The UK financial regulatory landscape has visibly diverged from the EU since Brexit. The UK retained its own AML regime, designed its own cryptoasset registration framework and adopted a distinct Travel Rule interpretation; the loss of single-market passporting means an EU- or Turkey-based fintech entering the UK now needs a standalone authorisation. This guide is a practitioner's reference to the FCA, PRA and PSR architecture, MLR 2017 as the AML backbone, JMLSG sectoral guidance, the FCA cryptoasset registration regime, EMI authorisation and the UK Travel Rule.
By the end you should be able to identify which UK regulatory gateway applies to your business, what the realistic cost and timeline are, and where UK rules diverge from the EU and Turkish frameworks you may already operate under.
Quick reference
- FCA (Financial Conduct Authority) is the conduct regulator for most UK financial services firms.
- PRA (Prudential Regulation Authority) sits inside the Bank of England and handles prudential supervision of major banks, deposit takers and insurers.
- PSR (Payment Systems Regulator) is an independent economic regulator for UK payment systems (Faster Payments, BACS, Visa, Mastercard), operating within the FCA structure.
- MLR 2017 is the UK's AML/CTF cornerstone — formally "The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017" (SI 2017/692), in force from 26 June 2017, originally transposing EU 4AMLD.
- JMLSG (Joint Money Laundering Steering Group) publishes sectoral AML guidance recognised by HM Treasury and used by the FCA and the courts.
- FCA cryptoasset registration has been mandatory since 10 January 2020 for cryptoasset exchange providers and custodian wallet providers. Historical pass rates have run around 12–15%.
- The UK Travel Rule came into force on 1 September 2023, with a £1,000 threshold for transfers between hosted and unhosted wallets and £0 for CASP-to-CASP transfers.
- EMI authorisation is governed by the Electronic Money Regulations 2011; the regime distinguishes "small EMI" from "authorised EMI", with the latter requiring £350,000 initial capital.
1. The UK regulatory architecture — three doors
UK financial regulation, even before Brexit, was not a single-regulator model. Responsibility is deliberately split across several authorities.
FCA (Financial Conduct Authority)
The FCA is the conduct regulator covering market integrity, consumer protection and behaviour for almost all financial services firms. Payment institutions, e-money institutions, investment firms, insurance intermediaries and FCA-registered cryptoasset firms all fall under FCA supervision. For the scope of this guide, every UK regulatory path runs through the FCA.
PRA (Prudential Regulation Authority)
Part of the Bank of England, the PRA handles prudential supervision (capital adequacy, liquidity, resolution risk) for major UK banks, deposit takers and insurers. Large firms operate under dual regulation, reporting to both PRA and FCA.
PSR (Payment Systems Regulator)
The PSR regulates the economics and access conditions of UK payment systems and card schemes. It is an independent statutory regulator operating within the FCA's structure.
HM Treasury and the NCA
HM Treasury (HMT) owns AML policy as the legislator behind MLR 2017. The National Crime Agency (NCA) is the UK's Financial Intelligence Unit; suspicious activity reports go to the NCA as SARs (Suspicious Activity Reports). Note that the UK uses "SAR" rather than the EU-style "STR" terminology.
2. MLR 2017 — the UK AML backbone
The full name of MLR 2017 is The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692). It came into force on 26 June 2017 and originally transposed the EU's 4AMLD into UK law. Because the UK is no longer obliged to implement subsequent EU directives (AMLD5, AMLD6) or the upcoming AMLR, the UK now amends MLR 2017 independently.
Our UK MLR 2017 explainer goes deeper into the regulated entity categories, CDD/EDD standards, beneficial ownership rules and reporting obligations.
Three practical points stand out:
- Risk-based approach: A regulated firm must produce a written risk assessment of its own business; no MLR compliance is possible without it.
- Senior management ownership: AML policies must be approved by senior management — MLR's "tone at the top" requirement is explicit.
- Sectoral guidance matters: MLR 2017 is general; sectoral interpretation comes through JMLSG.
3. JMLSG guidance — the sectoral overlay
The Joint Money Laundering Steering Group is an industry body composed of UK financial trade associations. It publishes AML guidance that is formally recognised by HM Treasury; both the FCA and the courts treat compliance with JMLSG as relevant to MLR compliance.
JMLSG guidance comes in three parts:
- Part I: General approach — risk-based CDD, EDD, monitoring, reporting, training.
- Part II: Sector-specific guidance for banks, payment institutions, investment firms, insurers and others.
- Part III: Specialist topics. This is where the Sector 22: Cryptoasset Service Providers chapter was added in 2022; it was updated in 2023 to include the UK Travel Rule interpretation.
JMLSG compliance is not strictly mandatory by statute, but non-compliance is hard to defend in front of the FCA or a court. In practice, regulated firms use JMLSG as their primary working reference.
4. FCA cryptoasset registration — the UK crypto regime
Since 10 January 2020, MLR 2017 as amended has brought cryptoasset exchange providers and custodian wallet providers within AML scope. Any firm wishing to carry on these activities by way of business in the UK must register with the FCA and be entered on its cryptoasset firms register.
Our FCA cryptoasset registration walkthrough covers the full process: pre-application meeting, business plan, financial crime framework, customer due diligence policies, governance, fit-and-proper assessments and ongoing reporting. A realistic application takes 12–18 months and costs £200,000 to £500,000 in legal, consulting and technical build-out.
An important nuance: the UK has no equivalent of MiCA yet. HM Treasury launched a consultation in February 2023 setting out a future framework under which cryptoassets would be brought into the Regulated Activities Order under FSMA, but legislation is still being worked through. Today, operating in the UK as a cryptoasset business requires only FCA registration under MLR 2017; an FSMA-based licensing regime is on the horizon. See our MiCA explainer for the contrasting EU approach.
Success rate
FCA cryptoasset registration has historically been extremely selective. Between 2020 and 2023, roughly 85–88% of applications were either refused or withdrawn. Approved firms across the entire period stayed below 100.
Typical refusal grounds:
- Inadequate business plan
- Weak financial crime framework
- Insufficient compliance experience in senior management
- Lack of Travel Rule infrastructure
- Insufficient technical architecture
5. The UK Travel Rule — JMLSG Sector 22
The UK Travel Rule came into force on 1 September 2023, implemented through amendments to MLR 2017. The UK approach differs from the EU's TFR in important ways:
- Threshold: £1,000 for transfers between hosted and unhosted wallets; £0 for CASP-to-CASP transfers (all transfers in scope).
- Sunrise notice: The UK regulator explicitly recognised the "sunrise" concept. If the counterparty cannot receive Travel Rule information, the firm can take a risk-based decision and proceed while keeping records.
- Geographic scope: A UK CASP's outbound international transfers are in scope.
Our UK Travel Rule and JMLSG guidance breaks down Sector 22, the operational flow, and how the UK rule compares to the EU TFR.
The UK Travel Rule is one national application of the general FATF Travel Rule logic we cover in the FATF Travel Rule guide; the threshold and sunrise approach are UK-specific. Our Travel Rule by jurisdiction comparison places Turkey, the EU and the UK side by side.
6. EMIs and payment institutions — the UK authorisation route
Conducting e-money business in the UK requires FCA authorisation under the Electronic Money Regulations 2011 (EMRs). There are two regimes:
- Small EMI: Average monthly outstanding e-money below €5 million. Simplified regime, nominal capital requirement, no passporting rights and per-customer e-money limits.
- Authorised EMI: Full authorisation. £350,000 initial capital plus ongoing capital requirements, broader governance, reporting and audit obligations.
Our UK EMI FCA authorisation roadmap covers pre-application, the FCA application form, regulatory business plan, financial projections, IT systems, the safeguarding plan, Senior Managers and Certification Regime (SMCR) compliance and gateway requirements.
For the EU equivalent, see our EMD2 explainer — before Brexit, the UK applied EMD2 through FCA; afterwards, the UK has maintained its own regime independently.
The realistic picture: a new authorised EMI typically takes 9–15 months to gain authorisation and costs £150,000 to £400,000 in legal and consulting fees. About 30% of FCA gateway applications are withdrawn or refused.
7. The Senior Managers and Certification Regime (SMCR)
SMCR allocates individual accountability to senior management in UK financial firms. It came into force for banks in 2016, for insurers in 2018 and for other FCA-authorised firms in 2019.
SMCR has three layers:
- Senior Manager Regime (SMR): Defines certain senior roles as "Senior Management Functions" (SMFs); each SMF holder gets a written statement of responsibilities and bears personal accountability.
- Certification Regime: Annual fit-and-proper certification for individuals whose roles can significantly affect customers or pose material risk.
- Conduct Rules: Behavioural rules applied to all staff.
Operating as an EMI or FCA-registered cryptoasset firm in the UK requires SMCR compliance. The compliance officer (often the same person as the MLRO — Money Laundering Reporting Officer) is typically appointed as SMF17.
8. Post-Brexit divergence — EU vs UK
Brexit has visibly separated EU and UK regulatory paths. International fintechs need different strategies for each market.
| Topic | EU | UK |
|---|---|---|
| AML framework | AMLD5/6, upcoming AMLR | MLR 2017 |
| AML authority | AMLA (operational 2025–2028) | FCA + NCA |
| Crypto regulation | MiCA (2024) | FCA registration under MLR; framework in development |
| Travel Rule | TFR (€0 — every transfer) | £1,000 unhosted; £0 CASP-CASP |
| Stablecoins | MiCA EMT/ART | New UK stablecoin regime in development |
| Passporting | EU-wide single licence | UK licence valid only for UK |
| Consumer compensation | Member-state DGS | FSCS (crypto not covered) |
| Suspicious activity reporting | Member-state FIU (STR) | NCA SAR |
Our EU financial regulation guide covers the EU side in depth; the Turkey AML/KYC compliance guide handles the Turkish framework. Firms operating across all three jurisdictions should read the three pillars together.
9. UK market entry roadmap
For an international (Turkey-based or EU-based) fintech entering the UK, a practical phased framework looks like this:
Phase 0 — Market feasibility (1–2 months)
- Product-market fit assessment, UK competitive analysis
- Identify the applicable regime (cryptoasset / EMI / payment institution / authorised firm)
- Estimate total investment envelope (typically £500K–£2M)
Phase 1 — Pre-application (2–4 months)
- Select UK counsel and compliance consultant
- Establish UK presence (FCA expects applicants to have UK physical presence and UK-based decision makers)
- Request a pre-application meeting with the FCA
- Draft the business plan, financial crime framework and IT architecture
Phase 2 — Application (1–2 months prep)
- FCA gateway online submission
- Full supporting documentation (typically 50–100 pages)
- Application fees (£5K–£25K depending on regime)
Phase 3 — FCA assessment (9–18 months)
- FCA Requests for Information (RFIs)
- Regulatory meetings
- Iteration and revision cycles
Phase 4 — Post-approval operational set-up (3–6 months)
- Bank accounts, customer routing
- SMCR appointments and formalisation
- Ongoing reporting and audit cadence
Realistic total timeline: 12–24 months. The home-country main operation needs to fund the UK expansion through an entire pre-revenue runway. A standalone UK Ltd entity with UK-resident senior management is effectively required.
10. Common pitfalls for international firms in the UK
Two recurring pitfalls international firms hit during UK entry:
1. "Tick-box" compliance: The FCA quickly identifies and rejects applications where the documentation is thick but the operating model does not actually address the AML risk profile. Volume of paperwork does not pass — operational realism does. Expect an RFI storm if the AML controls have not been thought through in practice.
2. Hollow SMCR appointments: A common mistake is naming a UK Senior Manager who has no real decision-making authority while the real decisions are made in head office (in Istanbul, Frankfurt, etc.). SMCR is about personal accountability — if the appointed SMF holder cannot influence the firm's actions, the FCA notices and consequences fall on both the firm and the individual.
Frequently asked questions
How does FCA cryptoasset registration differ from MiCA?
FCA cryptoasset registration is solely an AML/CTF registration — it brings firms under MLR 2017 scope. MiCA is a comprehensive crypto regulatory framework covering authorisation, capital, governance, consumer protection, market abuse rules, stablecoin (EMT/ART) regulation and more. HM Treasury announced in February 2023 a consultation to design a similarly comprehensive framework for the UK, but the legislation is still being worked through. Today an FCA registration under MLR 2017 is sufficient to operate as a cryptoasset business in the UK; an FSMA-based regime will be added in the next few years.
Is FCA registration the only route to operating a cryptoasset business in the UK?
Effectively yes — if you carry on cryptoasset exchange or custodian wallet activity by way of business in the UK, FCA cryptoasset register inclusion is required. Some banks or FCA-authorised firms can have ancillary or indirect crypto exposure (for example, providing information to customers) without registration, but they cannot act as a cryptoasset business. Edge cases like custody of stablecoins inside a savings product remain in a grey area pending the new framework.
Can I rely on EU passporting to operate in the UK?
No. Brexit ended the EU single-market passporting rights. An EU-licensed firm wishing to operate in the UK must either incorporate a UK entity and obtain its own FCA authorisation, or have been in the Temporary Permissions Regime (TPR) — but TPR is being wound down and was always intended as a bridge to full FCA authorisation.
What is the legal weight of JMLSG guidance versus MLR 2017?
MLR 2017 is binding law — breaches carry criminal and administrative penalties. JMLSG is industry guidance; HM Treasury-recognised but not itself binding. In practice, FCA supervisors and courts treat compliance with JMLSG as evidence of good practice in interpreting MLR. Failing to follow it makes a firm's position harder to defend. So JMLSG is not strictly mandatory in law, but it is operationally near-mandatory.
What is the typical total cost of UK market entry for a mid-size international fintech?
A mid-size international fintech obtaining authorisation as either an authorised EMI or an FCA-registered cryptoasset firm and reaching operational state in the UK typically spends £500,000 to £1,500,000 end-to-end. This covers UK legal counsel (£100K–£250K), compliance consultancy (£75K–£200K), technical build (£100K–£500K), UK-resident senior management and staff (£200K+ annually), regulatory capital (£350K for authorised EMI), FCA application fees and operational set-up. UK entry is a medium-to-long-term investment — expect a 12–24 month runway before revenue.
How Legichain helps
International fintechs expanding into the UK typically need a single compliance infrastructure that operates correctly across the home market (e.g. MASAK in Turkey), the EU (TFR, AMLD) and the UK (FCA + JMLSG), without three parallel stacks. The Legichain platform exposes one API layer with jurisdiction-aware policies: if the customer is UK-resident, the UK Travel Rule threshold (£1,000) applies; if EU-resident, TFR (€0) triggers; reports are auto-formatted for NCA SAR or MASAK STR depending on the route. Our AML screening API keeps the UK and EU sanctions, PEP and adverse media data layers updated in real time. The Travel Rule infrastructure is aligned with JMLSG Sector 22. See our solutions for crypto exchanges and for e-money institutions for UK-specific integration architectures.
