The UK crypto asset sector is approaching a regulatory inflection point. After several years operating under a primarily anti‑money laundering (AML) framework, crypto asset activities are being brought within the Financial Services and Markets Act (FSMA) perimeter. For many crypto firms active in or serving the UK market, this transition represents a substantial regulatory change, re-defining the framework under which these businesses operate in the UK.
Under the new framework, firms undertaking in‑scope crypto asset activities will be subject to FCA authorization and ongoing supervision, aligned with the standards applied across regulated financial services. Governance, resources, operational resilience, financial crime controls, and individual accountability all move to the foreground. Firms who approach the transition as a strategic program, rather than a compliance exercise, may be better positioned as the market enters a new phase of regulation.
The timeline set out by the FCA and HM Treasury is compressed. The FCA has stated that the authorization application window will open on September 30, 2026, and close on February 28, 2027, with the new regime expected to come into force in October 2027. Where a firm submits an application during the application period, HM Treasury includes a “saving provision” that may allow continued provision of in-scope services while the application is assessed. FCA materials describing the transitional provision show that, in certain circumstances, activity may be limited to the performance of pre-existing contracts and that firms "will not be able to enter into new contracts."
Although October 2027 may appear distant, the practical runway is actually shorter. The FCA has said that authorization assessments will reflect the breadth and complexity of the new regime. For many firms, this suggests preparation work might need to begin well in advance of the application window, particularly if governance arrangements, data capabilities, and control frameworks need development.
At present, many UK‑facing crypto firms operate under AML registration, payments or e‑money permissions, or through financial promotion arrangements approved by third parties. These won’t automatically carry forward into the FSMA crypto regime, with the FCA stating: “Firms wishing to undertake any of the new crypto asset regulated activities will need to be authorized by us under the Financial Services and Markets Act 2000 (FSMA) with permission to undertake those activities”.
HM Treasury’s Crypto assets Regulations expand the list of regulated activities under FSMA to include a broad range of crypto asset services. Such activities could include:
Firms already authorized for other FSMA activities could still need to apply for crypto‑specific permissions or vary existing ones, while firms currently registered only under the Money Laundering Regulations may need to apply for full authorization for the first time. In effect, the regime represents a material shift in the regulatory baseline for the sector.
Across its consultation program, the FCA has consistently applied the principle of “same risk, same regulatory outcome”. In other words, where crypto asset activities present risks comparable to those seen in traditional finance, the regulatory response is intended to be comparable.
As a result, applications for authorization may be assessed against a range of FCA Handbook requirements that are relevant to the firm’s business model and activities, including:
One of the most significant operational challenges lies in data. Crypto firms may be operating across fragmented data estates that reflect the sector’s technical evolution. On‑chain transaction data may sit across multiple blockchains and protocols, while off‑chain customer and counterparty data is held in separate KYC, CRM, and trading systems. Wallet attribution, third‑party risk feeds and market surveillance data frequently sit alongside these in disconnected environments.
Under FSMA, requirements and supervisory assessment may extend beyond data availability to include data lineage and traceability. This can include evidencing customer orders, executions, transfers and asset movements across both traditional systems and distributed ledger components. Depending on current infrastructure, this may involve changes to underlying data architecture rather than incremental solutions added onto existing platforms.
Financial crime controls beyond AML registration
The move from AML registration to FSMA authorization expands the scope of requirements relevant to financial crime controls. While existing AML frameworks provide a foundation, the new regime points towards more integrated and crypto‑specific approaches.
Firms may be asked to demonstrate risk-based AML and counter terrorist financing frameworks calibrated to crypto asset specific typologies, supported by transaction monitoring that brings together on chain and off chain intelligence. Sanctions considerations may include wallet addresses and transaction flows, alongside more traditional customer and counterparty information.
In parallel, Suspicious Activity Report (SAR) workflows may be required to translate complex on‑chain behavior into narratives suitable for law enforcement. For some firms, this could highlight gaps in technology capability, specialist resourcing, and governance oversight.
Operational resilience is another area where FSMA introduces new expectations. Under SYSC 15A, firms are asked to identify their important business services, such as trading execution, custody, transfers or staking, and set tolerances for disruption. They are also asked to map dependencies across internal systems and third‑party providers and conduct scenario testing against severe but plausible events.
For many crypto firms, these dependencies may often span validators, nodes, custodians, exchanges, cloud infrastructure providers, and decentralized protocols. Testing resilience in this context could require greater operational visibility and coordination to be developed.
Once the regime begins, carrying on in-scope regulated crypto asset activities without the relevant permission could risk breaching the FSMA general prohibition, so October 2027 represents a new regulatory boundary.
Against this backdrop, firms who approach the next 18–24 months as a structured transformation addressing governance, data, financial crime, and operational resilience in parallel could be better placed to engage constructively with the authorization process and to operate sustainably in the regulated crypto market.
As crypto firms prepare for FSMA authorization, some of the most complex challenges sit at the intersection of customer due diligence, third‑party exposure and ongoing risk oversight. The FCA’s expectations around governance, financial crime controls, operational resilience, and data traceability increasingly require firms to view KYC, sanctions, monitoring, and third‑party risk management as connected components of a broader compliance framework, rather than discrete functions.
Moody’s KYC, Third‑Party Risk Management, and Compliance solutions can assist firms in developing an integrated view of risk. By bringing together identity verification, beneficial ownership, sanctions and adverse media data with third‑party risk assessment and monitoring workflows, firms may be better positioned to develop a more coherent risk picture across customers, counterparties and critical partners. When aligned with broader governance and operational resilience frameworks, this approach can support firms’ FSMA readiness efforts around consistent data, documented controls, and accountable decision‑making.
To explore how Moody’s solutions can support your business in the context of FSMA crypto regulation, please get in touch with the team any time. We would love to hear from you.
*Disclaimer: This content is for informational purposes only and does not constitute legal, financial, compliance or other professional advice. Please consult with a qualified professional for specific legal, financial, compliance, or other professional advice. For more terms and conditions pertaining to Moody’s products and services, refer to the https://www.moodys.com/web/en/us/legal/global-disclaimer.html on Moody’s website.
Sources:
https://www.regulationtomorrow.com/2025/09/fca-cp25-25-application-of-fca-handbook-for-regulated-cryptoasset-activities/
https://www.fca.org.uk/firms/new-regime-cryptoasset-regulation
https://coinalertnews.com/news/2026/01/09/uk-fca-crypto-licensing-september-2026
https://paymentexpert.com/2026/01/29/fca-launches-crypto-regulation-roadma/