The FCA is actively supervising virtual asset service providers. Firms without a robust AML programme face registration refusal, restrictions, or enforcement. Here's what compliant looks like in practice.
Under the Money Laundering Regulations 2017 (as amended), any business offering cryptoasset exchange or custodian wallet services in the UK must register with the FCA as a cryptoasset business. This is broader than many firms realise.
🏛️ Operating as an unregistered cryptoasset business in the UK is a criminal offence. The FCA has cancelled registrations, issued warnings, and referred firms for prosecution. Registration alone is not enough — the FCA expects to see a genuinely functioning AML programme behind it.
NFT platforms and DeFi protocols currently sit in a grey area, but the UK government has signalled that a wider range of crypto activities will come into scope. Building compliance infrastructure now is far easier than retrofitting it under regulatory pressure.
The FCA's registration process requires firms to demonstrate a complete, functioning AML framework — not a policy document assembled from templates. The regulator has rejected the majority of applications it has received from crypto firms. The common failure is not the business model: it is the compliance documentation.
The FATF Travel Rule requires originator and beneficiary information to travel with virtual asset transfers above the £1,000 threshold. In practice, this means your firm must exchange customer data with the counterparty VASP on every qualifying transaction — and you need documented procedures for what to do when the counterparty cannot or will not provide that data.
Most crypto firms understand they need a Travel Rule solution. Far fewer have documented the procedures around it — what happens at onboarding, how you handle non-compliant counterparties, how you treat transfers to unhosted wallets. These gaps are exactly what the FCA examines during a supervisory review.
⚠️ Selecting a Travel Rule technical solution is not the same as being Travel Rule compliant. The FCA expects to see written procedures governing how your firm uses that solution — including how you handle edge cases and exceptions.
Having supported numerous crypto businesses through FCA registration and regulatory reviews, these are the failures we see most often — and the ones that cause the most damage.
A BWRA that reads like a template rather than reflecting the specific risks of the business. The FCA can tell immediately.
Applying the same CDD to all customers regardless of risk. A privacy coin trader and a small retail buyer are not the same risk profile.
Having a technical solution but no documented procedure for how to use it — especially for unhosted wallets and non-compliant counterparties.
Blockchain analytics tools that generate alerts but no documented process for reviewing, closing, or escalating them.
Policies that exist on paper but have never been communicated to the people responsible for implementing them.
An MLRO in name only — no annual report, no management information, no documented escalation decisions.
We design and document end-to-end AML frameworks for crypto businesses — from Business-Wide Risk Assessment to staff training. Every programme is built from scratch around your specific business model, not adapted from a generic template.
Book a free 15-minute consultation and we'll tell you exactly what your programme needs — and what it will cost to build it.
15 minutes. No cost. No commitment. We'll assess your current compliance position and give you a clear action plan.
Fixed fees · No hourly billing · Strictly confidential