BizLegal-AIStart Free
compliance

FCA Cryptoasset FSMA Registration: Pre-Application Meetings Guide

FCA opens pre-application support for cryptoasset firms under the FSMA regime. Learn what meetings require, timelines, and how to prepare your application.

BizLegal-AI Intelligence DeskgbFCA

FCA Cryptoasset FSMA Registration: Pre-Application Meetings Guide

The Financial Services and Markets Act 2000 (Financial Promotion) (Amendment) Order 2023 brought cryptoasset promotions under FCA oversight in October 2023, and the full FSMA-based authorisation regime for cryptoasset businesses is now the defining compliance challenge for UK crypto firms. The FCA's Pre-Application Support Service (PASS) is open for cryptoasset firms seeking early engagement before submitting a formal application — and firms that skip this step are learning the hard way that cold applications face brutal rejection rates.

TL;DR

  • The FCA's full FSMA cryptoasset authorisation regime requires firms to obtain FCA authorisation (or registration) before conducting regulated cryptoasset activities in the UK.
  • PASS meetings are available for cryptoasset firms and provide structured pre-application engagement with FCA supervisors before you file.
  • The FCA's historical rejection rate for crypto money laundering registration applications exceeded 80% — the FSMA regime will be no more forgiving.
  • Firms must demonstrate robust AML/CTF controls, adequate financial resources, fit-and-proper senior managers, and a credible business model.
  • Missing the authorisation window while continuing to operate is a criminal offence under FSMA s.19.

What This Regulation Actually Requires

The FSMA Cryptoasset Authorisation Framework

The UK government's Financial Services and Markets Act 2023 granted HM Treasury powers to bring cryptoassets within the FSMA regulatory perimeter. Secondary legislation is progressively designating specific cryptoasset activities as "specified activities" under the Regulated Activities Order (RAO). Once an activity is specified, any firm carrying it on by way of business in the UK must be authorised by the FCA under FSMA s.19 — the "general prohibition."

The activities being brought in include cryptoasset exchange, custody, staking, and lending. The FCA published its Consultation Paper CP24/20 in late 2024 setting out the detailed conduct rules, and the regime is expected to go live in phases from 2025 through 2026. Firms already registered under the Money Laundering Regulations (MLRs) for cryptoasset activities will need to upgrade to full FSMA authorisation — MLR registration does not grandfather into FSMA authorisation.

What "Authorisation" Actually Means

FSMA authorisation for a cryptoasset firm is not a rubber stamp. The FCA will assess:

Threshold Conditions — These are the minimum standards every authorised firm must meet on an ongoing basis. For cryptoasset firms, the five threshold conditions under Schedule 6 FSMA apply: legal status, location of offices, effective supervision, adequate resources, and suitability. The suitability condition is where most applications stumble. The FCA expects firms to demonstrate that their business model is sound, their governance is robust, and their senior managers are genuinely fit and proper.

Senior Managers and Certification Regime (SM&CR) — Cryptoasset firms will be subject to SM&CR. Every Senior Management Function (SMF) holder requires individual FCA approval. The Chief Executive, Chief Risk Officer, Chief Compliance Officer, and Money Laundering Reporting Officer (MLRO) will each need a Statement of Responsibilities and a Responsibilities Map.

Financial Promotions — Since October 8, 2023, cryptoasset financial promotions must be approved by an FCA-authorised person or communicated by a registered cryptoasset firm. Firms that have been operating under the financial promotions regime already have a head start on understanding FCA expectations, but the FSMA authorisation bar is considerably higher.

Prudential Requirements — The FCA is consulting on capital requirements for cryptoasset firms. Expect minimum capital thresholds, liquidity requirements, and wind-down planning obligations. The exact numbers are still being finalised, but firms should be modelling scenarios now.

The Pre-Application Support Service (PASS)

PASS is the FCA's structured mechanism for engaging with firms before they submit a formal application. For cryptoasset firms, PASS meetings typically involve:

  • A scoping call to confirm the firm's intended regulated activities and the applicable permissions
  • A substantive meeting with FCA supervisors covering business model, governance, AML/CTF framework, and technology infrastructure
  • Written feedback from the FCA identifying gaps the firm must address before applying

PASS is not a guarantee of authorisation. The FCA is explicit that PASS feedback does not constitute pre-approval. What it does do is dramatically reduce the risk of a rejected application — and a rejected application triggers a 12-month cooling-off period before you can reapply.

What This Means for Your Company

If you're operating a cryptoasset exchange, custody service, or any other activity that will fall within the FSMA perimeter, you are on a countdown clock. Operating without authorisation once the regime goes live is a criminal offence carrying up to two years' imprisonment under FSMA s.23, plus unlimited fines.

The FCA's track record with crypto firms is instructive. Between 2020 and 2023, the FCA processed over 300 applications for MLR cryptoasset registration. Fewer than 40 firms obtained registration without being withdrawn or rejected. The FCA cited inadequate AML controls, poor governance, and unacceptable business models as the primary reasons for refusal. The FSMA regime will apply the same scrutiny, plus the additional threshold conditions and SM&CR requirements.

Firms that went through MLR registration and survived should not assume their existing compliance infrastructure is sufficient. The FSMA regime requires a materially higher standard of documentation, governance, and control. A compliance framework that satisfied the MLR registration team in 2021 will not automatically satisfy the FSMA authorisation team in 2026.

Overseas firms targeting UK customers face the same requirements. The FCA's position is that if you're marketing to UK retail customers, you need UK authorisation. The FCA has already issued warnings against multiple unregistered overseas crypto firms and has worked with the National Crime Agency on enforcement actions.

How to Operationalize

Pre-PASS Preparation Checklist

Business Model Documentation

  • Draft a clear description of every cryptoasset activity you conduct or intend to conduct
  • Map each activity to the specific RAO article that will regulate it
  • Prepare a three-year financial model with capital adequacy projections
  • Document your wind-down plan — the FCA wants to see you've thought about orderly exit

Governance and SM&CR Readiness

  • Identify every individual who will hold an SMF
  • Conduct internal fit-and-proper assessments for each SMF holder (criminal record checks, regulatory history, financial soundness)
  • Draft Statements of Responsibilities for each SMF holder
  • Prepare a Responsibilities Map showing how accountability is allocated across the firm

AML/CTF Framework

  • Commission an independent AML audit against the JMLSG Guidance (Part III covers cryptoasset-specific requirements)
  • Document your customer due diligence procedures, including enhanced due diligence triggers
  • Prepare your Travel Rule compliance documentation — the UK Travel Rule came into force in September 2023
  • Evidence your transaction monitoring system with sample alerts and disposition records

Technology and Custody Controls

  • Document your custody arrangements, including key management procedures
  • Prepare a cybersecurity framework aligned with NIST CSF or ISO 27001
  • Evidence your business continuity and disaster recovery plans

Booking the PASS Meeting

  • Submit a PASS request through the FCA's Connect system
  • Allow 8-12 weeks for the FCA to schedule the initial scoping call
  • Prepare a concise pre-meeting pack (typically 20-40 pages) covering business model, governance, and AML framework

Post-PASS Steps

After receiving PASS feedback, firms typically need 3-6 months to remediate identified gaps before submitting a formal application. Build this into your project timeline. The formal application itself is submitted through Connect, and the FCA has a statutory 12-month determination period for complex applications, though the FCA aims to determine straightforward applications within 6 months.

Common Mistakes and How to Avoid Them

Treating PASS as a formality. Some firms book a PASS meeting with minimal preparation, expecting the FCA to tell them what to do. The FCA expects you to arrive with a substantive compliance framework already in place. Arriving underprepared signals to supervisors that the firm lacks the operational maturity for authorisation.

Underestimating SM&CR. Founders who have never operated in a regulated financial services environment consistently underestimate how demanding individual SMF approval is. The FCA will scrutinise every SMF holder's background. A co-founder with a prior regulatory sanction in any jurisdiction — not just the UK — can derail an entire application.

Copying MLR registration documentation verbatim. The FSMA regime requires materially more detailed documentation. An AML policy that was 15 pages for MLR registration needs to be a comprehensive framework document for FSMA authorisation. Firms that recycle old documentation without substantive enhancement are wasting everyone's time.

Ignoring the financial promotions track record. The FCA will look at your historical financial promotions compliance. If you've been issuing non-compliant promotions since October 2023, that history will surface in your authorisation assessment. Conduct a retrospective audit of your promotions and document any remediation steps taken.

Assuming the timeline is flexible. Once the FCA designates specific cryptoasset activities as regulated, firms have a defined window to apply for authorisation and continue operating under a "grandfathering" provision. Miss that window and you must cease the regulated activity immediately. The FCA has not historically been sympathetic to firms that missed regulatory deadlines due to poor planning.

FAQ

Q: Do we need FSMA authorisation if we already have MLR cryptoasset registration?

MLR registration and FSMA authorisation are separate regimes. MLR registration permits you to operate as a cryptoasset exchange or custodian wallet provider for AML/CTF purposes only. Once the FSMA regime designates your activities as regulated, you'll need full FSMA authorisation to continue. MLR registration does not grandfather into FSMA authorisation, and the FCA has confirmed this explicitly in its policy statements.

Q: How long does the full FSMA authorisation process take?

Realistically, 12-18 months from initial PASS engagement to receiving your authorisation. That includes 8-12 weeks to get a PASS meeting, 3-6 months of post-PASS remediation, and up to 12 months for the FCA to determine your formal application. Start now if you haven't already.

Q: Can we continue operating while our FSMA application is pending?

Yes, provided you apply within the grandfathering window that the FCA will specify when the regime goes live. Firms that apply in time can continue operating under their existing MLR registration (or without authorisation, if they weren't previously registered) until the FCA determines their application. Firms that miss the window must stop.

Q: What happens if the FCA rejects our application?

A rejected application triggers a 12-month cooling-off period before you can reapply. During that period, you cannot conduct the regulated activity. The FCA will issue a Decision Notice, which you can refer to the Upper Tribunal — but tribunal proceedings are expensive and slow. Prevention through thorough PASS preparation is far preferable.

Q: Does the FSMA regime apply to DeFi protocols?

The FCA's current position is that genuinely decentralised protocols without an identifiable legal entity may fall outside the FSMA perimeter. However, if there's a UK-based team, a legal entity, or a front-end interface that constitutes "carrying on" a regulated activity, the FCA will assert jurisdiction. The FCA has signalled it will publish further guidance on DeFi, but firms should not assume decentralisation provides a regulatory shield without specific legal advice.

Sources

  • Financial Services and Markets Act 2000, s.19 and Schedule 6 (Threshold Conditions)
  • FCA, Consultation Paper CP24/20: Regulating Cryptoassets — Admissions and Disclosures, and Market Abuse (2024)
  • HM Treasury, Financial Services and Markets Act 2023 (cryptoasset provisions)
  • FCA, PS23/6: Financial Promotion Rules for Cryptoassets (2023)

Disclaimer

This article is produced by BizLegal-AI Intelligence Desk for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently; verify current FCA guidance before taking action. Consult qualified legal counsel for advice specific to your firm's circumstances. BizLegal-AI is not a law firm and does not establish a solicitor-client relationship through this content.

FCAcryptoassetsFSMAcrypto registrationukPASSpre-application supportcrypto authorisationfinancial promotiondigital assets
Turn this guide into a plan

Get your jurisdiction-specific compliance risk score

BizLegal-AI maps your structure against this exact regulation and tells you what's missing — before a regulator does. Free preview, no card required.

Run my free risk check →

Used by founders & counsel across 50+ jurisdictions · Not legal advice

Related

Regulatory changes, before they cost you

One email when a rule that affects crypto, fintech, or cross-border deals actually changes. No noise. Unsubscribe anytime.

Disclaimer: BizLegal-AI produces regulatory intelligence and working drafts. It is not legal, financial, or tax advice. Consult qualified counsel for specific situations.