AML Rules for Crypto Businesses in UK: What You Need to Know in 2026

Mar, 21 2026

Running a crypto business in the UK isn’t just about building a platform or launching a token. If you’re operating here, you’re under the microscope of one of the strictest anti-money laundering (AML) regimes in the world. The rules aren’t optional. They’re mandatory. And as of 2026, the system is changing - fast. If you’re trying to figure out what you actually need to do, here’s the real breakdown - no fluff, just what matters.

Who Needs to Register?

If your business handles cryptoassets in any way - whether you’re an exchange, a wallet provider, or even a payment processor - you must register with the Financial Conduct Authority (FCA). This isn’t a suggestion. It’s the law. Since January 2020, the UK brought crypto under its AML rules, and since then, the FCA has been the only body that can legally authorize these businesses to operate.

There are only two types of firms that must register:

Cryptoasset exchange providers - platforms that let users trade crypto for fiat (like GBP) or other crypto assets.
Custodian wallet providers - companies that hold or manage crypto on behalf of customers.

That’s it. If you’re not doing one of these two things, you might not need to register - but be careful. If you’re doing anything else that looks like financial activity (like staking rewards, lending, or yield farming), the FCA might still come after you. They don’t care what you call it. They care about what you do.

What Does Registration Actually Require?

Getting registered isn’t like signing up for a bank account. It’s more like applying for a license to run a bank. The FCA doesn’t just check your paperwork - they dig into your entire operation. Here’s what they demand:

Customer Due Diligence (CDD) - You must verify every customer’s identity using at least two independent sources. That means ID documents, proof of address, and sometimes even facial recognition. No exceptions.
Enhanced Due Diligence (EDD) - If a customer is from a high-risk country, has a history of financial crime, or is a politically exposed person (PEP), you need to go deeper. This includes source of funds checks and ongoing monitoring.
Transaction Monitoring - Your system must flag unusual activity automatically. The FCA expects you to catch suspicious transfers before they happen - not after. False positives are common, but if your system is generating more than 25% false alerts, they’ll call it inadequate.
Record Keeping - You must keep records of all customer interactions, transactions, and risk assessments for at least five years. Digital or paper - doesn’t matter. Just keep them.

And here’s the kicker: you need to prove you have a senior manager who is personally responsible for compliance. Not a junior officer. Not an outsourced consultant. Someone on your executive team. If something goes wrong, that person can be held personally liable.

The Travel Rule Is Live - And It’s Strict

In 2022, the UK implemented the FATF’s Travel Rule. That means if you’re sending or receiving a crypto transaction over £1,000, you must share specific details with the counterparty. Not just the wallet address. You need:

Name of the sender and recipient
Account number or wallet ID
Physical address (or national ID number if no address)
Transaction amount and currency

That’s a lot. And it’s not optional. If you’re a US-based exchange sending crypto to a UK user, you still have to comply. The FCA doesn’t care where you’re based - if you’re serving UK customers, you’re under their rules.

Many firms struggle here. Integrating this into legacy systems is expensive. One firm reported spending £185,000 just to connect their blockchain analytics tool with their KYC platform. And that’s just the tech. Training staff to handle the data correctly adds another £50k a year.

A crypto team watches failed paperwork crumble as their manager secures a compliance certificate for FSMA 2026.

Counterparty Due Diligence (CPDD) Is Coming

Even if you’re not directly dealing with a customer, you still need to check who you’re doing business with. That’s the new Counterparty Due Diligence rule, set to fully roll out in early 2026 under the Financial Services and Markets Act (FSMA).

For example: if your exchange partners with a decentralized finance (DeFi) protocol, you must verify that protocol’s operators - even if you never talk to them directly. Same if you use a third-party payment processor. The FCA says: if you’re connected to them, you’re responsible for their risk.

This is a big shift. Most crypto firms have never done this before. In traditional finance, banks have clear correspondent banking rules. In crypto? Most companies assumed they didn’t need to. They were wrong.

The Registration Failure Rate Is Shocking

Between 2020 and 2023, 87.3% of crypto firms failed their first FCA registration attempt. That’s not a typo. Almost nine out of ten.

Why? Here are the top three reasons:

Inadequate risk assessments - 62.1% of failed applicants didn’t properly map out where their risks came from. Did they consider ransomware payments? Darknet market traffic? Mixing services? If not, they failed.
Weak senior management oversight - 48.7% had compliance buried under marketing or engineering teams. The FCA wants the CEO to know what’s happening - not just the compliance officer.
Broken transaction monitoring - 39.4% had systems that couldn’t detect unusual patterns. Like a user sending £50,000 in ETH to 50 different wallets in 10 minutes. That’s a red flag. If your system didn’t catch it, you’re not ready.

And the cost? Firms spend an average of £287,500 just to get registered. Then they pay £142,300 a year to stay compliant. That’s not a startup budget. That’s enterprise-level spending.

What’s Changing in 2026?

The current registration system under the Money Laundering Regulations (MLR 2017) is being replaced. By Q1 2026, the Financial Services and Markets Act 2000 Order 2025 takes full effect. This isn’t a tweak - it’s a rewrite.

Here’s what changes:

Single licensing regime - No more dual registration. If you’re under FSMA, you’re licensed - no separate AML registration needed.
10% control threshold - If any individual or entity gains 10% or more ownership, you must notify the FCA. Previously, it was 25%. This makes it harder to quietly bring in hidden investors.
Stricter CPDD - You’ll need to verify not just direct partners, but any third party that touches your transactions.

The FCA expects 35-40% of current registered firms to disappear by the end of 2026. Why? Because they can’t afford the new costs. Or they don’t have the systems. Or they’re just not ready.

A chaotic crypto firm collapses beside a fortified compliant institution under the watchful FCA emblem.

How Does the UK Compare to Other Countries?

Compared to other places, the UK is tough - but not alone.

Comparison of Crypto AML Rules Across Jurisdictions
Region	Registration Threshold	Travel Rule Threshold	Change in Control Notice	First-Time Approval Rate
United Kingdom	Exchange & Custody Only	£1,000	10%	12.7%
United States	Multiple Agencies (FinCEN, SEC, CFTC)	$1,000	25%	45.2%
European Union (MiCA)	Single License	€1,000	20%	33.1%
Singapore (MAS)	Exchange & Custody	S$1,000	25%	38.4%

The UK is stricter than the EU and US on ownership transparency. But it’s harder to get through than Singapore. Why? Because the FCA doesn’t just want compliance - they want proof that you’ve built it into your DNA.

Real Stories From the Field

One firm, 'BlockchainComply', got approved in 11 months. They spent £520,000 on consultants, internal staff, and tech upgrades. But once approved, they say it paid off: “Investors now trust us. We’ve expanded into Germany and Japan because we can prove we’re clean.”

Another, a small DeFi startup, tried to register. They got rejected three times. Each time, the FCA said: “You don’t have a real compliance officer. You have a part-time developer who reads blogs.” They shut down.

Reddit threads are full of frustration. One user wrote: “14 months. 17 meetings. 3 revisions. £500k gone. And they still asked for a new risk assessment.”

But here’s the truth: the firms that survive? They’re not the ones with the fanciest tech. They’re the ones with the most disciplined culture. They train their staff. They audit themselves. They don’t wait for the FCA to tell them what’s wrong.

What Should You Do Right Now?

If you’re running a crypto business in the UK, here’s your checklist:

Are you registered with the FCA? If not, start now - you have 3 months from launch to apply.
Do you have a senior manager who owns compliance? If not, appoint one today.
Can your system detect transactions over £1,000 and pull the required data? If not, upgrade or partner with a vendor who can.
Are you tracking counterparties? Even if they’re not customers? Start mapping them.
Have you trained your team on the new FSMA rules? If not, budget for training - 35 hours per compliance staff member per year is mandatory.

The window for easy compliance is gone. The UK isn’t trying to stop crypto. It’s trying to clean it up. If you’re serious about operating here, you need to treat AML like a core product - not a box to check.

Do I need to register if I only accept crypto as payment?

No, not if you’re just accepting crypto as payment for goods or services - like a store taking Bitcoin for coffee. But if you’re converting it to fiat, holding it for customers, or trading it, you must register with the FCA. The key is whether you’re acting as a custodian or exchange. If you’re just a merchant, you’re exempt.

What happens if I operate without FCA registration?

You’re breaking the law. The FCA can shut down your website, freeze your bank accounts, and fine you up to £1 million. Individuals can be criminally prosecuted. Several unregistered firms have been taken offline in 2024 and 2025. There’s no warning. They act fast.

Can I outsource my AML compliance to a third party?

You can use third-party tools for KYC, transaction monitoring, or sanctions screening - but you can’t outsource responsibility. The FCA holds your firm’s leadership accountable. If your vendor fails, you still fail. You need internal oversight, not just a contract.

How long does FCA registration take?

On average, it takes 9.2 months. Some firms get approved in 6 months. Others take over a year. The FCA doesn’t publish timelines - they evaluate each application case by case. If your application is incomplete, they’ll ask for more info. And they’ll keep asking until they’re satisfied.

Will the new FSMA rules make registration easier?

Not for most. The FSMA rules are stricter. But they’re also clearer. Once you’re licensed under FSMA, you won’t need to deal with two separate systems. For firms that can meet the new standards, the long-term process will be smoother. But the barrier to entry is higher. Expect fewer players - but more solid ones.