If you're running a crypto business in the UK, you’re not just selling digital assets-you’re operating under one of the strictest anti-money laundering (AML) regimes in the world. The rules aren’t suggestions. They’re legal requirements enforced by the Financial Conduct Authority (FCA), and failing to follow them can mean fines, shutdowns, or criminal charges. As of 2026, the landscape has changed again. The old registration system is fading. A new licensing regime is taking over. And if you haven’t adjusted yet, you’re already behind.
Who Needs to Comply?
You don’t need to be a giant exchange to fall under UK AML rules. If your business handles cryptoasset exchanges or custodial wallet services, you’re covered. That means if you let customers trade Bitcoin for Ethereum, or you hold their private keys-even temporarily-you must register with the FCA. Payment service providers that convert crypto to fiat also count. But if you’re just running a personal wallet or a non-custodial DeFi app with no on-ramp/off-ramp, you’re likely outside the scope. The FCA’s 2025 register listed only 147 active firms, down from 184 in early 2024. That drop isn’t because the market shrank. It’s because 20% of firms couldn’t meet the bar.
The Core Rules: What You Can’t Skip
There are five non-negotiable pillars in the UK’s AML framework for crypto:
- Customer Due Diligence (CDD): You must verify every customer’s identity using at least two independent, reliable sources. That means government-issued ID plus a utility bill or bank statement. No selfies with IDs. No AI-only verification. The FCA rejected 62% of initial applications for weak CDD systems.
- Enhanced Due Diligence (EDD): If a customer is from a high-risk country (like Iran, North Korea, or Venezuela), or is a Politically Exposed Person (PEP), you need extra checks. The FCA says 37.8% more EDD is required for crypto than traditional finance-because crypto transactions are harder to trace.
- The Travel Rule: Any transaction over £1,000 must include originator and beneficiary details: full names, account numbers, and addresses. This applies whether you’re sending Bitcoin to another exchange or cashing out to a bank. The rule kicked in in 2022, but many firms still get it wrong. The FCA found 41% of firms couldn’t properly transmit this data in 2024.
- Ongoing Monitoring: You can’t just check a customer once and forget them. You need real-time transaction monitoring systems that flag unusual activity-like sudden large transfers, rapid cycling between wallets, or transactions with blacklisted addresses. False positives are common, averaging 28.7% compared to 12.3% in banks. But ignoring them is riskier.
- Record Keeping: Save everything. Customer IDs, transaction logs, risk assessments, training records. All for five years. The FCA doesn’t ask for them often-but when they do, you have 48 hours to produce them.
The New FSMA Regime: What’s Changing in 2026
The current system-based on the 2017 Money Laundering Regulations-is being replaced. Starting Q1 2026, the Financial Services and Markets Act (FSMA) 2000 Order will take full effect. This isn’t just an update. It’s a full overhaul.
- Dual registration ends: Under the old rules, firms had to register under both MLR and potentially other regimes. Now, FSMA becomes the single gateway. If you’re licensed under FSMA, you’re automatically compliant with AML rules.
- 10% control threshold: If any person or entity buys just 10% of your company’s shares or voting rights, you must notify the FCA. Previously, it was 25%. This change is designed to catch hidden owners-especially those trying to bypass sanctions.
- Counterparty Due Diligence (CPDD): You now need to verify not just your own customers, but the entities you transact with-even if they’re not your direct clients. If you send Bitcoin to an exchange in the US, you must check that exchange’s AML status. This is new, and it’s hard. Most firms haven’t built systems for it yet.
The FCA says the goal is to create a “cleaner, tougher” market. But the transition is messy. In Q1 2025, UK crypto venture capital investment dropped 17.3% year-over-year. Some firms are relocating to Singapore or Dubai. Others are shutting down.
Real Costs: What It Actually Costs to Comply
Let’s be clear: this isn’t cheap.
According to FCA data from March 2025, the average crypto firm spent £287,500 just to get registered. That includes legal fees, compliance software, staff training, and external consultants. Once approved, ongoing costs hit £142,300 per year. That’s not inflation-it’s the price of staying legal.
One firm on Reddit, ‘CryptoComplianceUK’, reported spending £500,000 and 14 months just to get approved. Another, ‘BlockchainComply’, said the process was brutal-but once they passed, their international clients trusted them more. That’s the trade-off: high upfront cost for long-term credibility.
Technical costs are the biggest surprise. Integrating blockchain analytics tools (like Chainalysis or Elliptic) with traditional KYC platforms can cost over £185,000 in customization alone. Real-time sanctions screening against 12+ global lists? That’s another £50,000+ per year in licensing fees.
Common Reasons Firms Get Rejected
The FCA doesn’t give vague rejections. They list exact failures. Here’s what most firms get wrong:
- Weak risk assessments (62.1% of failures): Many firms just copy-paste templates. The FCA wants customized, living documents that reflect your actual business model.
- No senior management oversight (48.7%): The CEO or CFO must be actively involved. You can’t outsource compliance to a junior staffer and call it done.
- Broken transaction monitoring (39.4%): Systems that flag every small transfer are useless. Systems that miss large, suspicious patterns are illegal.
- Advertising violations (63.2%): Saying “guaranteed returns” or hiding risk disclosures gets you flagged fast. The FCA has a 10-point checklist for crypto ads.
There’s no appeal process. If you fail, you reapply. And you pay again.
How the UK Compares to the Rest of the World
The UK isn’t the easiest place to launch a crypto business-but it’s one of the most respected.
| Region | Registration Success Rate | Travel Rule Threshold | Change in Control Threshold | Primary Regulator |
|---|---|---|---|---|
| United Kingdom | 12.7% | £1,000 | 10% | FCA |
| United States | Varies by state | $1,000 | 25% | FinCEN, SEC, CFTC |
| Singapore | 38.4% | S$1,000 | 20% | MAS |
| European Union | Not applicable (MiCA license) | €1,000 | 20% | National authorities |
The UK’s 10% control threshold is the strictest in the world. The EU and US use 20%. Singapore is more lenient and faster. But the UK’s advantage? Once you’re registered, you’re seen as credible globally. Banks in Europe and Asia are more willing to work with UK-licensed firms.
What Happens If You Don’t Comply?
Non-compliance isn’t a slap on the wrist. The FCA can:
- Issue unlimited fines
- Shut down your website and payment processors
- Block your directors from running any financial business in the UK
- Refer you to the National Crime Agency for criminal investigation
In 2024, the FCA took action against 19 unregistered crypto firms. One was fined £2.1 million for allowing unverified users to trade over £180 million in crypto. Another had its directors banned for life.
And it’s not just the FCA. HMRC tracks crypto taxes. OFSI watches for sanctions breaches. If you’re sending crypto to a sanctioned Russian entity-even unknowingly-you’re at risk.
What Should You Do Right Now?
If you’re already registered: review your systems. Are you ready for the 10% control rule? Can your software handle CPDD? Schedule a gap analysis with your compliance team before March 2026.
If you’re applying: don’t rush. The average processing time is 9.2 months. Start early. Hire a specialist. Use the FCA’s guidance documents-not third-party blogs. The FCA publishes all their expectations online. Read them. Then read them again.
If you’re thinking of starting a crypto business in the UK: ask yourself if you can afford the £300k+ upfront cost and the 6-9 month wait. There are easier places to launch. But if you’re serious about long-term growth, the UK’s reputation is worth the pain.
The UK isn’t trying to kill crypto. It’s trying to clean it up. The firms that survive this transition won’t be the flashiest. They’ll be the most careful. The most transparent. The ones who treat compliance not as a cost-but as a competitive advantage.
Do I need to register with the FCA if I run a crypto exchange in the UK?
Yes. Any business that exchanges crypto for fiat or other crypto, or holds customer funds (custodial wallets), must register with the FCA under the AML rules. This applies even if you’re a small startup. The only exceptions are non-custodial DeFi platforms with no on-ramp/off-ramp. If you’re unsure, consult the FCA’s official guidance on cryptoasset activities.
What is the Travel Rule and how does it affect my crypto business?
The Travel Rule requires you to collect and share the names, account numbers, and addresses of both the sender and receiver for any crypto transaction over £1,000. This applies to transfers between your customers and other crypto firms. You need systems that automatically capture and transmit this data. Most firms fail this requirement because their software can’t handle it. The rule has been active since 2022 and is strictly enforced.
How long does FCA registration take in 2026?
As of 2025, the average processing time is 9.2 months. Some firms get approved in 6 months. Others take over a year. The FCA doesn’t rush. They review every document. To speed things up, hire a compliance consultant with proven FCA experience. Submit a complete application the first time-revisions delay everything.
What happens if my crypto business fails FCA registration?
If you fail, you can reapply-but you’ll need to fix the exact issues the FCA identified. Common reasons include weak risk assessments, poor customer verification, or lack of senior oversight. You can’t operate legally while waiting to reapply. Continuing to trade without registration is a criminal offense and can lead to fines or prosecution.
Is the UK’s AML regime stricter than the EU’s?
Yes, in key areas. The UK’s 10% threshold for change in control is stricter than the EU’s 20%. The UK also requires counterparty due diligence on all external partners, while the EU’s MiCA framework focuses more on licensing than ongoing monitoring. The UK’s approach is more granular and reactive. The EU’s is broader but less detailed. Both are tough-but the UK has a higher failure rate for new applicants.
Can I use AI tools to automate AML compliance in the UK?
You can use AI for screening and monitoring, but not as your only system. The FCA requires human oversight at every stage. AI can flag transactions, but a qualified compliance officer must review and document each decision. Relying solely on AI has led to multiple rejections. The regulator wants transparency-not automation.
Do I need to train my staff on AML rules every year?
Yes. The FCA requires at least 35 hours of AML training per compliance staff member annually. This includes updates on new regulations, red flags, and internal procedures. Training records must be kept for five years. Many firms use specialized platforms like Know Your Customer (KYC) Academy or Compliancely to manage this. Skipping training is a top reason for registration failure.
Rod Petrik
January 18, 2026 AT 09:19They're using AML to kill crypto one compliance form at a time lol
Next they'll make you file a tax return for every satoshi you move
Who the hell thought this was a good idea
We're not banks we're pioneers
They don't want freedom they want control