Crypto Compliance in 2026: What the UK's New Regulatory Regime Means for Your Firm

If you work in compliance at a firm that touches cryptoassets, you’ve probably got a date circled in your diary: 25 October 2027. That’s when the UK’s comprehensive new cryptoasset regulatory regime comes into force. But the work to get ready starts now — and for some firms, it started months ago.

The landscape has shifted dramatically over the past year. Here’s where things stand and what your firm should be doing about it.

How We Got Here

The UK has been regulating crypto in piecemeal fashion for a while. Since 2021, crypto businesses have needed to register with the FCA under anti-money laundering rules — and the FCA has rejected over 87% of applications, largely over concerns about inadequate AML controls. Since October 2023, financial promotions rules have applied to crypto marketing.

But the big change is the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, which were made by Parliament in February 2026. For the first time, a broad range of cryptoasset activities will be brought fully within the UK’s financial services regulatory perimeter.

What’s Actually Being Regulated

The new regime creates three categories of cryptoassets:

• Qualifying cryptoassets — the core category covering most tokens
• Qualifying stablecoins — a subset with additional requirements around issuance and backing
• Specified investment cryptoassets — tokens that also meet the definition of traditional financial instruments

More importantly, it designates specific activities as regulated, meaning firms carrying them out in or into the UK will need full FCA authorisation. These include operating a cryptoasset trading platform, dealing in or arranging transactions, custody and safeguarding, issuing stablecoins, and staking services.

Running any of these activities without FCA permission after October 2027 will be a criminal offence — the same as carrying on unauthorised securities business.

The FCA’s Proposed Rulebook

The FCA has been consulting extensively on how its rules will apply. Three major consultation papers landed in late 2025, with further consultations continuing into 2026. The key areas:

Trading platforms face the most comprehensive framework — governance, conflicts of interest management, fair and orderly trading obligations, and client protection rules. The FCA is proposing that platforms apply objective admission criteria and conduct due diligence before listing any token. Each listed cryptoasset will need a Qualifying Cryptoasset Disclosure Document (QCDD).

Intermediaries — firms dealing in or arranging transactions — will face rules broadly aligned with traditional investment intermediaries, adapted for crypto-specific risks. Think best execution, order handling, and client reporting.

Market abuse gets its own regime (MARC), modelled on the existing UK Market Abuse Regulation but applied to crypto. Insider dealing, unlawful disclosure, and market manipulation will all be prohibited. The FCA has proposed that larger trading platforms conduct on-chain monitoring and cross-platform information sharing.

Prudential requirements mirror the Investment Firms Prudential Regime — minimum capital based on fixed minimums, overheads, or activity-based risk metrics, plus internal capital assessments, stress testing, and wind-down planning.

The Application Gateway — Timing Matters

This is where it gets urgent. The FCA plans to open a cryptoasset application gateway from 30 September 2026 to 28 February 2027. When you apply has real consequences:

• Apply during the gateway window: Your application gets assessed before the regime goes live. Even if the FCA hasn’t decided by October 2027, you can continue operating pending their decision.
• Apply after the gateway but before October 2027: If your application hasn’t been determined by the commencement date, you may be unable to take on new business and limited to a narrow contractual run-off for existing arrangements.
• Apply after October 2027: No transitional provisions. You cannot carry on regulated cryptoasset activities until authorised.

Pre-application meetings are available through the FCA’s PASS service from May 2026. Firms should be booking those now.

What About the EU and MiCA?

The EU’s Markets in Crypto-Assets Regulation (MiCA) has been fully applicable since December 2024. Any UK firm serving EU clients needs to comply with MiCA’s requirements — which means many firms are now navigating two parallel regimes.

The UK framework shares some DNA with MiCA (stablecoin regulation, market integrity rules) but differs in important ways. The UK is taking a more tailored approach, adapting existing FSMA concepts rather than creating an entirely separate regime. For firms operating in both markets, the compliance burden is significant — but the principles are similar enough that building one programme to address both is achievable.

Practical Steps for Compliance Teams

If your firm will be caught by the new regime, here’s what to focus on right now:

Scope your activities. Map everything your firm does with cryptoassets against the new regulated activity categories. Don’t forget indirect exposure — are you providing services to other crypto firms that will need to demonstrate their own compliance?

Assess your permissions. Work out which FCA permissions you’ll need and whether any exclusions apply. If you’re already FCA-authorised, you may need variations of permission rather than a fresh application.

Prepare for the gateway. The 30 September 2026 opening is closer than it sounds. The FCA expects firms to be “substantively prepared” at the point of submission, even though some final rules are still being consulted on. Start your application preparation now.

Review your disclosures. If you’ll be admitting tokens to trading, start building your QCDD framework. The disclosure requirements are detailed and the FCA will expect high-quality documentation from day one.

Get your house in order on AML. The FCA’s experience with the existing crypto registration regime has shown that AML controls are where most firms fall down. Robust transaction monitoring, KYC processes, and suspicious activity reporting aren’t optional extras — they’re table stakes.

Train your team. The Senior Managers and Certification Regime will apply to authorised crypto firms. Individuals in senior positions will be personally accountable for the areas they oversee. Make sure your people understand what that means.

The Bigger Picture

The UK government has been clear that it wants to be a competitive jurisdiction for crypto — but not at the expense of market integrity or consumer protection. The new regime is a significant regulatory tightening, but it also provides something the industry has been asking for: clarity.

Firms that treat this as a compliance burden to be minimised will struggle. The ones that see it as an opportunity to demonstrate credibility and build trust with clients and counterparties will be better positioned in what’s becoming an increasingly professionalised market.

The clock is ticking. October 2027 is the deadline, but 30 September 2026 is when the real race starts.