Jun, 3 2026
You cannot run a crypto business in the UK without strict adherence to anti-money laundering (AML) laws. If you are an exchange or custodian wallet provider, you are under the watchful eye of the Financial Conduct Authority (FCA). The landscape shifted dramatically with the full implementation of the Financial Services and Markets Act (FSMA) regime in early 2026. This transition replaced the old registration system with a comprehensive licensing framework, raising the stakes for compliance, transparency, and operational readiness.
The days of operating in a regulatory gray area are over. The UK government has moved from a 'registration' model to a 'licensing' model, aligning cryptoassets with traditional financial services oversight. For business owners, this means higher upfront costs, stricter due diligence protocols, and zero tolerance for oversight errors. Understanding these rules is not just about avoiding fines; it is about securing your license to operate in one of the world’s largest digital asset markets.
From MLR Registration to FSMA Licensing
Until recently, crypto businesses operated under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017). This required firms to register with the FCA for AML supervision. However, as of Q1 2026, the Financial Services and Markets Act 2000 Order 2025 has fully integrated cryptoasset activities into the broader financial services regulatory perimeter.
This shift eliminates the previous 'dual regulatory regime.' Previously, firms had to navigate separate pathways for AML registration and potential future authorization. Now, there is a single, unified licensing process. The FCA no longer just checks if you have basic AML policies; they assess your entire business model, governance structure, and systemic risk contribution. According to Norton Rose Fulbright, this consolidation is expected to reduce the number of regulated entities by 35-40% through industry consolidation, as smaller players struggle to meet the heightened capital and reporting requirements.
The practical impact is immediate. Firms that were merely 'registered' under the old MLR framework must now apply for full authorization under FSMA. The application process is more rigorous, requiring detailed evidence of senior management competence, robust IT infrastructure, and proven transaction monitoring capabilities. The average processing time for these new licenses remains around 9 months, so early preparation is critical.
Customer Due Diligence and the Travel Rule
At the heart of UK crypto AML compliance is Customer Due Diligence (CDD). You must identify and verify your customers using at least two independent sources. This is not a one-time check. Ongoing monitoring is mandatory, with records retained for five years. The FCA expects a risk-based approach, meaning higher-risk customers require Enhanced Due Diligence (EDD).
A major component of this is the Travel Rule, implemented in the UK in 2022. This rule mandates that for transactions exceeding £1,000, crypto businesses must collect and share specific information about both the originator and the beneficiary. This includes names, account numbers, and physical addresses. The goal is to prevent anonymous transfers that could facilitate money laundering or terrorist financing.
In 2025, draft amendment regulations introduced stricter Counterparty Due Diligence (CPDD) requirements. Aligned with FATF Recommendations 13 and 15, firms must now verify counterparties even if they are not direct customers. This creates a chain of custody for funds, ensuring that every link in the transaction chain is vetted. Failure to comply with Travel Rule obligations can result in significant penalties and reputational damage, as the FCA actively monitors cross-border data sharing.
| Requirement | Threshold/Standard | Implication |
|---|---|---|
| Transaction Reporting | >£1,000 | Must share originator/beneficiary details (Travel Rule) |
| Change in Control Notification | >10% shares/voting rights | Mandatory notification to FCA (stricter than EU's 20%) |
| Record Retention | 5 years | All CDD and transaction records must be accessible |
| Sanctions Screening | Real-time | Screen against 12+ global sanctions lists daily |
Ownership Transparency and Change in Control
One of the most significant changes in the 2025-2026 regulatory update is the lowering of the threshold for change in control notifications. Under the previous regime, firms only needed to notify the FCA if ownership changed by 25%. The new FSMA-aligned rules lower this to 10% of shares or voting rights.
This reflects the UK’s 'precautionary approach' to ownership transparency, as noted by legal experts at AO Shearman. The rationale is clear: illicit actors often use small stake acquisitions to gain influence without triggering regulatory scrutiny. By catching these changes earlier, the FCA can assess whether new investors pose a financial crime risk.
For founders and investors, this means tighter corporate governance. Any equity round, employee stock option exercise, or secondary sale that crosses the 10% mark requires immediate disclosure. Professor Nicholas Ryder of the University of Bristol has criticized this as creating 'unnecessary administrative burden,' but the FCA maintains that the benefit of preventing shell company manipulation outweighs the cost. Non-compliance here is treated seriously, as it obscures beneficial ownership-a key red flag in money laundering investigations.
Costs and Operational Challenges
Compliance is expensive. Data from March 2025 shows that crypto firms spent an average of £287,500 on initial compliance setup. Ongoing annual costs average £142,300 per firm. These figures include legal fees, technology procurement, and staff training. For startups, this is a substantial barrier to entry.
Technology integration is a major pain point. Firms need systems that can screen transactions against over 12 sanctions lists in real-time. The Office of Financial Sanctions Implementation (OFSI) reported that 41.6% of firms initially failed this requirement. Integrating blockchain analytics tools with traditional KYC systems often requires custom development, costing upwards of £185,000 according to industry reports.
Staffing is another challenge. The FCA mandates 35 hours of annual AML training per compliance staff member. Most firms (82.7%) use specialized AML training platforms to ensure consistency. Furthermore, the high failure rate during registration-87.3% of firms between 2020-2023-means many companies hire external consultants. One Reddit user reported spending over £500,000 in consultancy fees after 14 months of back-and-forth with the FCA.
Despite these costs, there is a silver lining. Registered and licensed firms report improved investor confidence. A 2025 survey by CryptoUK found that 73.4% of members acknowledged better access to institutional capital after achieving compliance status. The market is consolidating, with only 147 registered firms remaining as of June 2025, down from 184 the previous year. Those who survive the transition will operate in a cleaner, more trusted environment.
Looking Ahead: Regulatory Coherence
The transition to the FSMA regime is designed to create long-term stability. Dr. Sarah Breeden, Deputy Governor for Financial Stability at the Bank of England, described the alignment of MLRs with FSMA as a 'critical step toward regulatory coherence.' While the short-term pain is real, the long-term goal is to position the UK as a 'premium but selective' crypto jurisdiction.
HM Treasury’s Economic Crime Plan 2023-26 aims to reduce regulatory burden for compliant firms by 40% by 2027. This suggests that once the initial licensing hurdle is cleared, ongoing supervision will become more predictable and proportionate. For businesses already in the UK, the message is clear: invest in compliance now. The window for easy entry has closed, and the regulators are watching closely.
Do I still need to register with the FCA under the new FSMA rules?
No, simple registration is no longer sufficient. As of early 2026, cryptoasset businesses must apply for full authorization under the Financial Services and Markets Act (FSMA). This is a more rigorous licensing process that evaluates your entire business model, not just your AML policies. Existing registrants must transition to this new licensing framework within the timelines set by the FCA.
What is the Travel Rule threshold in the UK?
The Travel Rule applies to all crypto transactions exceeding £1,000. For these transactions, you must collect and share specific information about the originator and the beneficiary, including their names, account numbers, and physical addresses. This data must be transmitted securely to the receiving institution to maintain a clear audit trail.
How much does it cost to comply with UK crypto AML rules?
Initial compliance setup averages £287,500, while ongoing annual costs are approximately £142,300 per firm. These costs cover legal advice, compliance software, sanctions screening systems, and staff training. Many firms also hire external consultants, which can add hundreds of thousands of pounds to the total expense, especially if the first application is rejected.
When do I need to notify the FCA about a change in ownership?
Under the new FSMA-aligned rules, you must notify the FCA if there is a change in control involving more than 10% of shares or voting rights. This is stricter than the previous 25% threshold and is designed to ensure greater transparency regarding beneficial ownership and prevent illicit actors from gaining hidden influence in regulated firms.
What happens if my firm fails the FCA licensing assessment?
If your firm fails the assessment, you will not receive a license and cannot legally operate as a cryptoasset service provider in the UK. Historically, 87.3% of firms faced deficiencies in their initial applications, citing inadequate risk assessments and poor transaction monitoring. You may be allowed to reapply after addressing the specific issues raised, but this process can take many months and incur significant additional costs.