FCA Cryptoasset Regime: What UK Crypto Firms Must Do Before the Authorisation Gateway Closes

Last updated: July 2026

A firm running a UK crypto exchange or custody desk has, until now, operated on a Money Laundering Regulations registration, a light-touch anti-money-laundering permission and little else. On 30 June 2026 that arrangement stopped being enough. The FCA published the final rulebook for the FCA cryptoasset regime, and the rulebook treats an existing registration as a starting point rather than a licence to keep trading. Firms that read their AML registration as a ticket into the new framework will find the authorisation gateway has shut behind them.

The regime rests on the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, SI 2026/102, which was made on 4 February 2026 and amends the Regulated Activities Order so that a defined set of cryptoasset activities become regulated activities for the first time. The FCA’s 30 June package, five policy statements running from PS26/9 to PS26/13, turns that statutory perimeter into operating rules. The mandatory regime is expected to take effect on 25 October 2027, and there is a single authorisation window before it: applications open on 30 September 2026 and close on 28 February 2027.

For a reporting and compliance function the questions are narrow. Which of our activities are caught, when do we have to be authorised, and what do we have to build to keep operating. Timing drives all three, because the gateway is a one-time window and not a rolling process.

Related reading: Bank of England systemic stablecoin rules for UK issuers

What the FCA cryptoasset regime package published on 30 June 2026

The 30 June announcement is a package rather than a single document: five final policy statements, three pieces of finalised guidance and two guidance consultations, each mapping onto a different part of the new Handbook. Reading them as one blob is the first mistake a project team makes, because the obligations sit in different sourcebooks with different owners inside a firm.

The five policy statements are PS26/9 on the admissions and disclosures regime and the market abuse regime for cryptoassets, PS26/10 on stablecoin issuance, PS26/11 on regulated cryptoasset activities covering trading platforms, intermediation, custody, lending and borrowing and staking, PS26/12 on the prudential regime, and PS26/13 on the application of the FCA Handbook to regulated cryptoasset activities. Alongside them the FCA finalised guidance on the Consumer Duty for cryptoasset firms (FG26/5), cryptoasset operational resilience (FG26/6) and its approach to international cryptoasset firms (FG26/7), and consulted through GC26/4 and GC26/5 on the overall risk assessment expectations under the new COREPRU and CRYPTOPRU sourcebooks.

Those policy statements are final rules, not proposals. The consultation phase ran through 2025 and into 2026 across CP25/40 on regulated activities, CP25/41 on admissions and market abuse, CP25/14 on stablecoin issuance and custody and CP25/42 on the prudential regime, among others. When you cite an obligation internally, cite the policy statement and the Handbook chapter, not the consultation paper it grew out of, because some figures moved between consultation and final rules.

Which cryptoasset activities now need FCA authorisation

SI 2026/102 works by amending the Regulated Activities Order. That matters, because the Order is the same instrument that defines regulated activities for banks, investment firms and payment services. Cryptoasset activity is being folded into the mainstream perimeter rather than parked in a separate crypto silo, which is why the FCA can apply so much of its existing Handbook to it.

The new regulated activities include issuing a qualifying stablecoin, safeguarding qualifying cryptoassets and relevant specified investment cryptoassets, operating a qualifying cryptoasset trading platform, dealing in qualifying cryptoassets as principal or as agent, arranging deals in qualifying cryptoassets, and qualifying cryptoasset staking. The Regulations also create designated activities for qualifying cryptoasset public offers, admissions to trading and market abuse, which is where PS26/9 and CRYPTO 3 and CRYPTO 4 come in.

The perimeter test turns on the word qualifying and on whether the activity is carried on in or to the UK. A firm outside the UK that serves UK users can be caught, and the FCA set out how it will treat those firms in FG26/7. Where teams get this wrong is at the edges. Staking that is packaged as a reward feature inside a wallet, or an arranging function buried in a group entity that never touches a UK client directly, still needs to be tested against the regulated-activity definitions rather than waved through because it feels incidental.

The authorisation gateway is a window, not a queue

The gateway is the part of this regime that a compliance calendar has to respect first. The FCA expects the application period to open on 30 September 2026 and to close on 28 February 2027. Pre-application support meetings are available from July 2026, and the FCA has been explicit that it wants firms in early rather than at the deadline.

The saving provision is the reason the dates are load-bearing. A firm that submits a complete application inside the window and has not received a final decision by 25 October 2027 can continue to provide its cryptoasset services until its application is determined, including through any reference to the Upper Tribunal. A firm that misses the window does not get that protection. The FCA has also flagged that applications arriving very late, after around 31 July 2027 on the AML track, are unlikely to be determined before the regime starts.

I treat the window as the immovable object in any transition plan and work backwards from it. That means locking the perimeter analysis, the regulatory business plan, the financial projections and the senior-manager appointments to a submission date in the first quarter of the window, not the last, so there is room to answer FCA queries before the file goes cold. A firm that leaves the application to February 2027 is betting its ability to keep trading on a clean first-time submission, and first-time crypto authorisations rarely are clean.

Why an MLR 2017 registration does not carry you across

This is the single most expensive misunderstanding in the whole transition. Firms providing crypto exchange or custodian wallet services in the UK currently register with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. That registration is an anti-money-laundering permission. It is not authorisation under FSMA, and the FCA has stated plainly that there will be no automatic conversion.

Being registered under the MLRs does not guarantee authorisation under FSMA. They are separate assessments with separate outcomes, even when the FCA looks at them at the same time. From 25 October 2027, an MLR registration alone will not let a firm carry on regulated cryptoasset activities in the UK, because those activities will require FSMA authorisation. An existing registrant has to apply through the gateway like everyone else. The financial-crime obligations that came with the MLR registration do not disappear either; they continue to bite until the FSMA regime takes over, and much of that expectation is rebuilt inside the new Handbook. Our note on the FCA’s June 2026 financial crime priorities for UK regulated firms sets out where the supervisor’s attention is going.

The practical trap is resourcing. A firm that has only ever staffed for MLR compliance, with a nominated officer and a transaction-monitoring stack, is not staffed for FSMA authorisation. FSMA brings capital requirements, conduct rules, the Consumer Duty, governance under the Senior Managers and Certification Regime and prudential reporting. None of that is inferable from an AML registration file, and building it takes longer than the gateway window if you start when the window opens.

The prudential regime: COREPRU and CRYPTOPRU

PS26/12 introduces two new prudential sourcebooks. COREPRU sets the core prudential rules that apply across firm types, and CRYPTOPRU sits on top with the cryptoasset-specific requirements. This is a genuine capital regime, with a permanent minimum requirement, an own-funds requirement driven by the nature and scale of the activity, and a risk assessment obligation that GC26/4 and GC26/5 describe as the overall risk assessment under COREPRU 7 and CRYPTOPRU 7.

For stablecoin issuers the headline number moved between consultation and final rules. At consultation in CP25/42 the FCA floated a capital coefficient tied to the value of stablecoins issued, and in the final rules it set that coefficient at 1 percent of issued value, below the 2 percent it had proposed. Read the primary policy statement before you model this, because the coefficient interacts with the base own-funds requirement and with the backing-asset rules rather than standing alone.

Where teams misread the prudential regime is by treating it as a one-off authorisation hurdle. It is an ongoing calculation. The own-funds requirement recalculates as positions and volumes change, the overall risk assessment has to be documented and refreshed, and the numbers feed regulatory returns after authorisation. A firm that scrapes together minimum capital to pass the gateway and then lets its risk assessment go stale has only deferred the breach it was trying to avoid.

Stablecoins and safeguarding: CASS 16 and CASS 17

Safeguarding is where the new regime is most concrete and least forgiving. PS26/10 and PS26/11 build two client-asset regimes. CASS 16 governs the backing assets of an authorised stablecoin issuer, and CASS 17 governs the safeguarding of client cryptoassets by custodians, with CASS 7 amended for the client money that arises around these activities. The point of both is the same as it has always been in client-asset rules: the assets have to be identifiable, segregated and returnable if the firm fails.

UK stablecoin issuance is moving toward joint supervision by the FCA and the Bank of England, with the Bank taking the systemic issuers once its own regime is in force. The Bank published its policy statement and draft Code of Practice for systemic sterling stablecoin issuers on 22 June 2026, with the consultation open until 22 September 2026 and finalisation expected by the end of 2026, so treat the Bank side of the model as not yet operative. If you issue or plan to issue a sterling-referenced stablecoin at scale, the two-supervisor model changes your reporting lines and your engagement plan. The detail of the Bank’s side sits in its own rulebook, which we cover in the Bank of England systemic stablecoin rules for UK issuers.

The operational detail that catches custodians is reconciliation. A CASS-style regime is enforced through the discipline of internal and external reconciliations and a resolution pack that lets an insolvency practitioner return assets. On-chain assets do not remove that duty; they change its mechanics, because your records now have to reconcile to wallet addresses and keys rather than to a custodian statement. The FCA has already shown, in traditional custody, that it will act on client-asset control failures, as the CACEIS UK censure over financial crime and client-asset controls illustrates.

Conduct, the Consumer Duty and the Handbook

PS26/13 is the section that surprises firms coming from the crypto-native world rather than from regulated finance. It applies large parts of the existing FCA Handbook to regulated cryptoasset activities, with modifications. That means the Consumer Duty, conduct-of-business rules in COBS, systems and controls in SYSC, operational resilience, and the Senior Managers and Certification Regime.

The Consumer Duty is not a marketing overlay. FG26/5 explains how the Duty applies to cryptoasset firms, and it requires firms to evidence good outcomes across products, price and value, consumer understanding and consumer support, with board-level monitoring behind it. Firms that already operate under the UK conduct framework will recognise the machinery; the 2026 SM&CR reforms and accountability changes feed straight into how senior-manager responsibilities have to be mapped for a newly authorised crypto firm. The confusion point is scope: the Duty and the SM&CR apply to the authorised entity, so a group that runs its UK crypto activity through one legal vehicle has to give that vehicle real governance, not a thin conduit around an offshore parent.

What actually changes in your reporting framework

Authorisation is the gate; reporting is the standing obligation on the other side of it. Once authorised, a cryptoasset firm becomes an FCA reporting firm, which means periodic regulatory returns submitted through the FCA’s RegData system rather than the narrower reporting a registrant files today. The prudential regime generates its own returns off the COREPRU and CRYPTOPRU calculations, the Consumer Duty generates board reporting and outcomes monitoring, operational resilience brings incident and mapping obligations, and the financial-crime reporting that existed under the MLRs is carried into the authorised world.

The financial-promotions regime is the part firms often forget because it is already live. Since 8 October 2023, under PS23/6 and FG23/3 and the Financial Services and Markets Act 2000 (Financial Promotion) (Amendment) Order 2023, any promotion of qualifying cryptoassets to UK consumers has had to be communicated or approved by an authorised person, or made by an MLR-registered firm, or fall within an exemption. As the MLR route winds down under the new regime, firms that relied on their registration to communicate their own promotions need to re-plan around FSMA authorisation. There is also a tax reporting layer arriving separately through the Cryptoasset Reporting Framework, which we cover in the guide to CARF crypto tax reporting, and it should be scoped alongside the FCA work rather than after it.

When I scope a reporting build for a firm coming through this gateway, the long pole is almost always data lineage. A regulatory return is only as good as the ledger behind it, and crypto ledgers were rarely designed to produce a prudential position, a client-asset reconciliation and a market-abuse surveillance feed from the same source of truth. That plumbing is the long pole, and it is why the reporting build should start in parallel with the authorisation application, not after the permission lands.

How this differs from the EU’s MiCAR

Firms with an EU footprint reach for their MiCAR mapping and try to reuse it. That is the onshoring trap. The UK regime is a domestic FSMA framework, not a copy of the EU Markets in Crypto-Assets Regulation, and the two diverge in structure as well as detail. MiCAR runs on white papers, authorisation as a crypto-asset service provider and a passport across the EU; the UK runs on amendments to its own Regulated Activities Order, FCA authorisation under FSMA and no EU passport. Our explainers on MiCAR reporting obligations and the end of the MiCA CASP transitional period show how different the EU machinery looks.

The trap is assuming equivalence of concepts. A MiCAR CASP authorisation does not grant UK permissions, a MiCAR white paper is not a UK admissions-and-disclosures document under PS26/9, and the EU’s stablecoin categories of asset-referenced and e-money tokens do not line up cleanly with the UK’s qualifying stablecoin definition. A firm operating on both sides of the Channel needs two mappings and two sets of returns, and the reconciliation between them is a control in its own right, not a copy-paste.

Frequently Asked Questions

When does the FCA cryptoasset regime actually take effect?

The mandatory regime is expected to take effect on 25 October 2027. Before that, the authorisation window runs from 30 September 2026 to 28 February 2027, and pre-application support meetings are available from July 2026. The enabling legislation, SI 2026/102, was made on 4 February 2026.

Does our existing MLR registration convert to FSMA authorisation?

No. The FCA has stated there is no automatic conversion. An MLR registration is an anti-money-laundering permission and does not guarantee FSMA authorisation. Firms registered under the Money Laundering Regulations 2017 must apply through the gateway to carry on regulated cryptoasset activities after 25 October 2027.

What happens if we do not get a decision before the regime starts?

If you submitted a complete application inside the window and the FCA has not determined it by 25 October 2027, a saving provision lets you continue providing your cryptoasset services until the application is finally determined, including through the Upper Tribunal. Firms that did not apply in the window do not get that protection.

Which activities are caught by the new regime?

Issuing a qualifying stablecoin, safeguarding qualifying cryptoassets, operating a qualifying cryptoasset trading platform, dealing in qualifying cryptoassets as principal or agent, arranging deals, and qualifying cryptoasset staking. Public offers, admissions to trading and market abuse are treated as designated activities under SI 2026/102 and PS26/9.

What are the prudential requirements for cryptoasset firms?

PS26/12 introduces the COREPRU and CRYPTOPRU sourcebooks. They set a permanent minimum requirement, an own-funds requirement scaled to the activity, and an overall risk assessment obligation described in GC26/4 and GC26/5. For stablecoin issuance the final rules set a capital coefficient of 1 percent of issued value, reduced from the 2 percent proposed at consultation. Confirm the exact figures against the policy statement before modelling.

Do the cryptoasset financial promotion rules still apply?

Yes. The cryptoasset financial promotions regime has applied since 8 October 2023 under PS23/6 and the Financial Services and Markets Act 2000 (Financial Promotion) (Amendment) Order 2023. Promotions to UK consumers must be communicated or approved by an authorised person, made by an MLR-registered firm, or fall within an exemption. As the MLR route winds down, firms relying on it to promote their own products need to re-plan around FSMA authorisation.

How is this different from complying with MiCAR in the EU?

The UK regime is a domestic FSMA framework built on amendments to the Regulated Activities Order, not a version of MiCAR. There is no EU passport, the authorisation and disclosure concepts differ, and the stablecoin definitions do not map one-to-one. A firm active in both markets needs separate authorisations and separate reporting.

Related Articles

Key Takeaways

  • The FCA cryptoasset regime is built on SI 2026/102, made on 4 February 2026, and the final rules in PS26/9 to PS26/13, published on 30 June 2026. It becomes mandatory on 25 October 2027.
  • The authorisation window runs from 30 September 2026 to 28 February 2027. A complete application inside the window carries a saving provision that lets the firm keep operating until determined; missing the window does not.
  • An MLR 2017 registration does not convert to FSMA authorisation. There is no automatic conversion, and registration does not guarantee authorisation.
  • The prudential regime lives in the new COREPRU and CRYPTOPRU sourcebooks (PS26/12), including an overall risk assessment obligation and, for stablecoins, a capital coefficient set at 1 percent of issued value in the final rules.
  • Client assets are governed by CASS 16 for stablecoin backing assets and CASS 17 for custodied cryptoassets, enforced through reconciliation and a returnability regime.
  • PS26/13 applies the Consumer Duty, COBS, SYSC and the SM&CR to authorised crypto firms, so governance must sit in the authorised UK entity.
  • Reporting shifts from narrow MLR filing to full FCA regulatory returns through RegData, plus the live financial promotions regime and the separate CARF tax layer.
  • The UK regime is not the EU’s MiCAR. Reusing a MiCAR mapping without re-testing it against the UK Regulated Activities Order is a control failure, not a shortcut.

Sources and References

  • FCA press release, “FCA sets landmark crypto rules to cement the UK’s place as a global hub”, 30 June 2026: fca.org.uk
  • FCA, “Overview of our cryptoassets regime policy statements” (PS26/9 to PS26/13, FG26/5 to FG26/7, GC26/4, GC26/5): fca.org.uk
  • FCA, “A new regime for cryptoasset regulation”: fca.org.uk
  • FCA, “Cryptoassets: How the gateway will operate”: fca.org.uk
  • FCA, “Cryptoasset firms: Registration under the MLRs ahead of the new FSMA regime”: fca.org.uk
  • The Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, SI 2026/102: legislation.gov.uk
  • FCA, CP25/40 “Regulating cryptoasset activities”: fca.org.uk
  • FCA, CP25/41 “Regulating cryptoassets: Admissions & disclosures and market abuse regime for cryptoassets”: fca.org.uk
  • FCA, CP25/14 “Stablecoin issuance and cryptoasset custody”: fca.org.uk
  • FCA, CP25/42 “A prudential regime for cryptoasset firms”: fca.org.uk (PDF)
  • FCA, PS23/6 “Financial promotion rules for cryptoassets”: fca.org.uk
  • FCA, FG23/3 “Finalised non-Handbook Guidance on cryptoasset financial promotions”: fca.org.uk
  • FCA, “Crypto Roadmap”: fca.org.uk (PDF)

Where a compliance function should start this quarter

The dates decide the plan. Between now and 30 September 2026, the work is scoping: run the perimeter analysis against SI 2026/102 and PS26/11, decide which UK legal entity will hold the permissions, and take a pre-application support meeting while they are freely available. Between the gateway opening and the end of 2026, the work is building the application and the prudential and reporting machinery in parallel, so the return that the permission triggers is not a scramble after the fact. The firms that struggle are the ones that treat 25 October 2027 as the deadline. The real deadline is the close of the window on 28 February 2027, and the saving provision only rewards firms that beat it.

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Similar Posts