UK Crypto AML Rules 2026: FCA Registration, Travel Rule & FSMA Changes

UK Crypto AML Rules 2026: FCA Registration, Travel Rule & FSMA Changes
Carolyn Lowe 3 July 2026 0 Comments

If you run a cryptocurrency business in the United Kingdom, ignoring anti-money laundering (AML) rules isn't just risky-it's illegal. Since January 10, 2020, the Financial Conduct Authority (FCA) has strictly supervised cryptoasset firms under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.

The landscape is shifting fast. As we move through 2026, the transitional "dual regulatory regime" is ending. The comprehensive licensing framework under the Financial Services and Markets Act (FSMA) is now fully active. This means the days of simple registration are over; you now need full authorization to operate.

This guide breaks down exactly what these rules mean for your operations, from customer due diligence to the new counterparty checks that caught many firms off guard in late 2025.

Who Needs to Comply?

You might think only exchanges need to worry about AML. That’s a dangerous assumption. The regulations apply specifically to two main types of entities:

  • Cryptoasset Exchange Providers: Platforms that match buyers and sellers of cryptocurrencies.
  • Custodian Wallet Providers: Services that hold private keys on behalf of customers to secure their digital assets.

If you fall into either category, you must be authorized by the FCA. Unregistered businesses operating after the transition period face severe penalties, including criminal charges and unlimited fines. As of mid-2026, the FCA register shows approximately 147 fully compliant firms, down from earlier peaks because many failed to meet the stricter standards required for the new FSMA licenses.

Core Compliance Requirements

Compliance isn’t a one-time checkbox. It’s an ongoing operational layer. Here are the non-negotiable pillars of the current UK AML framework for crypto:

1. Customer Due Diligence (CDD)

You must identify and verify your customers before providing services. The rule of thumb? Use at least two independent sources. For individuals, this usually means a government-issued ID and proof of address. For corporate clients, you need to dig deeper into beneficial ownership. You cannot rely solely on self-declared information.

2. Enhanced Due Diligence (EDD)

High-risk scenarios trigger EDD. This includes dealing with Politically Exposed Persons (PEPs), customers from high-risk jurisdictions, or complex transaction structures. In 2025, data showed that crypto firms had to perform 37.8% more enhanced due diligence steps than traditional finance firms due to the opaque nature of some blockchain transactions. You need senior management approval for these relationships.

3. Ongoing Monitoring

Verification doesn’t stop at onboarding. You must monitor transactions in real-time. If a customer suddenly starts moving millions in stablecoins after years of small trades, your system needs to flag it. Records of all CDD and monitoring activities must be kept for five years.

The Travel Rule: What You Need to Know

Implemented in 2022, the Travel Rule requires you to share specific data when transferring funds. If a transaction exceeds £1,000, you must collect and pass along the originator’s name, account number, and address to the beneficiary institution.

Why does this matter? Because anonymity is no longer a shield. If you fail to provide this data, receiving institutions can reject the transfer or freeze the funds. For cross-border transfers, ensure your counterparties are also compliant. The UK aligns with the FATF standard here, so if you’re working with global partners, this requirement is universal.

Detailed etching of blockchain chains under scrutiny for travel rule compliance

New 2026 Standards: Counterparty Due Diligence

This is where things got tighter. The draft amendments published in April 2025, now enforced under the FSMA regime, introduced Counterparty Due Diligence (CPDD). Previously, you only checked your direct customers. Now, you must verify the legitimacy of the entities you transact with, even if they aren’t your direct clients.

For example, if you send funds to another exchange, you must confirm that exchange is properly regulated. This aligns with FATF Recommendation 15 on New Technologies. Many firms initially struggled with this, as integrating blockchain analytics with traditional KYC systems cost an average of £185,000 in customization alone.

Change in Control: The 10% Threshold

Ownership transparency is critical. Under the old rules, you notified the FCA if someone bought 25% of your shares. That threshold has dropped to 10%. Any acquisition of 10% or more of voting rights or shares triggers a mandatory notification.

Professor Nicholas Ryder from the University of Bristol criticized this as an "unnecessary administrative burden," but the FCA views it as essential for preventing hidden ownership by illicit actors. Make sure your shareholder registry is updated in real-time to avoid accidental breaches.

Comparison of Key AML Metrics: Old vs. New Regime
Requirement Pre-2026 (MLR Focus) 2026+ (FSMA Integrated)
Registration Type AML Registration Only Full FSMA Authorization
Change in Control Threshold 25% Shareholding 10% Shareholding/Voting Rights
Due Diligence Scope Direct Customers Only Customers + Counterparties (CPDD)
Regulatory Body FCA (AML Supervision) FCA (Prudential & Conduct)
Etching showing scales balancing 10% ownership threshold and regulatory checks

Costs and Implementation Reality

Let’s talk money. Compliance is expensive. According to industry surveys from 2025, the average initial setup cost for AML compliance was £287,500. Annual ongoing costs hover around £142,300 per firm. These figures include software licenses, staff training, and external consultancy fees.

Many founders underestimate the time factor. The FCA’s average processing time for applications remains around 9 months. During this period, you cannot legally operate. Most successful applicants spend 6-9 months preparing their documentation before even submitting. Hiring external compliance consultants is common-78.3% of firms did so in 2025-to navigate the complex requirements.

Penalties for Non-Compliance

The consequences of getting this wrong are severe. The FCA has shown zero tolerance for inadequate risk assessments. Common reasons for rejection or enforcement action include:

  • Inadequate risk assessments (cited in 62.1% of failures).
  • Lack of senior management oversight (48.7%).
  • Poor transaction monitoring systems (39.4%).

Beyond fines, unregistered businesses face asset freezes and potential imprisonment for directors. The Office of Financial Sanctions Implementation (OFSI) noted in July 2025 that 23.7% of analyzed crypto transactions involved high-risk jurisdictions, highlighting the sector’s vulnerability and the regulator’s focus.

Next Steps for Your Business

If you are launching or expanding in the UK, start with a gap analysis. Compare your current processes against the FSMA requirements. Ensure your technology stack can handle real-time sanctions screening against at least 12 major lists. Train your staff-35 hours annually per compliance officer is the mandated minimum.

Don’t try to cut corners. The UK aims to be a "premium but selective" jurisdiction. While this drives some businesses away, it builds long-term trust with institutional investors who prioritize security and legality over speed.

Do I need FCA registration if I only offer cold storage wallets?

Yes. If you hold private keys on behalf of customers, you are classified as a Custodian Wallet Provider. This falls squarely under the AML regulations and requires full FCA authorization under the FSMA framework effective 2026.

What is the penalty for failing to report a change in control?

Failure to notify the FCA of a change in control exceeding the 10% threshold is a criminal offense. Penalties can include unlimited fines and up to seven years in prison for responsible individuals. The FCA may also revoke your license immediately.

How does the UK Travel Rule differ from the EU's MiCA?

While both follow FATF standards, the UK implements the Travel Rule via secondary legislation under MLRs and FSMA, whereas the EU integrates it into the broader Markets in Crypto-Assets (MiCA) regulation. The UK currently uses a £1,000 threshold, matching the global standard, but operates within a centralized FCA supervision model rather than the EU's distributed national competent authority approach.

Can I use automated KYC providers for compliance?

Yes, and most firms do. However, you remain legally responsible for the outcome. You must ensure your third-party provider meets UK data protection laws (GDPR) and AML standards. Relying solely on automation without human oversight for high-risk cases is a common reason for FCA rejection.

When does the FSMA regime fully replace the old registration system?

The transition was completed in early 2026. All existing registered firms were required to apply for full FSMA authorization. Operating under the old "registration-only" status is no longer valid for new businesses, and legacy firms must maintain their new licenses to continue operating legally.

Similar Posts

UK Crypto AML Rules 2026: FCA Registration, Travel Rule & FSMA Changes

A complete guide to UK crypto AML rules in 2026. Learn about FCA registration, the Travel Rule, CPDD, and FSMA changes affecting crypto businesses.