FCA Crypto Authorization Requirements for Exchanges in the UK

Ben Bevan 28 November 2025 24 Comments

If you're running a crypto exchange or planning to serve UK customers, you need to understand the FCA crypto authorization requirements. The rules aren't simple, and they’re changing fast. What worked last year might get you blocked today. The UK’s Financial Conduct Authority (FCA) doesn’t just want you to register - it wants you to prove you’re built to last, with real systems, real controls, and real accountability.

What You Must Do Right Now: MLR Registration

Before anything else, if you’re offering crypto exchange services or custodial wallet services in the UK, you must register with the FCA under the Money Laundering Regulations (MLRs). This isn’t optional. It’s the minimum legal entry point. Since January 2020, any firm handling crypto transactions for UK customers has needed this registration. Without it, you’re operating illegally.

The FCA doesn’t just stamp your application. They dig. They check your anti-money laundering (AML) procedures, your staff training records, your customer due diligence processes, and how you handle politically exposed persons (PEPs). You need to show you’ve read and applied the Joint Money Laundering Steering Group (JMLSG) guidance - specifically Chapter 22, which lays out exactly how crypto firms should manage risk. Missing one detail? Your application gets rejected.

There are four outcomes: approved, rejected, withdrawn, or refused. Rejection means you can’t try again for six months. Withdrawn means you backed out - maybe because you realized you weren’t ready. Refused means the FCA saw something serious: weak controls, unclear ownership, or ties to high-risk jurisdictions. You don’t get a second chance after refusal.

The Big Shift: FSMA Authorization Is Coming

The MLR registration is just the start. By 2026, the Financial Services and Markets Act 2000 (FSMA) will replace it as the main legal framework. This isn’t an upgrade - it’s a complete overhaul. Under FSMA, crypto businesses will need full FCA authorization, just like banks or brokers. No more light-touch registration. You’ll need to prove you meet the same standards as traditional financial firms.

Five core activities now require authorization:

Operating a qualifying cryptoasset trading platform
Dealing in qualifying cryptoassets as principal
Dealing in qualifying cryptoassets as agent
Arranging deals in qualifying cryptoassets
Safeguarding qualifying cryptoassets and relevant specified investments

Plus two more: cryptoasset staking and issuing qualifying stablecoins. These aren’t afterthoughts - they’re central to the new rules. If you offer staking rewards or run a stablecoin, you’re in the crosshairs.

Overseas Exchanges: You Can’t Hide Behind Borders

A lot of crypto platforms think they’re safe if they’re based in Singapore, Malta, or Dubai. They’re wrong. If your platform is accessible to UK retail customers - even if you don’t advertise there - you need FCA authorization. The FCA’s territorial rules are broad. It doesn’t matter if your servers are in Iceland. If a UK person signs up, trades, or holds crypto through you, you’re subject to UK law.

There’s one escape hatch: if you work through a UK-authorized intermediary. For example, if a UK-based firm with FCA permission acts as your agent, you don’t need your own authorization. But this isn’t a loophole - it’s a compliance pathway. The FCA will watch closely to make sure you’re not just outsourcing your responsibilities.

Here’s the catch: if you only serve UK institutional clients - hedge funds, family offices, corporate treasuries - you don’t need authorization for trading or arranging deals. The FCA assumes these clients know the risks. But if you’re safeguarding assets for them, or offering staking, you still need permission. The rules are layered, not black and white.

Transparent stablecoin issuance hub with GBP-pegged core and audit documents, drawn in silver and blue ink.

Stablecoins Have Their Own Rules

Stablecoin issuers face a different test. You only need FCA authorization if you’re issuing qualifying stablecoins from a physical office in the UK. That’s it. No consumer test. No jurisdictional reach. Just presence. So if you’re a US-based stablecoin issuer with no UK office, you’re not required to register - even if your coin is used by thousands of Brits.

But if you open a London office, even a small one, you’re in. The FCA wants control over the source. They care about reserve audits, redemption guarantees, and transparency. If your stablecoin is pegged to the pound or euro, expect extra scrutiny. The goal is to prevent another TerraUSD-style collapse from hitting UK users.

What Happens After You Get Authorized?

Getting approved isn’t the finish line. It’s the starting line. Once authorized, you’re bound by the same Principles for Businesses (PRIN) as banks - except some are waived for crypto platforms. Principles 1 (Integrity), 2 (Skill, Care and Diligence), 6 (Customers’ Interests), and 9 (Relationships of Trust) don’t fully apply to trading platforms. Why? Because the FCA sees these as venues, not advisors. You’re not giving advice - you’re enabling trades.

But you still need:

CASS audits for client asset protection
Regular reporting to the FCA
Clear rules for how trades are executed
Systems to detect market abuse
Staff trained on financial crime risks

The FCA can send in a skilled person to audit your systems. They can demand you change your rules. They can cancel your permission if you slip up. One major breach - like a hack due to poor custody controls - and you’re out.

Wrist-worn cETN device showing Bitcoin price with FCA shield, connected to London Stock Exchange tower in metallic sketch.

What’s New in October 2025: Retail Access to cETNs

In a major shift, the FCA lifted its ban on retail access to crypto exchange-traded notes (cETNs) on October 8, 2025. This reverses the 2021 prohibition on derivatives and ETNs tied to unregulated cryptoassets. Now, UK retail investors can buy cETNs - but only if they trade on FCA-approved UK investment exchanges. These aren’t普通的 crypto platforms. They’re recognized investment exchanges like the London Stock Exchange, with strict listing rules and oversight.

This doesn’t mean you can now trade Bitcoin directly on Robinhood-style apps. It means you can buy a note that tracks Bitcoin’s price, backed by a regulated exchange. The FCA is testing a middle ground: letting retail investors get exposure without letting them hold risky, unregulated crypto directly.

How to Prepare

If you’re not ready, here’s what to do now:

If you haven’t registered under MLRs - do it immediately. The FCA is actively shutting down unregistered platforms.
Review your business model against the five FSMA regulated activities. Are you doing any of them? If yes, start building your authorization application.
Map your customer base. Are you serving UK retail? Then you need authorization. Only institutional? You may have some breathing room - but not forever.
If you issue stablecoins, assess whether you have a UK presence. If yes, prepare for authorization.
Start training your compliance team on JMLSG Chapter 22 and the FCA’s Financial Crime Guide.
Consider a pre-application meeting with the FCA. They offer them. Use them.

There’s no shortcut. The FCA isn’t trying to kill crypto. They’re trying to stop fraud, protect consumers, and bring order to chaos. The firms that survive are the ones who treat compliance like part of their product - not a cost center.

What Happens If You Ignore This?

The FCA doesn’t warn twice. In 2024, they shut down over 120 unregistered crypto firms. Many were based overseas but still had UK customers. Their websites disappeared. Their bank accounts froze. Their founders were named in public enforcement notices. Some faced criminal investigations.

Operating without authorization isn’t a gray area. It’s a red line. The FCA works with UK police, HMRC, and international regulators. If you’re breaking the rules, they’ll find you.

Do I need FCA authorization if my crypto exchange is based outside the UK?

Yes, if you serve UK retail customers directly or indirectly. The FCA’s rules apply based on who you’re serving, not where you’re based. If a UK person can sign up, trade, or hold crypto on your platform, you need authorization - unless you’re working through a UK-authorized intermediary.

What’s the difference between MLR registration and FSMA authorization?

MLR registration is a basic compliance step focused on anti-money laundering. FSMA authorization is a full financial services license. It covers more activities, requires stronger governance, and subjects you to the same rules as banks. MLR is temporary - FSMA is the future.

Can I still operate if my FCA application is pending?

No. You cannot offer crypto services to UK customers while your application is under review. Operating without approval - even if you’ve submitted paperwork - is illegal and risks rejection or enforcement action.

Are stablecoin issuers treated differently under FCA rules?

Yes. Stablecoin issuers only need FCA authorization if they operate from a physical establishment in the UK. Unlike other crypto services, there’s no consumer-based test. If you issue stablecoins from outside the UK, you don’t need permission - even if UK users hold them.

What’s a cETN, and why can retail investors now buy them?

A cETN is a crypto exchange-traded note - a financial product that tracks the price of a cryptoasset like Bitcoin, but is listed on a regulated UK exchange. The FCA lifted its ban in October 2025 because cETNs are issued by authorized institutions with strict oversight, reducing direct exposure to unregulated crypto markets.

What happens if I fail an FCA audit?

You’ll be given a chance to fix the issues. But if you don’t, the FCA can suspend your permissions, impose fines, or cancel your authorization entirely. In serious cases, they may refer you to law enforcement. Failing an audit is not a minor setback - it’s a major regulatory event.