FCA Crypto Authorization Requirements for Exchanges: UK Rules Explained

May 2, 2026

Running a cryptocurrency exchange in the United Kingdom is no longer just about building a secure platform and attracting users. Since January 2020, the landscape has shifted dramatically under the watch of the Financial Conduct Authority, the UK's financial regulatory body responsible for overseeing conduct standards and market integrity. If you are planning to launch or scale a crypto business that touches UK customers, you need to understand exactly what it takes to get authorized. The stakes are high: operating without proper status can lead to severe penalties, including criminal charges and being forced to shut down operations.

The core issue isn't just about technology; it is about legal permission. The FCA distinguishes between simple registration under anti-money laundering laws and full authorization under financial services legislation. As we move through 2026, this distinction is becoming sharper. New rules under the Financial Services and Markets Act (FSMA) are bringing crypto activities closer to traditional finance regulations. This means exchanges must prove they are not only safe from fraud but also robust enough to protect consumer assets and maintain market stability.

Current Baseline: Money Laundering Registration

Right now, if your business operates as a cryptoasset exchange provider or a custodian wallet provider, you likely already know about the registration requirement. This process falls under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017. It became mandatory in January 2020. Without this registration, you cannot legally offer these services in the UK. However, registration is not the same as authorization. It is a baseline check focused primarily on preventing financial crime.

To register, you must demonstrate that you have effective systems to prevent money laundering and terrorist financing. The FCA expects you to follow specific guidance, particularly from the Joint Money Laundering Steering Group (JMLSG). Their Part II, Chapter 22 provides detailed instructions for crypto firms. You need to show how you identify customers, assess risks, and monitor transactions. The application process can result in four outcomes: approval, rejection, withdrawal, or refusal. Many firms struggle here because they treat compliance as an afterthought rather than a core part of their business model.

  • Customer Due Diligence: You must verify the identity of every user. This includes checking government-issued IDs and understanding the source of funds.
  • Risk Assessment: Your firm needs a documented risk assessment that covers all your products and customer types.
  • Ongoing Monitoring: One-time checks aren't enough. You must continuously monitor transactions for suspicious activity.

If you fail to meet these standards, the FCA will refuse your application. More importantly, even if you are registered, the FCA retains the power to remove your status if you breach the rules. Recent enforcement actions show that the regulator is willing to act quickly against firms that neglect these obligations.

The Shift to FSMA Authorization

Registration is just the beginning. The real change comes with the implementation of new provisions under the Financial Services and Markets Act 2000 (FSMA). These changes bring crypto activities into the realm of regulated financial services. Instead of just registering, firms will need to be authorized. This is a much more rigorous process that mirrors the requirements for banks and investment firms.

Under the new framework, five core activities require FCA authorization:

  1. Operating a qualifying cryptoasset trading platform: This covers exchanges where users buy and sell cryptoassets against each other.
  2. Dealing in qualifying cryptoassets as principal: When your firm buys or sells crypto for its own account.
  3. Dealing in qualifying cryptoassets as agent: When your firm executes trades on behalf of clients.
  4. Arranging deals in qualifying cryptoassets: Facilitating transactions between third parties.
  5. Safeguarding qualifying cryptoassets: Holding client funds or digital assets securely.

Additionally, two other activities have separate authorization paths: issuing qualifying stablecoins and providing qualifying cryptoasset staking services. Each of these has distinct requirements. For example, stablecoin issuers face stricter capital and reserve requirements because they promise a fixed value, similar to cash. Staking providers must ensure they can manage validator nodes responsibly and handle potential slashing events without losing client funds.

This shift means that crypto exchanges will need to adopt higher standards of corporate governance, risk management, and financial reporting. The FCA wants to see evidence that your firm can withstand market volatility and operational failures. You will need to appoint key personnel who are fit and proper to hold their roles. This includes directors, senior managers, and compliance officers. The FCA will scrutinize their backgrounds, experience, and integrity.

Territorial Scope: Who Needs Authorization?

A common question is whether overseas firms need UK authorization. The answer depends on who your customers are. The new FSMA rules introduce complex territorial scope provisions. Generally, any firm dealing directly or indirectly with UK consumers requires authorization. A "consumer" is defined as an individual acting outside their trade, business, or profession. This means retail investors fall under this definition.

If you are an overseas exchange serving UK retail customers, you must obtain UK authorization. There is no exemption for simply having servers outside the country. The FCA looks at where the service is provided, not just where the company is incorporated. However, there is a critical exception. If you deal with UK consumers through a UK-authorized intermediary who holds the necessary permissions, you may not need separate authorization. This prevents an endless chain of firms from needing licenses. But beware: the intermediary must take responsibility for the relationship with the consumer.

Institutional clients are treated differently. Overseas firms serving only UK institutional customers do not need UK authorization for trading platforms, dealing, or arranging deals. Institutional clients are considered sophisticated enough to protect themselves. They are expected to conduct their own due diligence. This exemption recognizes the global nature of wholesale markets while still protecting retail investors. But remember, the institutional client must not be acting as an intermediary for retail consumers. If they are, the overseas firm could still trigger authorization requirements.


Stablecoins and Physical Presence

Stablecoin issuance stands apart from other crypto activities. The rules here focus on physical presence rather than customer location. To issue qualifying stablecoins, a firm must carry on the activity from an establishment in the United Kingdom. This means you need a physical office or branch in the UK. Simply targeting UK users from abroad is not enough. This approach reflects the unique risks associated with stablecoins. Because they peg to fiat currencies like the pound or dollar, they can impact monetary policy and financial stability if they fail.

This physical presence test creates a barrier for international stablecoin projects. They must set up local entities to operate in the UK. This involves hiring local staff, establishing banking relationships, and complying with UK corporate law. The FCA uses this requirement to ensure it has direct supervisory access to the issuer. It can inspect books, interview management, and enforce rules effectively. For exchanges offering stablecoin pairs, this means you need to vet your partners carefully. Working with unauthorized issuers could expose you to regulatory risk.

Comparison of FCA Regulatory Pathways for Crypto Activities

| Activity Type | Regulatory Basis | Key Requirement | Target Audience Focus |
|---|---|---|---|
| Crypto Exchange/Custody | Money Laundering Regulations | Registration | All Users (Baseline) |
| Trading Platform Operation | FSMA Authorization | Full Authorization | UK Consumers & Institutions |
| Stablecoin Issuance | FSMA Authorization | UK Establishment Required | Market Stability Focus |
| Overseas Firm Serving Retail | FSMA Territorial Scope | Authorization Needed | UK Retail Investors |

High-Level Standards and Supervision

Once authorized, your firm must adhere to high-level standards similar to those applied to traditional financial institutions. The FCA applies Threshold Conditions (COND) and General Provisions (GEN) to crypto firms. These cover solvency, resources, and organizational structure. You must prove you have enough capital to absorb losses and continue operating during stress periods. The Principles for Businesses (PRIN) also apply, though with some modifications.

For instance, Principle 1 (Integrity) and Principle 2 (Skill, Care and Diligence) are disapplied for transactions executed on qualifying trading platforms by members. This acknowledges that the platform operator sets the rules, and members agree to them. Similarly, Principle 6 (Customers' Interests) and Principle 9 (Relationships of Trust) are adjusted for professional clients. The logic is that professionals are capable of looking out for themselves. However, for retail clients, these principles remain fully active. You must always act in their best interest and avoid conflicts.

Supervision (SUP) provisions give the FCA broad powers to oversee your firm. They can request information, appoint skilled persons to audit your systems, and vary or cancel your permissions if needed. Stablecoin issuers and custodians face specific CASS (Client Asset Sourcebook) audit requirements. These audits ensure that client assets are properly segregated and protected. You cannot mix client funds with your own operational accounts. This segregation is crucial for protecting users if your firm goes bankrupt.


Recent Changes: Retail Access to cETNs

In October 2025, the FCA made a significant move by allowing retail access to crypto exchange-traded notes (cETNs). Previously, since January 2021, the sale of derivatives referencing unregulated cryptoassets was banned for retail clients. This reversal opens new opportunities for exchanges and investment firms. However, there are strict conditions. These cETNs must trade on FCA-approved, UK-based Recognised Investment Exchanges. This ensures that the market infrastructure meets high standards of transparency and liquidity.

For exchanges, this means you can now offer listed products to retail investors, provided they are traded on approved venues. It does not mean you can sell over-the-counter derivatives freely. The FCA remains cautious about complex products. The goal is to provide retail investors with safer, regulated ways to gain exposure to crypto markets. This development signals a maturing market where innovation is balanced with investor protection. Exchanges should consider partnering with recognized exchanges to offer these products to their user base.

Application Process and Documentation

Applying for authorization is not a quick task. It requires comprehensive documentation and a deep understanding of regulatory expectations. The FCA expects you to reference official guidance documents in your application. This includes the JMLSG guidance, the FCA Financial Crime guide, and FATF recommendations on virtual asset service providers. You should also consider the FCA Guidance FG17/6 on Politically Exposed Persons (PEPs).

Before submitting your formal application, consider booking a pre-application meeting with the FCA. This allows you to discuss your business model and get feedback on potential issues. The FCA conducts engagement events to help applicants prepare. Use these opportunities to clarify doubts and align your strategy with regulatory goals. Your application must demonstrate how you will comply with all relevant rules from day one. Vague promises are not enough. You need concrete plans, policies, and procedures.

Expect the process to take several months. The FCA reviews applications thoroughly. They may ask for additional information or clarification. Be prepared to respond promptly and accurately. Delays can hurt your business timeline. Having a dedicated compliance team or external advisors can streamline this process. They can help you navigate the complexities and ensure your submission is complete and robust.

Next Steps for Exchanges

If you are running a crypto exchange today, you must assess your current status. Are you registered under MLRs? Do you plan to expand into activities requiring FSMA authorization? Start by mapping your services against the five core regulated activities. Identify gaps in your compliance framework. Engage with legal experts who specialize in UK financial regulation. They can help you design a roadmap for authorization.

Prepare your internal systems for greater scrutiny. Implement robust KYC (Know Your Customer) and AML (Anti-Money Laundering) controls. Ensure your IT infrastructure is secure and resilient. Document your risk management processes clearly. Train your staff on regulatory obligations. Culture matters. Compliance must be embedded in your organization's DNA, not just a box-ticking exercise.

Monitor regulatory developments closely. The FCA continues to refine its approach. Consultation papers and policy statements will provide further details on technical standards. Stay informed through official channels and industry associations. Adaptability is key. The regulatory environment will evolve, and your business must evolve with it.

What is the difference between FCA registration and authorization for crypto exchanges?

Registration is required under Money Laundering Regulations for basic exchange and custody services. It focuses on preventing financial crime. Authorization is required under FSMA for broader financial activities like operating trading platforms or dealing in cryptoassets. It involves stricter standards, including capital adequacy, governance, and consumer protection. Registration is a baseline; authorization is a comprehensive license.

Do overseas crypto exchanges need FCA authorization if they serve UK customers?

Yes, if they serve UK retail consumers directly or indirectly. The territorial scope rules require authorization for firms dealing with UK individuals acting outside their business. However, if they serve only UK institutional clients, or use a UK-authorized intermediary, they may be exempt. The definition of "consumer" is critical here.

When does the new FSMA authorization regime come into effect?

The specific implementation timelines are still being finalized by HM Treasury and the FCA. While draft legislation exists, firms should prepare now. The transition period will allow existing registered firms to apply for authorization. Delaying preparation could result in non-compliance once the rules become mandatory.

Can I offer crypto derivatives to retail clients in the UK?

Generally, no, unless they are listed crypto exchange-traded notes (cETNs) traded on an FCA-approved Recognised Investment Exchange. The ban on retail derivatives referencing unregulated cryptoassets was lifted in October 2025, but only for these specific, regulated products. Over-the-counter derivatives remain prohibited for retail investors.

What happens if my FCA application is rejected?

If rejected, you cannot operate the specified activities in the UK. You can appeal the decision or address the deficiencies and reapply. The FCA provides reasons for rejection, which usually relate to insufficient compliance frameworks, lack of resources, or unfit management. Fixing these issues is essential before reapplying.