FCA Crypto Authorization Requirements: A Guide for Exchanges
Running a crypto exchange in the UK isn't as simple as launching a website and opening a wallet. If you want to operate legally, you have to deal with the Financial Conduct Authority (FCA), which is the regulatory body responsible for overseeing financial markets and firms in the United Kingdom. For years, the barrier to entry was mostly about money laundering, but the rules are shifting toward a much more rigorous financial services model. Whether you're a homegrown UK startup or a global giant eyeing the London market, ignoring these requirements is a fast track to getting your business shut down or facing heavy fines.
The Baseline: MLR Registration
Before the fancy new laws, there was the Money Laundering Regulations (MLRs). Since January 2020, any business acting as a cryptoasset exchange provider or a custodian wallet provider in the UK has had to register with the FCA. Think of this as the "entry permit." If you aren't registered under the MLRs, you essentially can't touch UK customers legally.
The registration process isn't a formality; it's a gauntlet. The FCA doesn't just want to see your ID; they want to know exactly how you stop criminals from washing money through your platform. You'll need to prove you've read and implemented the guidance from the Joint Money Laundering Steering Group (JMLSG), specifically the sections dedicated to cryptoassets. When you apply, the FCA will either approve you, reject you, or ask you to withdraw if your paperwork is a mess.
The Big Shift: FSMA Authorization
The game is changing with the Financial Services and Markets Act 2000 (FSMA). While MLR registration was about fighting crime, FSMA is about FCA crypto authorization and protecting the financial system. This moves crypto from a "special case" of money laundering into the same regulatory bucket as traditional banks and stockbrokers.
Under this new regime, the FCA has identified five core activities that now require full authorization. If your exchange does any of these, you're in scope:
- Operating a qualifying cryptoasset trading platform.
- Dealing in qualifying cryptoassets as a principal (acting as the market maker).
- Dealing in qualifying cryptoassets as an agent (matching buyers and sellers).
- Arranging deals in qualifying cryptoassets.
- Safeguarding qualifying cryptoassets.
This means you can't just "be an exchange"; you have to specify exactly which roles you're playing. If you're also into staking or issuing stablecoins, those are separate regulated activities with their own sets of rules.
| Feature | MLR Registration | FSMA Authorization |
|---|---|---|
| Primary Goal | Anti-Money Laundering (AML) | Market Integrity & Consumer Protection |
| Focus Area | Crime prevention/Terrorist financing | Prudential standards, conduct, and safeguarding |
| Scope | Exchange & Custodian services | Trading platforms, dealing, staking, and stablecoins |
| Requirement | Baseline registration | Full regulatory permission (Part 4A) |
Does This Apply to Overseas Exchanges?
Many platforms think that because their servers are in the Seychelles or Singapore, they can ignore the FCA. That's a dangerous assumption. The FCA's territorial scope is designed to protect UK consumers, regardless of where the company is based. If you are actively serving retail customers in the UK, you generally need authorization.
There is a key distinction here between retail and institutional clients. If you only provide services to UK institutional customers (like hedge funds or big banks), you might be exempt from authorization for trading and dealing activities, as long as those institutions aren't just acting as middlemen for retail users. However, if you're offering a "buy" button to a regular person in Manchester, you're under the FCA's thumb.
One clever workaround the FCA allows is the use of authorized intermediaries. If an overseas firm works through a UK-authorized partner that already has the necessary permissions, the overseas firm might not need its own separate authorization. This prevents a messy chain of endless permits for every single partner in a trade.
Special Rules for Stablecoins
Stablecoins are treated differently. Unlike trading platforms, which are regulated based on who the customer is, the issuance of qualifying stablecoins is based on where the business is. You only need UK authorization for issuing stablecoins if you are carrying out that activity from an establishment located physically within the United Kingdom.
This "physical presence test" means a foreign stablecoin project can be used by UK citizens without the issuer needing a UK license, provided they don't have an office or a legal base on British soil. It's a much more relaxed approach than the one applied to exchanges.
Standards of Conduct and Supervision
Once you're authorized, you don't just get a badge and go back to work. You are subject to the same high-level standards as any other financial firm. This includes Threshold Conditions (COND), which ensure you have the right financial resources and fitness to run a business, and General Provisions (GEN).
The FCA also uses the "Principles for Businesses" (PRIN). However, they've tweaked these for crypto. For instance, some rules about "customers' interests" (Principle 6) are relaxed for professional clients or specific trading platform transactions, acknowledging that pros know the risks better than a retail hobbyist.
Supervision is where the rubber meets the road. The FCA has the power to appoint "skilled persons" to audit your books, demand information on a whim, and enforce strict CASS audit requirements. CASS refers to the rules for safeguarding client assets; basically, you can't gamble with your users' funds or mix them with your own operational cash.
Recent Shifts: The Return of Crypto ETNs
The FCA isn't just about restrictions; they occasionally pivot. A great example is the shift regarding Crypto Exchange-Traded Notes (cETNs). Back in 2021, the FCA banned the sale of crypto derivatives and ETNs to retail clients. But as of October 8, 2025, they've reversed this. Retail investors can now access these products, provided they trade on an FCA-approved, UK-based Recognised Investment Exchange. This move shows a growing acceptance of crypto as a legitimate asset class, provided the infrastructure is safe.
How to Apply Without Getting Rejected
Applying for authorization is an exercise in documentation. You can't just tell the FCA you're compliant; you have to prove it. Your application needs to be a direct response to a set of high-standard guides. If you haven't referenced the following, your application will likely be tossed:
- The FATF VASP Guidance (Virtual Asset Service Providers).
- The FATF risk-based approach for money laundering.
- FCA Guidance FG17/6 on how to handle Politically Exposed Persons (PEPs).
- The FCA Financial Crime guide for firms.
Pro tip: Don't fly blind. The FCA offers pre-application meetings. Use them to gauge if your business model is even acceptable to them before you spend thousands on legal fees for a formal application.
Do I need FCA authorization if I only serve institutional clients in the UK?
Generally, no. Overseas crypto firms serving only UK institutional customers are often exempt from authorization for trading and dealing activities, provided those institutions aren't acting as intermediaries for retail consumers. However, this doesn't apply to safeguarding or staking services.
What is the difference between MLR registration and FSMA authorization?
MLR registration is a baseline requirement focused on anti-money laundering (AML) and combating the financing of terrorism. FSMA authorization is a deeper, more comprehensive process that regulates the actual financial conduct, consumer protection, and operational stability of the firm.
Can an overseas exchange operate in the UK via a partner?
Yes. If an overseas firm deals with UK consumers through a UK-authorized intermediary that already possesses the necessary permissions, the overseas firm may not be required to seek separate authorization.
Who counts as a "consumer" under FCA rules?
A consumer is defined as an individual acting for purposes outside of any trade, business, or profession. Essentially, this refers to retail investors rather than professional traders or entities.
What happens if my application for authorization is refused?
The FCA has four primary outcomes for applications: approval, rejection, withdrawal, or refusal. If refused, you will typically receive a reason based on your failure to meet Threshold Conditions or provide sufficient evidence of AML compliance.
Next Steps for Exchange Operators
If you're already registered under the MLRs, your priority should be a gap analysis. Look at your current operations and see which of the five FSMA regulated activities you're performing. You'll likely need to upgrade your compliance framework to meet the a-la-carte requirements of a full financial services license.
For those just starting, start with the JMLSG guidance. It's the gold standard for AML in the UK. If you can't master the AML part, you'll never get past the first gate, let alone reach the FSMA authorization stage. Finally, keep an eye on the CASS audit requirements; safeguarding client assets is the most scrutinized part of the current supervisory approach.
