
Crypto firms operating in the UK may need to ensure their processes, data and risk management systems align more closely with regulatory standards that apply to traditional financial institutions, under rules expected to come into effect in October 2027.
Firms operating crypto trading platforms, dealing in qualifying cryptoassets as principal or agent, arranging deals, providing custody services, issuing stablecoins, or offering qualifying staking are expected to fall within the scope of full Financial Conduct Authority (FCA) authorisation requirements. The regime reflects the ‘same risk, same regulatory outcome’ principle, under which firms doing similar activities face similar regulatory expectations, whether they involve cryptoassets or traditional financial products or arrangements.
As established under The Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, firms already registered with the FCA under the Money Laundering Regulations 2017 should not assume that existing permissions will automatically carry over into the new regime. The framework extends to encompass the regulated Senior Managers and Certification Regime (SM&CR), prudential capital requirements, operational resilience obligations, and a new market abuse regime covering insider dealing and market manipulation.
Governance, resources, operational resilience, financial crime controls, and individual accountability are likely to receive increased supervisory focus. Firms that approach the transition strategically and deploy more unified systems for risk management and record-keeping may benefit from greater efficiency as well as better compliance.
The FCA has indicated that it expects to open its authorisation application window from 30 September 2026 until the end of February 2027, with the new regime expected to come into force in October 2027. For many firms, this timeline suggests that preparation work may need to begin well in advance of the application window, particularly if governance arrangements, data capabilities, and control frameworks need development.
Firms that apply early and are authorised before commencement may be better positioned to retain a broader range of permissions and operational rights, subject to FCA approval. By contrast, those that delay applying may face a narrower transitional path, potentially being restricted to servicing pre-existing contracts under specified conditions, with the FCA retaining discretion to review or withdraw those transitional permissions. For asset managers in particular, “authorised status” is increasingly viewed as a new baseline for regulatory credibility, often cited by market participants as supportive of institutional capital allocation, particularly among US investors seeking jurisdictions with structured, enforceable rules.
As an initial step, firms may map their current activities against the new regulated activities list in the rules to identify the permissions likely to be required. Firms may also find value in establishing a dedicated authorisation steering group, with board-level SM&CR responsibility, well ahead of the September 2026 application gateway.
The FCA’s pre-application support service (Pass), expected to be available from 26 July 2026, is intended to provide firms with an opportunity to introduce their business model and stress-test their application before submission.
One of the more significant operational challenges lies in data. Many crypto firms operate across fragmented data environments that reflect the sector’s rapid technical evolution. On‑chain transaction data may sit across multiple blockchains and protocols, while off‑chain customer and counterparty data may be held in separate know-your-customer (KYC), customer relationship management (CRM), and trading systems. Wallet attribution, third‑party risk intelligence, and market surveillance data frequently sit alongside these in disconnected environments.
The FCA’s Consultation Paper CP25/42 sets out capital, liquidity, and risk management expectations for authorised cryptoasset firms. For asset managers and custodians, this may translate into requirements more closely aligned with those applied to banks, particularly in relation to reserve management and financial resilience. Governance frameworks are also expected to reflect FCA Handbook standards, including senior manager roles holding approved person status and clear accountability maps under SM&CR.
Conduct of business rules would extend best execution, order handling, and conflict-of-interest obligations to cryptoasset intermediaries, broadly mirroring standards that traditional investment managers already navigate.
Under FSMA, supervisory assessments may go beyond data availability to include data lineage and traceability. This can include evidencing customer orders, executions, transfers and asset movements across both traditional systems and distributed ledger components. Depending on the current infrastructure, addressing these expectations may involve changes to the underlying data architecture rather than incremental solutions added to existing platforms.
Firms may also be expected to demonstrate risk-based anti-money laundering (AML) and counter-terrorist financing frameworks supported by transaction monitoring that brings together on-chain and off-chain intelligence. Sanctions considerations may extend to wallet addresses and transaction flows, alongside more traditional customer and counterparty information.
In parallel, suspicious activity report (SAR) workflows may be required to translate complex on‑chain behaviors into narratives suitable for law enforcement. For some firms, this could surface gaps in technology capability, specialist resourcing, or governance oversight.
FSMA introduces new expectations around operational resilience. Firms are expected to identify their important business services, such as trading execution, custody, transfers or staking, and set tolerances for disruption. They are also expected to map dependencies across internal systems and third‑party providers, and conduct scenario testing against severe but plausible events.
For many crypto firms, these dependencies may span validators, nodes, custodians, exchanges, cloud infrastructure providers, and decentralized protocols. Testing resilience in this context may require greater operational visibility and coordination.
As crypto firms prepare for FSMA authorisation, some of the most complex challenges are likely to sit at the intersection of customer due diligence, third‑party exposure and ongoing risk oversight. The FCA’s expectations around governance, financial crime controls, operational resilience, and data traceability increasingly point toward the need to view KYC, sanctions, monitoring, and third‑party risk management as interconnected components of a broader compliance framework, rather than discrete functions.
By bringing together identity verification, beneficial ownership, sanctions and adverse media data with third‑party risk assessment and monitoring workflows, firms may be better positioned to develop a more coherent risk picture across customers, counterparties and critical partners. When aligned with broader governance and operational resilience frameworks, this approach may support firms’ FSMA readiness efforts around more consistent data, documented controls, and accountable decision‑making.










