issuers fall under the same audit regime if they also act as custodians for the backing assets.
Checklist to Get Ready - From Registration to Authorisation
Use this quick checklist to track progress and avoid missing a requirement.
- Determine your activity scope. Are you only an exchange, or do you also offer staking, custodial services, or stablecoin issuance?
- Map the FCA regulatory path - MLR registration for now, FSMA authorisation for the future.
- Compile AML/CTF policies referencing JMLSG and FATF VASP guidance.
- Appoint a Money Laundering Reporting Officer (MLRO) and any required skilled persons.
- Prepare a business plan that includes capital resources, risk management, and client‑asset segregation.
- Set up technical systems for transaction monitoring, record‑keeping, and reporting to the FCA.
- If you are overseas, assess whether you need a UK authorised intermediary.
- Schedule a pre‑application meeting with the FCA to clarify doubts.
- Plan for a CASS audit if you hold client assets - engage an external auditor early.
- Track implementation timelines: aim to file MLR registration now and have the FSMA application ready before the 2026 rollout.
Comparison: MLR Registration vs FSMA Authorisation
| Aspect | MLR Registration (Current) | FSMA Authorisation (Future) |
|---|---|---|
| Regulatory basis | Money Laundering Regulations 2017 (as amended) | Financial Services and Markets Act 2000 (FSMA) |
| Scope of activities | Crypto‑asset exchange & custodian wallet services | Trading platform, dealing, arranging, safeguarding, staking, stablecoin issuance |
| Threshold conditions | Basic AML/CTF compliance | Full COND & GEN conditions, capital adequacy, governance |
| Application outcome | Approval or refusal - no ongoing supervision beyond AML checks | Authorised status with continuous FCA supervision (SUP) |
| Territorial reach | UK‑based firms only | Includes overseas firms serving UK retail customers |
| Custody standards | General AML controls | CASS audit requirements for custodial activities |
| Timeline | Immediate - registration opens year‑round | Planned rollout 2026, with consultation phases still ongoing |
Practical Tips from the Field
We spoke to several UK‑registered exchanges during the 2024-2025 consultation period. Here’s what they found most useful:
- Use a modular AML system that can be expanded to meet future FSMA data‑recording needs.
- Document every internal decision - the FCA likes to see a paper trail showing why a particular control was chosen.
- Start a “sandbox” version of your trading platform early; the FCA may allow limited live testing under a temporary licence.
- When hiring a skilled person, choose someone with FCA‑approved experience in both traditional finance and crypto‑asset custody.
- For overseas firms, set up a UK subsidiary rather than relying on an intermediary; it simplifies the authorisation route and reduces ongoing compliance friction.
Remember, the FCA’s ultimate goal is to protect UK consumers while allowing innovation. Aligning your compliance program with that goal not only avoids penalties but also builds trust with users.
Frequently Asked Questions
Do I need both MLR registration and FSMA authorisation?
If you only provide exchange services today, MLR registration is sufficient. However, once you plan to operate a qualified trading platform, deal as principal or agent, or offer staking, you must obtain FSMA authorisation. Running both in parallel is common during the transition period.
What counts as a “qualifying crypto‑asset” under the FCA?
A qualifying crypto‑asset is any crypto‑asset that the FCA deems to fall within the scope of regulated activities, such as Bitcoin, Ethereum, or any token that can be traded on a platform offering “exchange‑like” services. Stablecoins pegged to fiat are also qualifying if they meet the FCA’s definition of “stablecoin”.
Can an overseas exchange avoid UK authorisation by using a UK‑based partner?
Yes, if the UK partner holds the necessary FCA authorisation and the foreign exchange only accesses UK consumers through that partner. The FCA explicitly designed the rule to prevent an endless chain of authorisations.
What is the CASS audit and why does it matter?
CASS (Custody Asset Segregation) audit is a third‑party assessment of how a firm separates client crypto‑assets from its own holdings. It ensures that, if the firm fails, client assets can be returned promptly. The FCA will not grant authorisation for safeguarding activities without a satisfactory CASS audit.
When will the FCA’s new FSMA rules become enforceable?
The FCA plans to roll out the authorisation regime in 2026, following the final consultation on technical standards scheduled for early 2026. Firms should therefore start preparing their applications now.
1 Comments
Millsaps Crista
October 14 2025Alright, if you’re serious about launching a UK exchange you need to get your AML paperwork locked down right now. The FCA will not look kindly on half‑baked policies, so make that risk‑based AML manual rock solid. Appoint a competent MLRO and make sure you have proper CDD procedures for every customer. Don’t wait for the FSMA deadline – the sooner you register under MLR, the smoother the transition will be. Push your team, tighten the controls, and you’ll avoid unnecessary roadblocks.