FCA Crypto Regulation: Registration, Financial Promotions, and the Digital Securities Sandbox

Overview

The Financial Conduct Authority (FCA) is the UK’s conduct regulator and the supervisory authority for cryptoasset businesses operating in the United Kingdom. The FCA’s crypto regulatory framework has developed through several distinct phases: AML registration from January 2020, financial promotions rules from October 2023, expanded powers under the Financial Services and Markets Act 2023, and the joint Digital Securities Sandbox established with the Bank of England in 2024.

The FCA’s approach to crypto regulation has been characterized by a demanding interpretation of AML compliance requirements, reflected in rejection rates that exceeded 80% for initial cryptoasset business applications between 2020 and 2023. This stringency — which drew significant industry criticism — has produced a registered firm population of higher average compliance quality than most international peer registries, at the cost of delayed market development for some UK-based crypto businesses.

AML Registration Framework (January 2020)

The FCA’s AML registration requirement for cryptoasset businesses derives from the UK’s implementation of the EU’s Fifth Anti-Money Laundering Directive (5AMLD) through the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended in 2019 to capture cryptoasset exchange providers and custodian wallet providers.

Under the regime, firms providing the exchange of cryptoassets for fiat currency, the exchange of one cryptoasset for another, custody and administration of cryptoassets, or the operation of a cryptoasset ATM must register with the FCA. Registration is not an authorization — it does not confer the right to conduct regulated investment business — but its absence constitutes a criminal offense.

The FCA’s AML registration process requires firms to demonstrate: effective AML and counter-terrorism financing (CTF) systems and controls, fit and proper management and ownership, adequate resources and operational resilience, and compliance with the Travel Rule (since September 2023). The FCA reviews applications against these criteria and may conduct on-site visits, interview senior personnel, and request extensive documentation of AML policies and procedures.

The 80%+ rejection rate reflected both genuine compliance deficiencies in many applicant firms and the FCA’s application of banking-grade AML standards to firms that had not previously been regulated at that level. The FCA’s temporary registration regime — which allowed firms to operate while their applications were assessed — was progressively restricted, with repeated tightening of the criteria for remaining on the temporary register.

Financial Promotions Rules (October 2023)

In October 2023, the FCA implemented the cryptoasset financial promotions regime — bringing cryptoasset marketing communications within the scope of the financial promotions restriction in Section 21 of the Financial Services and Markets Act 2000 (FSMA). The restriction makes it a criminal offense to communicate a financial promotion unless the communicator is FCA-authorized, or the promotion has been approved by an FCA-authorized person.

The FCA’s cryptoasset financial promotions rules require: clear risk warnings on all cryptoasset promotions (including standardized warnings that the investment can result in total loss), a cooling-off period for first-time investors, a ban on incentive offers (sign-up bonuses, referral incentives) in direct-offer promotions, prohibition of predictions of future performance, and classification of cryptoassets as a “Restricted Mass Market Investment” category subject to the most rigorous consumer-facing rules.

The practical effect was immediate and significant. Several major international exchanges — including Binance — withdrew from UK-accessible marketing following the October 2023 implementation date rather than implement the required compliance infrastructure within the mandated timeframe. Other exchanges invested heavily in systems to categorize UK users and apply UK-specific promotions rules to their communications, effectively creating separate UK compliance tracks within their global operations.

The financial promotions regime applies regardless of where the promoting firm is located: a firm incorporated in Singapore that sends promotional communications to UK consumers is subject to the UK financial promotions restriction. This extraterritorial application is one of the most consequential aspects of the FCA’s regime for international platforms with UK user bases.

FSMA 2023 and Full Regulatory Powers

The Financial Services and Markets Act 2023 (FSMA 2023) designated cryptoassets as a new regulated activity category under FSMA 2000, giving the FCA powers to make rules requiring cryptoasset businesses to obtain FCA authorization (rather than merely registration) to conduct specified crypto activities in the UK. This represents a significant expansion from the AML registration regime — full authorization requirements impose capital, governance, conduct, and market integrity obligations analogous to those applicable to traditional investment firms.

The FCA is developing specific authorization rules for cryptoasset businesses under FSMA 2023 powers, with a phased implementation timeline that is expected to extend through 2025-2026. Firms currently registered for AML purposes will need to apply for full authorization when the relevant rules come into force.

Digital Securities Sandbox: Joint FCA and Bank of England Initiative

The Digital Securities Sandbox (DSS) was established in 2024 as a joint initiative between the FCA and the Bank of England, implementing the powers granted under the Financial Services and Markets Act 2023. The DSS creates a legal space in which firms can operate DLT-based securities settlement and custody infrastructure with temporary modifications to the Financial Services and Markets Act 2000, the Companies Act, and other primary legislation that would otherwise prevent DLT settlement systems from achieving legally recognized finality.

The DSS’s legal structure allows the FCA and Bank of England to grant sandbox entrants exemptions from or modifications to the Financial Market Infrastructure Special Administration Regime, the UK CSDR equivalents, and other legislation, enabling genuinely novel institutional DLT infrastructure to operate with legal certainty before permanent legislative reform is completed.

The first cohort of DSS firms — announced in 2024 — included eight businesses across custody, settlement, and tokenization categories. The DSS runs for a five-year period, at the end of which the FCA and Bank of England must report to HM Treasury on whether the activities of sandbox firms should be permitted under permanent legislation, and if so, what legislative changes are required.

For compliance officers at firms considering DSS entry, the key requirements are: demonstrated institutional-grade operational resilience, a credible plan for how the firm’s activities would operate under permanent regulation, financial resources sufficient to wind down in an orderly manner if the sandbox is not converted to permanent authorization, and engagement with FCA and Bank of England supervision throughout the sandbox period.

Travel Rule Implementation (September 2023)

The UK implemented the Financial Action Task Force (FATF) Travel Rule for cryptoasset transfers in September 2023, requiring UK-registered cryptoasset businesses to collect, verify, and transmit originator and beneficiary information for transfers of GBP 1,000 or more (aligned with the wire transfer threshold rather than the lower FATF recommended threshold used by some jurisdictions). The implementation gave firms a phased period to develop sunrise period compliance, recognizing that Travel Rule information exchange requires counterparty VASP cooperation.

The FCA’s Travel Rule implementation guidance specifies the data fields required, the verification standards applicable to beneficiary information, the treatment of transfers to unhosted wallets, and the record-keeping obligations. Firms must implement technical solutions — such as those provided by Notabene, Sygna, or VerifyVASP — capable of exchanging Travel Rule information with counterparty VASPs in FATF-member jurisdictions before initiating transfers above the threshold.

Further Resources

• ESMA — European Counterpart Regulation
• MiCA Regulation Overview
• Jurisdiction Profiles — United Kingdom
• Tokenization Licensing Overview