UK Crypto License: FCA Registration (MLR 2017) and the 2027 FSMA Regime

There is no single "UK crypto license." Today, a crypto business operating in Britain must hold FCA registration under the Money Laundering Regulations 2017, an anti-money-laundering supervision only. A separate, broader FSMA authorisation regime is expected to commence on 25 October 2027.

That distinction matters more than any other fact on this page. Search engines and applicants alike use the word "license," but the Financial Conduct Authority (FCA) does not issue a crypto license in the colloquial sense. It registers cryptoasset businesses for money-laundering supervision now, and from late 2027 it will authorise them across a wider set of regulated activities. Conflating the two is the single most common and most costly mistake we see founders make. This guide keeps the current regime and the future regime strictly separate, cites the FCA directly throughout, and leads with the figure most advisors omit: historically, around 87% of UK crypto applications were rejected, refused or withdrawn.

By Magnus Müller · Reviewed by Magnus Müller · Last updated: 2026-06-14

Is there a "UK crypto license"? The short answer

No single license exists. Today, UK cryptoasset businesses must register with the FCA under the Money Laundering Regulations 2017 (an AML/CTF registration). A distinct FSMA authorisation regime, created by a 2026 statutory instrument, is expected to commence on 25 October 2027. The two are separate permissions.

So when a founder asks "how do I get a UK crypto license," the honest answer is two-part. Right now, the only mandatory crypto-specific permission is registration under the MLRs, supervised by the FCA, which has been the UK's anti-money-laundering supervisor for cryptoasset businesses since 10 January 2020. From 25 October 2027, a much fuller FSMA authorisation regime is expected to take effect, at which point "authorisation" replaces "registration" as the operative word. Both are explained below, in that order, so you never mistake one for the other.

If you are weighing the UK against other markets, it helps to compare crypto licence jurisdictions side by side before committing to any single regulator.


Who must register with the FCA as a cryptoasset business?

Two categories of firm must register before they begin operating in the UK: cryptoasset exchange providers and custodian wallet providers, as defined in Regulation 14A of the MLRs. Registration is mandatory and must be in place before any in-scope activity starts.

The trigger is carrying on those activities "by way of business in the UK." That phrase does the heavy lifting, and it is not a simple test. The two registrable categories are set out below.

Cryptoasset exchange providers

Under Regulation 14A, a cryptoasset exchange provider is a firm that exchanges, or arranges or makes arrangements for the exchange of, cryptoassets for money or for other cryptoassets. The definition is deliberately wide and captures:

• exchanging cryptoassets for fiat money, or one cryptoasset for another;
• operating an automated machine (a cryptoasset ATM) for such exchange;
• peer-to-peer exchange providers;
• issuers of new cryptoassets, including initial coin offerings (ICOs) and initial exchange offerings (IEOs).

If your business model touches any of these, you fall inside the perimeter and must register.

Custodian wallet providers

A custodian wallet provider safeguards, or safeguards and administers, cryptoassets on behalf of customers, or holds the means of access to those cryptoassets, such as private keys, on a customer's behalf. The FCA's definition covers any firm that holds, or controls access to, customers' crypto. Wallet software where the user retains sole control of their own keys generally sits outside the definition, but the line is fact-specific, and you should assess it carefully before assuming you are out of scope.

Do overseas crypto firms need to register?

The answer is nuanced, and a blanket "yes" is unsafe. Registration turns on the "by way of business in the UK" test, which is a question of fact and degree rather than a simple presence rule. A purely overseas firm with no UK establishment may, depending on how and to whom it offers services, fall outside the MLR registration requirement.

The financial promotions regime is a different and clearer story. It separately catches firms based overseas that market cryptoassets to UK consumers, regardless of where the firm itself sits. So an overseas firm can be outside MLR registration yet firmly inside the promotions rules. Because the territorial scope of the MLRs is fact-sensitive, we assess registration obligations per firm rather than apply a one-size-fits-all rule.

Registration vs authorisation: what FCA registration actually covers

This is the core legal point of the entire page. FCA registration under the MLRs is anti-money-laundering and counter-terrorist-financing supervision. It is not a prudential or conduct authorisation under FSMA, and it does not assess your firm's financial soundness, capital adequacy, or consumer-conduct standards. The FCA is explicit on this.

The table below sets out what today's registration covers and what the upcoming FSMA authorisation will add. Calling MLR registration a "license" without this distinction is exactly the conflation that misleads applicants.

AML/CTF supervision only, not a prudential or conduct license

In plain terms, MLR registration confirms that the FCA is satisfied with your money-laundering controls. It does not vouch for your solvency, your governance more broadly, or how you treat customers commercially. The FCA does not assess financial soundness or business viability at the MLR stage. That is precisely why the 2027 FSMA regime is being introduced: to add the prudential and conduct layer that AML registration was never designed to provide. Treat registration as a necessary AML clearance, not as a seal of full financial regulation.


How to apply for FCA crypto registration: process, fee and timeline

Applying is a structured process run through the FCA's Connect system, assessed by a named case officer, and subject to a three-month statutory determination clock that only starts once your application is complete. The application fee sits in the FCA's Category 6 pricing band; confirm the current figure on the FCA fees page before budgeting.

The application process step by step

The MLR registration journey runs through five stages, drawn from the FCA's how-to-apply guidance and its interim registration advice:

1. Pre-application preparation: review the MLRs and the application forms, build your AML/CTF documentation, and consider requesting an optional pre-application meeting.
2. Submit your application through the FCA Connect system and pay the application fee.
3. An assigned case officer assesses the file. Information requests are very likely, and the FCA may engage on a "minded to" basis where it signals concerns before a formal decision.
4. A senior decision-maker decides on the case officer's recommendation.
5. Outcome: registered, refused, withdrawn, or rejected.

The most important practical point is that incomplete submissions never reach assessment. In the FCA's own words, it will reject your submission without conducting an assessment if it does not contain the minimum information requested.

Cost: the Category 6 application fee

Cryptoasset registration is a Category 6 application under the FCA's pricing categories. The FCA sets the exact pound figure on its application fees page, and it changes periodically, so confirm the live amount there rather than relying on a quoted number. We do not publish a fixed figure here precisely because an out-of-date fee can mislead a budget.

How long it takes: the 3-month statutory clock

Once the FCA has all the information it needs, it has three months to decide. The catch is that the clock effectively runs from a complete application, and the FCA returns or rejects incomplete submissions without starting assessment. In practice, because of repeated information requests, the end-to-end timeline commonly runs many months and sometimes over a year. We frame this honestly: anyone promising a fixed, short timeline is not accounting for how the determination period actually works.

Why the FCA rejects so many crypto applications

Historically, around 87% of UK crypto applications were rejected, refused or withdrawn. In the FCA's 2023/24 data, only 4 of 35 applications determined that year were approved, up from roughly 85% rejection the prior year. Since January 2020, of about 359 applications, only around 44 firms have been registered.

These figures are FCA-reported but surfaced through reputable secondary press, so we attribute them carefully and recommend cross-checking against the latest FCA annual report before relying on any single headline number. Even with that caveat, the message is unambiguous: the FCA's bar is high, and a weak application is the norm, not the exception.


The top refusal reasons

The FCA has consistently named the same shortcomings behind crypto refusals. According to its reported annual data, the leading causes are:

• weak customer due diligence (CDD);
• inadequate business-wide and customer risk assessments;
• insufficient transaction and ongoing monitoring;
• poor governance and management information.

Each of these maps directly to the ongoing obligations covered later in this guide. Applications fail not because the rules are obscure, but because the AML framework behind them is thin.

How approval rates are changing since 2025

There is a more encouraging recent trend. Since April 2025, acceptance has reportedly risen to around 45%, with high-profile approvals including major institutions. The fair framing is "historically very high rejection, recently improving." That improvement does not lower the substantive bar; it reflects better-prepared applicants and a more responsive FCA, not a softer standard. The lesson stands: invest in your AML systems before you apply.

Ongoing obligations for FCA-registered crypto firms

Registration is the start, not the finish. A registered firm must maintain a full AML/CTF framework, appoint an MLRO, monitor transactions, report suspicious activity, comply with the Travel Rule, and obtain prior FCA approval for any change in control. Failing to maintain these is what tips a firm back into the FCA's enforcement attention.

AML/CTF systems, MLRO and customer due diligence

Under the MLRs, a registered cryptoasset firm must maintain business-wide and customer risk assessments, full AML/CTF policies and procedures, and appoint a Money Laundering Reporting Officer (MLRO) and a nominated officer. It must run customer due diligence and enhanced due diligence where risk requires, conduct ongoing and transaction monitoring, file suspicious activity reports, and keep records. These are precisely the controls whose weakness drives most refusals, so they deserve continuous investment, not a one-off build for the application. For the underlying framework, see our guide to AML and KYC requirements.

The Travel Rule and change-in-control approval

UK cryptoasset businesses are subject to the crypto Travel Rule, requiring originator and beneficiary information to accompany transfers; the effective date is commonly cited as 1 September 2023, which should be confirmed before being asserted. For how this works in practice, see the crypto Travel Rule. Separately, it is a criminal offence to acquire or increase control of an FCA-registered cryptoasset firm without prior FCA approval, and operating in-scope activities without registration at all is itself a criminal offence.

The cryptoasset financial promotions regime (in force since 8 October 2023)

Wholly separate from registration, the cryptoasset financial promotions regime has been in force since 8 October 2023. It extends the section 21 FSMA restriction to qualifying cryptoassets and applies to all firms marketing crypto to UK consumers, including firms based overseas. A breach is a criminal offence punishable by up to two years' imprisonment, an unlimited fine, or both, with detailed rules in PS23/6 and guidance in FG23/3.

This regime is one of the biggest gaps on older UK crypto guides. Crucially, it overlaps with registration: route 3 below means that holding MLR registration is also the practical gateway that lets a crypto firm lawfully promote to UK consumers in its own name.


The four lawful routes to promote crypto to UK consumers

There are exactly four lawful ways to communicate a cryptoasset promotion to UK consumers, set out by the FCA:

1. communicated by an FCA authorised person;
2. made by an unauthorised person but approved by an FCA authorised person;
3. communicated by a cryptoasset business registered with the FCA under the MLRs;
4. otherwise compliant with an exemption in the Financial Promotion Order.

Route 3 is why MLR registration carries weight beyond AML: without it, an unauthorised crypto firm has no straightforward way to market to UK consumers in its own name.

Consumer-protection rules: risk warnings, cooling-off and the incentives ban

Promotions must be fair, clear and not misleading, and must carry prescribed risk warnings. The regime adds positive frictions, including a 24-hour cooling-off period for first-time investors with a firm, a ban on incentives to invest such as refer-a-friend schemes and new-joiner bonuses, plus client categorisation and an appropriateness assessment before a consumer can proceed. These rules bite on user-acquisition models that are routine elsewhere, so any UK-facing marketing plan must be designed around them from the outset.

The new FCA crypto authorisation regime coming in 2027

A genuinely new regime is on the way, and it is the biggest freshness gap on most existing UK guides. HM Treasury has made a statutory instrument creating new regulated cryptoasset activities under FSMA, expected to commence on 25 October 2027. It is not in force as of writing. Keep it strictly separate from today's MLR registration.

SI 2026/102 and the nine new regulated activities

The instrument, referenced by the FCA as SI 2026/102, amends the FSMA 2000 (Regulated Activities) Order 2001. The exact short title and "made" date should be confirmed on legislation.gov.uk before being stated, as secondary sources cite 4 February 2026. It introduces nine new regulated cryptoasset activities:

• issuing a qualifying stablecoin in the UK;
• safeguarding qualifying cryptoassets or relevant specified investment cryptoassets;
• arranging for another person to safeguard;
• operating a qualifying cryptoasset trading platform (QCATP);
• dealing in qualifying cryptoassets as principal;
• dealing as agent;
• arranging (bringing about) deals in qualifying cryptoassets;
• making arrangements with a view to transactions;
• qualifying cryptoasset staking.

This is far broader than the two registrable categories under today's MLR regime, which is why a fresh authorisation, not a simple upgrade, is required.

The authorisation gateway timeline (PASS, application window, commencement)

The FCA has published a clear sequence for the gateway, drawn from its gateway guidance and its new-regime overview:

• pre-application support (PASS) meetings begin 11 May 2026;
• the authorisation application window runs 30 September 2026 to 28 February 2027, with a saving provision letting pending firms keep operating;
• the regime commences 25 October 2027.

Firms that want to be authorised at commencement should aim to apply within the window so a determination can be expected before the regime goes live.


No automatic conversion from MLR registration

This warning deserves emphasis. Firms registered under the MLRs will not be automatically converted into FSMA-authorised firms. They must separately secure FSMA authorisation through the gateway. An MLR registration is neither a guarantee of, nor a prerequisite for, future authorisation, and an MLR refusal does not bar a later successful FSMA application. Plan for two distinct permissions, not one that morphs into the other.

Should you register now under the MLRs or wait for 2027?

The decision hinges on timing and value. MLR registration is still required and meaningful today, both for AML compliance and for lawful promotions under route 3. But the FCA advises applying only if you are confident registration can be granted early enough to be worthwhile, and it advises not applying for MLR registration after about 31 July 2027, because an application started after that point is unlikely to be determined before the FSMA regime commences.

For most firms launching now, the practical answer is to pursue MLR registration without delay while building toward FSMA readiness in parallel, since the AML systems behind a strong MLR application are the same foundations the FSMA gateway will scrutinise. For firms still months from launch, the calculus shifts toward preparing directly for the 2027 gateway. The right path depends on your launch date, your activities, and how far your AML framework already extends.

Have questions about your specific situation? Book a free 15-minute discovery call with our licensed advisors, no commitment. Book a Call

How the UK compares with other crypto-license jurisdictions

The UK sits in a cluster of major financial centres, each with a different licensing architecture. Today the UK offers AML registration with a fuller authorisation regime arriving in 2027, while peer jurisdictions already run more comprehensive licensing frameworks. The qualitative comparison below positions the UK against three common alternatives.

For deeper jurisdiction-by-jurisdiction detail, see Singapore's MAS DPT regime, Hong Kong VATP licensing, and Switzerland's FINMA paths. To weigh all of them at once, our pillar guide lets you compare crypto licence jurisdictions against the UK on cost, timeline, and regulatory depth.

From our practice

Across the UK applications we support, the pattern behind the FCA's high rejection rate is consistent: firms underestimate how deep the AML framework must go before submission. The applications that succeed treat the MLRO appointment, the risk assessments, and the monitoring framework as live operational systems with evidence behind them, not as documents written for the regulator. Where a firm is also planning for the 2027 FSMA gateway, building those AML foundations once, properly, serves both permissions. We do not promise outcomes or timelines, because the determination clock and the FCA's information requests sit outside any advisor's control, but we do help firms arrive at the Connect submission with a complete, defensible file rather than the thin application the FCA routinely returns.