TOKENIZATION COMPLIANCE
The Vanderbilt Terminal for Global Tokenization Regulation
INDEPENDENT INTELLIGENCE FOR DIGITAL ASSET COMPLIANCE

FCA Crypto Asset Registration: How to Navigate the UK's Notoriously Difficult Process

The FCA has rejected or withdrawn more than 80% of initial crypto registration applications. Understanding what the FCA actually looks for — and what it immediately rejects — is the difference between a 12-month approval and a permanent withdrawal.

The FCA’s Crypto Registration Regime: Current Status

The UK’s Financial Conduct Authority operates a two-layer crypto regulatory framework. The current layer — AML registration under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) — governs cryptoasset exchange providers and custodian wallet providers that operate in or from the UK.

The forthcoming layer — full authorization under the Financial Services and Markets Act 2000 as amended by the Financial Services and Markets Act 2023 — will impose capital adequacy, conduct of business, and operational resilience requirements comparable to those applied to investment firms. The FCA is consulting on these rules through 2025–2026, with full authorization expected to be required from 2026–2027 onward.

For compliance officers planning a UK market entry strategy in 2026, the immediate question is FCA AML registration. But planning must account for the forthcoming authorization regime; firms that get AML registration now will face a separate authorization process within 18–24 months.

FCA rejection rate: 80%+ of initial applications rejected or withdrawn, cumulative 2020–2025 (FCA data)

AML Registration vs. Full Authorization: Understanding the Difference

AML Registration (current regime) covers:

  • Cryptoasset exchange providers: businesses that exchange fiat for cryptoassets or cryptoassets for cryptoassets
  • Custodian wallet providers: businesses that hold or safeguard cryptoassets or the private keys controlling cryptoassets on behalf of clients

AML registration does not grant a permission to conduct regulated financial services. It means the FCA is satisfied that the firm has adequate AML/CFT systems and controls in place. Registered firms can operate legally under UK law, but they do not hold a regulated firm permission.

Full Authorization (forthcoming) will:

  • Require capital adequacy (expected to align with IFPRU/BIPRU frameworks depending on activity)
  • Impose detailed conduct of business rules for retail and professional client interactions
  • Apply operational resilience requirements under the FCA’s published rules
  • Require Consumer Duty compliance for retail-facing services
  • Cover a broader set of cryptoasset activities than the current AML registration scope

Firms currently AML-registered will need to apply for full authorization; AML registration will not automatically convert. The FCA has signaled that firms with a clean AML registration history will have a smoother path to authorization, but the process will be separate.

The 80%+ Rejection Reality

Between 2020 and 2025, the FCA received over 300 cryptoasset registration applications. Fewer than 20% proceeded to registration; the remainder were either rejected outright or withdrawn by the applicant after receiving the FCA’s assessment of deficiencies.

The FCA is explicit about what it is looking for and equally explicit about the standards it holds. This is not a jurisdiction where a well-resourced legal team can overcome substantive deficiencies in a firm’s AML framework. The FCA’s reviewers — many with backgrounds in major bank AML compliance — know what adequate looks like.

The primary rejection categories are:

1. Inadequate Money Laundering Risk Assessment. Every registered firm must conduct a firm-wide money laundering risk assessment. The FCA expects this to be granular, product-specific, and customer-type specific. A two-page generic risk assessment will be returned. The FCA expects firms to identify their specific high-risk customer types, transaction patterns, geographies, and products — and to demonstrate that the risk controls are commensurate with the assessed risks.

2. Inadequate AML Policies and Procedures. The FCA expects CDD and EDD procedures to specify exactly what documents are required from which customer types, what screening databases are used, what the refresh frequency is for ongoing monitoring, and how the firm escalates alerts. Policies that defer to “applicable law” without specifying the actual procedure are insufficient.

3. Responsible Person Not Fit for Purpose. The Nominated Officer (MLRO equivalent for MLR-registered firms) must have relevant experience. The FCA has rejected applications where the proposed Responsible Person is a lawyer or accountant with no AML operational experience, or where the person clearly cannot dedicate sufficient time to the role given their other responsibilities.

4. Technology Systems Not Described in Sufficient Detail. The FCA wants to know what transaction monitoring system the firm uses, what the alert rules are, how many alerts were generated during testing, and what the disposition rate is. Firms that describe their transaction monitoring in vague terms without specifying the actual system and its configuration have consistently failed.

5. Beneficial Ownership Opacity. Complex corporate structures with multiple layers of holding companies and nominee shareholders make the FCA’s UBO assessment more difficult. The FCA expects clean, demonstrable UBO chains. Structures that appear designed to obscure ownership are red flags that can cause rejection on their own.

What the FCA Actually Wants: The Substance Test

The FCA has described its assessment approach as substance-based: it wants to see that the firm’s AML framework genuinely controls money laundering and terrorist financing risk, not that the firm has produced documents that check regulatory boxes.

Practically, this means:

Board involvement must be real. The FCA expects the board (or equivalent governance body) to have received and discussed the firm-wide risk assessment. Minutes of that discussion should exist. The board should be able to demonstrate understanding of the firm’s key AML risks.

The MLRO must be senior. The Nominated Officer/MLRO should have direct access to senior management and the board. If the MLRO role is buried in a compliance team several layers below the board, the FCA will question whether the governance structure is adequate.

Testing and monitoring must have occurred. For firms with any operational history, the FCA expects evidence of actual transaction monitoring activity: alerts generated, investigated, and escalated as appropriate. A new firm without operational history must demonstrate how its systems will work through simulation or testing.

Training records must exist. AML training must be documented for all relevant staff. The FCA will ask for training completion records, training materials, and how training is updated to reflect evolving risks.

The Application Process: Step by Step

Step 1: Application via Connect

The FCA application is submitted through Connect, the FCA’s online portal. The application fee is £2,000 (non-refundable, regardless of outcome).

The application requires:

  • Business description and activities sought
  • Corporate structure and beneficial ownership information
  • Details of the Responsible Person (Nominated Officer)
  • AML/CFT policies and procedures
  • Firm-wide risk assessment
  • Customer types and due diligence approach
  • Technology systems description
  • Financial statements or projections

Step 2: FCA Review and Information Requests

The FCA does not have a statutory deadline for processing MLR registration applications (unlike the MiCA NCA 3-month window). In practice, initial review can take 6–12 months before the FCA issues its assessment.

The FCA typically issues a Request for Information (RFI) listing deficiencies it has identified. Firms have a specified period to respond. Multiple rounds of RFI are common — each round adds to the timeline.

Step 3: Decision

The FCA issues a decision notice granting or refusing registration. If refused, the firm may appeal to the Upper Tribunal (Tax and Chancery Chamber). Few firms appeal FCA crypto registration refusals.

Application fee: £2,000, non-refundable regardless of outcome (FCA MLR registration fee)

Financial Promotions Compliance: October 2023 Regime

Since 8 October 2023, all financial promotions in relation to cryptoassets communicated to UK persons must either be:

  • Made or approved by an FCA-authorized person
  • Made by an FCA-registered cryptoasset business (for its own promotions only)
  • Exempt under the Financial Promotions Order

This rule applies regardless of where the firm promoting the cryptoasset is incorporated. A US firm advertising a Bitcoin fund to UK retail investors via social media is communicating a financial promotion and must comply with the UK rules.

The practical requirements include:

  • Mandatory risk warnings on all cryptoasset promotions
  • Prohibition on certain incentives (refer-a-friend bonuses, “new joiner” promotions)
  • 24-hour cooling-off period for first-time retail clients
  • Personalised risk warnings for clients who have not invested in cryptoassets before
  • Client categorization prior to access to high-risk investment promotions

The FCA has issued multiple enforcement actions since October 2023 for non-compliant financial promotions, including against offshore firms marketing to UK consumers. The FCA publishes a list of firms it has warned, which has reputational consequences disproportionate to any formal sanction.

Travel Rule Requirements

The UK implemented FATF Recommendation 16 (the Travel Rule) for cryptoasset transfers through the amended MLRs, effective September 2023. All FCA-registered cryptoasset businesses must collect and transmit originator and beneficiary information on cryptoasset transfers above £1,000 (or the equivalent in other currencies).

Required originator information:

  • Name
  • Account number / wallet address
  • Geographic address, national identity number, customer identification number, or date and place of birth

Required beneficiary information:

  • Name
  • Account number / wallet address

For transfers to unhosted wallets (self-custodied addresses), the FCA expects firms to apply a risk-based approach: higher-value transfers to unhosted wallets require additional customer information about the purpose of the transfer and the customer’s relationship to the wallet address.

Technical solutions for Travel Rule compliance include TRISA (Travel Rule Information Sharing Architecture), Notabene, Sygna Bridge, and OpenVASP. The Travel Rule compliance guide covers these in detail.

The Digital Securities Sandbox

The Financial Services and Markets Act 2023 established the Digital Securities Sandbox (DSS), operated jointly by the FCA and Bank of England. The DSS permits firms to test the use of digital ledger technology (DLT) for the issuance, trading, and settlement of securities within a temporary legal modification — in effect, allowing sandbox participants to operate under a modified regulatory framework for a defined period.

The DSS is relevant to tokenization platforms because it provides a route to testing tokenized security infrastructure in the UK without requiring full regulatory authorization upfront. Sandbox participants operate under FCA/BoE oversight but within a modified regulatory framework that accommodates DLT-based settlement.

Key features:

  • Applications assessed by FCA and Bank of England jointly
  • Participants receive a sandbox license that permits defined activities within defined limits
  • Regulatory feedback through the sandbox may inform the firm’s eventual full authorization application
  • No guarantee of full authorization following sandbox participation

The DSS represents the UK’s recognition that its post-Brexit financial services regulatory framework needs to accommodate technological innovation. For tokenization platforms uncertain whether their business model fits cleanly within existing UK financial services categories, the DSS may offer a more productive entry point than an MLR registration application.

Further information: FCA cryptoasset firms guidance