Legichain

How to Get FCA Cryptoasset Registration: Process and Practical Tips

A step-by-step guide to UK FCA cryptoasset registration: the pre-application meeting, business plan, financial crime framework, fit-and-proper assessment, realistic 12-18 month timelines and £200K-£500K cost ranges.

Legichain Team 13 min read 26 May 2026

Any firm wishing to carry on cryptoasset exchange or custodian wallet activity by way of business in the UK must register on the FCA cryptoasset firms register. This regime, introduced through amendments to MLR 2017 effective 10 January 2020, is among the most selective AML regimes anywhere: between 2020 and 2023, roughly 85-88% of applications were either refused or withdrawn, and the total approved population has stayed under 100 firms across the entire period. This guide breaks the application into nine practical steps — from pre-application through ongoing reporting — and surfaces the specific pitfalls international firms typically hit.

Quick reference

  • Legal basis: MLR 2017 as amended on 10 January 2020 — definitions of cryptoasset exchange provider and custodian wallet provider.
  • Process: pre-application meeting → online application via Connect → RFI rounds → decision. Typical duration 12-18 months, some cases 24+ months.
  • Cost: legal, consulting and technical build typically £200,000-£500,000.
  • Historical pass rate: roughly 12-15% — most applications are either refused or withdrawn by the applicant before refusal.
  • Most critical documents: business plan, financial crime framework, CDD policy, fit-and-proper individual forms.

Who falls within scope?

MLR 2017 Regulation 14A defines two categories:

  1. Cryptoasset exchange provider — firms exchanging cryptoassets for fiat or for other cryptoassets, operating multilateral platforms, or carrying on ICO/STO activity by way of business.
  2. Custodian wallet provider — firms holding or controlling cryptoasset private keys or wallet access on behalf of others.

If you carry on these activities by way of business in the UK (commercial scale, not hobbyist), registration is mandatory. The "by way of business in the UK" test is not strictly geographical: offering crypto services to UK customers from outside the UK (UK-accessible site, UK customer acceptance) can fall in scope. The FCA assesses substance over form.

Step 1: Pre-application meeting

The FCA strongly recommends a formal pre-application meeting for cryptoasset applications. Requested through the online portal, the meeting is typically 60 minutes.

Bring to the meeting:

  • A short business model summary (1-2 pages)
  • A clear list of cryptoasset activities in scope
  • The UK nexus (legal entity, customer base, office)
  • Senior management structure and key-person CVs
  • Existing compliance infrastructure

Practical value of pre-application: the FCA may signal early that "this model is not registerable" or that certain elements need rethinking. If you decide not to apply after the meeting, no withdrawal is recorded — your record remains clean for a future attempt.

Typical trap: arriving at pre-application underprepared. If the FCA gets a signal that the firm is "not ready yet" and the same signal persists in the formal application, scepticism increases markedly.

Step 2: Business plan

The business plan is the single most important application document, typically 30-60 pages. It should cover:

(a) Executive summary — the firm, founders, vision in one page.

(b) Business model — cryptoasset activities in detail, customer segments (retail / professional / institutional), revenue model, fee structure.

(c) Market analysis — the UK crypto market, competitors, positioning.

(d) Financial projections — three- to five-year revenue and cost forecasts, capital adequacy, customer volumes, average ticket sizes.

(e) Operational architecture — supported blockchains, custody approach (hot/cold wallet split), settlement and banking partners.

(f) Risk management — written policies covering financial crime, operational, cyber and market risk.

(g) Governance — board, committee structure, lines of authority.

The FCA expects the business plan to be structurally consistent with the rest of the package. A firm that describes itself as a "DEX aggregator" but writes "we will perform full KYC on all customers" in the opening of the CDD policy creates a contradiction signal.

Step 3: Financial crime framework

This is the most critical technical document. The FCA uses the term "financial crime framework" literally — it expects:

  • Money laundering risk assessment: product, customer, geographic and distribution-channel risk mapped against the UK National Risk Assessment and the HM Treasury sectoral risk assessment.
  • Sanctions screening policy: how OFSI (UK), OFAC, UN, EU and other relevant lists are screened, how matches are handled. Our sanctions screening guide covers the operational framework.
  • PEP policy: definition, screening, EDD approach.
  • Travel Rule policy: mandatory since 1 September 2023. See our UK Travel Rule and JMLSG guidance.
  • On-chain risk monitoring: which addresses or wallets are screened, how mixer/darknet/sanctions labels feed into decisions. Framework details in our blockchain AML guide.
  • Transaction monitoring: scenarios (structuring, rapid layering, geography risk) and the path from alert to SAR.
  • MLRO appointment and reporting line: who holds SMF17, what authority they have.

Generic template documents are quickly identified by the FCA and leave a negative note on the file. The framework must match the business model with concrete detail.

Step 4: Customer due diligence (CDD) policy

The CDD policy sits on top of MLR 2017 Part 3. It should cover:

  • Standard CDD: identity verification methods, document lists, digital verification approach (NFC chip reading, liveness, video verification).
  • EDD triggers: high-risk countries, PEP status, correspondent relationships, unusual transaction patterns.
  • Simplified CDD: when applicable (limited in UK practice).
  • Ongoing monitoring: periodic refresh cycle.
  • Beneficial ownership: identification of 25%+ owners for corporate customers.
  • Reliance: rules for relying on third-party CDD.

If you use digital onboarding, the technical flow must be documented end-to-end — for example, "NFC chip reading via vendor A + liveness from vendor B + internal risk scoring engine" with vendor names, contracts and SLAs referenced.

Step 5: Governance and fit-and-proper

The FCA applies a fit-and-proper test at founder and senior manager level. Each senior manager completes the Form A (Application to Perform Controlled Functions) pack:

  • Personal details, education, professional history
  • Prior regulatory history, investigations, sanctions if any
  • Bankruptcy, unsatisfied judgments, criminal record
  • Reference letters (typically two professional references)

The FCA pays particular attention to:

  • Documented compliance / AML experience (a generic "10 years in banking" is not enough; AML/financial crime specific experience is expected)
  • UK regulatory knowledge
  • Reasons for leaving previous firms

Common refusal ground: an international firm names a UK Senior Manager as a "title only" appointment while real decisions remain in the home office. The FCA detects this pattern through interviews with the named SMF and refuses on "fit but not proper" grounds — competent in principle but without genuine authority to manage the UK firm.

Step 6: Application via the Connect portal

The FCA cryptoasset firm application is submitted through the Connect online portal. The submission covers:

  • Firm details, corporate structure, ownership
  • Senior management list and fit-and-proper packs
  • Business plan (uploaded)
  • Financial crime framework (uploaded)
  • CDD policy, Travel Rule policy, sanctions policy
  • Financial statements / projections
  • IT architecture and cyber security note

The application fee is typically £10,000 for cryptoasset firms (the range is £5K-£25K depending on the regime).

Once submitted, the FCA assigns a case officer — the single point of contact for the application.

Step 7: The RFI (Request for Information) process

As the FCA reviews the application, it issues Requests for Information (RFIs). A typical case sees three to seven RFI rounds, each with 10-30 questions; the standard response window is four to six weeks.

Common RFI themes:

  • Custody technical detail (HSM, multisig, signing-key distribution)
  • Travel Rule operational detail (which network, which counterparts)
  • Quality of on-chain risk data vendor
  • MLRO authority and reporting line
  • Capital adequacy and financial sustainability
  • Genuine role of UK-resident key personnel

Responding to RFIs well is a strong positive signal. But if after two or three rounds the FCA is still asking foundational questions, the case officer will question whether the applicant is genuinely ready. Typical trap: leaving RFIs to external counsel only — the case officer wants technical specificity, not legal templates.

Step 8: Decision and possible outcomes

The FCA reaches one of three outcomes:

  1. Approval — the firm is added to the cryptoasset firms register. After a 28-day appeal period the decision is final.
  2. Refusal — a written reasoned decision; right of appeal to the Upper Tribunal.
  3. Minded to refuse letter — an FCA letter indicating likely refusal; the applicant typically withdraws rather than receive a formal refusal (the record looks cleaner for any future attempt).

Pre-decision withdrawal rates are high — particularly when the case stalls around MLRO suitability or clarity of business model.

Step 9: After registration — ongoing obligations

Approval is the start, not the end. Ongoing obligations include:

  • Annual Financial Crime Report (REP-CRIM): detailed AML metrics (SAR volumes, EDD cases, sanctions hits, etc.).
  • Periodic regulatory returns: revenue, customer count, transaction volume metrics.
  • Principle 11 notifications: timely notification of significant AML or operational incidents.
  • Material change notifications: business model, product, ownership or senior management changes.
  • SAR reporting: to the NCA, whenever a suspicious transaction is identified.
  • JMLSG Sector 22 compliance: ongoing tracking as the guidance is updated.

Realistic cost and timeline

A typical mid-size application breaks down as follows:

Item Range
UK legal counsel / authorisation adviser £75,000 - £200,000
Compliance / AML consultancy £50,000 - £150,000
Business plan / financial projection consultancy £20,000 - £60,000
Technical build-out (custody, Travel Rule, screening integration) £100,000 - £300,000
FCA application fee £5,000 - £25,000
UK-resident senior management (Year 1) £150,000 - £300,000
Total £400,000 - £1,000,000

Additional line items to account for: UK Ltd incorporation, office (virtual acceptable), banking (notoriously hard to obtain for crypto firms in the UK), insurance.

Timeline: 12-18 months from pre-application to decision is typical. Complex cases (novel business models, unusual ownership structures) run to 24 months or beyond.

Common pitfalls for international firms

1. No genuinely UK-resident MLRO: an MLRO based in the head office is appointed to the UK firm; the FCA does not accept this structure. A UK physical presence and a UK-resident SMF17 with real decision-making authority is required.

2. Presenting the UK firm as an "export channel" of the home operation: the FCA wants to see a UK legal entity serving UK customers, with its own governance. Treating UK as a distribution arm of the head office is a gateway-stage refusal signal.

3. "We will implement Travel Rule" instead of "we have Travel Rule": post-1 September 2023, the FCA expects Travel Rule infrastructure to be live, not aspirational. "We will build it on approval" is unacceptable.

4. No on-chain risk vendor selected: "we will use blockchain analytics" is insufficient; the FCA expects named vendors, scope and integration detail.

5. Senior management with no crypto-specific experience: "20 years in banking" alone does not satisfy the FCA for a crypto MLRO. AML experience specifically applied to digital assets is expected.

Frequently asked questions

How long does FCA cryptoasset registration take?

A typical application takes 12 to 18 months from pre-application meeting to final decision. Complex business models (DeFi-adjacent, prime brokerage, fiat-onramp + offramp + custody combined) often run 24 months or longer. Timeline is largely a function of application quality and RFI response speed. Well-prepared applications attract fewer RFIs and can close in 9-12 months.

Does prior regulatory authorisation in another jurisdiction help?

Marginal advantage only. Operational maturity, AML/CDD documentation and technical infrastructure being already in place reduces rebuild effort. But the FCA performs its own independent assessment; prior registration elsewhere does not create a "presumed compliance" position. UK-specific Travel Rule interpretation, MLR 2017 Part 3 CDD detail and the SMCR framework must all be built specifically for the UK.

If the FCA refuses, can I reapply?

Yes, but the refusal decision remains on the file and complicates any future application. A withdrawal before formal refusal looks cleaner on the file. Before a new application, the substantive grounds of the previous refusal or withdrawal must be visibly addressed — business model changes, new senior management, technical infrastructure rebuild. The FCA quickly identifies a "same application again" pattern.

How does FCA cryptoasset registration compare with MiCA?

FCA cryptoasset registration is solely an AML/CTF registration — capital, governance, consumer protection and market manipulation rules are not in scope. Our MiCA explainer covers the EU's comprehensive crypto regulatory approach. HM Treasury opened a consultation in February 2023 for a similarly comprehensive UK framework; an FSMA-based regulated-activities order is in development but not yet in force. Today, FCA registration under MLR 2017 is sufficient to operate in the UK.

Which documents are legally mandatory in the application?

MLR 2017 Schedule 6 Form 1 (cryptoasset firm registration form) is filed with supporting documents: founder / controller documentation, fit-and-proper forms (for each senior manager), business plan, financial crime framework, CDD policy, capital adequacy evidence. The FCA Connect portal shows a checklist for each form; incomplete submissions are not processed. A typical application pack runs to 200-500 pages.

How Legichain helps

Much of the RFI traffic on FCA cryptoasset applications traces back to technical infrastructure gaps: "how is Travel Rule operationalised?", "which on-chain risk vendor, with what scope?", "how are screening matches resolved?" Legichain's AML screening API keeps UK OFSI and global sanctions, PEP and adverse media data current in real time; the blockchain AML module provides ready-built wallet scoring across mixer, darknet, sanctions and scam categories; the Travel Rule infrastructure delivers a live JMLSG Sector 22-aligned messaging flow. Showing the case officer "here is our live system on named vendors with audit logs" is a far stronger position than "we will build it after approval". See our crypto exchange solutions page for UK-specific integration architectures.

Next steps

Legichain Team· Compliance editorial

Written by Legichain's compliance editorial team — regulated-financial-services veterans who built and integrated AML platforms for banks and crypto exchanges across EMEA.

Related reading

You may also like

uk-regulation

UK Travel Rule and JMLSG Guidance for VASPs

The UK Travel Rule for cryptoasset transfers came into force on 1 September 2023 through amendments to MLR 2017. The UK regime differs from the EU TFR in two important ways: a £1,000 threshold for transfers between hosted and unhosted wallets (TFR uses €0 for all transfers), and a risk-based 'sunrise' flexibility where counterpart VASPs cannot exchange Travel Rule data. This guide covers the JMLSG Sector 22 interpretation, threshold and geographic scope, beneficiary VASP verification, FCA expectations, the common operational failure modes and a side-by-side comparison with the EU TFR — written for compliance and product teams at UK-registered cryptoasset firms and international CASPs serving UK customers.

Read article
uk-regulation

UK MLR 2017 (Money Laundering Regulations) Explained

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692) is the UK's core AML/CTF regulation. In force since 26 June 2017, the 2020 amendment brought cryptoasset firms into scope and the 2023 amendment introduced the UK Travel Rule. This guide covers regulated entity categories, the risk-based approach, CDD/EDD standards, PEP rules, beneficial ownership identification, the SAR reporting line to the NCA, the multi-supervisor regime (FCA/HMRC/professional bodies) and the practical compliance checklist for international firms expanding into the UK market.

Read article
uk-regulation

UK Financial Regulation Guide: FCA, MLR 2017, and JMLSG

UK financial regulation rests on the FCA, PRA and PSR architecture, with AML rules anchored in MLR 2017 and operationalised through JMLSG guidance. This guide walks through the FCA cryptoasset registration regime, MLR 2017 obligations, JMLSG Sector 22 and the UK Travel Rule, EMI authorisation, and the most important post-Brexit divergences from EU rules. Written for compliance, legal and product leaders weighing UK market entry, with realistic costs and timelines.

Read article

Be screen-ready in an afternoon.

Spin up a free workspace, paste your first API key into a curl, ship a verified onboarding flow before your next stand-up.

Start freeBook 30 min with sales