UK Cryptoasset Authorisation Readiness
This page is built for firms preparing for the FCA's incoming cryptoasset regime. The immediate task is not to assemble a policy library. It is to confirm the permissions route, design a supervisable UK structure, build the right frameworks and procedures, and evidence that senior management can run the model under scrutiny.
Status note
This page is based on current FCA materials, including the gateway timetable and consultation package available as at 31 May 2026. Final policy statements and final rules remain pending, so firms should prepare against the current direction of travel rather than assume every point is fixed.
Official FCA sources: new regime overview and gateway timetable.
The FCA window is now live for planning
Firms no longer need to plan against a vague future regime. The FCA has published the expected gateway mechanics, which means timing, sequencing, and evidence build now matter in a concrete way.
11 May 2026
PASS requests open
Firms can request pre-application meetings through the FCA's pre-application support service.
July 2026
Meetings begin
The FCA has said pre-application meetings will take place from July 2026 as requests arrive.
30 Sep 2026
Expected application period opens
The FCA expects the application period for authorisation and variation applications to open on this date.
28 Feb 2027
Expected application period closes
Firms that miss the main window should not assume late submissions will be accelerated.
25 Oct 2027
Regime expected live
The regime is expected to commence on 25 October 2027, subject to the final rulemaking timetable.
Regulatory implications
- MLR registration does not convert automatically into FSMA authorisation.
- Already-authorised firms may need a variation of permission rather than a fresh start.
- The core challenge is evidencing day-one readiness before the application window closes.
- Late or thin submissions should not expect accelerated FCA treatment.
Immediate priority
Confirm day-one activities, UK structure, and existing control maturity first. Firms that skip that diagnostic usually spend time drafting documents that do not match the operating model.
What the regulator is likely to look for
The strongest external story is not that crypto regulation is coming. It is that the FCA is likely to test whether the real operating model is permissions-correct, supervisable, and evidence-backed.
Permissions, perimeter and UK nexus
- Correct mapping of day-one activities to the new regulated cryptoasset activities
- Clear UK structure, customer base, contracting model, and permissions route
- Evidence that group arrangements do not obscure who carries on the regulated activity
Governance, SM&CR and board ownership
- Named accountability for crypto activities, prudential oversight, financial crime, and customer outcomes
- Senior managers who can explain the operating model, not just approve policies
- Board and committee oversight that can challenge technology, custody, and outsourcing decisions
AML, sanctions, fraud and onboarding controls
- Business-wide risk assessment and control framework tailored to crypto typologies
- Wallet screening, transaction monitoring, alert handling, SAR governance, and escalation paths
- Clear allocation of first-line and second-line financial crime responsibilities across the group
Prudential resources and financial resilience
- Capital and liquidity analysis matched to the intended permissions and activity profile
- Credible stress testing, recovery planning, and wind-down assumptions
- Evidence that financial resources are available to the UK entity on a reliable basis
Custody, safeguarding and returnability
- Wallet architecture, reconciliation design, client asset records, and incident handling
- Clear segregation and return-of-assets logic under stressed and orderly scenarios
- Oversight of third-party custodians, wallet infrastructure, and key management dependencies
Consumer, disclosures and market conduct
- Fair retail journey, appropriate disclosures, and evidence of Consumer Duty thinking
- Controls around admissions, disclosures, market abuse, surveillance, and conflicts
- Support, complaints, and outcome monitoring that match the real customer journey
What firms need to have in place
The FCA is likely to expect a distinction between framework documents, underlying operating procedures, and the evidence that shows those arrangements are owned and can work in practice.
Policies / frameworks
The policy set still matters, but it must match the real model rather than a generic control library.
- Permissions and perimeter memo
- Governance and SM&CR framework
- AML / CTF / sanctions / fraud framework
- Prudential framework and wind-down approach
- Custody / safeguarding framework
- Consumer Duty, conduct, complaints, and market conduct framework
Operating manuals / procedures
The FCA will expect to see how the business actually operates on a daily basis, not just what the policy says.
- Onboarding, KYC, EDD, and sanctions procedures
- Transaction monitoring, alert handling, and SAR procedures
- Admissions review, disclosure, surveillance, and escalation procedures
- Client asset reconciliation, exception management, and returnability procedures
- Outsourcing oversight, incident response, change control, and access procedures
- Management information and committee reporting processes
Evidence / oversight
Authorisation files are assessed on proof of ownership and operating credibility, not on policy prose alone.
- Board and committee minutes with documented challenge
- Reconciliations, logs, breach registers, and issue escalation records
- Risk assessments, control testing, and monitoring outputs
- Third-party due diligence, service review packs, and information rights
- Training records, attestations, and senior management sign-off
- MI showing that leaders can oversee financial crime, prudential, custody, and customer outcomes
AML, sanctions and fraud need their own workstream
For retail-facing trading, custody, staking, and group models, financial crime is not a sub-point inside general governance. It is a front-rank FCA scrutiny area in its own right.
The regulator is likely to test whether the control framework reflects crypto-specific typologies, whether monitoring and escalation genuinely operate, and whether the UK entity can oversee any group or third-party financial crime dependencies.
AML / CTF / sanctions / fraud framework
Business-wide risk assessment, control framework, governance, and role allocation aligned to crypto-specific typologies.
Onboarding / KYC / EDD procedures
Customer classification, source of funds and wealth logic, unhosted wallet treatment, sanctions exposure, and enhanced due diligence triggers.
Transaction monitoring and alert handling
Rules, scenarios, on-chain analytics dependencies, escalation criteria, queue ownership, and alert closure standards.
SAR escalation and governance
Internal reporting, MLRO decision-making, tipping-off controls, and board visibility over significant issues.
First-line / second-line group allocation
Clear separation of operating ownership, oversight ownership, and intra-group dependency management.
Read-across for common crypto business models
The heaviest relevance is usually for trading platform, custody-led, staking, and retail distribution models, but the same structure also helps overseas groups assess their UK readiness burden.
Trading platform / exchange models
Focus tends to fall on permissions mapping, admissions controls, market abuse surveillance, conflicts, and retail conduct.
Custody / safeguarding models
The main challenge is operational credibility around wallet architecture, reconciliations, incident response, and asset returnability.
Staking / yield features
Firms need to explain the legal and operational model clearly, including customer disclosures, outsourcing, and prudential treatment.
Retail distribution models
The FCA is likely to focus on customer understanding, support, complaints, fair value, and the design of the end-to-end retail journey.
Overseas group structures
The UK entity must still be supervisable, accountable, and able to evidence control over delegated and intra-group functions.
Supervisability is a real application issue
Many crypto applications become more complex when key technology, custody, or compliance functions sit in an overseas group or with specialist third parties. The FCA is likely to focus on whether the UK entity can genuinely govern, oversee, and evidence those arrangements.
Typical FCA tests
- Material outsourcing inventory covering technology, custody, blockchain analytics, support, and compliance dependencies
- Intra-group service agreements that define services, standards, information rights, escalation, and termination arrangements
- Evidence that the UK entity can challenge providers and continue operating if group support is reduced or withdrawn
- Access to records, incidents, reconciliations, and control outputs held by third parties or group entities
- Board and SMF visibility over concentration risk, key-person risk, and operational dependencies
Current regulatory workstreams behind the regime
These are the main FCA paper clusters firms should track when designing readiness programmes and preparing application evidence.
This is the core permissions map for the new regime. Firms need to identify which proposed activities are in scope, how the UK nexus arises, whether an existing authorised entity needs a variation of permission, and how the UK legal entity and group model support effective supervision.
Typical build items
- ✓Map day-one activities to the regulated cryptoasset activity perimeter
- ✓Document the UK customer, contracting, distribution, and outsourcing model
- ✓Identify where group entities support, delegate, or carry out key functions
- ✓Show how the UK entity remains accountable and supervisable
The FCA is applying mainstream Handbook expectations to regulated cryptoasset activity rather than treating crypto as a stand-alone exception. That means governance, systems and controls, complaints, reporting, SM&CR, operational resilience, and conduct standards need to be translated into the crypto operating model.
Typical build items
- ✓Build a governance and SM&CR framework that matches the real control structure
- ✓Embed PRIN, SYSC, DISP, SUP, and relevant conduct obligations into BAU operations
- ✓Maintain management information, committees, escalation routes, and records
- ✓Demonstrate that customer support, complaints, and reporting can operate from day one
For stablecoin and custody models, the FCA focus is likely to fall on safeguarding architecture, reserve governance, reconciliation, returnability, and third-party oversight. This is one of the most operationally intensive workstreams in the package.
Typical build items
- ✓Define safeguarding and custody architecture for customer assets and reserves
- ✓Implement reconciliations, exception handling, and returnability procedures
- ✓Evidence oversight of custodians, wallet infrastructure, and key management arrangements
- ✓Show incident response, governance, and customer disclosure around custody risks
Trading platform and exchange models need to prepare for admission standards, disclosure obligations, surveillance, and market abuse controls. The FCA is signalling a regime that expects firms to run credible market discipline controls rather than lightweight listings processes.
Typical build items
- ✓Document admissions due diligence and decision-making criteria
- ✓Implement disclosures, escalation, and market-facing communication procedures
- ✓Design surveillance for insider dealing, manipulation, and suspicious activity
- ✓Maintain conflicts, insider information handling, and record-keeping controls
The prudential package is likely to be one of the hardest implementation areas for many applicants. The FCA will look beyond headline capital numbers into liquidity, wind-down, concentration risk, group support assumptions, and whether the UK entity is financially resilient in its own right.
Typical build items
- ✓Assess capital and liquidity against the expected prudential framework
- ✓Prepare stress testing, recovery thinking, and a credible wind-down plan
- ✓Explain treasury, concentration, and group dependency assumptions
- ✓Generate board-quality prudential MI and evidence of senior management challenge
Retail-facing crypto models need to show more than risk warnings. The FCA will expect the customer journey, support model, product governance, and outcome monitoring to reflect Consumer Duty thinking in practice, especially where products are complex or risky.
Typical build items
- ✓Map products, support, disclosures, and distribution against Consumer Duty outcomes
- ✓Document complaints, vulnerable customer handling, and retail escalation routes
- ✓Evidence price and value thinking where fees, spreads, or staking economics are material
- ✓Show monitoring of customer understanding, support demand, and poor outcomes
How MEMA structures support
Typical support is structured around diagnostic, framework design, application build, and mobilisation. The workstreams below show the kind of outputs firms usually need rather than a fixed one-size-fits-all package.
Diagnostic
Permissions and evidence baseline
- Permissions / perimeter memo
- Business-model and UK-structure assessment
- Gap assessment across governance, AML, prudential, custody, conduct, and outsourcing
Design
Framework and ownership design
- Governance and SMCR pack
- AML / financial crime framework
- Prudential and wind-down pack
- Custody / safeguarding framework
Application build
Submission-quality documentation
- Regulatory business plan
- Operating manuals and MI design
- Consumer Duty / conduct pack
- FCA Q&A and interview preparation pack
Mobilisation
Operating readiness
- Committee cadence and reporting
- Control implementation and evidence capture
- Remediation tracker and go-live support
Readiness self-assessment
Use this if you want an initial view of control maturity across six FCA focus areas before a more detailed diagnostic.
Step 1 of 6
Governance & SM&CR
Answer each question based on your firm's current position.
Does your firm have SM&CR-compliant governance arrangements in place (or a plan to implement them)?
Have prescribed responsibilities been mapped to named Senior Managers, including crypto-specific oversight?
Does the board (or governing body) have documented oversight of cryptoasset activities and associated risks?
Download the readiness briefing
A concise PDF summary of the timetable, FCA scrutiny themes, and implementation workstreams discussed on this page.
Download the Readiness Briefing
PDF summary of the current timetable, FCA scrutiny points, and core readiness workstreams.
Related guidance
Crypto-native explainers covering the main technical workstreams behind the service page.
Crypto Permissions and Perimeter
How to scope the UK authorisation route, legal structure, UK nexus, and downstream workstreams.
PrudentialCrypto Prudential Readiness
Capital, liquidity, wind-down, group support, and financial resilience issues under the incoming regime.
CustodyStablecoin and Custody Readiness
Safeguarding architecture, returnability, reconciliations, and third-party oversight for asset-control models.
Market conductAdmissions, Disclosures and Market Abuse
The governance and surveillance build behind trading platform and exchange-facing models.
Indicative next step
The most useful first step is a regulatory diagnostic that confirms the day-one activity set, the UK structure, and the evidence burden across permissions, governance, AML, prudential, custody, and conduct.
Discuss your UK cryptoasset readiness position
If you need help translating the FCA consultation package into a permissions, governance, AML, prudential, and evidence programme, we can structure that work around your actual operating model.
Phone: 0330 133 0811
Email: contact@memaconsultants.com
Office 1810a, 60 Tottenham Court Road, Fitzrovia, London, W1T 2EW