The UK's New Cryptoasset Regime is Here: Firms Need to Act Now – Issues to Consider
The UK is bringing specified cryptoasset activities within the FSMA regulatory perimeter, giving firms a clearer rulebook and strengthening consumer protections.
In our previous article, we discussed the upcoming change for firms undertaking regulated cryptoasset activities – from anti-money laundering (AML)-focused registration under the Money Laundering Regulations (MLRs) to full authorisation and supervision under the Financial Services and Markets Act (FSMA). This change is expected to come into effect on 25 October 2027. We outlined the timetable for the authorisation application period (30 September 2026 - 28 February 2027) and discussed the benefits of applying during this application window.
For cryptoasset firms, the complexity of a full FSMA application should not be underestimated. Preparation should begin now.
In this piece, the second in our series of three articles, we focus on the first two key considerations for firms undertaking regulated cryptoasset activities, and the steps to take ahead of submitting an authorisation or Variation of Permission (VoP) application.
Assess PRIN/SYSC Requirements and Establish Core Controls
Firms will be expected to meet all Financial Conduct Authority (FCA) Handbook expectations, including the Principles for Business (PRIN) and Systems and Controls (SYSC).
Under the new regime, cryptoasset firms must prevent, detect, and report market abuse consistent with a comprehensive framework tailored to crypto markets. This should cover insider dealing, unlawful disclosure of inside information, and market manipulation.[1]
What you should do
- Conduct a PRIN/SYSC gap assessment and produce a remediation plan with owners, timelines, and evidence.
- Implement market abuse surveillance appropriate to crypto markets, formalise conflicts of interest and personal account dealing policies, and embed surveillance governance and escalation.
- Establish a risk taxonomy, risk and controls self-assessment, key risk indicator (KRI) / management information (MI) suite and issues/remediation lifecycle with appropriate documentation.
Build/Assess AML Framework
Firms must establish a robust framework to deter money laundering (ML), terrorism financing (TF) and proliferation financing (PF). Firms should assess or enhance their AML framework to confirm that it meets the expectations of the MLRs and to evidence its operational effectiveness.
The FCA has highlighted five aspects of the AML framework that cryptoasset firms should pay particular attention to:[2]
Money Laundering Reporting Officer (MLRO)
Key steps[3]
- Firms must appoint an MLRO who has sufficient knowledge and experience, resources and capacity, and who meets fitness and propriety requirements.
- The MLRO must be able to provide adequate oversight and challenge to the first line of defence.
- The MLRO must understand the firm’s business model and its ML, TF, and PF risks across key risk factors (customers, geography, products and services, transactions, and delivery channels), as well as the related controls.
- The MLRO must be able to outline the relevant governance structures, reporting, and escalation lines as well as decision-making processes.
- The MLRO must have knowledge of crypto-specific typologies and the risks they pose to the business.
Business Wide Risk Assessment (BWRA)
Key steps
- The BWRA is the foundation of the AML framework, and must be clearly documented.
- The BWRA must assess the firm’s inherent ML, TF, and PF risks by customer, geography, products and services, transactions, and channels.
- For cryptoasset firms, the BWRA should also demonstrate how the risk posed by different types of crypto assets is assessed and addressed.
- The BWRA must identify the controls to manage those risks and evaluate their effectiveness.
- The BWRA must identify any residual risk and determine whether it falls within the firm’s risk appetite.
Customer Risk Assessment (CRA)
Key steps
- The CRA must be clearly documented and must align with the BWRA.
- It must consider all risk factors stipulated by regulation: customer, products and services, country, industry or occupation, and delivery channel. These risk factors must be assessed together, not in isolation.
- The CRA should include red flags and triggers that cause an escalation of risk, e.g., Politically Exposed Person (PEP) status.
- It should provide a holistic assessment of the risk posed by each customer and the controls to be applied to manage the risk of that customer relationship, covering due diligence, transaction monitoring (TM), periodic review, and senior management approval.
- It must be clear how ratings were determined (e.g. using lists of risk factors), how risk thresholds were set, and under which circumstances human judgement may be applied.
Transaction Monitoring
Key steps
- Firms should carefully select a TM solution appropriate to their business model and be prepared to explain their choice.
- The TM solution must be embedded into the organisational and control framework, with a clear pathway from alert generation to submission of a Suspicious Activity Report (SAR).
- Firms should anticipate the challenges that may be encountered during and after implementation of their TM solution (e.g. calibration of alerts and management of TM backlogs). They must consider how these challenges will be addressed, including escalation pathways, governance, and reporting.
- The FCA expects firms to monitor off-chain, on-chain, and fiat-to-crypto transactions, and to be able to block transactions to high-risk wallet addresses. Firms should also be able to explain their approach to screening and re-screening wallet addresses.
Travel Rule (TR)
Key steps
- Firms should select a TR solution appropriate to their business model and be able to explain their choice.
- The TR solution must be embedded into the firm’s organisational and control framework.
- Firms should consider producing a flow of funds diagram that includes the flow of TR data.
- Firms should also outline their approach to counterparty discovery and transfers to/from overseas cryptoasset businesses which may not have their own TR requirements.
- Firms should anticipate challenges that may arise during and after the implementation of their TR solution (e.g. issues identifying a counterparty or delay of transfers with pending TR information). They must consider how these will be addressed, including escalation pathways, governance, and reporting.
In addition, the FCA will consider the following aspects of firms’ AML framework during its assessment:
Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and Periodic Reviews
Key steps[4]
- Firms must identify their customers and, if applicable, their beneficial owners and verify their identities.
- Firms must capture and record sufficient information on the purpose and intended nature of the customer relationship to understand the risk associated with it, and allow its subsequent monitoring.
- For customers who are not a natural person, reasonable steps must be taken to understand the ownership and control structure.
- CDD measures must be risk-sensitive, e.g. by stipulating additional EDD for higher risk customers.
- EDD should be relevant and proportionate to the risk associated with the customer relationship. Firms should clearly evidence any EDD measures taken (including senior management approval where required) and maintain clear triggers for when EDD is applied.
- Periodic reviews should follow a risk-based approach, with a clear cadence for periodic reviews and defined triggers for event-driven reviews as part of ongoing due diligence.
- Any electronic identification processes used must be independent of the person being verified, secure from fraud and misuse, and capable of providing an appropriate level of assurance on the person’s identity.
- Where a firm cannot apply CDD measures – including where a firm cannot be satisfied that it knows who the beneficial owner is – it must not enter or continue the business relationship.
Suspicious Activity Reports (SARs)
Key steps
- Firms must have a nominated officer to report SARs to the National Crime Agency.
- There must be a clear and documented decision-making process relating to SARs.
- It must be clear to all staff that they are required to report concerns to the nominated officer.
- There must be a documented process for responding to Production Orders.
Training and Record Keeping
Key steps
- Firms must keep copies of information obtained to meet CDD requirements, and sufficient supporting records for transactions, for five years after the business relationship ends or five years after an occasional transaction. Records of transactions occurring within a business relationship do not need to be kept for more than 10 years.
- Any data collected must be deleted after these periods.
- Personal data collected under the MLRs should only be processed for the purpose of preventing ML and TF.
- Employees must receive appropriate AML training.
Across the AML framework, it is important that documentation and assessments are crypto-specific rather than generic.
In the next part of this series, we will explore further issues for cryptoasset firms, including: implementation of the consumer duty and financial promotion standards, strengthening governance and Senior Managers and Certification Regime (SM&CR) accountability, financial and operational resilience, safeguarding and wind-down, and the benefits of engaging early with the FCA via the Pre-Application Support Service (PASS).
Footnotes
[1] Financial Conduct Authority, “CP25/41: Regulating cryptoassets: Admissions & disclosures and market abuse regime for cryptoassets,” 20 February 2026.
[2] Financial Conduct Authority, “New regime for cryptoassets regulation – Introduction to anti-money laundering regulations [Webinar],” 18 March 2026.
[3] Financial Conduct Authority, “Cryptoassets: What we expect to see in your application for registration,” 22 March 2026.
[4] Financial Conduct Authority, “Firms’ customer due diligence processes and controls: our findings,” 8 April 2026.