BizLegal-AIStart Free
regulatory

UK Crypto Regulation 2027: FCA Consultation Guide for Firms

UK crypto regulation 2027 is taking shape now. Understand FCA's consultation requirements, licensing obligations, and what your firm must do before the regime launches.

BizLegal-AI Intelligence DeskgbFCA

UK Crypto Regulation 2027: FCA Consultation Guide for Firms

The FCA's Discussion Paper DP25/1, published in March 2025, set out the regulator's thinking on conduct rules, market abuse frameworks, and admission requirements for the incoming UK cryptoasset regime — a regime that HM Treasury has confirmed will go live under the Financial Services and Markets Act 2000 (as amended by the Financial Services and Markets Act 2023) no earlier than 2027. Firms that missed the DP25/1 consultation window closed in June 2025 are already behind. The next consultation paper is expected in late 2026, and the authorisation gateway will open before the regime's effective date.

That timeline is tighter than it looks.

TL;DR

  • The UK's full cryptoasset regulatory regime is targeted for 2027, built on FSMA 2000 as amended by FSMA 2023.
  • FCA DP25/1 (March 2025) covered market abuse, admission and disclosure, and trading platform conduct — responses closed June 2025.
  • A further Consultation Paper (CP) is expected H2 2026, with final rules and a Handbook update to follow.
  • Firms already registered under the MLR 2017 crypto regime are not automatically authorised; a full FSMA authorisation application will be required.
  • Acting now on gap analysis, governance, and systems readiness is the difference between a smooth gateway application and a last-minute scramble.

What This Regulation Actually Requires

The Legislative Foundation

FSMA 2023 inserted a new regulated activity framework for cryptoassets into FSMA 2000. HM Treasury's secondary legislation will designate specific cryptoasset activities as "specified activities," triggering the general prohibition under FSMA 2000 s.19. Operating without authorisation once the regime is live will be a criminal offence carrying up to two years' imprisonment under s.23.

The activities expected to be captured include: operating a cryptoasset trading platform (CATP), dealing in cryptoassets as principal or agent, arranging deals, providing custody, and issuing cryptoassets to the public. Stablecoin issuance and custody already have a separate track under the Payment Services regime, but the broader regime will sweep in most exchange and brokerage activity.

DP25/1: The Three Core Pillars

Market Abuse. The FCA proposes a cryptoasset market abuse regime (CMAR) modelled closely on the UK Market Abuse Regulation (UK MAR). This means insider dealing prohibitions, market manipulation rules, and suspicious transaction and order reporting (STOR) obligations for trading platforms. The FCA is consulting on whether the CMAR should apply to assets traded on UK-authorised platforms only, or extend to assets with a UK nexus regardless of where they trade — a significant jurisdictional question for firms with cross-border order books.

Admission and Disclosure. CATPs will be required to produce and publish admission documents before listing a cryptoasset. The FCA is considering a "CATP-led" model where the platform, not the issuer, bears primary responsibility for due diligence and disclosure adequacy. This is a meaningful departure from the prospectus model and places substantial liability on exchange operators.

Trading Platform Conduct. DP25/1 proposes rules on best execution, conflicts of interest, order handling, and the segregation of proprietary trading from agency business. Firms running vertically integrated models — exchange, broker, and market-maker under one roof — will face the sharpest structural questions here.

What Comes Next: The CP and Final Rules

The FCA has signalled a Consultation Paper in H2 2026 covering the full Handbook text. That CP will include the Threshold Conditions for authorisation, the Senior Managers and Certification Regime (SM&CR) application to crypto firms, financial resilience requirements, and the consumer duty obligations. Final rules are expected Q1 2027, with the regime effective date to follow.

The FCA has also confirmed it will publish a "gateway" process for existing MLR-registered firms to apply for FSMA authorisation. No automatic grandfathering. Every firm starts from scratch on the authorisation application.

What This Means for Your Company

If you're operating a UK-facing crypto exchange, custody provider, or brokerage today under the MLR 2017 registration, your current permissions are time-limited. The MLR registration covers anti-money laundering obligations only. It says nothing about your fitness to conduct regulated activities under FSMA. The FCA will assess your business model, governance, financial resources, and systems against Threshold Conditions it hasn't yet finalised — which is precisely why engaging with the consultation process matters.

For firms currently outside the UK but marketing to UK retail customers: the FCA's overseas persons exemption is unlikely to survive the new regime in its current form. The FCA has been explicit in multiple speeches that it intends to close the gap between UK-registered and overseas-based platforms accessing UK consumers.

Stablecoin issuers face a dual-track problem. If your stablecoin is used as a means of payment, you're already in scope of the Payment Services regime amendments. If it's traded on a CATP, you'll also need to satisfy the admission and disclosure requirements. Two regulatory frameworks, potentially two sets of obligations, one product.

Venture-backed startups planning a 2026 or 2027 UK launch need to build authorisation timelines into their fundraising and product roadmaps now. The FCA's average determination period for complex FSMA applications has historically run 12-18 months. That clock starts when you submit a complete application — not when you decide to apply.

How to Operationalize

Step 1: Map your activities against the proposed specified activities list. Pull HM Treasury's February 2023 consultation response and DP25/1 Annex 1. For each business line, determine whether it falls within a proposed specified activity. Document your analysis. This becomes the foundation of your authorisation application.

Step 2: Conduct a gap analysis against DP25/1 proposals. Even though final rules aren't published, the FCA's direction of travel is clear enough to identify gaps in your market surveillance systems, conflicts of interest policies, best execution frameworks, and admission due diligence processes. Start closing those gaps now.

Step 3: Appoint or designate SM&CR candidates. The FCA will apply SM&CR to authorised crypto firms. Identify your likely Approved Persons for Chief Executive, Chief Risk Officer, Chief Compliance Officer, and Money Laundering Reporting Officer functions. Assess their fitness and propriety against FCA FIT standards. If gaps exist, address them before the gateway opens.

Step 4: Engage with the H2 2026 Consultation Paper. When the CP drops, respond. The FCA reads responses. Firms that engage constructively on workable implementation timelines, technical standards for market surveillance, and admission document requirements have historically influenced final Handbook text. This is not box-ticking — it's regulatory relationship management.

Step 5: Prepare your Regulatory Business Plan. The FCA's authorisation process requires a detailed RBP covering your business model, target market, revenue projections, risk appetite, and compliance arrangements. Drafting this document forces internal alignment and surfaces gaps. Start a working draft now, even if it's incomplete.

Step 6: Assess financial resources. The FCA will set capital requirements for CATPs and custody providers. While the exact numbers aren't finalised, DP25/1 signals alignment with investment firm prudential standards. Model scenarios against the Investment Firms Prudential Regime (IFPR) thresholds as a planning assumption.

Step 7: Monitor FCA publications and set internal deadlines. Assign a named owner for regulatory horizon scanning. Set calendar alerts for the H2 2026 CP publication, the consultation response deadline, and the expected gateway opening. Missing a consultation window is a recoverable mistake. Missing the authorisation gateway is not.

Common Mistakes and How to Avoid Them

Assuming MLR registration is a head start on FSMA authorisation. It isn't. The FCA has been clear: MLR registration demonstrates AML compliance, not fitness to conduct regulated activities. Firms that conflate the two will be surprised by the depth of the FSMA application requirements. Treat them as entirely separate processes.

Waiting for final rules before starting preparation. The FCA's consultation papers are not drafts that might change beyond recognition. DP25/1's core proposals — CMAR, admission documents, conduct rules — reflect settled policy thinking. Firms that wait for the final Handbook text before beginning gap analysis will have 6-9 months to implement what should have been an 18-month programme.

Underestimating the admission and disclosure burden. If you operate a CATP, you will be responsible for the adequacy of admission documents for every asset you list. That's a due diligence and legal review function that doesn't exist in most crypto exchange compliance teams today. Building it takes time and specialist resource.

Ignoring the overseas nexus question. If your platform is incorporated offshore but has UK users, UK-based staff, or UK-directed marketing, you are likely in scope. The FCA's enforcement record on unauthorised business — including its 2024 actions against several overseas platforms for breaching the financial promotions regime — signals it will pursue overseas firms aggressively under the new regime.

Treating the consumer duty as a separate workstream. The FCA will apply the Consumer Duty to authorised crypto firms serving retail customers. This isn't a bolt-on. It affects product design, pricing disclosure, customer support standards, and outcome monitoring. Integrate it into your authorisation preparation from day one.

FAQ

Q: Does the 2027 regime apply to DeFi protocols? A: The FCA's current position, reflected in DP25/1, is that genuinely decentralised protocols without an identifiable responsible person fall outside the proposed regime. However, the FCA has flagged this as an area of ongoing policy development. If your "DeFi" protocol has a centralised front-end, an identifiable operator, or a governance token controlled by a small group, don't assume you're out of scope. The FCA will look through structure to substance.

Q: Will existing FCA-authorised firms (e.g., investment firms) need a separate cryptoasset authorisation? A: Yes, in most cases. FSMA authorisation for investment business doesn't automatically cover the new specified cryptoasset activities. Existing authorised firms will need to apply for a variation of permission (VoP) to add cryptoasset activities. The FCA has indicated a streamlined VoP process for firms with existing permissions, but "streamlined" still means a substantive application.

Q: What happens to firms that are operating when the regime goes live but haven't yet received authorisation? A: HM Treasury is expected to provide a transitional period — likely 12-24 months — during which firms that have submitted a complete authorisation application can continue operating. The exact terms will be set in secondary legislation. Firms that haven't applied by the gateway opening date will have no transitional protection and will need to cease UK-regulated activities.

Q: How does the UK regime interact with MiCA in the EU? A: There's no mutual recognition between the UK regime and MiCA. A MiCA authorisation in an EU member state gives you no rights to passport into the UK. Firms operating in both jurisdictions will need separate authorisations and will need to comply with two distinct regulatory frameworks. Where the rules diverge — and they do, particularly on stablecoins and market abuse — you'll need jurisdiction-specific compliance programmes.

Q: When will the FCA publish the authorisation gateway? A: The FCA hasn't confirmed a specific date. Based on the legislative timeline and the expected H2 2026 CP, the gateway is most likely to open in Q1-Q2 2027, ahead of the regime's effective date. Watch for FCA Policy Statements following the 2026 CP for the confirmed date.

Sources

  • FCA Discussion Paper DP25/1, Cryptoassets: Admissions and Disclosures, Market Abuse and Trading Platforms (March 2025) — available at fca.org.uk
  • HM Treasury, Future Financial Services Regulatory Regime for Cryptoassets: Consultation and Call for Evidence (February 2023) — available at gov.uk
  • Financial Services and Markets Act 2023, Part 5 (Cryptoassets) — legislation.gov.uk
  • FCA, Cryptoasset Registration guidance and MLR 2017 supervisory expectations — fca.org.uk

Disclaimer

This article is produced by BizLegal-AI Intelligence Desk for informational purposes only. It does not constitute legal advice and does not create a solicitor-client or adviser-client relationship. Regulatory requirements are subject to change; readers should verify current rules with the FCA and seek qualified legal counsel before making compliance or business decisions. BizLegal-AI makes no representations as to the completeness or accuracy of information regarding pending or proposed regulatory changes.

FCAcryptoassetsUK crypto regimeregulatory consultationUKcrypto licensing UKFCA crypto consultationcryptoasset authorisationFSMA 2000HM Treasury
Turn this guide into a plan

Get your jurisdiction-specific compliance risk score

BizLegal-AI maps your structure against this exact regulation and tells you what's missing — before a regulator does. Free preview, no card required.

Run my free risk check →

Used by founders & counsel across 50+ jurisdictions · Not legal advice

Related

Regulatory changes, before they cost you

One email when a rule that affects crypto, fintech, or cross-border deals actually changes. No noise. Unsubscribe anytime.

Disclaimer: BizLegal-AI produces regulatory intelligence and working drafts. It is not legal, financial, or tax advice. Consult qualified counsel for specific situations.