BizLegal-AIStart Free
enforcement

FCA Leads First Enforcement Op Against Illegal Crypto P2P Trading

FCA illegal crypto trading enforcement hits peer-to-peer operators hard. What the UK's first coordinated P2P crackdown means for your compliance posture.

BizLegal-AI Intelligence DeskgbFCA

FCA Leads First Enforcement Op Against Illegal Crypto P2P Trading

The FCA's coordinated action against unregistered peer-to-peer crypto trading networks — executed alongside HMRC and the National Crime Agency in late 2024 — marked a structural shift in UK crypto enforcement. For the first time, the regulator moved beyond warning lists and financial promotions takedowns to pursue the informal trading infrastructure that has operated in plain sight for years. If your business touches P2P crypto flows in any capacity, the compliance calculus just changed.

TL;DR

  • The FCA, HMRC, and NCA jointly targeted unregistered P2P crypto trading operations under the Money Laundering Regulations 2017 (MLR 2017) and the Financial Services and Markets Act 2000 (FSMA).
  • Operating as a cryptoasset exchange provider or custodian wallet provider without FCA registration is a criminal offence carrying up to two years' imprisonment.
  • P2P platforms and informal brokers are not exempt — the "person-to-person" framing does not sidestep MLR 2017 registration requirements if you're facilitating exchanges as a business.
  • HMRC's parallel interest means tax evasion charges can stack on top of FCA/AML violations.
  • Remediation is possible but the window for voluntary disclosure is narrowing fast.

What This Regulation Actually Requires

The MLR 2017 Registration Obligation

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 — as amended by the Cryptoasset Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Regulations 2022 — require any business carrying on "cryptoasset exchange provider" or "custodian wallet provider" activity in the UK to register with the FCA before commencing operations.

The definitions are deliberately broad. A cryptoasset exchange provider includes any person who, by way of business, exchanges cryptoassets for money, money for cryptoassets, or one cryptoasset for another. That language captures informal brokers, Telegram-based OTC desks, and community trading groups that charge a spread or fee. The "by way of business" threshold is low — regularity and commercial purpose are enough. You don't need a website or a company registration to fall inside it.

FSMA and the Regulated Activities Order

Separately, certain crypto activities can constitute regulated activities under FSMA 2000 and the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001. Arranging deals in investments, operating a multilateral trading facility, or dealing as principal in qualifying cryptoassets (particularly following the FCA's expanded perimeter under the Financial Services and Markets Act 2023) can trigger the general prohibition under FSMA s.19. Breach carries criminal liability and renders contracts unenforceable.

Financial Promotions Regime

Since October 2023, cryptoasset financial promotions must either be issued by an FCA-authorised person, approved by one, or fall within a specific exemption. The FCA has issued over 450 alerts against firms — including P2P platforms — for non-compliant promotions since the regime went live. Promoting an unregistered P2P service to UK consumers is itself a standalone offence.

AML/CTF Obligations for Registered Firms

For those who are registered, the obligations are substantive. Customer due diligence (CDD) on all customers, enhanced due diligence (EDD) for high-risk relationships, transaction monitoring, suspicious activity reporting to the National Crime Agency, and record-keeping for five years. P2P platforms have historically struggled with CDD because the peer model creates ambiguity about who the "customer" is. The FCA's position: if you operate the platform, you own the CDD obligation for both sides of the transaction.

The Travel Rule

From 1 September 2023, the UK's implementation of the FATF Travel Rule (via the Wire Transfer (Information on the Payer) Regulations 2017, as amended) requires cryptoasset businesses to collect and transmit originator and beneficiary information for transfers above £1,000. P2P operators who route transfers between wallets without capturing this data are in breach — and the FCA has flagged Travel Rule non-compliance as a priority supervisory concern for 2025-2026.

What This Means for Your Company

The enforcement action signals three things that should recalibrate your risk assessment.

First, the FCA is no longer treating P2P as a grey zone. The joint operation with HMRC and the NCA demonstrates institutional coordination that informal operators have historically relied on not existing. Asset freezes, dawn raids, and criminal referrals are now live tools in this space.

Second, the "we're just a platform" defence is dead. Facilitating P2P trades — even if you never touch the crypto yourself — can constitute operating as a cryptoasset exchange provider if you're matching buyers and sellers, setting or publishing exchange rates, or collecting fees. The FCA's supervisory guidance published in 2023 made this explicit.

Third, HMRC's involvement adds a second enforcement vector. Capital gains tax obligations on crypto disposals, income tax on trading profits, and VAT questions around fee income all sit alongside the FCA/AML exposure. Operators who've been running informal books face potential tax assessments going back years, with interest and penalties compounding the headline liability.

For registered firms, the message is different but equally pointed: the FCA's supervisory intensity on cryptoasset businesses has increased materially. The regulator rejected approximately 80% of cryptoasset registration applications between 2020 and 2023. Those that got through face ongoing scrutiny, and the P2P enforcement action signals that the FCA will use its MLR 2017 supervisory powers — including requirements to appoint a skilled person under Regulation 74A — more aggressively.

How to Operationalize

For unregistered operators currently facilitating P2P trades:

  1. Stop facilitating new transactions immediately pending legal advice. Continuing to operate while aware of the registration requirement aggravates criminal exposure.
  2. Engage specialist crypto regulatory counsel within 48 hours. The FCA's voluntary requirement process and HMRC's Contractual Disclosure Facility (CDF) both offer better outcomes than waiting for a knock.
  3. Preserve all records — wallet addresses, transaction logs, customer communications, fee records. Destruction of records after becoming aware of an investigation is a separate criminal offence.
  4. Assess whether your activity falls within the MLR 2017 definitions using the FCA's published guidance on cryptoasset registration. If there's genuine ambiguity, request a supervisory meeting with the FCA's Cryptoassets team.
  5. If registration is viable, prepare a complete application: AML/CTF policies, risk assessments, governance documentation, and fit-and-proper evidence for all beneficial owners and senior managers.

For registered cryptoasset businesses with P2P features:

  1. Map every P2P flow in your product against the Travel Rule thresholds. Document your compliance methodology and any gaps.
  2. Review your CDD framework to confirm it captures both sides of peer transactions — not just the account holder initiating the transfer.
  3. Conduct a financial promotions audit. Every piece of content promoting P2P functionality to UK users must comply with the October 2023 regime.
  4. Test your transaction monitoring rules specifically against P2P patterns: structuring below £1,000 to avoid Travel Rule capture, rapid wallet cycling, and high-frequency low-value transfers are all red flags the FCA has identified.
  5. Brief your board. The FCA expects senior management to own AML/CTF risk. A board paper documenting the enforcement landscape and your firm's response is both good governance and useful evidence of reasonable steps.

For legal and compliance advisers:

  • Update client risk assessments to reflect the expanded enforcement perimeter.
  • Check whether any clients operate informal crypto services that haven't been assessed against MLR 2017.
  • The FCA's Financial Crime Guide (FCG) and its Cryptoassets Registration guidance are the primary reference documents.

Common Mistakes and How to Avoid Them

Mistake 1: Assuming small scale means low risk. The MLR 2017 has no de minimis threshold for registration. A Telegram group facilitating £5,000 a month in crypto trades for a fee is as legally exposed as a platform processing millions. Scale affects penalty quantum, not liability.

Mistake 2: Relying on the "personal use" carve-out. The personal use exemption applies to individuals trading their own crypto for their own account. The moment you facilitate trades for others — even friends, even for free — the analysis changes. Charging a spread or fee removes any ambiguity.

Mistake 3: Treating FCA registration as a one-time event. Registration under MLR 2017 is a continuing obligation. Material changes to your business model, ownership structure, or product features require notification to the FCA and may require a fresh assessment. P2P operators who added new features post-registration without notifying the FCA have found themselves in breach of their registration conditions.

Mistake 4: Ignoring the financial promotions regime for P2P. Many P2P operators focus compliance resource on AML and forget that every tweet, Discord post, or referral link promoting their service to UK users is a financial promotion. The FCA has shown it will pursue promotions violations independently of registration status.

Mistake 5: Underestimating HMRC's data access. HMRC has information-sharing arrangements with major centralised exchanges and has issued bulk data requests to platforms operating in the UK. If your customers have used KYC'd accounts to fund P2P trades, HMRC may already have the data trail. Voluntary disclosure before HMRC makes contact produces materially better outcomes.

FAQ

Q: Does the MLR 2017 registration requirement apply if I'm based outside the UK but serve UK customers?

A: Yes. The FCA's position is that the registration requirement applies to any person carrying on cryptoasset exchange or custodian wallet activity "in the United Kingdom." The FCA has consistently interpreted this to include overseas operators who actively market to or serve UK customers, regardless of where the operator is incorporated. The financial promotions regime reinforces this — communicating a promotion to a UK person triggers UK law.

Q: What's the difference between MLR 2017 registration and FCA authorisation?

A: MLR 2017 registration is an AML/CTF supervisory regime — it doesn't confer permission to conduct regulated activities under FSMA. Authorisation under FSMA is a separate, higher bar that applies when your crypto activity constitutes a regulated activity (e.g., dealing in qualifying cryptoassets as principal, operating an MTF). Some businesses need both. The FCA's 2023 cryptoasset roadmap signals that more crypto activities will migrate from the MLR 2017 registration regime into full FSMA authorisation as the regulatory framework matures.

Q: Can I continue operating while my MLR 2017 registration application is pending?

A: No. The MLR 2017 requires registration before commencing business. There is no "pending application" safe harbour. If you're already operating, you're already in breach. The FCA has discretion over how it responds to voluntary applications from existing operators, but there's no legal protection for continued operation during the application process.

Q: What penalties can the FCA impose for unregistered P2P operation?

A: Criminal prosecution for operating without registration carries up to two years' imprisonment and/or an unlimited fine. The FCA can also apply for injunctions, asset freezes, and restitution orders. Civil penalties under MLR 2017 are unlimited. In practice, the FCA has used a combination of criminal referral (for the most serious cases), civil enforcement, and supervisory requirements. The NCA's involvement in the 2024 operation signals that proceeds of crime / money laundering charges are also in scope.

Q: If I shut down my P2P operation now, does that eliminate my exposure?

A: Ceasing operations reduces ongoing exposure but doesn't eliminate historic liability. The FCA and HMRC can pursue past conduct. Voluntary cessation combined with proactive disclosure is the strongest mitigating factor available, but it needs to be genuine and complete — partial disclosure or selective record production typically makes outcomes worse.

Sources

  • Financial Conduct Authority, Cryptoassets: AML/CTF regime — registration guidance, FCA.org.uk
  • HM Treasury, Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, SI 2017/692 (as amended)
  • Financial Conduct Authority, Financial Crime Guide (FCG), FCA Handbook
  • HM Revenue & Customs, Cryptoassets Manual, HMRC internal manual (published guidance)

Disclaimer

This article is produced by BizLegal-AI Intelligence Desk for informational purposes only. It does not constitute legal advice and does not create a solicitor-client or adviser-client relationship. Regulatory positions described reflect publicly available information as of the date of publication and may not reflect subsequent developments. Readers should obtain independent legal advice tailored to their specific circumstances before taking or refraining from any action. BizLegal-AI makes no representations as to the completeness or accuracy of information derived from third-party regulatory sources.

FCAcrypto enforcementpeer-to-peer tradingHMRCukMLR 2017cryptoasset registrationfinancial promotionsAML compliancedigital assets
Turn this guide into a plan

Get your jurisdiction-specific compliance risk score

BizLegal-AI maps your structure against this exact regulation and tells you what's missing — before a regulator does. Free preview, no card required.

Run my free risk check →

Used by founders & counsel across 50+ jurisdictions · Not legal advice

Related

Regulatory changes, before they cost you

One email when a rule that affects crypto, fintech, or cross-border deals actually changes. No noise. Unsubscribe anytime.

Disclaimer: BizLegal-AI produces regulatory intelligence and working drafts. It is not legal, financial, or tax advice. Consult qualified counsel for specific situations.