UK FCA Crypto Exchange Authorization Requirements 2025

Running a crypto exchange in the United Kingdom means navigating two overlapping regulatory regimes. First, you need to be on the right side of the Money Laundering Regulations (MLR). Then, you must prepare for the upcoming Financial Services and Markets Act 2000 (FSMA) authorization that will cover a broader set of activities. This guide walks you through every step, from the initial registration to the future licensing landscape, so you can keep your platform compliant and avoid costly delays.

TL;DR

• All UK‑based crypto exchanges must register with the FCA under the MLR - the baseline hurdle.
• From 2026 onward, many exchange activities will need full FSMA authorisation (trading platform, dealing, arranging, safeguarding, staking, stablecoins).
• Overseas platforms serving UK retail users also need UK authorisation unless they work through a UK‑authorised intermediary.
• Key compliance artefacts: JMLSG AML guidelines, FCA Financial Crime guide, CASS audit plan, detailed governance and capital policies.
• Start early: schedule a pre‑application meeting, build a dedicated compliance team, and keep documentation ready for both regimes.

Current Baseline: MLR Registration

FCA is the United Kingdom’s financial regulator, responsible for supervising firms that offer crypto‑related services. Under the Money Laundering Regulations (MLR), any crypto‑asset exchange provider or custodian wallet provider must register with the FCA before serving UK consumers.

The registration process, running since January2020, has four possible outcomes: approval, rejection, withdrawal, or refusal. The FCA expects:

• Robust AML/CTF policies matching the Joint Money Laundering Steering Group (JMLSG) sector‑specific guidance (PartII, Chapter22).
• Evidence of customer due‑diligence, risk‑based assessments, and procedures for politically exposed persons (FCA Guidance FG17/6).
• Clear governance, senior management responsibility, and a designated Money‑Laundering Reporting Officer.

Failure to register-or to maintain the registration standards-means the FCA can enforce civil penalties, restrict business activities, or even issue a cease‑and‑desist order.

Future Landscape: FSMA Authorization

Starting sometime in 2026, the FCA will shift many crypto activities into a full FSMA authorisation regime. The draft legislation identifies five core regulated activities that will require FCA permission:

1. Operating a qualifying crypto‑asset trading platform (QCAP).
2. Dealing in qualifying crypto‑assets as principal.
3. Dealing in qualifying crypto‑assets as agent.
4. Arranging deals in qualifying crypto‑assets.
5. Safeguarding qualifying crypto‑assets and specified investment crypto‑assets.

Two additional activities-qualifying crypto‑asset staking and issuing qualifying stablecoins-will each have their own authorisation route.

When the FCA authorises a firm, it will apply the same Threshold Conditions (COND), General Provisions (GEN) and Principles for Businesses (PRIN) that govern traditional financial services. Notably, Principles 1, 2, 6 and 9 are partially dis‑applied for transactions executed on a QCAP, reflecting the platform’s supervisory role over trading rules.

Territorial Scope - Who Needs UK Permission?

The new FSMA rules extend FCA reach beyond UK‑incorporated firms. Any overseas crypto‑asset business that directly or indirectly serves UK retail customers must obtain UK authorisation for the five core activities listed above.

There is a key exception: if the overseas firm works through a UK‑authorised intermediary that already holds the necessary permissions, the foreign entity does not need a separate licence. This prevents a never‑ending chain of authorisations.

Institutional clients are treated differently. An overseas platform serving only UK institutional investors (e.g., pension funds, asset managers) can operate without UK authorisation, provided those clients are not acting as intermediaries for retail users.

Stablecoin Issuance - A Physical‑Presence Test

Stablecoins fall under a distinct regulatory pathway. A firm must be established in the United Kingdom to issue a qualifying stablecoin. The FCA therefore applies a physical‑presence test rather than the consumer‑focus test used for exchange activities. This means a foreign‑based stablecoin issuer can sell its token to UK consumers only if it has a UK entity that holds the authorisation.

Stablecoin issuers will also face the CASS audit regime (see below), ensuring that the reserves backing the token are segregated, audited annually, and meet the FCA’s capital adequacy expectations.

Compliance Checklist - Documents & Evidence You’ll Need

Whether you are filing an MLR registration now or preparing an FSMA application later, the FCA expects a comprehensive compliance package. Below is a practical checklist:

• Governance: Board charter, senior management responsibilities, risk‑management framework.
• AML/CTF Programme: Policies aligned with JMLSG guidance, transaction monitoring system, PEP screening procedures.
• Financial Crime Documentation: FCA Financial Crime guide adherence, FATF VASP guidance implementation, suspicious activity reporting process.
• Custody & Safeguarding: CASS audit plan, segregation of client assets, proof of insurance or capital buffers.
• Technical Specification: Details of the trading engine, order‑matching rules, latency controls, and audit trails.
• Capital & Liquidity: Evidence of meeting the FCA’s minimum capital requirements for the specific activity (e.g., §31(2) for custodians).
• Consumer Protection: Dispute‑resolution procedures, complaint handling policy, terms of service in plain language.
• Professional Conduct: Policies covering market abuse, insider dealing, and manipulation detection.

All documents must be signed by a senior officer and submitted in a machine‑readable format (PDF or Excel). The FCA also allows a pre‑application meeting to discuss any gaps before the formal submission.

Side‑by‑Side: Current Registration vs Future Authorisation

Practical Steps to Secure Authorisation

1. Self‑Assessment: Map every service you provide against the FCA’s regulated activity list. Identify gaps.
2. Engage a Specialist: Hire or contract a compliance consultancy with FCA experience. They can help draft policies that satisfy both JMLSG and FSMA PRIN adjustments.
3. Prepare Documentation: Use the checklist above. Keep a version‑controlled repository (e.g., SharePoint) to track changes.
4. Request a Pre‑Application Meeting: Submit a short brief to the FCA’s Crypto Desk. This saves time by surfacing issues early.
5. Submit the Application: For MLR, use the FCA’s online portal. For FSMA, expect a larger dossier - include governance, technical, and risk‑management sections.
6. Post‑Approval Tasks: Implement the FCA’s supervisory reporting schedule, set up a CASS audit schedule, and train staff on the updated Principles for Businesses.

Remember, the FCA can ask for additional information at any stage, so keep your evidence ready for rapid response.

Next‑Step Troubleshooting

If your application stalls, consider these common culprits:

• Insufficient AML Controls: The FCA often rejects when transaction monitoring cannot capture rapid crypto‑to‑fiat flows. Upgrade your system to include real‑time blockchain analytics.
• Missing Senior Personnel Fit‑and‑Proper Evidence: Submit CVs, background checks, and conflict‑of‑interest declarations for all senior officers.
• Unclear Custody Arrangements: Provide detailed segregation diagrams, third‑party custodian contracts, and proof of insurance.
• Technical Gaps in Order‑Matching Logic: Offer test‑case logs showing compliance with market‑abuse rules.

Addressing these points quickly often turns a “refusal” into an “approval” on the next round.

Frequently Asked Questions

Do I need both MLR registration and FSMA authorisation?

Yes. Until the FSMA regime fully kicks in, the MLR registration remains the legal baseline. Once you obtain FSMA permission for a specific activity, you still retain the MLR registration, but the authorisation becomes the dominant compliance framework for that activity.

Can an overseas exchange avoid UK authorisation by using a UK‑based partner?

If the UK partner is a fully authorised intermediary (holding the relevant FSMA permission), the foreign exchange can operate without a separate licence. The partnership must be documented, and the UK intermediary remains responsible for consumer protection.

What are the capital requirements for a crypto‑custodian under FSMA?

The FCA proposes a minimum tangible capital of €1million (or the local equivalent) for custodians, plus additional buffers based on the value of client assets held. The exact figure will be set in the final rulebook.

How often must a CASS audit be performed?

At least once every 12months. The audit must be carried out by an FCA‑approved independent auditor and cover segregation, valuation, and insurance of client crypto assets.

When will the FSMA crypto authorisation regime become effective?

The FCA expects the regime to be operational in early 2026, following the final consultation on technical standards. Firms should aim to submit applications in 2025 to avoid a compliance gap.