When will the UK cryptoasset regulatory regime take effect?

The FCA has indicated that the FSMA Part 4A authorisation gateway for cryptoasset activities is expected to open in 2026, with a 24-month transitional window for existing MLR-registered firms. Firms should begin readiness programmes now to meet threshold conditions at the point of application.

Do I need FCA authorisation if I already have MLR registration?

Yes. MLR registration covers anti-money laundering obligations only. The new regime will require firms conducting cryptoasset activities to hold FSMA Part 4A authorisation, which covers governance, prudential requirements, conduct of business, consumer protection, and operational resilience — significantly broader than MLR registration.

What are the main areas the FCA will scrutinise for crypto authorisation?

The FCA is expected to scrutinise six core areas: governance and SM&CR arrangements, financial resources and prudential adequacy, business model viability, financial crime controls, operational resilience, and consumer/market protection. Each area requires specific evidence and documentation.

How long does the crypto authorisation readiness programme take?

A typical readiness programme takes 16+ weeks, split into four phases: readiness review (weeks 1-3), evidence build (weeks 4-10), application and submission (weeks 11-16), and FCA engagement (week 17 onwards). Timelines depend on the firm's starting position and complexity of activities.

Crypto Regulatory Readiness

Cryptoasset Regulatory Readiness

The UK cryptoasset regime is taking shape. Firms seeking FCA authorisation under FSMA Part 4A will face scrutiny across governance, financial crime, prudential resources, and operational resilience. MEMA helps you build the evidence the FCA expects — before the gateway opens.

Assess Your Readiness Download the Guide Call: 0330 133 0811

2026

Gateway opens

24 months

Transitional window

Jan 2026

Earliest applications

Why the Timing Matters

The FCA's cryptoasset regime will bring currently MLR-registered firms into full prudential regulation under FSMA. Firms that hold an existing MLR registration will benefit from a transitional window — but only if they demonstrate readiness by the gateway date.

Firms without an MLR registration face a cold-start process: building governance, financial crime frameworks, prudential resources, and operational resilience evidence from scratch. The FCA has signalled that it expects applicants to meet threshold conditions at the point of application, not after authorisation.

Cross-registration friction is real. Firms currently operating under temporary registration must decide whether to apply under the new regime or exit. The window is narrow, and early movers will benefit from structured FCA engagement before volumes peak.

Indicative Timetable

A structured programme from readiness review to FCA engagement

Weeks 1–3

Readiness Review

Weeks 4–10

Evidence Build

Weeks 11–16

Application & Submission

Weeks 17+

FCA Engagement

FCA Scrutiny Points

Six areas the FCA will probe during the authorisation assessment

Governance & SM&CR

Board composition and crypto expertise
Prescribed responsibilities for cryptoasset activities
Statements of Responsibilities and management maps
Certification and conduct rules regime

Financial Resources

Capital adequacy against MIFIDPRU or IPRU-INV
Liquid asset buffers and stress testing
Wind-down planning and cost estimation
Financial projections covering at least 3 years

Business Model Viability

Revenue model and fee structures
Customer journey end-to-end
Permissions scope (dealing, arranging, advising, custody)
Market analysis and competitive positioning

Operational Resilience

IT outsourcing register and due diligence
Incident response and cyber security
Business continuity for custody and key management
Important business service mapping

Consumer & Market Protection

Consumer Duty outcome mapping
Market abuse surveillance controls
Complaints handling (DISP compliance)
Financial promotions and risk warnings

Systems & Controls

Compliance monitoring programme
Management information and reporting
Conflicts of interest register
Record-keeping and audit trail

Evidence Expectations

What the FCA expects

Regulatory business plan with clearly articulated customer journey and operational model
Compliance monitoring programme tailored to cryptoasset-specific risks
Financial crime framework covering AML, CTF, sanctions, and proliferation finance
Capital adequacy evidence with financial projections and stress scenarios
Outsourcing register with due diligence records for all material providers

What firms underestimate

⚠Controller forms and fit-and-proper evidence for beneficial owners, including source of wealth documentation
⚠Prudential depth — the FCA expects more than a capital number; it wants to see methodology, assumptions, and stress tests
⚠Consumer Duty integration — not a standalone policy but embedded into product design, distribution, and outcome monitoring
⚠SM&CR mapping complexity — prescribed responsibilities for crypto activities must be specific, not generic
⚠Financial promotions compliance — the s21 gateway and strengthened rules for high-risk investments apply from day one

AML & Financial Crime Workstream

The financial crime framework is one of the most heavily scrutinised areas for crypto applicants. The FCA will expect compliance with the Money Laundering Regulations, JMLSG guidance, and crypto-specific risk factors.

Risk assessment methodology

Business-wide and customer-level risk assessments reflecting crypto-specific typologies (mixer usage, unhosted wallets, DeFi exposure)

Transaction monitoring design

On-chain analytics capability, rule-based and behavioural monitoring, calibration for crypto transaction patterns

Screening framework

Sanctions screening, PEP screening, adverse media — applied to both fiat and crypto counterparties

SAR procedures

Suspicious Activity Report procedures with named MLRO, deputy, escalation paths, and tipping-off controls

Training programme

Role-based AML training covering crypto-specific red flags, with completion tracking and annual refresh

FCA Handbook Rule Clusters

Key sourcebooks that apply to cryptoasset firms under the new regime. Each cluster carries specific obligations that the FCA will assess during the authorisation process.

The eleven Principles underpin every FCA authorisation. For crypto firms, Principle 2 (skill, care, and diligence), Principle 6 (customers' interests), and Principle 11 (dealing with regulators) carry particular weight. The FCA will assess whether your governance, disclosures, and operational conduct demonstrate each Principle in practice — not just on paper.

Key obligations

✓Act with integrity and treat customers fairly
✓Maintain adequate financial and non-financial resources
✓Communicate with clients in a way that is clear, fair, and not misleading
✓Deal openly and cooperatively with the FCA

SYSC governs internal governance, risk management, and accountability. For crypto firms, the FCA will probe board composition, SM&CR implementation, IT risk management, and the robustness of compliance oversight — especially where technology and custody arrangements involve novel risks.

Key obligations

✓Appoint Senior Managers with prescribed responsibilities for crypto activities
✓Implement compliance monitoring and management information frameworks
✓Maintain adequate systems and controls for operational resilience
✓Ensure conflicts of interest are identified and managed

COBS sets out conduct standards for investment-related activities. Crypto firms dealing, arranging, or advising on cryptoassets that qualify as specified investments must comply with suitability, appropriateness, and disclosure requirements. Financial promotions must meet the FCA's strengthened rules for high-risk investments.

Key obligations

✓Assess appropriateness and/or suitability before providing services
✓Provide clear risk warnings, especially for high-risk cryptoassets
✓Comply with financial promotion rules (including the s21 gateway)
✓Maintain records of client communications and investment decisions

CASS governs the safeguarding of client money and custody assets. For crypto firms holding client cryptoassets or fiat, the FCA will expect robust custodial controls, segregation arrangements, reconciliation processes, and adequate insurance or capital backing. This is among the most scrutinised areas for crypto authorisation.

Key obligations

✓Segregate client assets from proprietary holdings
✓Implement daily and periodic reconciliation of client positions
✓Appoint a CASS oversight officer (CF10a) where applicable
✓Maintain records demonstrating compliance with custody requirements

MAR addresses market abuse, insider dealing, and market manipulation. Crypto firms involved in trading, exchange, or arranging activities will need surveillance systems capable of detecting manipulative patterns — including wash trading, layering, and insider information misuse within the cryptoasset context.

Key obligations

✓Establish trade surveillance and market abuse detection systems
✓Implement suspicious transaction and order reporting (STORs)
✓Maintain insider lists where applicable
✓Train staff on market abuse obligations specific to cryptoasset markets

SUP covers the FCA's supervisory expectations post-authorisation: regulatory reporting, notifications, change in control, and waivers. Crypto firms must be prepared for proactive supervision — the FCA has signalled it will apply enhanced oversight during the transitional period to ensure new entrants meet threshold conditions on an ongoing basis.

Key obligations

✓Submit regulatory returns and notifications on time
✓Notify the FCA of material changes (controllers, Senior Managers, business model)
✓Cooperate with supervisory information requests
✓Maintain a compliance culture that evidences ongoing threshold condition adherence

Outsourcing & Group Governance

The FCA expects crypto firms to maintain meaningful oversight of outsourced functions — particularly technology, custody, and compliance. Group structures add complexity: the FCA will probe delegation arrangements, intra-group service agreements, and the ability of the UK entity to operate independently if group support is withdrawn.

Technology outsourcing must be evidenced with due diligence, contractual controls, and exit strategies
Group governance arrangements should demonstrate the UK entity retains decision-making authority
Delegation of regulated activities requires clear accountability and oversight mechanisms
Outsourced compliance functions must have unrestricted access to records and management

FCA focus areas for outsourcing

Technology & Infrastructure

Cloud hosting, blockchain node providers, wallet infrastructure, key management services

Counterparty & Liquidity

Exchange counterparties, OTC desks, liquidity providers — due diligence and concentration risk

Group Structure

Intra-group agreements, delegation registers, independence of the UK regulated entity

MEMA Support Structure

A structured programme covering every workstream the FCA will assess

Readiness gap analysis against FCA scrutiny points

Regulatory business plan drafting and review

SM&CR governance mapping and Statements of Responsibilities

Financial crime framework build (AML, CTF, sanctions, SAR procedures)

Prudential assessment and capital adequacy evidence

Outsourcing register and third-party due diligence

Consumer Duty outcome mapping and evidence framework

Compliance monitoring programme design

Application pack compilation and FCA submission

FCA query management and interview preparation

Post-authorisation onboarding and BAU compliance support

Market abuse surveillance design (where applicable)

Interactive Tool

Readiness Self-Assessment

Answer questions across six FCA scrutiny areas to understand your current readiness position and identify gaps.

Governance & SM&CR

Financial Resources

Business Model

Financial Crime

Operational Resilience

Consumer & Market Protection

Step 1 of 6

Governance & SM&CR

Answer each question based on your firm's current position.

Does your firm have SM&CR-compliant governance arrangements in place (or a plan to implement them)?

Have prescribed responsibilities been mapped to named Senior Managers, including crypto-specific oversight?

Does the board (or governing body) have documented oversight of cryptoasset activities and associated risks?

Download the Readiness Guide

Our 16-page regulatory briefing covers FCA scrutiny points, evidence expectations, rule clusters, and programme structure.

Download the Readiness Guide

16-page regulatory briefing covering FCA scrutiny points, evidence expectations, and programme structure.

Ready to Assess Your Regulatory Position?

Speak with our crypto regulatory team about your firm's readiness and application strategy.

Book a Consultation Email Us

Phone: 0330 133 0811

Email: contact@memaconsultants.com

Suite 1810, Unit 3a, 34-35 Hatton Gardens, Holborn, EC1N 8DX