UK Cryptoasset Authorisation: What Firms Must Do Before October 2027

Regulatory Counsel · March 2026

Key Takeaways

  • The Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026 bring cryptoasset activities within FSMA scope from 25 October 2027.
  • The FCA gateway for new FSMA cryptoasset authorisation applications opens in September 2026.
  • Activities requiring FSMA authorisation include: operating trading platforms, dealing as principal, arranging, staking services, lending, and custody.
  • The new regime introduces prudential capital requirements, conduct of business obligations and governance standards far exceeding current MLR registration.
  • Firms currently registered under the MLRs must apply for FSMA authorisation during the transitional period — registration alone will not suffice after October 2027.

UK cryptoasset authorisation is moving from a narrow anti-money laundering registration regime to full Financial Services and Markets Act 2000 (FSMA) authorisation — the most significant change to UK crypto regulation since the sector first came under FCA supervision. The Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, made by Parliament in February 2026, designate specified cryptoasset activities as regulated activities for the purposes of FSMA. The commencement date is 25 October 2027. The FCA gateway for new applications opens in September 2026. This article explains what the new regime means, which activities require authorisation, what firms must prepare, and the transitional provisions for currently registered firms.

What Is the New UK Cryptoasset Authorisation Regime?

The new UK cryptoasset authorisation regime brings specified cryptoasset activities within the scope of FSMA 2000 for the first time. Under the current regime, cryptoasset firms register with the FCA under the Money Laundering Regulations 2017 for AML supervision only — they are not subject to FCA conduct of business rules, prudential capital requirements or the full range of FCA supervisory and enforcement powers. The new regime changes this fundamentally. From 25 October 2027, carrying on a specified cryptoasset activity in the UK without FSMA authorisation will be a criminal offence — exactly as it is for firms providing traditional financial services such as banking, investment management or insurance without authorisation. The regime is designed to bring the UK's approach to cryptoasset regulation into alignment with its approach to traditional financial services, providing equivalent consumer protection, market integrity and prudential standards.

Who Must Obtain FSMA Cryptoasset Authorisation?

This requirement will apply to:

  • Operators of cryptoasset trading platforms (centralised exchanges, matching engines and order book operators)
  • Firms dealing in cryptoassets as principal (proprietary trading, market-making)
  • Firms arranging deals in cryptoassets (brokers, intermediaries, arrangers)
  • Cryptoasset custody providers holding customer assets or private keys
  • Firms providing cryptoasset staking services on behalf of customers
  • Firms providing cryptoasset lending or borrowing services
  • Firms advising on cryptoassets where the advice constitutes a personal recommendation
  • Issuers of certain cryptoassets (subject to specific provisions in the regulations)

The scope is substantially broader than the current MLR registration regime, which covers only exchange providers and custodian wallet providers. Activities such as staking, lending, arranging and dealing as principal — which are currently unregulated in the UK — will require FSMA authorisation for the first time.

Key Regulatory Requirements Under the New Regime

Prudential capital requirements. The new regime introduces capital requirements for cryptoasset firms based on the nature and scale of their regulated activities. The FCA is expected to publish detailed prudential rules in its consultation papers, drawing on principles from the existing MIFIDPRU regime for investment firms and the PSRs 2017 regime for payment institutions. Firms should expect minimum initial capital requirements and ongoing own funds obligations calculated based on activity-specific metrics. The capital requirements will be significantly more demanding than the current MLR regime, which imposes no minimum capital.

Conduct of business obligations. FSMA authorisation brings cryptoasset firms within the scope of FCA conduct of business rules for the first time. This includes requirements for fair treatment of customers, clear and not misleading communications, conflicts of interest management, best execution obligations for trading platforms, suitability and appropriateness assessments for advisory services, and complaints handling procedures. The FCA Consumer Duty will apply to cryptoasset firms serving retail customers — requiring firms to demonstrate that their products deliver good outcomes, provide fair value, and are supported by effective consumer understanding and support.

Governance and senior management. Firms will need to establish governance structures consistent with FCA expectations under SYSC (Senior Management Arrangements, Systems and Controls). Key individuals will need to be approved by the FCA under the Senior Managers and Certification Regime (SM&CR). Directors and senior managers will be subject to fitness and propriety assessments and will hold personal regulatory accountability for the areas within their responsibility.

Operational resilience. Cryptoasset firms will be subject to the FCA's operational resilience framework, requiring identification of important business services, impact tolerance setting, scenario testing and remediation of vulnerabilities. This is particularly significant for trading platforms and custody providers where service interruption can directly impact customer access to assets.

AML framework. The AML requirements from the current MLR regime will continue to apply, but will be supplemented by the broader FSMA framework. Firms will need to maintain their existing AML programmes and integrate them with the new conduct, governance and reporting requirements.

The Transition Process: Step by Step

Step 1 — Regulatory perimeter assessment. Map all current and planned cryptoasset activities against the new regulated activity definitions. Identify which activities require FSMA authorisation and which may fall outside scope. Timeline: complete by Q2 2026.

Step 2 — Gap assessment. Compare the firm's current regulatory infrastructure (AML programme, governance, systems, controls) against the full FSMA authorisation requirements. Identify gaps in capital, governance, conduct of business, operational resilience and reporting. Timeline: Q2–Q3 2026.

Step 3 — Remediation and build. Address identified gaps: raise capital, appoint approved senior managers, build conduct of business frameworks, implement operational resilience requirements, upgrade AML programmes to integrate with broader FSMA compliance. Timeline: Q3 2026 – Q2 2027.

Step 4 — Application preparation. Prepare the FSMA authorisation application including regulatory business plan, governance structure, capital adequacy assessment, compliance monitoring programme, conduct of business policies and Individual Questionnaires for all senior managers. Timeline: 8–14 weeks.

Step 5 — Application submission. Submit via the FCA gateway (opening September 2026). Currently registered firms should submit early in the transitional period to avoid the risk of a backlog as the October 2027 deadline approaches. Timeline: submit by Q1 2027 at the latest.

Common Mistakes and Why Firms Will Fail

The most significant risk is complacency — firms assuming that current MLR registration will carry them through the transition without substantial additional work. The gap between MLR registration (AML supervision only) and FSMA authorisation (full regulatory supervision) is enormous. Firms that begin preparation in mid-2027 will not have time to build the required infrastructure.

Second, underestimating capital requirements. Current MLR-registered crypto firms operate with no minimum capital. The introduction of prudential capital requirements will require firms to raise capital or restructure — this cannot be done overnight.

Third, inadequate governance. Many crypto firms operate with informal, founder-led governance structures. FSMA authorisation requires formal board structures, approved senior managers, segregation of duties and documented decision-making. Building these structures takes months.

Fourth, treating the transition as an AML upgrade rather than a full regulatory build. The AML programme is only one component of FSMA authorisation — firms must also build conduct of business, governance, capital, operational resilience and reporting frameworks from scratch.

What Firms Should Do Now

  1. Map every cryptoasset activity against the new regulated activity definitions — determine which of your current and planned activities will require FSMA authorisation.
  2. Conduct a comprehensive gap assessment comparing current compliance infrastructure against FSMA requirements — prioritise capital, governance, conduct of business and operational resilience.
  3. Begin raising capital immediately if your current capital position is insufficient for the anticipated prudential requirements.
  4. Review governance structures and identify which roles will need FCA approval under SM&CR — begin recruitment or internal development of candidates for approved functions.
  5. Engage with the FCA's published guidance and consultation papers as they are released — the detailed rules will emerge through FCA consultations during 2026.
  6. Plan to submit the FSMA application as early as possible once the gateway opens in September 2026 — do not wait until mid-2027 when application volumes will peak.

Regulatory Context and Outlook

The UK is positioning itself as a global centre for cryptoasset regulation, and the FSMA regime is designed to provide the regulatory certainty that institutional participants require. The Treasury and FCA have been clear that the new regime is intended to be comprehensive, proportionate and competitive with international frameworks including the EU's Markets in Crypto-Assets Regulation (MiCA). The FCA's approach draws on its experience with traditional financial services regulation — firms should expect the assessment process, ongoing supervision and enforcement approach to be consistent with how the FCA regulates banks, investment firms and payment institutions. The September 2026 gateway opening is closer than most firms appreciate — firms that are not actively preparing by mid-2026 risk being unable to meet the October 2027 deadline and may need to cease cryptoasset activities.

Regulatory Counsel advises UK cryptoasset firms on the transition from MLR registration to FSMA authorisation and manages the full application process. Our team combines traditional FCA authorisation experience with cryptoasset sector knowledge. Firms seeking specialist support with UK cryptoasset authorisation can contact Regulatory Counsel for a free initial consultation. See our licensing and authorisation service for details.

Frequently Asked Questions

The FSMA cryptoasset regime commences on 25 October 2027. The FCA gateway for new FSMA cryptoasset authorisation applications opens in September 2026. Firms currently registered under the MLRs will have a transitional period to apply for FSMA authorisation.

Activities requiring FSMA authorisation include: operating cryptoasset trading platforms, dealing in cryptoassets as principal, arranging deals in cryptoassets, providing custody services, staking services, lending and borrowing services, and advising on cryptoassets. This is substantially broader than the current MLR registration scope.

No. After October 2027, carrying on a specified cryptoasset activity without FSMA authorisation will be a criminal offence. MLR registration alone will not permit continued operation. Firms must apply for and obtain FSMA authorisation during the transitional period.

The FCA is expected to introduce prudential capital requirements for FSMA-authorised cryptoasset firms, drawing on principles from MIFIDPRU and PSRs 2017 frameworks. Specific capital thresholds will be published in FCA consultation papers. Currently, MLR-registered crypto firms have no minimum capital requirement — this will change significantly.

Firms should: map activities against new regulated activity definitions, conduct gap assessments against full FSMA requirements, begin raising capital, review governance structures for SM&CR compliance, build conduct of business frameworks, and plan to submit applications when the FCA gateway opens in September 2026.
