UK Cryptoasset Regulation 2026

What Crypto Firms Need to Know About FCA Authorisation and Compliance

Key Takeaways

•      Firms should commence preparation of their FCA authorisation applications immediately for submissions within the window of 30 September 2026 to 28 February 2027. A thorough application can take three months or longer to prepare.

•      The new regime extends authorisation requirements to a broad range of cryptoasset activities, including issuing qualifying stablecoins, safeguarding cryptoassets, operating trading platforms, dealing in qualifying cryptoassets as principal or agent, arranging transactions, and arranging staking services.

•      Regulatory scope is determined by the substance of operations. Automation, decentralisation, or the use of blockchain or distributed ledger technology does not automatically exempt a firm from authorisation requirements.

•      Operating regulated cryptoasset activities without FCA authorisation is a criminal offence under UK law, carrying penalties of up to two years' imprisonment, unlimited financial fines, or both, as well as potentially rendering contracts unenforceable.

Introduction

The United Kingdom's updated cryptoasset regulatory framework represents one of the most significant shifts in the country's financial services landscape in recent years. Following a period of consultation and legislative development, the Financial Conduct Authority (FCA) is now preparing to implement a comprehensive authorisation and supervision regime for firms conducting regulated cryptoasset activities. The new regime takes full effect on 25 October 2027, but the window for submitting authorisation applications opens significantly earlier, on 30 September 2026, and closes on 28 February 2027.

This compressed timeline means that businesses already operating in the UK crypto market, as well as those intending to enter it, have limited runway in which to assess their obligations, build the necessary compliance infrastructure, and submit complete applications to the FCA. Preparing a thorough application is a substantive undertaking that can take three months or longer, and firms are advised to begin that process without delay.

To support firms ahead of the formal application window, the FCA has been accepting requests for pre-application support meetings since 11 May 2026, with the first sessions expected to begin in July 2026. These meetings represent a valuable opportunity for firms to engage with the regulator in advance and to clarify the scope of their proposed activities.

However, a significant challenge remains. The exact boundaries of the new regime are not yet fully settled. The FCA launched a consultation on proposed Perimeter Guidance, intended to clarify where the new rules apply, with that consultation closing on 3 June 2026. Final guidance is not expected until September 2026, meaning firms must navigate a period of regulatory uncertainty while simultaneously preparing their applications. This makes early legal analysis and proactive compliance planning all the more important.

The new regime is built on the Financial Services and Markets Act (FSMA) framework, bringing cryptoasset activities within a statutory authorisation and supervisory structure comparable to that which governs traditional financial services. It introduces requirements relating not only to authorisation but also to governance and systems controls, market abuse prevention, anti-money laundering and counter-terrorist financing obligations, and the appointment of qualified individuals in key compliance roles.

Firms that treat the transition as a strategic programme, addressing governance, operational resilience, data management and control frameworks well in advance of the application window, will be better positioned to meet both the FCA's expectations and the operational demands of the new regime.

Key Regulatory Dates

•      11 May 2026: FCA pre-application support meeting requests open.

•      3 June 2026: FCA Perimeter Guidance consultation closes.

•      September 2026: Final Perimeter Guidance expected.

•      30 September 2026: Authorisation application window opens.

•      28 February 2027: Authorisation application window closes.

•      25 October 2027: New regime fully takes effect.

New Cryptoasset Activities Coming Under Regulation

Under the Cryptoassets Regulations, the FCA gains authority to authorise and supervise firms conducting specified cryptoasset activities. The regime defines three principal categories of cryptoasset that fall within scope: qualifying cryptoassets; qualifying stablecoins; and relevant specified investment cryptoassets (SICs), such as tokenised versions of existing regulated investments, where safeguarding activities are involved.

The regulated activities introduced under the new framework are as follows.

•      Issuing qualifying stablecoins: firms that create and put into circulation stablecoins meeting the qualifying definition will require authorisation.

•      Safeguarding cryptoassets: the custody of qualifying cryptoassets and specified investment cryptoassets, including the holding and administration of private keys on behalf of clients, will be a regulated activity.

•      Arranging cryptoasset custody or safeguarding services: intermediaries that facilitate custody arrangements, rather than holding assets directly, will also fall within scope.

•      Operating a qualifying cryptoasset trading platform (CATP): exchanges and other multilateral trading systems that bring together buyers and sellers of qualifying cryptoassets will require FCA authorisation.

•      Dealing in qualifying cryptoassets as principal: firms that buy and sell qualifying cryptoassets for their own account in the course of business will be subject to authorisation requirements.

•      Dealing in qualifying cryptoassets as agent: executing transactions on behalf of clients will similarly constitute a regulated activity.

•      Arranging transactions involving qualifying cryptoassets: introducing or facilitating transactions, including brokerage-style activities, will be regulated.

•      Arranging cryptoasset staking services: intermediaries that facilitate staking on behalf of clients will require authorisation, alongside the substantive providers of such services.

In addition to defining the regulated activities themselves, the FCA's consultation paper on Perimeter Guidance sets out how the regulator intends to assess three further questions in borderline cases. First, whether an activity is carried out by way of business: casual or genuinely one-off activity may fall outside scope, but commercial regularity will generally bring a firm within the perimeter. Second, whether the activity takes place in the UK: the regime has a broad territorial reach, and overseas firms that actively sell to or serve UK consumers will generally need UK authorisation unless their activities are intermediated by a UK-authorised firm. Third, whether any exemptions or exclusions apply: firms should not assume that exemptions available in traditional finance automatically translate to the cryptoasset context without careful legal analysis.

Businesses already operating in the crypto sector should review their existing activities carefully. Some firms may already have been conducting activities that required authorisation under pre-existing financial services rules and may face scrutiny of their historic operations as part of the authorisation process.

Existing UK Crypto Regulation

The incoming regime does not arise in a vacuum. The UK already operates a number of regulatory frameworks that affect cryptoasset businesses, and firms must understand how those existing requirements interact with the new authorisation obligations.

Historically, many exchange tokens and utility tokens have fallen outside direct financial regulation in the UK, whilst certain categories of cryptoasset have been treated as existing regulated instruments. Security tokens, being cryptoassets that constitute a specified investment such as a share, debt instrument, or unit in a collective investment scheme, have always been subject to existing investment regulation under FSMA, regardless of the technological form in which they are issued or transferred. E-money tokens, being tokens that meet the definition of electronic money, have historically fallen under the Electronic Money Regulations 2011. Under the new framework, however, the definition of e-money is amended to exclude qualifying stablecoins, which are instead brought within the new FSMA-based regime. Firms previously operating as e-money institutions with respect to stablecoin products will need to transition to full FSMA authorisation.

In addition to these product-specific frameworks, the UK already requires certain cryptoasset service providers to register with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended. This registration regime focuses on anti-money laundering and counter-terrorist financing controls rather than broader conduct and prudential standards, and has applied to a range of crypto businesses since January 2020.

It is critical to understand that existing AML registration does not constitute authorisation under the new regime. Firms currently operating under AML registration, e-money institution status, or payment institution permissions must apply for full FSMA authorisation to continue conducting regulated cryptoasset activities after the new regime takes effect. Transitional provisions will allow firms to continue certain pre-existing contractual arrangements whilst their applications are assessed, but new contracts with clients may be restricted during that period.

The UK also operates financial promotion rules that restrict how cryptoassets and related products may be marketed or advertised to UK consumers. These rules, which were significantly tightened in recent years, apply regardless of whether the promoting firm is itself authorised or registered, and impose obligations on firms to ensure communications are fair, clear and not misleading.

Firms should note that the FCA explicitly highlights in its Perimeter Guidance consultation the importance of conducting a thorough legal analysis of existing and planned operations to determine whether they fall within the scope of the new rules, given the differences between the new regime and prior frameworks in both instrument definitions and activity descriptions.

Traditional Financial Concepts May Not Apply Neatly to Crypto

One of the most significant practical complexities of the new regime is that concepts familiar from traditional financial services regulation do not always translate straightforwardly into the cryptoasset context. Firms and their legal advisers must resist the temptation to assume that structures or arguments that avoided regulation in conventional finance will achieve the same result in the crypto environment.

Substance Over Form

When assessing whether a cryptoasset activity falls within regulatory scope, the FCA has made clear that it will focus on the substance of what a firm does, not the language it uses to describe itself or its operations. Marketing terms, technical architecture choices, or the commercial framing of a product do not determine regulatory status. What matters is whether the activity, in practice, corresponds to one of the defined regulated activities.

Automation and Decentralisation

Claims that a system operates autonomously, through smart contracts, or without central direction do not automatically exempt it from regulation. The FCA has signalled that where an identifiable individual or entity sets the operational parameters of a system, controls its key features, receives commercial benefit from its operation, or exercises ongoing influence over it, that entity may be treated as conducting a regulated activity, even if the day-to-day execution is automated.

Similarly, a firm cannot rely on characterising itself as a decentralised protocol to avoid the authorisation requirement. The regulator will look through the technical structure to identify whether there is in fact an entity that is, in substance, operating a regulated activity in or from the UK.

Blockchain and Distributed Ledger Technology

The use of blockchain or distributed ledger technology as the underlying infrastructure for an activity does not, of itself, remove the presence of intermediaries or alter the regulatory analysis. If an entity is conducting an activity that would be regulated were it performed using conventional technology, the fact that it is performed on-chain does not change the outcome.

Territorial Scope

The new regime has a wide territorial reach. Overseas firms that actively market, sell, or provide regulated cryptoasset activities to UK consumers will generally be required to obtain UK authorisation, unless those activities are intermediated by a UK-authorised platform or dealer. Simply incorporating outside the UK or hosting technology infrastructure abroad does not exempt a firm if it is in practice serving the UK market.

Compliance Infrastructure

Authorised firms will be required to meet the FCA's standards across a range of areas that go beyond simply obtaining a licence. Obligations under the FCA Handbook will apply, including the Principles for Businesses and the Senior Management Arrangements, Systems and Controls (SYSC) requirements. Market abuse rules covering insider dealing, unlawful disclosure, and market manipulation will apply to cryptoasset markets. Full anti-money laundering, counter-terrorist financing, and proliferation financing frameworks will be required, along with the appointment of a suitably qualified Money Laundering Reporting Officer (MLRO) with genuine oversight capacity.

Risks of Operating Without Authorisation

The consequences of conducting regulated cryptoasset activities without FCA authorisation are severe. Unauthorised activity is a criminal offence under FSMA, and the FCA has demonstrated a willingness to pursue enforcement action, including where firms have sought to argue they fall outside regulatory scope.

The consequences of unauthorised activity include the following.

•      Imprisonment for up to two years for individuals responsible for the unauthorised conduct.

•      Unlimited financial penalties, which may be imposed in addition to, or instead of, custodial sentences.

•      Unenforceability of contracts: agreements entered into in the course of unauthorised regulated activity may be rendered void or unenforceable, with potentially severe commercial consequences including the obligation to return client funds.

•      Reputational damage, including the FCA's public Financial Services Register identifying unauthorised firms and warning notices.

•      Regulatory action against authorised firms: where a firm that holds FCA authorisation carries out activities beyond the scope of its existing permissions, it too faces enforcement risk. Authorisation for one cryptoasset activity does not extend to others not covered by the permission.

The risk of operating without authorisation is not confined to firms that are clearly conducting regulated activities. Given the current period of regulatory uncertainty, particularly with Perimeter Guidance not yet finalised, firms may inadvertently stray into regulated territory whilst incorrectly assuming they remain outside scope. This makes ongoing legal review, active monitoring of regulatory developments, and early engagement with the FCA through pre-application meetings all the more critical.

Firms should also be alert to the position of their employees and senior managers. Under the FSMA Senior Managers and Certification Regime (SMCR), individuals in senior roles may bear personal regulatory liability for failures occurring within their areas of responsibility. Ensuring that senior managers have a clear understanding of the firm's regulatory obligations, and that those obligations are being met, is both a regulatory requirement and a matter of personal exposure.

The FCA has also indicated that firms already operating under AML registration, which provided a transitional basis for operating prior to full FSMA authorisation, should not assume that registration status provides ongoing protection once the new regime takes effect. Firms that do not obtain full FSMA authorisation by the time the regime becomes operative on 25 October 2027 risk being required to cease regulated activities entirely.

Recommended Next Steps

Given the complexity of the new regime and the compressed timeline to the application window, firms should treat compliance preparation as an immediate business priority. The following actions are recommended.

•      Conduct a comprehensive activity mapping exercise to identify all current and planned operations that may constitute regulated cryptoasset activities under the new framework.

•      Commission a formal legal analysis of regulatory scope, taking into account the substance of operations rather than their technical or commercial description.

•      Initiate a gap assessment against the FCA Handbook requirements, including governance arrangements, SYSC standards, market abuse controls, and AML frameworks.

•      Request a pre-application support meeting with the FCA at the earliest opportunity to clarify scope and application expectations.

Monitor the publication of final Perimeter