Cryptoasset FSMA Authorisation: The Complete Guide for UK Crypto Firms
Applications for authorisation under FSMA open on 30 September 2026. The new regime is expected to go live on 25 October 2027 — and it applies to every UK cryptoasset firm, including those already registered under the Money Laundering Regulations. This guide explains what is changing, what the FCA will expect, and the people your application will depend on.
The UK’s regulatory treatment of cryptoasset businesses is going through its most consequential change since the FCA became the anti-money laundering supervisor of the sector in January 2020. For six years, the regulatory perimeter for most UK crypto firms has been defined by registration under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 — the MLRs. Registration is an AML and counter-terrorist financing regime. It tests a firm’s financial crime framework, its systems and controls, and the fitness and propriety of its Money Laundering Reporting Officer. It does not test the wider matters that full financial services regulation is built on: governance, prudential resources, conduct of business, operational resilience, or the personal accountability of senior managers.
That is what changes. Under the new regime being introduced through the Financial Services and Markets Act framework, firms carrying out regulated cryptoasset activities in the UK will need authorisation under FSMA — the same statutory gateway that banks, investment managers, payment institutions and every other authorised financial services firm passes through. The FCA has confirmed that applications for authorisation will open on 30 September 2026, with the regime expected to start on 25 October 2027. Critically, the requirement applies to firms that are already registered under the MLRs: an existing registration does not carry over, and it does not guarantee authorisation.
For founders and boards of cryptoasset businesses, this is not simply a compliance project. FSMA authorisation reshapes what your firm needs to look like — its governance, its capital, its senior team, and the individuals who will hold personal regulatory accountability for the first time. This guide covers the regime in detail, and then turns to the question FD Capital is best placed to answer: the people your application will stand or fall on.
From the MLRs to FSMA: what is actually changing
Since 10 January 2020, UK cryptoasset exchange providers and custodian wallet providers have been required to register with the FCA under the MLRs before trading. The FCA’s role has been that of AML/CTF supervisor: assessing whether an applicant’s anti-money laundering framework, business-wide risk assessment, customer due diligence arrangements and MLRO meet the standard the regulations require. The FCA’s guidance on who needs to register and how to apply for registration sets out the current framework in full.
Registration was always understood to be a staging post. HM Treasury consulted on the UK’s broader approach to cryptoassets as far back as January 2021, and the Financial Services and Markets Act 2023 created the statutory architecture to bring cryptoasset activities — including stablecoin issuance — inside the regulatory perimeter. The Financial Services and Markets Act 2023 is the enabling legislation; the detail arrives through secondary legislation and FCA rules, with the FCA consulting through 2025 and 2026 on stablecoin issuance, cryptoasset custody, trading platforms, and a prudential regime for cryptoasset firms.
The practical differences between the two regimes are stark, and they are worth setting out clearly because they define the scale of the work ahead:
Scope of assessment
MLR registration assesses financial crime controls. FSMA authorisation assesses the whole firm — the FCA’s threshold conditions cover legal status, location of offices, effective supervision, appropriate resources (both financial and non-financial), suitability, and the business model itself. An authorisation case officer will examine your governance arrangements, the composition and competence of your board, your regulatory business plan, your financial projections, your operational resilience arrangements, and your outsourcing dependencies — none of which the MLR gateway tests in comparable depth.
Personal accountability
Registered cryptoasset firms are not subject to the Senior Managers and Certification Regime. Authorised firms are. From the point of authorisation, cryptoasset firms will need individuals holding FCA-approved Senior Management Functions — typically SMF1 (Chief Executive), SMF3 (Executive Director), SMF16 (Compliance Oversight) and SMF17 (Money Laundering Reporting Officer) — each with a Statement of Responsibilities, each personally accountable under the regime, and each assessed for fitness and propriety before approval. For a sector in which almost no firms have ever put an individual through SMF approval, this is arguably the single biggest cultural change the new regime brings. Our guide to SMF16 and SMF17 in cryptoasset firms covers this dimension in detail.
Prudential requirements
Cryptoasset-registered firms currently face no regulatory minimum capital requirement, although the FCA expects adequate financial resources in all cases. The FCA’s final prudential regime, published on 30 June 2026 (PS26/12), sits in two new sourcebooks — COREPRU and CRYPTOPRU — setting own-funds, liquidity and risk-management requirements in the style of the Investment Firms Prudential Regime. Financial projections, capital planning and prudential reporting become core disciplines, and they land on the finance function. Our crypto CFO regulatory guide examines what this means for finance leadership.
Conduct and ongoing supervision
Authorised firms sit under the FCA Handbook and the full supervisory toolkit: thematic reviews, supervisory visits, RegData regulatory reporting, skilled persons reviews under section 166, and the complete range of enforcement powers. Registered firms have experienced a lighter supervisory touch. That changes on authorisation day.
The timeline: what happens when
The dates that matter are now fixed, and they compress the preparation window more than many firms appreciate.
30 September 2026 — the gateway opens. The FCA begins accepting applications for authorisation under FSMA for regulated cryptoasset activities. Firms already registered under the MLRs must apply like everyone else; there is no grandfathering. The FCA has stated that where a firm applies for MLR registration after 30 September 2026, it will accept the information contained in the firm’s FSMA authorisation application as information relevant to the MLR application — subject to the firm confirming it wants this — with a single application fee set at the higher of the two. Our companion guide on MLR registration versus FSMA authorisation works through the sequencing decision for new entrants in detail.
30 September 2026 to 28 February 2027 — the savings-provision window. Alongside the gateway opening, the FCA’s final rules set a window for the savings and transitional provisions: firms already operating in UK cryptoasset markets that want to keep trading while their authorisation is assessed must apply within this window. Applying early within it maximises the period a firm can continue specified activities under the transitional arrangements; firms that apply after 28 February 2027 cannot rely on these provisions and may have to cease relevant activities until authorised. This is the single most important date many existing firms have not yet planned around.
25 October 2027 — the regime is expected to start. From this point, carrying on regulated cryptoasset activities in the UK without authorisation becomes a breach of the general prohibition under FSMA — the same offence that applies to unauthorised deposit-taking or investment business. Firms that have not secured authorisation, or an appropriate transitional arrangement, cannot lawfully continue in-scope activities.
Thirteen months separates the gateway opening from the expected regime start. FCA authorisation for financial services firms routinely takes six to twelve months from submission to determination, and the FCA will be processing an entire sector’s applications simultaneously. Firms that submit early, with complete and well-prepared applications, will be determined first; firms that submit late or incomplete applications risk running into the regime start date without permission to trade. The preparation work — regulatory business plan, financial projections, governance build-out, senior manager identification and approval — realistically needs to be underway now for a firm intending to file in the first application window.
What the FCA will expect in an application
The FCA has been explicit, through both its cryptoasset registration guidance and its broader authorisation practice, about what distinguishes a successful application. The following areas are where cryptoasset applicants should expect the deepest scrutiny.
The regulatory business plan
Every FSMA application is built around a regulatory business plan: a comprehensive description of the products and services the firm will offer, its target customer base, its fee structures, its distribution model, its projected financials, and — critically — how the regulated activities map to the permissions applied for. The FCA’s existing cryptoasset registration guidance already requires a clear description of which activities require registration and which sit outside the perimeter; under FSMA the mapping exercise becomes more demanding, because the permissions regime is more granular. Firms whose business models span issuance, custody, exchange and lending will need to work through the perimeter analysis activity by activity.
Governance and management structure
The FCA expects a description and chart of the proposed management structure, the roles and responsibilities of key individuals, and their relevant expertise. Under FSMA this hardens into the SMCR framework: named senior managers, Statements of Responsibilities, a management responsibilities map for larger firms, and evidence that the board has the collective skill to direct a regulated business. Authorisation case officers routinely probe whether governance is real or cosmetic — whether the non-executives genuinely challenge, whether the compliance function has independence and authority, and whether accountability for each area of the business is clear.
Key personnel — and the timing trap
This is the area firms most often underestimate. The individuals named in an application are assessed as part of it. The FCA’s current guidance on cryptoasset registration states plainly that it expects the MLRO to be heavily involved in the preparation of an application and to remain in place throughout the application process and beyond — and that changing the MLRO mid-application may result in significant delays. The same logic will apply with greater force under FSMA, where SMF16 and SMF17 candidates undergo individual approval including, where the FCA considers it necessary, fitness and propriety interviews conducted in person.
The practical consequence: your compliance leadership needs to be hired before the application is written, not after it is submitted. An application drafted by consultants and inherited by a later-hired Head of Compliance is visibly weaker under FCA questioning than one prepared by the individual who will own it. FD Capital’s cryptoasset compliance recruitment practice exists for exactly this stage — identifying SMF-ready compliance officers and MLROs with crypto-sector credibility, early enough in the process for them to shape the application they will defend.
Financial resources and projections
Applicants must provide realistic financial information: projections, capital plans, and evidence of adequate resources against the threshold conditions. Under the final prudential regime this is a quantified exercise with defined own-funds requirements. Cryptoasset firms with treasury operations in digital assets face an additional layer — demonstrating how volatile, on-chain assets are valued, controlled and reflected in the capital position. The finance leader who prepares these projections needs regulated-firm experience; a growth-company CFO without financial services background will find the prudential sections unfamiliar territory.
Systems, controls and operational resilience
Custody arrangements, private key management, wallet segregation, outsourcing oversight and operational resilience will all feature. The final rules confirm custody of cryptoassets as a regulated activity in its own right, with client-asset protections under a new CASS 17 sourcebook covering ownership rights, record-keeping, reconciliation and a technology-agnostic approach to private key management. Firms should expect their technology and security arrangements to be examined at a depth the MLR gateway never reached.
Who is in scope
The perimeter of the new regime is defined by secondary legislation made under the Financial Services and Markets Act 2023, and covers the main activities of the UK cryptoasset market: operating a cryptoasset trading platform, dealing in cryptoassets as principal or agent, arranging deals, cryptoasset custody, staking arrangements, and the issuance of qualifying stablecoins. Stablecoin issuance carries its own regime with distinctive requirements around backing assets and redemption — covered in our dedicated stablecoin issuer compliance guide — and, at systemic scale, joint oversight with the Bank of England under the joint FCA and Bank approach to systemic stablecoin issuers published on 30 June 2026.
Overseas firms serving UK customers should take particular note. The current MLR regime already captures firms carrying on cryptoasset business in the UK, and the financial promotions regime restricts marketing to UK customers by unregistered firms. The FSMA regime continues the territorial logic: firms dealing with UK retail customers will generally need UK authorisation, with the location of offices and the UK presence of senior management — including the MLRO — attracting close FCA attention.
How the transition compares internationally
The UK is not moving in isolation. The EU’s Markets in Crypto-Assets Regulation (MiCA) is fully live, with authorisation requirements for cryptoasset service providers and issuers across the single market. In the United States, the GENIUS Act has established a federal framework for payment stablecoin issuers, with one-to-one backing requirements and prudential standards. The UK’s approach — full FSMA authorisation, an FCA-run stablecoin sandbox informing final rules, and Bank of England oversight of systemic issuers — is deliberately positioned as equivalent in rigour. For firms with multi-jurisdiction ambitions, the practical effect is that regulatory capability has become a core competency everywhere: the compliance and finance leaders who can carry a firm through the FCA gateway are the same profiles who can manage MiCA passporting or a US state trust charter conversation.
The people your application depends on
Strip away the legal architecture and an FSMA application is a test of people. The FCA authorises firms it believes will be run soundly, and it forms that belief in large part through the individuals it meets. Our experience placing compliance and finance leaders into FCA application processes — payments, e-money, consumer credit, investment management, and cryptoasset registration — points to four appointments that determine outcomes.
The MLRO (SMF17). The FCA assesses the MLRO’s fitness, propriety, knowledge of UK regulation, and specific understanding of cryptoasset risk. It scrutinises MLROs based outside the UK. It expects the MLRO to lead the financial crime sections of the application and to attend interviews in person. A crypto-competent, FCA-experienced MLRO is the scarcest profile in this market — our crypto MLRO guide covers the role in depth, and our MLRO recruitment and fractional MLRO services cover the hiring routes.
The Head of Compliance (SMF16). The compliance oversight function owns the application end to end in most firms: the regulatory business plan, the policies and procedures suite, the perimeter analysis, and the relationship with the case officer. At smaller firms SMF16 and SMF17 are often combined in one individual — a legitimate model the FCA accepts where the individual has capacity — which places even more weight on getting that single hire right.
The CFO or Finance Director. Financial projections, the capital plan, prudential calculations and the adequate-resources threshold condition all sit with finance. Firms preparing for authorisation frequently engage an interim CFO with FCA submission experience for the application period, converting to a permanent appointment after the grant.
The board. Authorisation is the moment many crypto firms appoint their first independent non-executives and formalise board governance. The FCA reads board composition as a signal of how seriously a firm takes its regulatory obligations.
Frequently asked questions
Does existing MLR registration carry over to the new regime?
No. Firms already registered under the MLRs must apply for FSMA authorisation like any other firm, and registration does not guarantee authorisation. The FCA has been explicit on both points. Registered firms do start with advantages — an established financial crime framework, an FCA supervisory history, and an MLRO who has already been assessed — but the authorisation application tests far more than the registration did.
When should we start preparing?
Now, if you intend to file in the first application window. Working backwards from a 30 September 2026 submission: the regulatory business plan and financial projections typically take three to six months to prepare well; senior manager recruitment for SMF16/17-calibre candidates typically runs three to six months including notice periods; and the FCA expects those individuals to shape the application rather than inherit it. Firms starting in the summer of 2026 are already sequencing hires against the gateway date.
How long will authorisation take once submitted?
The FCA’s statutory deadline for complete applications under FSMA is six months (twelve for incomplete applications), but experience across payments and e-money suggests firms should plan for six to twelve months in practice — and the volume of simultaneous cryptoasset applications may stretch determination times. Early, complete, well-prepared applications will move fastest.
Can we keep trading during the application?
The FCA’s final rules set savings and transitional provisions that let firms already operating in UK cryptoasset markets continue specified activities while their authorisation is assessed — but only if they apply within the savings window, which runs from 30 September 2026 to 28 February 2027. Firms that apply within the window may continue until their application is determined; firms that miss it may have to cease relevant activities until authorised. Note also that authorised firms will no longer register separately under the MLRs — authorisation replaces registration rather than sitting alongside it.
We are a new entrant — should we seek MLR registration first or wait for the FSMA gateway?
It depends on your launch timeline. The FCA has said firms may apply for registration at any time before the new regime begins, but should only do so if confident they can be registered early enough for it to be worthwhile. After 30 September 2026 the combined-application route with a single fee changes the calculation. Our guide on MLR registration versus FSMA authorisation works through the decision.
Related guides and services
- Cryptoasset Compliance Recruitment — our dedicated recruitment service for crypto MLRO, SMF16/17 and compliance hires
- The Crypto MLRO: Regulation 21, FCA Expectations and the Candidate Profile
- MLR Registration vs FSMA Authorisation for Crypto Firms
- Stablecoin Issuer Compliance: The UK Regime
- SMF16 and SMF17 for Cryptoasset Firms
- The Crypto CFO: Prudential Requirements and the FSMA Regime
- FCA Authorisation vs Registration: What Is the Difference
External resources
- FCA — Registration under the MLRs ahead of the new FSMA regime
- FCA — Cryptoassets: how to apply for registration
- FCA — What we expect to see in your application
- Financial Services and Markets Act 2023
- Money Laundering Regulations 2017
- FCA — Cryptoassets regime policy statements (30 June 2026)
- ICAEW Financial Services Faculty
About the Author
Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW member record). Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name.
FD Capital has been placing compliance officers, MLROs, CFOs and finance leaders into FCA application processes since 2018 — across payments, e-money, consumer credit, investment management and cryptoasset registration mandates. Our network includes SMF-approved compliance leaders with crypto-sector experience, and Adrian personally screens candidates for regulated appointments given the personal accountability dimensions involved. FD Capital Recruitment Ltd (Companies House no. 13329383) is associated with Adrian’s ICAEW registered practice.
Preparing a cryptoasset FSMA application? The compliance officer, MLRO and CFO who will carry it need to be in place before it is written. Call FD Capital on 020 3287 9501 or email recruitment@fdcapital.co.uk to discuss your hiring timeline against the 30 September 2026 gateway.




