FCA Crypto Authorization Requirements: A Guide for Exchanges
Running a crypto exchange in the UK isn't as simple as launching a website and opening a wallet. If you want to operate legally, you have to deal with the Financial Conduct Authority (FCA), which is the regulatory body responsible for overseeing financial markets and firms in the United Kingdom. For years, the barrier to entry was mostly about money laundering, but the rules are shifting toward a much more rigorous financial services model. Whether you're a homegrown UK startup or a global giant eyeing the London market, ignoring these requirements is a fast track to getting your business shut down or facing heavy fines.
The Baseline: MLR Registration
Before the fancy new laws, there were the Money Laundering Regulations (MLRs). Since January 2020, any business acting as a cryptoasset exchange provider or a custodian wallet provider in the UK has had to register with the FCA. Think of this as the "entry permit." If you aren't registered under the MLRs, you essentially can't touch UK customers legally.
The registration process isn't a formality; it's a gauntlet. The FCA doesn't just want to see your ID; they want to know exactly how you stop criminals from washing money through your platform. You'll need to prove you've read and implemented the guidance from the Joint Money Laundering Steering Group (JMLSG), specifically the sections dedicated to cryptoassets. When you apply, the FCA will either approve you, reject you, or ask you to withdraw if your paperwork is a mess.
The Big Shift: FSMA Authorization
The game is changing with the Financial Services and Markets Act 2000 (FSMA). While MLR registration was about fighting crime, FSMA is about FCA crypto authorization and protecting the financial system. This moves crypto from a "special case" of money laundering into the same regulatory bucket as traditional banks and stockbrokers.
Under this new regime, the FCA has identified five core activities that now require full authorization. If your exchange does any of these, you're in scope:
- Operating a qualifying cryptoasset trading platform.
- Dealing in qualifying cryptoassets as a principal (acting as the market maker).
- Dealing in qualifying cryptoassets as an agent (matching buyers and sellers).
- Arranging deals in qualifying cryptoassets.
- Safeguarding qualifying cryptoassets.
This means you can't just "be an exchange"; you have to specify exactly which roles you're playing. If you're also into staking or issuing stablecoins, those are separate regulated activities with their own sets of rules.
| Feature | MLR Registration | FSMA Authorization |
|---|---|---|
| Primary Goal | Anti-Money Laundering (AML) | Market Integrity & Consumer Protection |
| Focus Area | Crime prevention/Terrorist financing | Prudential standards, conduct, and safeguarding |
| Scope | Exchange & Custodian services | Trading platforms, dealing, staking, and stablecoins |
| Requirement | Baseline registration | Full regulatory permission (Part 4A) |
Does This Apply to Overseas Exchanges?
Many platforms think that because their servers are in the Seychelles or Singapore, they can ignore the FCA. That's a dangerous assumption. The FCA's territorial scope is designed to protect UK consumers, regardless of where the company is based. If you are actively serving retail customers in the UK, you generally need authorization.
There is a key distinction here between retail and institutional clients. If you only provide services to UK institutional customers (like hedge funds or big banks), you might be exempt from authorization for trading and dealing activities, as long as those institutions aren't just acting as middlemen for retail users. However, if you're offering a "buy" button to a regular person in Manchester, you're under the FCA's thumb.
One clever workaround the FCA allows is the use of authorized intermediaries. If an overseas firm works through a UK-authorized partner that already has the necessary permissions, the overseas firm might not need its own separate authorization. This prevents a messy chain of endless permits for every single partner in a trade.
Special Rules for Stablecoins
Stablecoins are treated differently. Unlike trading platforms, which are regulated based on who the customer is, the issuance of qualifying stablecoins is based on where the business is. You only need UK authorization for issuing stablecoins if you are carrying out that activity from an establishment located physically within the United Kingdom.
This "physical presence test" means a foreign stablecoin project can be used by UK citizens without the issuer needing a UK license, provided they don't have an office or a legal base on British soil. It's a much more relaxed approach than the one applied to exchanges.
Standards of Conduct and Supervision
Once you're authorized, you don't just get a badge and go back to work. You are subject to the same high-level standards as any other financial firm. This includes Threshold Conditions (COND), which ensure you have the right financial resources and fitness to run a business, and General Provisions (GEN).
The FCA also uses the "Principles for Businesses" (PRIN). However, they've tweaked these for crypto. For instance, some rules about "customers' interests" (Principle 6) are relaxed for professional clients or specific trading platform transactions, acknowledging that pros know the risks better than a retail hobbyist.
Supervision is where the rubber meets the road. The FCA has the power to appoint "skilled persons" to audit your books, demand information on a whim, and enforce strict CASS audit requirements. CASS refers to the rules for safeguarding client assets; basically, you can't gamble with your users' funds or mix them with your own operational cash.
Recent Shifts: The Return of Crypto ETNs
The FCA isn't just about restrictions; they occasionally pivot. A great example is the shift regarding Crypto Exchange-Traded Notes (cETNs). Back in 2021, the FCA banned the sale of crypto derivatives and ETNs to retail clients. But as of October 8, 2025, they've reversed this. Retail investors can now access these products, provided they trade on an FCA-approved, UK-based Recognised Investment Exchange. This move shows a growing acceptance of crypto as a legitimate asset class, provided the infrastructure is safe.
How to Apply Without Getting Rejected
Applying for authorization is an exercise in documentation. You can't just tell the FCA you're compliant; you have to prove it. Your application needs to be a direct response to a set of high-standard guides. If you haven't referenced the following, your application will likely be tossed:
- The FATF VASP Guidance (Virtual Asset Service Providers).
- The FATF risk-based approach for money laundering.
- FCA Guidance FG17/6 on how to handle Politically Exposed Persons (PEPs).
- The FCA Financial Crime guide for firms.
Pro tip: Don't fly blind. The FCA offers pre-application meetings. Use them to gauge if your business model is even acceptable to them before you spend thousands on legal fees for a formal application.
Do I need FCA authorization if I only serve institutional clients in the UK?
Generally, no. Overseas crypto firms serving only UK institutional customers are often exempt from authorization for trading and dealing activities, provided those institutions aren't acting as intermediaries for retail consumers. However, this doesn't apply to safeguarding or staking services.
What is the difference between MLR registration and FSMA authorization?
MLR registration is a baseline requirement focused on anti-money laundering (AML) and combating the financing of terrorism. FSMA authorization is a deeper, more comprehensive process that regulates the actual financial conduct, consumer protection, and operational stability of the firm.
Can an overseas exchange operate in the UK via a partner?
Yes. If an overseas firm deals with UK consumers through a UK-authorized intermediary that already possesses the necessary permissions, the overseas firm may not be required to seek separate authorization.
Who counts as a "consumer" under FCA rules?
A consumer is defined as an individual acting for purposes outside of any trade, business, or profession. Essentially, this refers to retail investors rather than professional traders or entities.
What happens if my application for authorization is refused?
The FCA has four primary outcomes for applications: approval, rejection, withdrawal, or refusal. If refused, you will typically receive a reason based on your failure to meet Threshold Conditions or provide sufficient evidence of AML compliance.
Next Steps for Exchange Operators
If you're already registered under the MLRs, your priority should be a gap analysis. Look at your current operations and see which of the five FSMA regulated activities you're performing. You'll likely need to upgrade your compliance framework to meet the a-la-carte requirements of a full financial services license.
For those just starting, start with the JMLSG guidance. It's the gold standard for AML in the UK. If you can't master the AML part, you'll never get past the first gate, let alone reach the FSMA authorization stage. Finally, keep an eye on the CASS audit requirements; safeguarding client assets is the most scrutinized part of the current supervisory approach.
13 Comments
Deepak Prusty
April 4, 2026 at 07:39
The distinction between MLR and FSMA is basic regulatory evolution. Most people miss that the transition from a registration regime to an authorization regime is essentially the FCA admitting that crypto isn't a niche experiment anymore, but a systemic financial component. The CASS requirements are the real hurdle here because the operational overhead for proper asset segregation is massive compared to the loose standards most exchanges currently use.
Erica Mahmood
April 5, 2026 at 14:20
basically just a pivot from 'AML focused' to prudential supervision. the CASS audit is where the real friction is since most offshore platforms can't handle that level of transparency without leaking their entire alpha
Earnest Mudzengi
April 7, 2026 at 00:57
Typical government overreach!! They just want to map every single wallet to a real-world identity so they can freeze your assets the moment you stop paying their fake taxes. This whole FSMA shift is just a front for a global surveillance grid. They're using "consumer protection" as a buzzword to implement CBDCs and kill the peer-to-peer dream. Wake up people, the "authorized intermediaries" are just state-approved checkpoints for your money!
Krystal Moore
April 7, 2026 at 06:53
Honestly, it's about time! I'm so sick of seeing people lose their entire life savings to some scam exchange based in the Seychelles that just vanishes overnight. If you can't follow basic rules to protect people, you shouldn't be in business. Period. It's actually disgusting how some of these "founders" think they're above the law just because they use a blockchain.
Susan Payne
April 8, 2026 at 16:08
The lack of ethical fortitude in the crypto industry is truly appalling. One must wonder why these entities are so resistant to the most fundamental tenets of financial stewardship. Those who avoid authorization are not "innovators," they are merely opportunists avoiding the inevitable scrutiny of their own incompetence.
Sharhonda Walker
April 9, 2026 at 21:54
I've helped a few firms with their gap analysis and honestly the most common mistake is ignoring the JMLSG updates. If your AML manual is just a copy-paste from a generic template, the FCA will shred it in seconds. You need actual evidence of your risk-based approach, not just a policy doc that says you do it. Make sure you check the PEP guidance too because that's where a lot of applications get stuck in the loop.
Joshua Aldrich
April 11, 2026 at 20:15
It's funny how we try to box this tech into 20-year-old laws. The whole idea of "authorization" assumes a centralized authority, but crypto is inherently about removing that. Still, I get the need for safety. I think the most interesting part here is the stablecoin loophole. It feels like the UK is trying to attract issuers while still controlling the trading. It's a weird balance of wanting the innovation but fearing the risk, which is basically the human condition in a nutshell, right? Just trying to find a safe way to gamble with the future.
Matthew Wright
April 12, 2026 at 22:17
This is a great breakdown!! I wonder if the CASS audits will eventually lead to a standardized reporting format for all UK exchanges??? That would be a huge win for transparency!!!
Susan Wright
April 13, 2026 at 16:16
For anyone actually doing this, don't skip the pre-application meetings. Seriously. The FCA is way more likely to tell you what's wrong in a call than they are to give you a detailed explanation in a rejection letter. It saves so much time and money on lawyers if you just get the vibe check done first.
Nicholas Whooley
April 13, 2026 at 20:19
It is truly heartening to see the industry moving toward a more structured environment. This will undoubtedly provide a safer harbor for new investors to explore the digital asset space. I encourage all budding entrepreneurs to view these regulations not as hurdles, but as a framework for sustainable growth and long-term trust.
Siddharth Bhandari
April 14, 2026 at 20:13
The retail ETN reversal is the most significant part here. It signals a shift in the risk appetite of the regulator.
akash temgire
April 15, 2026 at 08:34
The physical presence test for stablecoins is inefficient. It creates a loophole for offshore entities to influence the UK market without accountability. This is a flawed approach.
alex rodea
April 16, 2026 at 15:37
Just keep pushing and do the paperwork right! You got this!