UK Regulatory Update, April 2026
2026 is shaping up to be a defining year for UK crypto regulation. Cryptoasset firms have been subject to anti-money laundering supervision by the Financial Conduct Authority under the Money Laundering Regulations 2017 since 2020. However, the forthcoming authorisation regime under the Financial Services and Markets Act 2000 represents a significant shift in how firms will be assessed.
This change is particularly relevant for two groups: firms that are newly in scope and preparing to build their financial crime frameworks for authorisation, and firms already registered under the MLRs that will need to transition to a broader, FSMA-style supervisory environment.
The change is driven not solely by changes in financial crime requirements, but by the transition to a full-scope regulatory framework. Under FSMA, firms will be assessed holistically, including governance, prudential soundness, operational resilience, and consumer protection, with financial crime controls forming a critical component of that broader assessment.
As a result, the focus is increasingly on whether financial crime frameworks are not only compliant, but demonstrably effective, well-governed, and capable of operating at scale within an authorised environment.
While full authorisation requirements are expected to take effect in 2027, supervisory scrutiny is already intensifying. Firms that treat this period as transitional, rather than as an opportunity to enhance and evidence control effectiveness, risk being underprepared when the authorisation gateway opens.
Regulatory Direction of Travel
The UK Government is bringing cryptoasset activities within the scope of FSMA through the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026. While the new regime is expected to come fully into force on 25 October 2027, several key milestones sit ahead of this:
- July 2026 – launch of the Pre-Application Support Service for firms considering authorisation
- 30 September 2026 to 28 February 2027 – authorisation application window
Importantly, registration under the Money Laundering Regulations 2017 will not convert into authorisation. For firms not yet registered, this means building a financial crime framework that can meet authorisation standards from the outset. For firms already registered, it means demonstrating that existing controls are sufficiently mature, scalable, and aligned to FSMA expectations.
In practice, to meet the FCA’s “ready, willing and organised” threshold, firms will need to demonstrate that their financial crime frameworks are appropriate, effective, and aligned to the scale and nature of their business, particularly where those controls have already been operating under the MLR regime.
Business-Wide Risk Assessment (BWRA): Foundation of the Framework
A robust Business-Wide Risk Assessment (BWRA) remains fundamental. Firms are expected to maintain a comprehensive and well-documented view of their exposure to money laundering and terrorist financing risks, taking into account products, services, customers, geographies, and delivery channels.
For newer firms, this involves developing a BWRA that clearly identifies inherent risks and informs the design of controls. For more established firms, the expectation is that the BWRA is embedded, regularly updated, and actively used to calibrate and justify control effectiveness.
For cryptoasset firms, this should explicitly cover sector-specific risks such as the use of mixers or tumblers, exposure to decentralised finance (DeFi), cross-chain transactions, and sanctions evasion typologies.
The BWRA should be dynamic, regularly reviewed, and clearly linked to the design and calibration of controls, including customer risk assessments, transaction monitoring, and enhanced due diligence measures.
Enhanced Due Diligence (EDD): From Existence to Effectiveness
Regulatory attention has moved beyond the existence of EDD to its quality and application in practice.
Firms seeking authorisation will need to demonstrate that EDD frameworks are appropriately designed and risk-based. Firms already operating under the MLR regime will be expected to evidence consistent application and effective oversight in practice.
Firms are expected to show that EDD is applied consistently to higher‑risk relationships, clearly documented with reasoned outcomes, proportionate to the firm’s risk profile, and subject to senior management review and challenge.
In practice, this means evidencing a clear understanding of source of wealth and source of funds, demonstrating how identified risks have informed the level of scrutiny applied, and ensuring that enhanced monitoring is appropriately calibrated and maintained throughout the customer lifecycle.
Travel Rule: Supervision in Practice
The UK Cryptoasset Travel Rule has applied since September 2023. By 2026, the question is no longer implementation, but supervision.
Newly in-scope firms will need to ensure Travel Rule compliance is built into their operating model from day one. Firms already subject to the rule will need to demonstrate that controls are operating effectively and are supported by clear decision-making and documentation.
The FCA expects firms to evidence their ability to collect and transmit required originator and beneficiary information, identify counterparties operating without equivalent regimes, take risk‑based decisions where information is missing or incomplete, and document escalation and risk‑mitigation outcomes. Crypto transfers are expected to be subject to safeguards comparable to traditional wire transfers.
Governance and Senior Management Accountability
Governance remains a supervisory priority. For firms preparing for authorisation, this means establishing clear ownership and governance structures. For existing firms, the focus is increasingly on how governance operates in practice and the quality of oversight and challenge.
Firms should be able to demonstrate clear ownership of financial crime risk, a suitably empowered and resourced MLRO, effective escalation pathways, and management information that supports informed decision-making at senior management and board level.
Regulatory assessments are increasingly focused on how governance works in practice, not just how it is described in policies.
Transaction Monitoring and Blockchain Analytics
Transaction monitoring continues to attract close scrutiny. Firms entering the regime will need to implement monitoring frameworks that are proportionate and scalable. More established firms will be expected to demonstrate ongoing effectiveness, continuous improvement, and integration into wider risk management.
Firms are expected to move beyond mechanical alert handling and demonstrate meaningful use of blockchain analytics within their broader risk frameworks. This includes proper investigation of alerts, integration of findings into customer risk assessments, clear documentation of methodologies and thresholds, and regular review of monitoring effectiveness.
In a crypto context, this also extends to the effective management of sanctions risk, including wallet and address screening, identification of exposure to sanctioned entities (including indirect exposure through transaction chains), and the ability to assess and respond to risks arising from interactions with high-risk or unhosted wallets.
The ability to explain how on‑chain intelligence informs risk decisions is becoming a core supervisory expectation.
What Firms Should Be Doing Now
As firms prepare for authorisation, attention should be directed to strengthening core financial crime foundations:
- Robust, accurate and dynamic risk assessments;
- Up-to-date policies, tailored to the business and approved by senior management;
- Operational procedures aligned to policies;
- Risk-mitigating controls, subject to independent monitoring and effectiveness testing;
- Role-specific training for relevant personnel;
- Clear senior management accountability for risks, controls and oversight;
- Proportionate and effective governance arrangements.
For newer firms, the focus is on building a complete and credible financial crime framework. For established firms, the emphasis is on demonstrating that frameworks are operating effectively, consistently applied, and capable of withstanding increased supervisory scrutiny.
Summary
UK cryptoasset firms are moving towards operating within a full-scope regulatory framework, where financial crime controls will be assessed alongside broader requirements relating to governance, prudential soundness, and operational resilience.
For firms entering the regime, the challenge is to build frameworks that meet authorisation standards from the outset. For those already operating under the MLRs, the challenge is to transition from compliance-focused supervision to a model that emphasises effectiveness, scalability, and evidencing.
Firms that use this period to prepare, whether by building or enhancing their frameworks, will be better positioned when the authorisation gateway opens. Supervisory tolerance for weak or underdeveloped frameworks is likely to be limited.