The Cryptoassets Regulations come into force on 25 October 2027.
Practical Takeaways
The responses cover a number of areas for firms to consider before the cryptoasset regime comes into force, including:
- Regulatory perimeter, regimes and transition: The FCA makes clear that there will be no automatic conversion from MLR registration and that firms will need to obtain FCA authorisation. Firms that already authorised under the Financial Services and Markets Act 2000 (FSMA) for other regulated activities will need to vary their existing permissions if they wish to offer one of the new cryptoasset regulated activities. The FCA will start accepting applications for authorisation under FSMA from 30 September 2026. The FCA encourages new firms to focus on securing authorisation under FSMA rather than applying for MLR registration. That said, firms that still wish to apply for MLR registration after 30 September 2026 should contact the FCA’s Pre-application Support Service (PASS) to explain their plans and rationale.
- AML governance, MLRO and senior management arrangements: Firms seeking FSMA authorisation must comply with FCA expectations regarding governance, leadership and resourcing. The FCA expects firms to demonstrate clear senior ownership and accountability for financial crime risk management, effective escalation routes, and management information that enables sufficient oversight, in line with the FCA’s Senior Management Arrangements, Systems and Controls (SYSC) 3. Individuals in key AML roles, including the Money Laundering Reporting Officer (MLRO), must be competent and appropriately experienced for the activities and risks in scope, and have sufficient time and resources to discharge their responsibilities effectively.
- AML framework design, documentation and risk: The FCA expects firms to maintain a risk-based AML framework that is proportionate and tailored to the firm’s cryptoasset activities. The business-wide risk assessment (BWRA) is described as a foundational document, which should be in place before a firm seeks registration or authorisation and should be kept up to date whenever there are material changes for example, new products, customer types, geographies, delivery channels, or changes to transaction flow. Firms may use templates as a starting point, but policies and procedures must be appropriately tailored and embedded in day-to-day operations.
- Crypto-specific risk assessment: The FCA expects firms to demonstrate how the BWRA drives their customer due diligence, monitoring and wider control framework. The BWRA should consider products and services offered, customer types and expected use cases, geographic exposure, delivery channels, transaction risk, and how the firm interacts with third parties or counterparties.
- Transaction monitoring, blockchain analytics and surveillance: Where firms use blockchain analytics or transaction monitoring tools (whether in-house or third-party), they should be able to explain why the solution is appropriate, what it covers and does not cover, how it is configured, the outcomes it produces, and how effectiveness is tested and overseen.
- Travel Rule and information sharing: The Travel Rule obligations form part of the MLRs and operate concurrently with the new FSMA regime. Firms should consider whether their activities bring them within scope of the MLRs, with Travel Rule applicability assessed on a firm-by-firm basis taking account of the firm’s individual business and operating model.
- Sanctions, fraud and broader financial crime controls: The FCA expects firms to recognise that AML, CTF, CPF controls sit alongside other relevant financial crime obligations and risks, including sanctions and fraud. This should be reflected in governance, risk assessments, monitoring and escalation processes, and in how controls operate end-to-end.
- Operational resilience and cross-border considerations: The FCA expects firms to recognise the close links between operational resilience and financial crime controls. Firms should demonstrate how they have identified their important business services and, where they rely on common infrastructure or concentrated third-party providers, consider the operational resilience and financial crime implications of those dependencies.
- Cross-border activity and international alignment: The FCA notes that firms operating across multiple jurisdictions should ensure their UK AML framework meets UK regulatory requirements and is implemented effectively in respect of UK in-scope activity, regardless of where group policies, systems, or overseas operations are located.

