If you're running a crypto business and want to reach customers in the United Kingdom, you can't just set up a website and start trading. Since September 1, 2023, the Financial Conduct Authority (FCA) has required every virtual asset service provider (VASP) that markets to UK users to register officially. This isn't a suggestion. It's the law. And if you ignore it, you risk being blocked, fined, or even shut down.

Who Needs to Register?

Not every crypto company needs to register with the FCA. But if you do any of these things, you're in scope:

• You advertise your crypto services to UK customers - even just once
• You have a UK office or manage crypto operations from the UK
• You run a crypto ATM located in the UK
• You receive money from UK users or benefit financially from their activity

The FCA is clear: if you're targeting UK customers, you're doing business in the UK. It doesn't matter if your servers are in Singapore or your team is in Berlin. If your website uses English, accepts GBP, or has UK-specific promotions, you're subject to their rules.

The Core Requirements

Getting registered isn't about filling out a form. It's about proving you can operate safely, legally, and transparently. The FCA expects you to meet standards as strict as those for banks.

• Anti-Money Laundering (AML) and Know Your Customer (KYC): You must verify every customer's identity, monitor their transactions, and flag anything suspicious. This includes checking names against global sanctions lists and tracking unusual patterns like sudden large transfers or rapid trading cycles.
• Travel Rule Compliance: Starting in 2023, every crypto transfer over £1,000 must carry sender and receiver details - name, account number, address. This applies even if one party uses an unhosted wallet. You need systems that automatically collect and transmit this data. No exceptions.
• Financial Strength: You must prove you have enough capital to cover losses. This means submitting audited financial statements and showing you can handle cash flow shocks without collapsing.
• Cybersecurity: Your systems must be hardened against hacks. That includes encryption, multi-factor authentication, intrusion detection, and regular penetration testing. The FCA doesn't accept "we use AWS" as a security plan.
• Asset Segregation: Client funds must be kept completely separate from your company's operating money. No mixing. No borrowing. No using customer deposits to pay your rent.

The Application Process

You apply through the FCA's online portal called Connect. It's not a quick submission. You need to prepare at least six months in advance.

Here’s what you’ll need to submit:

• Company incorporation documents
• Organizational chart showing leadership and compliance roles
• Detailed AML/KYC policy manual
• Transaction monitoring system design
• Proof of cybersecurity measures
• Financial projections for the next three years
• Background checks on all directors and major shareholders

All key personnel must pass a "Fit and Proper" test. That means the FCA checks your criminal history, past financial misconduct, and whether you’ve ever been banned from financial services anywhere in the world. If you had a license revoked in Germany or got fined in Canada, it will come up.

Once submitted, your application is assigned to a dedicated case officer. There’s no set timeline. Some get approved in four months. Others wait over a year. Complexity matters more than volume. A simple exchange with 500 users gets reviewed faster than a DeFi platform with 50,000 users and multiple token types.

Why So Many Applications Get Rejected

Most rejections aren’t because the company is shady. They fail because they underestimate the depth of compliance needed.

• Weak KYC systems: Using just a passport scan and selfie? That’s not enough. The FCA requires document verification with live detection, biometric checks, and risk-based scoring.
• Missing Travel Rule infrastructure: Many firms think they can handle peer-to-peer transfers manually. They can’t. Automated systems are mandatory.
• No clear segregation of funds: If your accounting shows customer deposits sitting in the same account as your payroll fund, you’ll be asked to resubmit.
• Unrealistic financial projections: Saying you’ll hit £10M in revenue in six months without a clear customer acquisition plan raises red flags.

Even worse? Banking access. Many UK banks still refuse to open accounts for crypto firms. Without a bank account, you can’t deposit capital, pay staff, or process withdrawals. Some companies spend months just finding a payment processor willing to work with them.

What Happens After Registration?

Registration isn’t a one-time checkbox. It’s a continuous obligation.

• You must submit annual AML reports
• You must update your compliance manual every time you add a new service
• You must notify the FCA within 24 hours of any material cybersecurity incident
• You must undergo periodic audits - sometimes unannounced

The FCA can suspend or revoke your registration at any time. Recent examples include firms that failed to update their KYC procedures after new sanctions lists were released, or those that allowed users to bypass identity checks using third-party tools.

What About Businesses Outside the UK?

If you're based outside the UK and don’t market to UK customers, you don’t need to register. But here’s the catch: if you don’t actively block UK users, the FCA may still consider you in scope. A simple "UK users not served" banner isn’t enough. You need geolocation blocking, IP filtering, and currency restrictions.

Some firms use legal teams to argue they’re not targeting the UK. The FCA doesn’t care about your legal arguments. They care about your traffic logs. If 15% of your users are from London, and your site is in English with GBP pricing - you’re in.

Future Changes Coming in 2026

The FCA is expanding its oversight. By late 2026, expect:

• More detailed reporting on token classifications (utility vs. security)
• Stricter rules on staking and yield products
• Expanded Travel Rule to cover all transfers, regardless of amount
• Integration with the UK’s digital pound infrastructure

The FCA also plans new information sessions in Edinburgh and Manchester during autumn 2026. These aren’t sales pitches - they’re compliance deep dives. Attending them shows you’re serious.

Common Mistakes to Avoid

• Waiting until the last minute to start
• Using templates from other countries (EU rules don’t work in the UK)
• Assuming "registration" means approval - it doesn’t. You must prove compliance
• Thinking you can outsource compliance to a third party and forget about it
• Ignoring the banking problem - without a payment partner, registration is meaningless

Final Reality Check

The UK isn’t trying to scare crypto businesses away. It’s trying to make sure they don’t become tools for crime. The system is tough, but it’s not impossible. Companies like CoinJar and Bitstamp got approved by building systems from scratch - not by cutting corners.

If you’re serious about serving UK customers, treat this like building a bank. Document everything. Test everything. Train everyone. And never assume compliance is a form you fill out. It’s a culture.