The UK does not issue a standalone “crypto exchange license.” Instead, firms facilitating crypto asset activities must register with the Financial Conduct Authority (FCA) under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). This registration grants anti-money laundering supervision but not prudential or conduct regulation for most crypto activities. The distinction matters because operators often conflate registration with authorization. Registration allows you to operate legally in the UK for AML purposes, but it does not confer the protections or permissions that come with a full Financial Services and Markets Act authorization. This article walks through the registration mechanics, the compliance obligations that attach, and the edge cases that cause denial or withdrawal.
Registration Scope and Activities Covered
FCA registration under the MLRs applies to cryptoasset exchange providers (firms that exchange fiat for cryptoassets or cryptoassets for other cryptoassets) and custodian wallet providers (firms that safeguard private keys on behalf of users). If your platform only facilitates peer-to-peer transactions without taking custody or executing the exchange itself, you may not fall within scope, though the FCA interprets “exchange provider” broadly to include order matching where the firm controls the settlement mechanism.
Decentralized exchange interfaces hosted by UK entities occupy a gray zone. If the interface operator does not control funds or execute transactions onchain, they may argue they fall outside the custodian or exchange definitions. However, the FCA has indicated that fee collection, protocol governance token holdings, or providing liquidity from company wallets can pull the operator into scope. The test centers on whether the firm exercises control over the transaction execution or asset custody at any point, not whether the underlying protocol is noncustodial.
Application Requirements and FCA Assessment Criteria
The application process requires submission of detailed operational information through the FCA’s Connect portal. Core components include:
Ownership and control structure: full disclosure of all beneficial owners holding 10% or more of voting rights or shares, including ultimate beneficial owners obscured by corporate layers. The FCA will reject applications where ownership cannot be traced to natural persons.
AML systems and controls: documented policies covering customer due diligence, transaction monitoring, sanctions screening, and suspicious activity reporting. The FCA expects real systems in production, not aspirational frameworks. If your firm has no transaction history, you must demonstrate how systems will function at scale, typically through third-party vendor contracts or detailed technical specifications.
Risk assessment: a formal assessment of ML/TF risks specific to your business model, customer segments, geographic exposure, and transaction types. Generic templates copied from other submissions lead to rejection. The FCA looks for evidence that senior management understands the specific vulnerabilities in the platform’s design, such as how mixer interactions are detected or how peer-to-peer transfer limits are enforced.
Nominated officer: designation of an individual responsible for AML compliance, typically styled as the Money Laundering Reporting Officer. This person must have sufficient seniority and resources to influence platform design and halt suspicious activity. Firms placing MLRO responsibility on a junior compliance hire without escalation authority fail the FCA’s fit and proper test.
Financial crime controls around travel rule compliance: while the UK has not yet implemented a full travel rule, the FCA expects firms to document how they will capture and share originator and beneficiary information when the rule becomes operative. Platforms routing withdrawals through unhosted wallets must explain how they will verify customer ownership of destination addresses.
The FCA approval timeline historically stretched from 12 to 24 months, with extended delays during the 2020 to 2023 period when the regulator implemented stricter standards and rejected a large share of applications. Timeframes remain unpredictable. Firms should not assume they can begin operations within a set window.
Operational Compliance Obligations After Registration
Once registered, firms enter a continuous compliance posture. Key obligations include:
Annual AML return: submission of data on transaction volumes, customer counts, suspicious activity reports filed, and control testing results. The FCA uses this data to prioritize supervisory interventions.
Change in control notifications: any acquisition or disposal of 10% or more control triggers a mandatory notification and FCA approval process. The firm cannot complete the transaction until the FCA clears the new controller.
Systems and controls testing: the FCA expects regular independent audits of AML systems, typically annually. Audit reports must reach the board and document testing of specific control points such as enhanced due diligence trigger accuracy and sanctions list update latency.
Senior management accountability: the FCA can pursue individuals under its senior managers and certification regime if it expands the regime to cryptoasset firms. Even without formal SMR application, the regulator has signaled it will use enforcement powers against directors and officers who fail to resource AML functions adequately or ignore red flags in customer behavior.
Cross-border Operations and Jurisdictional Conflicts
FCA registration does not passport to EU member states following Brexit. If your platform serves customers in the EU, you must comply with local licensing or registration rules in each member state or limit service to professional clients under applicable exemptions. Some firms attempted to rely on reverse solicitation carveouts (where the customer initiates contact without firm marketing), but recent guidance from EU regulators narrowed these exemptions substantially.
For non-UK entities offering services into the UK, the FCA applies a territorial test: if the firm targets UK residents through UK-specific marketing, payment methods in GBP, or UK customer support, it must register regardless of where the company is incorporated. The regulator has issued warnings to offshore platforms operating without registration and has worked with payment processors to block fiat onramps for unregistered entities.
UK-registered firms expanding into non-UK jurisdictions often face duplicative or conflicting requirements. For example, some US states require separate money transmitter licenses with net worth and bonding requirements far exceeding those in the UK. Singapore’s Payment Services Act imposes technology risk management standards absent from the MLRs. Planning cross-border expansion requires mapping each jurisdiction’s rules independently rather than assuming registration in one market satisfies others.
Worked Example: Onboarding a High-Volume Trader
A UK-registered exchange onboards a customer who passes standard KYC checks: verified passport, proof of address, and source of funds declaration indicating salary savings. The customer begins depositing GBP via bank transfer and purchasing Bitcoin, with monthly volumes of approximately £15,000. This activity continues for four months within expected patterns for a retail investor.
In month five, the customer’s deposit volume jumps to £180,000 in a single week, sourced from a new bank account at a different institution. The customer immediately converts the full amount to Monero and withdraws to an external wallet. The transaction monitoring system flags this as anomalous based on volume spike and privacy coin selection.
The compliance team escalates to the MLRO, who conducts enhanced due diligence. The customer provides vague explanations for the funds, stating it represents a business sale but cannot produce documentation. The MLRO files a suspicious activity report with the National Crime Agency and freezes further withdrawals pending NCA guidance. The NCA requests the exchange maintain the relationship to gather additional intelligence.
Two weeks later, the customer attempts to deposit another £200,000. The MLRO, having received no update from the NCA, decides the ongoing risk outweighs the intelligence value and exits the relationship. The firm returns the frozen funds to the source bank account and closes the customer’s account. The FCA, during a later supervision visit, reviews the case and validates that the MLRO exercised appropriate judgment in both filing the SAR and ultimately exiting the relationship.
This example illustrates the real-time decision loops required after registration. The firm cannot simply process transactions that meet baseline KYC standards. It must maintain dynamic risk assessment and be prepared to halt profitable customer relationships when red flags emerge.
Common Mistakes and Misconfigurations
- Relying on automated KYC providers without independent verification procedures. The FCA expects firms to validate that third-party identity verification actually confirms the claimed identity, not just that a set of credentials was presented. Firms that rubber-stamp automated clearances without sampling or audit trails fail supervision reviews.
- Treating all stablecoins as equivalent risk. Fiat-backed stablecoins held with transparent reserve attestations present different AML risk than algorithmic stablecoins or those with opaque reserve structures. Transaction monitoring calibrated for Bitcoin but applied uniformly to Tether without adjustment leads to underdetection of suspicious patterns.
- Inadequate documentation of decisions not to file SARs. When analysts identify potentially suspicious activity but decide it falls below the reporting threshold, that decision and its rationale must be documented. Lack of an audit trail suggests the firm is not actually reviewing flagged transactions.
- Failing to update sanctions lists in real time. Delays of even a few hours between OFSI or UN list updates and internal screening system updates create windows where designated persons can transact. The FCA expects same-day implementation of new designations.
- Underestimating travel rule preparation work. Firms assuming they can implement travel rule compliance quickly once the UK adopts a formal requirement often underestimate the technical integration with wallet providers, the data schema standardization, and the customer communication needed to collect beneficiary information. Starting design work only after regulation publication leaves insufficient implementation runway.
- Ignoring indirect exposure to unregistered entities. Accepting deposits from customers who openly state they are withdrawing from unregistered offshore exchanges can create secondary liability. The FCA expects firms to scrutinize whether they are facilitating evasion of UK registration requirements.
What to Verify Before You Rely on This
- Current FCA registration status of any exchange or custodian you plan to use. The FCA publishes a register of cryptoasset firms, but it does not update in real time. Confirm registration status directly with the firm and verify it matches the FCA register.
- Whether the FCA has expanded the regulatory perimeter beyond MLRs for specific activities. Proposals to bring certain stablecoins or DeFi interfaces under prudential or conduct regulation remain in consultation as of this writing. Check for finalized rules before launching new product lines.
- The operational status of firms that received temporary registration during the transition period. Some firms operated under temporary registration for extended periods while the FCA processed applications. Not all transitioned to full registration. Verify that temporary registration has converted to permanent status.
- Specific transaction monitoring thresholds and enhanced due diligence triggers in your platform’s AML policy. These should reflect current typologies from NCA and FCA publications, not static thresholds set at launch.
- Geographic restrictions in your terms of service compared to actual customer access patterns. If your terms prohibit service to certain jurisdictions but you have not implemented IP blocking or payment method restrictions, you may still face liability for serving those markets.
- The legal status of specific tokens under UK law. Whether a token constitutes a specified investment, an e-money token, or remains unregulated affects which permissions you need to offer it. This classification can change as tokens evolve in functionality or as regulatory guidance develops.
- Your obligations under the Payment Services Regulations if you offer fiat currency accounts or payment card services alongside crypto exchange. PSR authorization or registration as a small payment institution may apply in addition to MLRs registration.
- The FCA’s current position on staking services, yield products, and lending. These products may trigger separate authorization requirements under the Regulated Activities Order if structured as deposit-taking or investment management.
- Whether your insurance coverage includes regulatory defense costs and customer restitution. Standard professional indemnity policies often exclude regulatory penalties and compensation orders.
- The technical specifications for any custodial infrastructure you rely on, including key management procedures, disaster recovery capabilities, and insurance coverage for asset loss. The FCA increasingly scrutinizes these operational resilience elements even though they are not formal registration requirements.
Next Steps
- Map your current or planned activities against the MLRs definitions of cryptoasset exchange provider and custodian wallet provider to confirm whether registration is required. If you fall into a definitional gray area, consider requesting informal FCA guidance before launching.
- Engage a law firm with specific FCA cryptoasset registration experience to conduct a gap analysis of your AML systems against recent successful applications. Generic AML consultants often lack the crypto-specific expertise the FCA expects.
- Build your transaction monitoring and SAR decision framework before launch, using historical transaction data if available or simulated scenarios if not. The FCA wants evidence of real system performance, not theoretical capability.