UK Cryptoassets
Law & Regulation

UK Cryptoasset Law & Regulation

There are two primary regulations in the UK for VASP activities (including custody, exchange services and token sales) within the UK:

  • the Cryptoasset AML Registration Regime (CARR); and
  • the Financial Promotion Regime (FinProm).

The first applies to UK based businesses and the second has global application. In practice, the two regimes work together such that unless you are already an authorised person, or registered under CARR you need any cryptoasset financial promotion to be approved by an authorised person unless it is fully exempt (e.g. offers to professional investment firms). This is the case for all overseas firms that are not authorised by the FCA (or passported into the UK from Gibraltar).

See Gateway Regime below for the method by which non-UK firms can offer cryptoassets in compliance with the FinProm restrictions.

See also our latest post about the proposed new UK authorisation regime under FSMA.

The Financial Promotion Regime
(FinProm)

Most firms have faced significant challenges preparing for the financial promotions regime The challenges have been concentrated in preparing for the ‘back end’ financial promotion rules such as those relating to the 24-hour cooling off period and appropriateness assessment. These rules require significant system builds and operational changes. In contrast, the ‘front end’ financial promotions are more straightforward to implement.
FCA UK Financial Conduct Authority

FinProm

The Financial Promotion Regime (FinProm)

Overview

Key Aspects of the FinProm Regime

  • Qualifying Cryptoassets: In addition to regulated security tokens, most unregulated cryptoassets are within scope of FinProm under the definition of qualifying cryptoassets. E-money tokens (which includes some stablecoins) are already covered by the e-money regime.
  • Broad Scope: FinProm applies to a wide range of cryptoasset promotions, including websites, social media, and apps, capable of having an effect in the UK.
  • General Promotion Restriction: Firms can only communicate cryptoasset promotions, which qualify as Restricted Mass Market Investments (RMMI) if they meet the general promotion requirements and the back end rules for offers to purchase.
  • Banned Products: Some crypto products (e.g. derivatives, unregulated funds and ETNs) are banned for UK retail customers and therefore not permitted to be promoted.
  • Legal Routes for Promotion: Firms can comply with FinProm through authorisation, approval, registration or exemption.
  • Direct Offer Financial Promotions (DOFPs): DOFPs, which are direct offers to invest, are subject to additional requirements (known as Back End Rules) including a 24-hour cooling-off period, personalised risk warnings, client categorisation, and appropriateness assessments.

Even if a firm is not providing services in or from the UK, the UK has rules that regulate such businesses if they offer cryptoassets in or to the UK. The regime applies to financial promotions that are capable of having an effect in the UK. 

All retail clients are in scope and only professional institutional investors are not considered retail (i.e. high net worth individuals and sophisticated investors are within the definition of retail client).

The regime is implemented into the existing Financial Services and Markets Act 2000 (FSMA) by way of the (Financial Promotion) (Amendment Order) 2023 from 08 October 2023. The Financial Services and Markets Act 2023 (FSMA 2023) amends the definition of “investment activities”, to bring invitations and inducements relating to cryptoassets within the regulatory framework and therefore within the FCA’s regulatory reach. 

It applies to a wide range of persons and communications:

  • It applies to crypto asset service providers (including custodians, and persons exchanging crypto-crypto and crypto-fiat) as well as SAFTs, ICO’s and other token sales.
  • It also applies to some intermediaries that enable investments by way of business (e.g. affiliates providing links to another website under a paid referral scheme).
  • Not all cryptoassets are in scope (e.g. genuine NFTs that do not have a payment or investment function or features are excluded).
  • Many related DeFi services are also in scope, including complex yield cryptoasset models or arrangements (e.g. borrowing, lending and staking). The FCA takes the view that some of these are unlawful collective investment schemes which are covered by different financial services rules.
 
The rules contained in the FCA Handbook are subject to the following guidance by the FCA:

These obligations apply to all cryptoasset financial promotions, regardless of whether they constitute a DOFP (See Back End Rules below):

  • Fair, Clear, and Not Misleading: This is a fundamental requirement for all financial promotions, emphasising truthful and transparent communication. Firms must ensure their promotions are easily understandable and do not mislead retail clients about potential risks or returns.
  • Risk Warning: All cryptoasset promotions must include a prescribed risk warning. The FCA mandates specific wording and allows firms to tailor an accompanying risk summary to the investment’s specifics while recording their rationale for changes. The risk warning’s prominence is crucial, requiring clear visibility across different mediums.
  • Ban on Incentives to Invest: Promotions cannot offer monetary or non-monetary benefits that incentivise investment, such as “refer-a-friend” bonuses. However, benefits intrinsic to a cryptoasset’s function or business model are not considered incentives.
  • Compliance with Consumer Duty: Authorised firms communicating or approving cryptoasset promotions targeted at retail clients are subject to the Consumer Duty. This duty underscores the obligation to act in good faith, avoid foreseeable harm, and enable consumers to pursue their financial objectives.
  • Due Diligence: Firms must conduct due diligence on all claims made in their promotions, ensuring their accuracy and fairness. This extends to understanding and disclosing the wider risks associated with cryptoassets, not just verifying specific claims. 

Promotions include websites, blog posts, mobile phone apps, videos (e.g. YouTube promoters) and social media channels (X, LinkedIn etc). The FCA expect that the vast majority, if not all, of websites and apps that enable a UK person to invest in cryptoassets will be in scope of the financial promotions regime.

Financial promotions are unlikely to be considered to be fair, clear and not misleading unless an offer or promotion sets out with sufficient clarity and prominence the:

  • Proof of ownership of the underlying commodity/asset;
  • Evidence of the underlying commodity/asset;
  • Evidence of the custodian (if any) responsible for the underlying assets and the relationship with the issuer, including where the commodity/asset is held;
  • Clear terms of redemption for clients;
  • The risk the client will lose some or all of their money in the event the issuer becomes insolvent or otherwise fails;
  • Any further reasonably foreseeable dependencies (and risks) that may significantly impact the value or volatility of the underlying asset.

 

Anyone who communicates a financial promotion for a cryptoasset should have sufficient evidence, and carry out due diligence, on the substance of a promotion and underlying cryptoasset before communicating it to accurately disclose risks to clients in a way that is fair, clear and not misleading.

Due diligence is a key component of the financial promotions regime. To help firms understand their obligations, the FCA set out guidance in FG23/3 on conducting due diligence before communicating a financial promotion on both the cryptoasset or cryptoasset service being promoted and claims made in the promotion.

The FCA Guidance states that a firm may need to consider (amongst other things):

  • The authenticity and accuracy of the proposition described in the relevant promotion;
  • Ensuring the cryptoasset is not linked to fraudulent activity, scams, money laundering or other financial crime;
  • Understanding the operational or technological risks;
  • Understanding the environmental, social and governance risks associated with the cryptoasset;
  • Conducting relevant legal and compliance checks, such as whether they are satisfied that the cryptoasset does not constitute a specified investment and that their activities in relation to the cryptoasset do not constitute regulated activities for which permission or exemption under FSMA would be required.

 

There are 3 main reasons why firms will need to conduct due diligence.

Disclosing of risks. To ensure a financial promotion is fair, clear and not misleading firms will need to conduct due diligence on the cryptoasset or cryptoasset service to understand its relevant risks. This is to enable firms to accurately and clearly disclose those risks in the promotion, including in the required risk summaries, and to assess consumers’ understanding of those risks as part of the appropriateness assessment through the customer journey.

Accuracy and fairness of claims made. To ensure a financial promotion is fair, clear and not misleading firms should conduct due diligence on any claims made in the promotion. For example, claims about how a form of stability is maintained and claims on how advertised rates of return are achieved.

Supporting good consumer outcomes. Beyond being able to ensure that a promotion is fair, clear and not misleading, authorised persons communicating or approving cryptoasset financial promotions may need to conduct additional due diligence. This is to meet their obligations under the Duty, where relevant, to ensure promotions support good consumer outcomes and avoid causing foreseeable harm.”

A general financial promotion is any communication inviting or inducing someone to engage in investment activity. This could be an advert, website content, or any other material aimed at promoting financial products or services.

  • Risk Warning Obligation:
    • As part of the obligation to include clear, fair, and not misleading information, firms must provide appropriate risk warnings that give potential investors a clear understanding of the risks involved in the product or service being promoted.
    • The FCA’s rules (COBS 4) state that financial promotions must be balanced, meaning that both benefits and risks need to be adequately communicated.
    • Standard Risk Warnings: For certain high-risk products (e.g., contracts for difference, unregulated investments, or cryptoassets), the FCA mandates specific risk warnings: “Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment and you should not expect to be protected if something goes wrong.
    • Risk warnings must be prominent and clear in the financial promotion itself, often positioned early in the material or in a place that the customer is likely to see before acting on the promotion. This is to ensure that consumers understand the risks before engaging.

 

Example: An online advert for an investment product targeting retail clients would need to include prominent risk warnings upfront, especially if the investment involves high-risk products like cryptoassets or leveraged derivatives.

Financial incentives to purchase cryptoassets (including refer-a-friend bonuses) will be unlawful. The FCA rules do however clarify when an intrinsic benefit is permissible:

We wish to clarify that we would not consider benefits that are intrinsic to the cryptoasset or exclusively bound up with its function and/or business model to be considered an ‘incentive’. This might include features or benefits that are part of the terms and conditions associated with a particular cryptoasset. For example, cryptoassets that serve to provide the owner with voting rights, and which are used for the purpose of establishing governance arrangements for a particular platform or project would not be considered an incentive.

The requirements for promoting invitations to purchase qualifying cryptoassets – (known as Direct Offer Financial Promotions (DOFPs) – to clients are referred to as the additional ‘back end’ rules and they include:

  • 24-hour cooling-off period
  • personalised risk warnings
  • client categorisation
  • appropriateness assessments

 

A DOFP is defined as: 

a financial promotion that contains: 

  1. an offer by the firm or another person to enter into a controlled agreement with any person who responds to the communication; or 
  2. an invitation to any person who responds to the communication to make an offer to the firm or another person to enter into a controlled agreement 

and which specifies the manner of response or includes a form by which any response may be made.

Retail consumers must be given a 24-hour cooling-off period before they can proceed with an investment following the promotion of high-risk financial products, such as cryptoassets. This applies to first-time investors in these products to give them adequate time to reflect on the risks before committing funds.

In a DOFP, firms must ensure that clients are provided with all relevant risk information before they make a final decision to invest. This often involves providing a detailed risk disclosure document at the point where the client is about to execute the transaction.

The risk warning must be tailored to the product being offered and placed in a clear and prominent manner at the point where the client is taking action. This can be viewed as a “back-end” obligation because it applies at the final step where the client decides to purchase the product.

Suitability or Appropriateness Considerations: If the promotion leads to a suitability check or an appropriateness test, this would also factor into ensuring that the client understands the risks at the point of sale.

DOFPs can only be made to investors that have already been categorised as:

  • Restricted investors (any individual that is not HNW or Sophisticated client) and confirms they have not in the previous 12 months or will not in the next 12 months invest more than 10% of their net assets 
  • Certified High Net Worth individuals (Article 48 of the FPO); and
  • Certified Sophisticated investors (Article 50 of the FPO). 

 

The categorisations require the investor to sign a declaration stating that they meet the relevant criteria to fall within the relevant category. Sophisticated investors can not self-certify. Declarations are only valid for a 12-month period. This means firms will need to re-categorise investors again after the 12-month period has expired if they wish to make further direct DOFPs. 

Less Restrictive Financial Promotions: You can communicate more complex or high-risk products to HNW and Sophisticated clients without needing to meet all the stringent requirements that apply to retail clients. However, firms must still include appropriate risk warnings.

The aim of appropriateness is to determine whether the client has the necessary knowledge and experience to understand the risks associated with the financial product they want to buy. This check ensures that the client is not investing in a product that is too complex for them to understand. COBS 10 includes the rules on Appropriateness.

Firms must assess whether the qualifying cryptoasset is appropriate for the consumer before they process an application or order in response to a DOFP. This requires the firm to assess that the consumer has the necessary experience and knowledge to understand the risks associated with the specified cryptoasset. 

Guidance in the FCA handbook include the topics the FCA would expect firms to include is intended to set a baseline standard and help firms understand their obligations. Firms may need to ask additional or alternative questions to ensure that the retail client has the necessary knowledge to understand the risks involved in the specific type of cryptoasset offered. FCA rules are not prescriptive on how appropriateness assessment should be conducted. 

Note: for persons providing advice on cryptoassets the suitability requirements are also relevant.

Suitability requirements are contained in COBS 9 which distinguishes between suitability checks (for ensuring that a product is in line with a client’s personal financial situation and goals) and appropriateness checks (which ensure the client has the knowledge to understand the risks of the specific product). 

Client categorisation

The financial promotions regime applies to all firms marketing cryptoassets to UK consumers regardless of whether the firm is based overseas and whatever technology is used to make the promotion.

  • Financial promotions do not need to be specifically directed at UK consumers to be capable of having an effect in the UK.
  • If a UK consumer can access and respond to cryptoasset promotions to engage in cryptoasset activities, such as through websites, apps and/or social media, it is likely that those promotions will be capable of having an effect in the UK.

There are now only 4 routes to legally promoting cryptoassets to retail customers:

  • The promotion is communicated by an authorised person;
  • The promotion is made by an unauthorised person but approved by an authorised person (a regulatory gateway permission is being made available for authorised firms wishing to approve financial promotions for unauthorised persons);
  • The promotion is communicated by (or on behalf of) a cryptoasset business registered with the FCA under the MLRs in reliance on the exemption in Article 73ZA of the FPO (i.e. the Crypto Asset Registration Regime explained below);
  • The promotion is otherwise communicated in compliance with the conditions of an exemption in the Financial Promotion Order. 

Firms that are not authorised or registered under CARR rely on authorised firms, known as “s21 approvers,” (Financial Promotion Approvers) to approve their financial promotions targeted at UK clients.

The Financial Promotion Gateway Regime, is a new regulatory framework in the UK that aims to enhance control over the approval of financial promotions by authorised firms on behalf of unauthorised persons. It ensures the FCA have oversight in real-time of the types of promotions being approved by authorised persons in behalf others.

FSMS 2023 amended section 21 of FSMA to introduce the s21 gateway. This gateway requires authorised firms seeking to approve financial promotions for unauthorised persons to obtain explicit permission from the FCA, signifying a shift from a system where approval was a general entitlement to one where it is a specific permission granted based on the FCA’s continuous assessment of the firm’s competence and capabilities. 

Approvers are required to notify the FCA within one week using the FCA connect platform when they approve a financial promotion for a qualifying cryptoasset, or a product subject to a retail mass marketing restriction.

The rules relating to corporate clients are different and allow for certain promotions to qualifying corporates, associations and trusts. 

While some exemptions that apply to traditional financial promotions are not applicable to cryptoassets, certain general exemptions within the Financial Promotion Order (FPO) apply, as long as their conditions are met.

The main one is the Investment Professionals Exemption, which allows communications to individuals considered investment professionals, including banks, investment firms, and other entities whose regular business activities involve the subject of the communication. It includes trusts, partnerships and companies having above specified financial asset thresholds.

This exemption also covers governments, local authorities, and international organisations.

Payment companies, social media companies and advertisers are also required to ensure that illegal financial promotions are not communicated to UK consumers by unregistered cryptoasset firms. 

This led some banks and payment companies to shut down UK crypto payments activities until they were clearer on how to comply. CoinDesk – Why Some Crypto Firms Are Suspending Services in the U.K.

Now that the FinProm regime for cryptoassets is more settled it is possible to navigate the relevant issues with payment companies and media organisations.

In addition, if a business model involves receiving economic benefits to encourage persons to invest in cryptoassets (there are many persons using affiliate links on social media platforms including X and Youtube) then they can also be caught by the general financial promotion restriction even if they are not directly providing the cryptoasset custody, exchange or investment services:

A hypertext link may or may not be a financial promotion in itself. This will depend on the nature of the hypertext link and the context in which it is placed. However, taken in isolation, a hypertext link which is purely the name or logo of the destination will not be a financial promotion in its own right. More sophisticated links, such as banners or changeable text, may be financial promotions. This will depend upon the facts in each case.

…In some cases, however, the operator (‘O’) of a website which hosts a link to another website, may be causing the communication of a financial promotion on that other website. This will only arise when O has made arrangements with the operator of the other website under which O is to procure users of his site to access the link provided with a view to their engaging in investment activity.” (FCA – PERG, 8.22)

FAQs

FAQ: Frequently Asked  Questions about FinProm

Token Sales & Airdrops

Are all Token Sales/ICOs/SAFTs in scope?

Yes if they involve an offer to subscribe for qualifying cryptoassets being fungible and transferable cryptoassets that are not limited network tokens or within scope of other rules (e.g. e-money tokens, other regulated investment tokens).

There’s no explicit guidance on whether airdrops fall under the UK’s financial promotion regime. Airdrops vary significantly. Some might be simple giveaways, while others might require users to perform actions (like holding another token or participating in a network) which could be seen as an “investment.” This makes it difficult for the FCA to issue a blanket ruling.

  • In scope: If an airdrop involves any element of investment or could be perceived as encouraging investment in a cryptoasset, it could fall under the finprom regime. This means promoters might need to be authorised by the FCA or have their promotions approved by an authorised firm.
  • Out of scope: If the airdrop is a genuine giveaway with no strings attached and no expectation of future investment, it should fall outside the FinProm regime.

Out of Scope  CryptoAssets

Banned Cryptoasset Products

Cryptoasset derivative products and crypto ETNs remain banned for UK retail clients. In addition the rules on Non-Mass Market Investments also apply and prohibit promotions for:

 

The FCA will however permit the listing of ETNs on a case by case basis for professional investors subject to the retail client ban.

Limited use cryptoassets, are excluded from the definition of “qualifying cryptoassets” and therefore are not subject to the same financial promotion restrictions.

A cryptoasset is considered “limited use” if it can only be redeemed with the issuer and cannot be otherwise transferred or sold; and it meets one of the following conditions:

  1. it allows the holder to acquire goods or services only from the issuer;
  2. it is issued by a professional issuer and allows the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer; or
  3. it may be used only to acquire a very limited range of goods or services.
    1.  

The cryptoasset restriction applies only to cryptoassets that are fungible and transferable (such as tokens and cryptocurrencies).

It does not extend to non-fungible tokens that do not have an investment or payment function. NFTs are currently generally treated as collectibles rather than financial investments. However, care is needed with edge cases (such as fan tokens) which may have the characteristics of an investment depending in their structure and the manner in which they are marketed.

Cryptoassets that meet the criteria of one of the other types of controlled investment, or electronic money or fiat currency will not constitute qualifying cryptoassets however  they will be within scope of the other applicable regimes.

Cryptoassets that can only be used in a limited way are also excluded –  in line with the limited network exclusion that applies in relation to payment services.

UK financial services law and the FinProm regime distinguish regulated tokens and unregulated cryptoassets and tokens:

Regulated tokens

  • Security tokens: These are tokens that amount to a ‘Specified Investment’ under the Regulated Activities Order (RAO), excluding e-money. These may provide rights such as ownership, repayment of a specific sum of money, or entitlement to a share in future profits. They may represent an interest in a collective investment scheme or be transferable securities or other financial instrument under the EU’s Markets in Financial Instruments Directive II (MiFID II). These tokens are usually inside the FCA’s regulatory perimeter.
  • E-money tokens: These are tokens that meet the definition of e-money under the Electronic Money Regulations (EMRs). See Stablecoins below.

Unregulated tokens

  • Any tokens that are not security tokens or e-money tokens are unregulated tokens. This category includes utility tokens which can be redeemed for access to a specific product or service that is typically provided using a DLT platform. Despite being described as unregulated they are subject to the FinProm regime for qualifying crypto-assets (i.e. the mass market investments promotion rules described above).
  • The category also includes tokens such as Bitcoin, Litecoin and equivalents, and often referred to as ‘cryptocurrencies’, ‘cryptocoins’ or ‘payment tokens’. These tokens are usually decentralised and designed to be used primarily as a medium of exchange. They are used as a means of exchange or for investment.

With a few exceptions, the FinProm regime also applies to unregulated tokens (known as ‘qualifying cryptoassets‘).

Exempt Clients

Are any types of clients exempt?

Yes. Only professional investors (e.g. government bodies and agencies, banks, investment funds, venture capital firms, insurers, higher value trusts, partnership and companies) are out of scope of the FinProm restrictions for promoters.

CARR

The Crypto Asset Registration Regime (CARR)

Overview

Key Aspects of the AML/CTF Registration Regime

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs), provide that many activities related to cryptoassets require registration for anti-money laundering and counter terrorist financing (AML/CTF) purposes.

UK-based firms carrying out these activities (including exchanging and custody on a customer’s behalf) must be registered with the UK Financial Conduct Authority (FCA)  If such firms are not registered, they are at risk of being subject to the FCA’s criminal and enforcement powers.

Registrants must have suitable due diligence procedures in place and implement adequate AML/CTF systems and controls. However, CARR requires the submission of a range of information that is more akin to the full prudential regime and goes much further than what is actually required to assess the suitability of a business to combat criminal misuse of their services.

The requirements  are substantial and resulted in only a few successful registrations when it was first implemented and many operators left the UK market.  In addition, the success rate for applicants is consistently below 15%.

The MLRs provide that many activities related to cryptoassets require FCA registration for anti-money laundering and counter terrorist financing purposes (AML & CTF), even when they are not regulated financial services activities requiring Financial Conduct Authority (FCA) authorisation.  

The relevant in scope cryptoasset activities are those carried out by:

  • cryptoasset exchange providers:

“a firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services—

(a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,

(b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or

(c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets” (MLR 14A(1)).

 

  • custodian wallet providers:

a firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer—

(a) cryptoassets on behalf of its customers, or

(b) private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets, when providing such services” (MLR 14A(2)).

 
The FCA has issued a range of guidance:
 
In addition, the JMLSG Guidance (Part II) provides further detail on the expected in-scope and out of scope activities.
 

NFTs

The position with respect to NFTs and the AML regime is not crystal clear and it has not been clarified by the FCA or in JMLSG Guidance (i.e. specifically stated as being in or out of scope). The definition is arguable wide enough to include NFTs particularly if they are not standard collectible items or represent a higher AMl risk. We also note that FATF guidance excludes such tokens from being within the scope of their guidance on suitable national AML requirements. 

The boundary issues for NFTs have also not been subject to any public enforcement action. by the FCA or UK court cases that would help understand if and when NFTs should be considered as in-scope stores of value or contractual value tokens.

In practice, the nature of the NFTs and the context is crucial to assess whether they give contractual rights or appear to operate as a fungible store of value (similar to cryptoassets in scope of financial services rules) and are therefore likely to be the type of token which the FCA wishes to bring within the regulatory perimeter. 

We also await the follow up to the closed Treasury consultation ‘Improving the effectiveness of the Money Laundering Regulations‘ as this may result in regulatory clarity as to if or when NFT issuers or platforms should be considered in scope for AML purposes, particularly once the FSMA authorisation regime is in place for cryptoassets (since they will not usually be within scope of that regime).

 

The following businesses are definitely caught by the two relevant cryptoasset exchange and custodian definitions:

  • Cryptoasset Exchange Services:
    • Firms providing services to exchange cryptoassets for money (fiat currency), cryptoassets for other cryptoassets, or vice versa.
    • Cryptocurrency exchanges and over-the-counter (OTC) services that offer buying or selling cryptoassets on behalf of clients.
  • Cryptoasset Custody Services:
    • Firms offering custodial or safeguarding services, such as holding, managing, or storing cryptoassets on behalf of clients.
  • Cryptoasset ATM Operators:
    • Companies or individuals operating cryptocurrency ATMs, where customers can buy or sell cryptoassets using cash or cards, also need to be registered.
  • Issuers of Cryptoassets:
    • Some firms that issue cryptoassets (depending on how their activities are structured) may fall within the scope of registration if their services involve facilitating cryptoasset transactions or transfers for customers. This could apply to a SAFT/token seller based in the UK.
  • Cryptoasset Transfer Services:
    • Businesses facilitating the transfer of cryptoassets, either from one wallet to another or between different platforms or customers.
  • Cryptoasset Brokers:
    • Brokers or intermediaries who arrange or make transactions on behalf of others (including dealing platforms) are required to be registered with the FCA if they are involved in exchanging or transferring cryptoassets.

CARR Flowchart

CARR requires a UK presence for persons wishing to register under the MLRs (which also enables them to take advantage of the exemption in respect of financial promotions of cryptoassets for such persons under FinProm).

The following definitely constitute a qualifying UK presence for the purposes of the MLRs:

  1. a UK registered company managed from the UK.
  2. a registered office in the UK with a place of business for UK activities effectively managed from the UK.
  3. a UK head office of an overseas business that is effectively managed in the UK (this in effect a UK business for both regulatory and tax purposes).

 

Note: if you are not an authorised firm by the FCA or registered under CARR you can not make financial promotions of cryptoassets in the UK without approval by an authorised firm.

The FCA website sets out the various steps, documents and requirements for registering as a VASP under the UK CA AML/CTF Regime. Applicants must register from a UK establishment.

  • Registration platform: Applicants apply via the Connect platform: Registration: Connect | FCA 
  • Pre-application Meeting: Applicants can request a pre-application meeting to seek clarity on the application process.
  • Registration Fee: Category 6 Authorisation and registration application fees | FCA – currently £10,880. Annual Fees are calculated using an annual income multiplier 
  • Success Rate: the current success rate for applicants is approximately 14% – Cryptoasset AML / CTF regime: feedback on good and poor quality applications | FCA 
  • Timelines: The FCA has a service level target of 3 months to reach a decision however this service level only applies once an application is deemed to be complete. In practice, applicants should assume the whole process will take between 9-18 months.
  • Application information: What information is required to be included with an FCA application? – see below.

The FCA website sets out the information the FCA expect in an AML/CTF application.

Summary

To register a cryptoasset business in the UK, you need to provide the FCA with a comprehensive overview of your operations, including:

Business details:

  • What your business does: Specifically, which cryptoasset services you offer.
  • Business plan: Your objectives, target audience, staffing, governance structure, financial projections, and future plans.
  • Organisational structure: How your business is organised, including any outsourcing arrangements.
  • Global operations: A list of all jurisdictions where your business operates, including any regulatory oversight.

 

Technical & Compliance:

  • IT systems: Details of your IT infrastructure, security policies, and procedures.
  • AML/CTF framework: Your policies, procedures, and training materials for combating money laundering and terrorist financing.
  • Risk assessments: Business-wide and customer-specific risk assessments, including your methodology and control framework.
  • Financial promotions: Your policy and procedures for ensuring compliance with FCA rules.
  • Travel Rule compliance: Your policies and procedures for meeting the Travel Rule requirements for cryptoasset transfers.
  • Cryptoasset addresses: All public keys/wallet addresses used by your business.
  • Customer due diligence: Your on-boarding process, including screening tools for sanctions, PEPs, and adverse media.
  • Ongoing monitoring: Your processes for detecting and escalating suspicious activity.
  • Record-keeping: Your procedures for maintaining accurate records and notifying the FCA of any changes.

 

Fit and Proper Test:

  • Individuals: Details of all key personnel, including directors, officers, managers, and beneficial owners, demonstrating their good reputation, knowledge, and experience.
  • Compliance officer: Confirmation that you have a designated individual responsible for AML/CTF compliance.
  • Disclosure: Full disclosure of any issues that may affect the fit and proper assessment, including convictions or penalties.

 

This information helps the FCA assess your business’s legitimacy, financial stability, and compliance with AML/CTF regulations. It’s crucial to be thorough and accurate in your application to avoid delays or rejection.

The JMLSG guidance gives some examples of activities likely to be out of scope and some borderline cases:

22.11 The definition [of a cryptoasset exchange provider] is broad, providing for exchanging as well as “arranging or making arrangements with a view to the exchange.” This may include activities relating to a dedicated peer-to-peer platform. However, it is not intended to capture a firm that only provides a forum where buyers and sellers can post their bids and offers, such as a bulletin board where the availability of the assets are merely made known and the parties trade at an outside venue either through individual wallets or other wallets not hosted by the forum or a connected firm. Such business models will, however, be considered on a case-by-case basis.

22.12 Software developers and other providers connected to a decentralized cryptoasset exchange and payment system may fall outside of the scope of the definition, and are more likely to do so if they derive no income or benefit from consequent transactions (also see paras 22.25 and 22.26 below).”

Technological Neutrality

However, we note that this guidance seems overly restrictive and does not appear to be technologically neutral.

In the regulated payments sector it is clear that companies that are not involved in the payment flows, e.g. AISPs, are out of scope of AML/CTF obligations because it is not proportionate on a risk based approach to apply the same to them.

In addition, the Payment Services Directive (which is still implemented in the UK) provides:

“…Where agents act on behalf of both the payer and the payee (such as certain e-commerce platform), they should be excluded [from being a regulated payment service provider] only if they do not, at any time enter into possession or control of client funds” (Recital 11, PSD2)

In our view, a technology provider that does not handle client funds or cryptoassets should be able to defend themselves from a claim that they must register for AML/CTF under the UK Cryptoasset Registration Regime since it is not proportionate or risk based to apply the regime to them. Whether they are in scope of the FinProm regime is a different matter.

The JMLSG Guidance appears to conflate AML/CTF risks and obligations with wider regulatory boundary issues (i.e. intermediary activities). It would be much better to separate the two issues and for the UK to decide which activities require authorisation or registration permissions for financial services activity and which for AML/CTF risks (the two are not the same).

However, we caution that to the extent that a technology provider operated a marketplace that enables and promotes the regular sale or exchange of qualifying cryptoassets and they receive a benefit from each transaction then it would be harder to resist being in-scope.

The UK implemented the Travel Rule from 1 September 2023 for VASPs (defined as crypto businesses). The Travel Rule in the UK only applies to UK-based crypto-businesses being ‘cryptoasset exchange providers’ or ‘custodian wallet providers’ (as defined in the MLR) also known as Virtual Asset Service Providers (VASPs).

Sending VASP Obligations:

A sending VASP is the VASP initiating the transfer on behalf of the sender (originator).

  • Collect and Verify Originator Information: The sending VASP must collect the following minimum details:

    • The name of the originator and the beneficiary; 
    • The registered name of the originator or beneficiary if they are a legal entity (or trading name if no registered name); 
    • The account number of the originator and the beneficiary (or unique transaction identifier if there is no account number). Account numbers should be and remain unique to a customer.
  • Verification: The sending VASP’s obligation is focused on verifying the originator’s identity (the person initiating the transaction).
  • Transmit Information: The sending VASP must transmit this data to the receiving VASP (or financial institution) either before or alongside the cryptoasset transfer.

Additional Information on individuals versus legal entities

Upon request, for intra-UK transfers, and for all cross-border transfers the following additional info is required:

  • If the originator is a legal entity:
    • Customer identification number (or where there is a relevant Legal Entity Identifier (LEI) this may be helpful).
    • Address of originator’s registered office (or principal place of business if none or different) 
  • If the originator is an individual, one of the following:
    • Customer identification number; or 
    • Address; or
    • Birth certificate number, passport number or national identity card number (or individual’s date and place of birth).

Receiving VASP Obligations:

A receiving VASP is the VASP receiving crypto-assets on behalf of the beneficiary (recipient).

  • Obtain and Assess Information: The receiving VASP must obtain the transmitted information from the sending VASP, including the originator and beneficiary details.

  • Verify Beneficiary Information: The receiving VASP is responsible for verifying the beneficiary’s identity.

  • Report Suspicious Activity: If a VASP identifies any suspicious activity or discrepancies in the transmitted information, they must report it under AML/CTF rules to the relevant authorities (such as the National Crime Agency in the UK).

Compliance Requirements

  • Verification: The VASP sending the cryptoassets must ensure they have collected and verified the necessary details of the sender. When third-party services are used, responsibility remains with the VASP to ensure compliance.
  • Risk-Based Approach: Firms are expected to apply enhanced scrutiny based on a risk assessment, particularly when dealing with high-risk transactions or transfers involving unhosted wallets (private wallets not controlled by another VASP).

 

Challenges and Additional Considerations

  • De Minimis Threshold: There is no de minimis threshold, meaning even small transactions must comply, though the information required for transfers under €1,000 is more limited to the standard requirements (if the transfer isn’t part of a linked series of transfers or there is no suspicion of money laundering).
  • Jurisdictional Issues: Obtaining information from counterparties in jurisdictions without Travel Rule implementation can be a significant challenge for compliance, and this remains a pain point for businesses.
  • FCA’s Role: The FCA has acknowledged these challenges and is actively working with industry stakeholders to develop guidance to help navigate the Travel Rule requirements.

 

Further Guidance

The FCA has issued guidance on how it expects regulated firms to comply. 

In addition, the JMLSG has issued Cryptoasset Transfer Guidance.

The Regulation of Stablecoins

Overview

Currently stablecoins are not explicitly covered by the Electronic Money Regulations 2011 (EMRs). However, the FCA interprets stablecoins functioning as digital representations of fiat currency—redeemable at par and used for payments—as falling within the e-money definition under the EMRs. This interpretation obliges issuers to comply with safeguarding, redemption, and conduct requirements under the existing e-money framework​

The Financial Services and Markets Act 2023 (FSMA 2023) provides the statutory authority to implement this phased regulation. It enables the government to extend existing regimes, including e-money rules, or create bespoke requirements tailored to stablecoins and cryptoassets with the Financial Conduct Authority (FCA) and the Bank of England (BoE) playing key roles in developing and enforcing specific rules.

In order to provide greater clarity, the UK government is implementing a phased approach to regulate stablecoins explicitly, initially focusing on fiat-backed stablecoins intended for payments (Phase 1) and later expanding to encompass a broader range of cryptoassets (Phase 2) as part of the wider proposed changes to the authorisation regime (see above).The regulatory changes aim to address stablecoins more broadly, including those that might not strictly fit the e-money definition but still pose potential risks to consumers or the financial system.

  • Systemic Stablecoins: Those deemed “systemic” determined by their widespread use or potential impact on financial stability in payments will likely fall under the EMRs and be subject to stricter oversight by the BoE to ensure the resilience and integrity of payment systems. They will face enhanced requirements like stringent capital backing (e.g., central bank deposits), enhanced safeguarding measures, and limitations on redemption fees​. Examples: These would include stablecoins that could be widely adopted for everyday transactions, similar to cash or card payments, potentially forming part of systemic payment systems recognised by HM Treasury (HMT)
  • Non-Systemic Stablecoins: These will likely be regulated by the FCA under the Financial Services and Markets Act (FSMA) 2023 and potentially the Electronic Money Regulations (EMRs), depending on their function and structure.  While such stablecoins might not play a critical role in systemic payment infrastructure, they must still ensure safeguards like asset backing and redemption mechanisms. The interaction with e-money rules and how non-systemic stablecoins are classified under EMRs is yet to be fully clarified.
  • Systematic versus non-systemic: The distinction hinges on a stablecoin’s role in payments and its potential systemic importance. The BoE’s proposed regulation emphasises stability for widely used payment systems, while the FCA focuses on broader consumer protection and market integrity for less critical use cases.

The initial focus of stablecoin regulation is on fiat-backed stablecoins, defined as cryptoassets pegged to and backed by one or more specified fiat currencies. This phase prioritises regulating activities like issuance, custody, and the use of stablecoins in payment chains.

  • FCA’s Role: The FCA is tasked with regulating firms involved in issuing and providing custody services for fiat-backed stablecoins in or from the UK. This involves:
    • Authorisation: Firms wishing to engage in these activities will require authorisation from the FCA.
    • Prudential Requirements: The FCA will set rules for backing assets, including their composition, segregation, and protection in case of insolvency.
    • Redemption Rights: Rules will ensure consumers have the right to promptly redeem their stablecoins at par value.
    • Financial Crime Rules: The FCA will apply existing financial crime regulations to stablecoin issuers and custodians, ensuring they operate with the same standards as traditional financial institutions.
    • Overseas Stablecoins: HM Treasury is exploring a pathway for approving overseas stablecoins for use in UK payments, subject to equivalent standards.
  • BoE’s Role: The BoE will regulate operators of systemic payment systems that use stablecoins as settlement assets. This includes:
    • Systemic Importance: Only stablecoins used in payment systems deemed systemically important by HM Treasury will fall under the BoE’s remit.
    • Resilience and Risk Management: The BoE will focus on ensuring the financial and operational resilience of these payment systems, requiring robust risk management frameworks and safeguards.
    • Safeguarding and Redemption: The BoE will set requirements for safeguarding customer funds and ensuring prompt redemption at par value, even in times of stress.
    • Holding Limits: The BoE is considering imposing holding limits on individual stablecoin holders to mitigate potential risks to financial stability from large-scale outflows from bank deposits.

Dual Regulation: Some stablecoin entities may fall under the regulatory purview of both the FCA and the BoE. A Memorandum of Understanding between the authorities will clarify how this dual regulation will function, ensuring a coordinated and streamlined approach.

Future Outlook

Final Thoughts

Compliance is Crucial: Firms operating from the UK or in the UK cryptoasset market must understand both CARR and FinProm to avoid legal and regulatory risks.

Navigating the Regulatory Regimes: UK-based firms should carefully consider FCA CARR registration requirements and the stringent application process and both UK and  overseas firms must ensure they meet the FinProm promotion requirements.

Strategic Partnerships: Cryptoasset firms can leverage partnerships with authorised UK firms to navigate the complexities of FinProm and access the UK market.

Staying Updated: The regulatory landscape is evolving rapidly, and firms must stay informed about upcoming changes, such as the proposed full authorisation regime (wider than FinProm) and the proposed stablecoin regulations.

Future Outlook

We expect a full authorisation regime similar to that which applies to CASPs under MiCA to be brought into law in 2025. The recent HMT consultation sets out the framework for a number of different activities which HMT considers the highest risk and specific regulatory requirements for these activities. An authorisation regime will also open up the possibility of Gibraltar implementing a similar regime and enabling passporting from Gibraltar under the GAR regime.

In addition, we await the conclusion to the FCA and BoE consultations on fiat stablecoins and the interaction with the e-money regime: Ramparts – UK Stablecoin Discussion Papers 

 

News & Insights

December 15, 2025

Gibraltar E-Commerce & VAT

Mandatory VAT Defences:Mastering the Two-Item Rule and managing the Fixed Establishment Trap.

Flag Map of the EU
November 10, 2025

MiCAR Implementation Update

Latest updates on the latest implementation status of the Markets in Crypto-Assets Regulation (MiCAR).

More >>

Our Crypto Asset & DLT Team

Peter Howitt

Peter Howitt

Managing Director

peterhowitt@ramparts.gi
accounting, fund administration, tax filing and company set up

Heather Adamson

Head of Fiduciary

heatheradamson@ramparts.gi
employment law, payments law, payroll, e-money and crypto assets

David Borge

Practice Director

davidborge@ramparts.gi
Nicholas Borge

Nicholas Borge

Director

nicholasborge@ramparts.gi
company administration, fund administration, outsourced compliance

Tyrene Edwards

Trainee Lawyer

tyreneedwards@ramparts.gi