Cryptoassets: AML / CTF regime

We are the anti-money laundering and counter-terrorist financing (AML/CTF) supervisor of UK cryptoasset businesses under the money laundering regulations. Learn more about the regime.

Cryptoasset businesses must register with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017[3] (MLRs), and comply with these regulations, if they intend to provide certain cryptoasset services by way of business, and if this service will be in the course of business carried on by them in the UK.

This includes cryptoasset businesses who communicate financial promotions in the UK, since the Government extended the financial promotions regime[4] in 2022.

Scope of cryptoasset services

Cryptoasset businesses who, by way of business, provide one or more of the following services summarised in the table below and set out in Regulation 14A[5] of the MLRs must comply with the MLRs.

Scope of services

Cryptoasset service	As described in the MLRs
Cryptoasset exchange provider (including cryptoasset automated teller machine (ATM), peer-to-peer providers, issuing new cryptoassets, such as initial coin offerings (ICO) or initial exchange offerings.	A firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services – (a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets, (b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or (c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.
Custodian wallet providers	A firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer – cryptoassets on behalf of its customers, or private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets, when providing such services.

Cryptoasset service

As described in the MLRs

Cryptoasset exchange provider (including cryptoasset automated teller machine (ATM), peer-to-peer providers, issuing new cryptoassets, such as initial coin offerings (ICO) or initial exchange offerings.

A firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services –

(a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
(b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
(c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.

Custodian wallet providers

A firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer –

cryptoassets on behalf of its customers, or
private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets, when providing such services.

Registration

Cryptoasset businesses must register with the FCA before starting any in-scope services while acting in the course of business carried on by them in the UK.

Registration under the MLRs is a legal requirement to carry on business. It is not a recommendation or endorsement of your business.

Registered cryptoasset businesses should avoid using language that suggests that FCA registration is an endorsement or recommendation.

Find out more about registration[6]

New regulatory regime for cryptoassets

In December 2025, the government laid draft legislation[7] which, if it becomes law, will create a new regime for cryptoasset regulation in the UK.

This new regime[8] is expected to come into force on 25 October 2027.

Firms wishing to carry out any of the new cryptoasset regulated activities will need to be authorised by us under the Financial Services and Markets Act 2000 (FSMA).

If your firm is considering applying for registration under the MLRs, you should also review how authorisation will work for cryptoasset activities[9].

We're hosting a webinar on Thursday 29 January to help firms get ready for authorisation.

Change in control for registered cryptoasset firms

A person who decides to acquire or increase control over an FCA-registered cryptoasset firm – so that they become a beneficial owner within the meaning of Regulation 5[11] or Regulation 6[12] of the MLRs – must submit a change in control notification and await FCA approval before completing the transaction.

It is a criminal offence to acquire control of an FCA-registered cryptoasset firm without FCA approval.

For further information see Schedule 6B[13] of the MLRs and our change in control[14] pages.

A person that decides to acquire or increase control in an FCA-authorised firm, which has FSMA and cryptoasset permissions, will be assessed under Part XII[15] of FSMA.

Supervision

Our supervisory approach to cryptoasset businesses is in line with our approach to other businesses under the MLRs[16].

It is risk based, so businesses that pose the greatest money laundering and terrorist financing risk receive an increased level of supervisory focus. If we have reason to believe serious misconduct has taken place, we may start an enforcement investigation.

Find out more about how we supervise under the MLRs[16].

Consumer protections and disclosure

Our responsibility under this regime is limited to AML/CTF registration, supervision and enforcement only.

Being registered with the FCA as a cryptoasset business does not mean your customers benefit from the protections of the Financial Ombudsman Service[17] or the Financial Services Compensation Scheme (FSCS)[18].

Make sure you do not mislead customers about what protections apply and the status of your FCA registration.

You should consider whether your business’s cryptoasset services are within scope of the:

Financial Ombudsman
FSCS

If not, you must inform customers of this fact before starting a business relationship or transaction. (See Regulation 60A[19] of the MLRs.)

As most cryptoassets are not specified investments under the Financial Services and Markets Act 2000 (FSMA), it is unlikely that customers will have access to the Financial Ombudsman or the FSCS.

Check our guidance on which types of cryptoassets fall within our regulatory remit and how this impacts consumer protection:

Cryptoasset services involving security tokens, for example, are regulated tokens which will provide the same protections as specified investments set out in the Regulated Activities Order[20].
Cryptoasset services which fall in the unregulated space, as defined in our guidance[21], will not have the same consumer protections.

How to disclose if customers are not protected

It is up to each business to decide how best to meet this requirement.

We do not expect a business to make several disclosures of this fact. But we do expect you to disclose this fact where it is relevant, and in a manner appropriate, to the consumer.

Here are some disclosure-related factors you should consider:

Timing Where

Timing

You should disclose this fact before carrying on services in relation to the business or before concluding a transaction.

It is down to you to consider your business model and when it is best to make this disclosure.

Where

It is for you to consider how your business targets and sells to consumers, and whether these are repeat or one-off clients, or a mix. The purpose of the obligation is that investors are aware of this information before deciding to proceed.

In considering where to make this disclosure you may wish to consider:

Is there key information or regulatory information that a business discloses to the consumer, and where it may be appropriate to include this information, with equal prominence?
How do you target consumers and should you include this information with key marketing information, on your main website, or in your terms and conditions (if it's clear to consumers)?

You will need to decide how best to disclose this information, particularly if your business is doing a mix of FSMA regulated and unregulated cryptoasset or other service. For businesses only carrying on services in relation to unregulated cryptoassets, we would suggest wording along the following lines:

'The Financial Ombudsman Service or the Financial Services Compensation Scheme do not apply to the cryptoasset services carried on by [Name of cryptoasset business].’

Reporting requirements

Each year, all registered cryptoasset businesses must submit a REP-CRIM return (Annual financial crime reporting) via our RegData system[22].

You should submit the report within 60 business days of the business's Accounting Reference Date (ARD).

Find out more in the Cryptoasset Direction[23] with guidance notes[24] for completing the return.

Contact us

For any questions about the regime, email [email protected].

06/02/2026 : System update no content change

21/01/2026 : Information added New regulatory regime for cryptoassets. Editorial updates to disclosure and supervision sections.

16/12/2025 : Editorial amendment Edits throughout for clarity.

05/12/2025 : System update No content change

15/01/2024 : Editorial amendment

22/03/2023 : Editorial amendment Updates to page as part of website refresh

17/03/2023 : Information changed Change in control for registered cryptoasset firms update and page refresh

11/08/2022 : Information added change in control for registered cryptoasset firms

30/03/2022 : Information added

28/10/2019: Link added Added link to CP19/29 under Timeline and payment section

First published: 21/10/2019 Last updated: 06/02/2026 See all updates