On 3 June 2026, the Financial Conduct Authority (FCA) published a set of responses to questions raised by firms on the introduction of anti-money laundering (AML) regulations for cryptoasset firms, specifically, on the interaction between the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) and the forthcoming Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026 (Cryptoassets Regulation), alongside the FCA’s expectations across a range of financial crime compliance topics.
The Cryptoassets Regulations come into force on 25 October 2027.
Practical Takeaways
The responses cover a number of areas for firms to consider before the cryptoasset regime comes into force, including:
- Regulatory perimeter, regimes and transition: The FCA makes clear that there will be no automatic conversion from MLR registration and that firms will need to obtain FCA authorisation. Firms that already authorised under the Financial Services and Markets Act 2000 (FSMA) for other regulated activities will need to vary their existing permissions if they wish to offer one of the new cryptoasset regulated activities. The FCA will start accepting applications for authorisation under FSMA from 30 September 2026. The FCA encourages new firms to focus on securing authorisation under FSMA rather than applying for MLR registration. That said, firms that still wish to apply for MLR registration after 30 September 2026 should contact the FCA’s Pre-application Support Service (PASS) to explain their plans and rationale.
- Authorisation expectations and application quality: The FCA sets out its expectations of firms’ systems, controls, AML and financial crime governance when applying under the new cryptoasset regime. Firms should plan for a financial crime assessment that is broader than the current MLR registration process, encompassing governance, systems and controls, resources and overall readiness. Innovative or “pure on-chain” models should focus on evidencing a risk-based AML, counter-terrorist financing (CTF), counter-proliferation financing (CPF) approach calibrated to the firm’s transaction flows.
- AML governance, MLRO and senior management arrangements: Firms seeking FSMA authorisation must comply with FCA expectations regarding governance, leadership and resourcing. The FCA expects firms to demonstrate clear senior ownership and accountability for financial crime risk management, effective escalation routes, and management information that enables sufficient oversight, in line with the FCA’s Senior Management Arrangements, Systems and Controls (SYSC) 3. Individuals in key AML roles, including the Money Laundering Reporting Officer (MLRO), must be competent and appropriately experienced for the activities and risks in scope, and have sufficient time and resources to discharge their responsibilities effectively.
- AML framework design, documentation and risk: The FCA expects firms to maintain a risk-based AML framework that is proportionate and tailored to the firm’s cryptoasset activities. The business-wide risk assessment (BWRA) is described as a foundational document, which should be in place before a firm seeks registration or authorisation and should be kept up to date whenever there are material changes for example, new products, customer types, geographies, delivery channels, or changes to transaction flow. Firms may use templates as a starting point, but policies and procedures must be appropriately tailored and embedded in day-to-day operations.
- Crypto-specific risk assessment: The FCA expects firms to demonstrate how the BWRA drives their customer due diligence, monitoring and wider control framework. The BWRA should consider products and services offered, customer types and expected use cases, geographic exposure, delivery channels, transaction risk, and how the firm interacts with third parties or counterparties.
- Transaction monitoring, blockchain analytics and surveillance: Where firms use blockchain analytics or transaction monitoring tools (whether in-house or third-party), they should be able to explain why the solution is appropriate, what it covers and does not cover, how it is configured, the outcomes it produces, and how effectiveness is tested and overseen.
- Travel Rule and information sharing: The Travel Rule obligations form part of the MLRs and operate concurrently with the new FSMA regime. Firms should consider whether their activities bring them within scope of the MLRs, with Travel Rule applicability assessed on a firm-by-firm basis taking account of the firm’s individual business and operating model.
- Sanctions, fraud and broader financial crime controls: The FCA expects firms to recognise that AML, CTF, CPF controls sit alongside other relevant financial crime obligations and risks, including sanctions and fraud. This should be reflected in governance, risk assessments, monitoring and escalation processes, and in how controls operate end-to-end.
- Operational resilience and cross-border considerations: The FCA expects firms to recognise the close links between operational resilience and financial crime controls. Firms should demonstrate how they have identified their important business services and, where they rely on common infrastructure or concentrated third-party providers, consider the operational resilience and financial crime implications of those dependencies.
- Cross-border activity and international alignment: The FCA notes that firms operating across multiple jurisdictions should ensure their UK AML framework meets UK regulatory requirements and is implemented effectively in respect of UK in-scope activity, regardless of where group policies, systems, or overseas operations are located.