AML Rules for Crypto Businesses in the UK: What You Must Do in 2025

Posted 21 Nov by Peregrine Grace 1 Comments

Running a crypto business in the UK isn’t just about building tech or attracting users. If you’re handling digital assets, you’re now part of a tightly controlled financial system. The AML rules for crypto businesses in the UK are not suggestions; they’re legal requirements with real penalties. Miss a step, and your business could be shut down, fined, or worse, barred from operating entirely. As of 2025, the landscape has shifted again. What worked last year might not cut it today.

Who Exactly Needs to Comply?

If your business does any of these, you’re regulated:

  • Exchanges that trade crypto for fiat (like GBP) or other crypto
  • Custodial wallet providers who hold crypto on behalf of customers
  • Any firm that facilitates crypto payments or transfers

It doesn’t matter if you’re based in London, Manchester, or Brighton. If you serve UK customers, or even just have a website accessible here, you need to register with the Financial Conduct Authority (FCA). Non-resident firms can’t dodge this either. The FCA has been cracking down on offshore operators targeting UK users.

There are no exceptions for startups. Even if you’re small, you still need to register before you launch. The FCA doesn’t care if you’re a team of three or a funded unicorn. The rules apply equally.

The Core Requirements: What You Can’t Skip

Registration is just the first hurdle. Once approved, you’re locked into a strict compliance routine. Here’s what you must do daily:

1. Know Your Customer (KYC) with Real Verification

You can’t just ask for an email and a selfie. The FCA requires customer due diligence (CDD) using at least two independent, reliable sources. That means:

  • Government-issued ID (passport, driver’s license)
  • Proof of address (utility bill, bank statement under 3 months old)
  • Live facial verification (not just a photo upload)

For higher-risk customers, like those from sanctioned countries or politically exposed persons (PEPs), you need enhanced due diligence (EDD). This includes deeper background checks, source-of-funds documentation, and ongoing monitoring. The FCA found that 62% of failed applications had weak or missing CDD processes.

2. The Travel Rule: Track Every Big Transfer

Since 2022, the UK has enforced the FATF’s Travel Rule. If a customer sends or receives more than £1,000 in crypto, you must collect and share:

  • Full name of sender and receiver
  • Account or wallet numbers
  • Address (if available)
  • Reason for transfer

This applies to both incoming and outgoing transfers. You can’t just rely on the other party to send the info; you’re legally responsible for making sure it’s there. Many firms failed because they assumed their partner exchange would handle it. The FCA says: “You are responsible, even if someone else is supposed to do it.”

3. Ongoing Monitoring and Suspicious Activity Reporting

You’re not done after onboarding. You must continuously monitor transactions. Systems need to flag:

  • Unusual spikes in activity
  • Transactions linked to known blacklisted wallets
  • Structuring: breaking large transfers into smaller ones to avoid thresholds

If something looks off, you must file a Suspicious Activity Report (SAR) with the National Crime Agency (NCA). Failure to report can lead to criminal charges. Between 2022 and 2025, 39% of rejected applications had no functional monitoring system.

4. Record Keeping for Five Years

Every KYC document, transaction record, SAR, and internal review must be stored securely for five years. That’s not a suggestion; it’s a legal requirement. The FCA can audit you at any time. If you can’t produce records, you’re in violation.

The Registration Process: Harder Than You Think

Getting registered isn’t a form you fill out and submit. It’s a months-long process with multiple checkpoints.

First, you submit an application to the FCA. Then, you wait. The average processing time is 9.2 months. Some firms wait over a year. During that time, you can’t operate.

Why so slow? Because 87.3% of applications fail the first time. Common reasons:

  • Incomplete risk assessment (62.1%)
  • No clear AML policy signed by senior management (48.7%)
  • Weak transaction monitoring tools (39.4%)
  • Missing documentation on ownership structure

Many firms spend over £287,500 just to get through the process. Annual compliance costs average £142,300. That’s not startup money; it’s enterprise-level spending.

What’s Changing in Late 2025?

The current system is temporary. The Financial Services and Markets Act (FSMA) 2025 is replacing the old Money Laundering Regulations. By Q1 2026, the FCA will move from a registration regime to a full licensing system.

Here’s what changes:

  • 10% ownership change trigger: If any person or entity buys 10% or more of your company, you must notify the FCA. Previously, it was 25%.
  • Counterparty due diligence: You now need to verify not just your customers, but also the exchanges or wallets you send crypto to, even if they’re not your clients.
  • Dual registration ends: Once FSMA kicks in, you won’t need both MLR registration and a separate FSMA license. But you’ll need to reapply under the new rules.

This isn’t a minor tweak. It’s a complete overhaul. Firms that barely passed under the old system will likely fail under the new one.

How the UK Compares to Other Countries

The UK is stricter than most. Here’s how it stacks up:

Comparison of Crypto AML Rules: UK vs. EU vs. US vs. Singapore
| Requirement | UK | EU (MiCA) | US | Singapore (MAS) |
|---|---|---|---|---|
| Registration Authority | FCA (single) | National regulators | Multiple (FinCEN, SEC, CFTC) | Monetary Authority of Singapore |
| Travel Rule Threshold | £1,000 | €1,000 | $1,000 | $1,000 |
| Ownership Change Notification | 10% | 20% | No fixed threshold | 25% |
| First-Time Registration Pass Rate | 12.7% | ~35% | ~30% | 38.4% |
| Penalty for Non-Compliance | Fines, ban, criminal liability | Fines, license revocation | Fines, civil penalties | Fines, license suspension |

The UK’s 10% ownership rule is the strictest in the world. It’s designed to prevent hidden control. But critics say it adds paperwork without real security gains. Professor Nicholas Ryder called it “administrative overkill.”

Singapore has a higher pass rate because its system is simpler and more predictable. The UK, by contrast, is unpredictable. One firm gets approved after 14 months; another gets rejected for the same documents.

Real Stories from the Front Lines

One founder, who runs a small crypto exchange in Leeds, spent 18 months and £520,000 on consultants before finally getting approved. “We had everything right: KYC, monitoring, policies. But the FCA kept asking for more. We didn’t know what they wanted until they said no.”

Another, a custodial wallet provider in Edinburgh, said: “Once we passed, our investor confidence shot up. We got a £10M funding round. The FCA stamp became a trust signal.”

But the cost is real. The average firm hires external compliance teams, buys specialized software, and trains staff for 35 hours a year. Many can’t afford it. That’s why the number of registered firms dropped from 184 in January 2024 to 147 in June 2025.

What Happens If You Don’t Comply?

Ignoring the rules isn’t an option. The FCA doesn’t warn you twice.

  • You can be fined up to £1 million or more
  • Your website can be blocked by UK ISPs
  • Senior executives can be personally prosecuted
  • Your business can be permanently banned from operating in the UK

And it’s not just the FCA. HMRC can audit your taxes. OFSI can freeze assets if you transact with sanctioned addresses. The NCA can refer you to the police.

In 2024, the UK seized over £120 million in crypto linked to illicit activity. Most of it came from unregistered firms.

How to Succeed in 2025

If you’re serious about operating in the UK:

  1. Start early. Don’t wait until you have users. Begin compliance prep six months before launch.
  2. Hire a specialist AML consultant with UK crypto experience, not a general lawyer.
  3. Invest in real-time blockchain analytics tools. Don’t use free or outdated screeners.
  4. Train your team. 82.7% of compliant firms use dedicated AML training platforms.
  5. Document everything. If you didn’t write it down, the FCA assumes it didn’t happen.
  6. Prepare for FSMA. Even if you’re registered now, you’ll need to reapply under the new system in 2026.

The UK isn’t trying to kill crypto. It’s trying to clean it up. The firms that survive are the ones that treat compliance like a core product, not a cost center.

Final Reality Check

There’s no shortcut. No loophole. No “just get started and sort it later.” The UK’s crypto AML rules are among the toughest in the world. But they’re also the clearest, if you’re willing to pay the price.

By 2027, experts predict only 85 to 95 firms will remain fully compliant. That’s down from over 200 just two years ago. The market is shrinking, but the survivors will be trusted, well-funded, and built to last.

If you’re building a crypto business in the UK, you’re not just coding. You’re building a legal and financial fortress. And that takes more than tech. It takes discipline, resources, and patience.

Do I need to register with the FCA if I’m a crypto business outside the UK?

Yes, if you serve UK customers or have a website that targets them. The FCA regulates based on where users are, not where your company is incorporated. Even if you’re based in the US or Estonia, if a UK resident uses your exchange or wallet, you must register. The FCA has already blocked several foreign platforms for failing to comply.

Can I operate while my FCA application is being reviewed?

No. You cannot legally provide crypto services in the UK until your registration is approved. Operating without registration is a criminal offense. Many firms make the mistake of launching early to gain traction, only to be shut down by the FCA with no warning. The 9.2-month average processing time means you need to plan ahead.

What happens if I miss the FSMA transition deadline in 2026?

Your current registration will expire. You will lose your legal status to operate in the UK. The FCA will not allow you to continue under the old MLR regime after Q1 2026. You must apply for a full FSMA license before the deadline. There will be no grace period. Firms that delay risk being permanently excluded from the UK market.

Is the Travel Rule enforced for all crypto types, or just Bitcoin?

It applies to all cryptoassets, including Bitcoin, Ethereum, stablecoins, and tokens. The rule doesn’t care about the type of asset, only the value. Any transfer over £1,000, regardless of the coin, triggers the requirement to collect and share originator and beneficiary details. This includes DeFi protocols if they’re operated by a regulated entity.

How do I know if my transaction monitoring system is good enough?

The FCA expects systems to screen against at least 12 global sanctions lists, including OFSI, OFAC, and UN lists, updated in real time. Your system should flag unusual patterns like rapid deposits and withdrawals, mixing services, or transactions with known darknet wallets. The average false positive rate should be below 20%. If your system generates more than 28% false alerts, it’s likely insufficient. Many firms upgrade after failing their first FCA audit.

Comments(1)
  • neil stevenson

    November 22, 2025 at 05:36

    lol UK wants to regulate crypto like it's 2008 banking... we're talking decentralized tech here. 🤷‍♂️
