AML Rules for Crypto Businesses in the UK: What You Must Know in 2025

Posted 21 Nov by Peregrine Grace

Note: The average UK crypto firm spends £287,500 for initial registration and £142,300 annually. Costs vary based on business complexity, service type, and regulatory requirements.

If you're running a crypto business in the UK, you’re not just dealing with blockchain tech or wallet apps; you’re navigating one of the strictest AML regimes in the world. The rules aren’t suggestions. They’re legal requirements enforced by the Financial Conduct Authority (FCA), and failing to follow them can shut down your business overnight. As of 2025, the landscape has changed again. New rules are coming, old ones are tightening, and the cost of getting it wrong is higher than ever.

Who Needs to Register with the FCA?

Not every crypto company in the UK needs to register, but if you’re doing one of these things, you absolutely do: running a crypto exchange, offering custodial wallet services, or facilitating crypto-to-fiat conversions. That’s it. If you’re just building a blockchain tool, mining coins, or trading for yourself, you’re not in scope. But if you’re handling other people’s money or assets, the FCA needs to know about you.

The registration system started in January 2020, after the UK adopted the EU’s Fifth Anti-Money Laundering Directive. Since then, 184 firms applied. By June 2025, only 147 remained on the official register. That’s a 20% drop in just 18 months. Why? Most didn’t meet the bar. The FCA doesn’t just want paperwork; they want proof you can actually stop money laundering.

What the FCA Actually Checks

It’s not enough to say you have policies. The FCA wants to see them working. Their 2025 review found that 62.1% of failed applicants had weak risk assessments. That means you can’t just copy a template from the internet. You need to map out every possible way your business could be used for fraud, whether it’s through anonymous wallets, high-risk countries, or rapid transaction flows.

Senior management oversight is another big one. Forty-eight point seven percent of rejections came from firms where the CEO or CFO didn’t have real control over compliance. If your head of compliance reports to your head of marketing, you’re already in trouble. The FCA expects the compliance officer to answer directly to the board.

And then there’s transaction monitoring. Nearly 40% of applicants failed because their systems couldn’t catch suspicious activity. They’d get flagged for normal behavior (like someone buying £5,000 in Bitcoin every month) or miss real red flags because the software was outdated. The FCA doesn’t care if you’re using open-source tools. They care if your system catches 90% of high-risk transactions, not 50%.

The Travel Rule: What It Means for You

Since 2022, the UK has enforced the FATF’s Travel Rule. If you’re sending or receiving more than £1,000 in crypto, you must collect and share specific data with the other party. That includes names, addresses, account numbers, and ID numbers for both the sender and receiver.

This isn’t optional. The FCA treats it like a bank wire. And here’s the catch: you’re responsible even if the other side doesn’t comply. If you send £1,500 to a wallet that won’t give you their details, you have to block the transaction. No exceptions. Many firms tried to ignore this at first. The FCA fined three companies in 2024 for letting transactions slip through without full data.

And it’s not just about your direct customers. Starting in 2025, you must also verify counterparties, even if they’re not your customers. If your exchange connects to a DeFi protocol or another platform, you need to check that they’re compliant too. This is called Counterparty Due Diligence (CPDD), and it’s new. Most firms didn’t even know it was coming until the FCA started asking for proof in audits.

Change in Control: The 10% Rule

Here’s a hidden trap: if any person or group buys 10% or more of your company’s shares or voting rights, you must notify the FCA within 14 days. That’s not 25% like in the EU. It’s 10%. And it applies to investors, partners, even family members who inherit shares.

One London-based crypto firm didn’t realize their angel investor had quietly bought another 8% from a co-founder. When the FCA found out during a routine check, they paused the firm’s registration for six months. The company had to refile everything, pay £120,000 in legal fees, and lose a major funding round. That’s the cost of not knowing the rule.

The UK is the only major jurisdiction with this low threshold. It’s meant to prevent hidden ownership. But as Professor Nicholas Ryder from the University of Bristol pointed out in June 2025, it’s creating paperwork nightmares for startups with dozens of small investors.

Costs and Time: What to Budget For

Don’t think you can do this on a shoestring. The average UK crypto firm spends £287,500 just to get registered. That’s consultants, software, staff training, audits, legal fees. Once you’re approved, you’re looking at £142,300 a year just to stay compliant.

And the timeline? The FCA says you have three months to apply after you start operating. But the average processing time is 9.2 months. Some firms wait over a year. Reddit user CryptoComplianceUK spent 14 months and over £500,000 before getting approved. Meanwhile, BlockchainComply, a successful registrant, said once they cleared the hurdle, the FCA’s clear rules made it easier to expand into Europe and Asia.

Most firms hire external compliance teams. A MyComplianceOffice survey found 78.3% of applicants used consultants. Why? Because the FCA’s guidance is detailed, but not always clear. One firm spent £185,000 just to connect their blockchain analytics tool to their KYC system. That’s not a bug; it’s normal.

What’s Changing in Late 2025 and 2026

The current registration system under the Money Laundering Regulations 2017 is ending. By Q1 2026, it will be replaced by the Financial Services and Markets Act (FSMA) 2025. This isn’t just a name change. It’s a full overhaul.

Under FSMA, you won’t just register; you’ll apply for a full license. That means stricter capital requirements, mandatory insurance, and ongoing supervision like banks have. The FCA is also dropping the dual-regulation model. If you’re already registered under MLR, you’ll need to reapply under FSMA. There’s no grandfathering.

The new rules will also remove the 10% change-in-control threshold for firms licensed under FSMA, replacing it with a more flexible approach. But for now, the 10% rule still applies. And if you’re not ready, you’ll be forced to shut down.

Real-World Consequences

Two firms in Manchester shut down in early 2025 after the FCA found they were processing transactions linked to sanctioned Russian entities. They didn’t screen against OFSI’s list properly. One had 23.7% of their transactions flagged as high-risk, way above the sector average.

Another firm in Birmingham lost its license because they advertised crypto as a "guaranteed return" in their Instagram ads. The FCA’s 2025 review found 63.2% of crypto firms broke advertising rules. No hype. No promises. No "earn 20% monthly" claims. Just facts, risks, and disclaimers.

On the flip side, firms that got it right are thriving. One UK-based custodian now serves clients in Canada, Australia, and Singapore because their compliance is stronger than most EU firms. The FCA’s reputation for rigor is becoming a selling point.

What You Should Do Now

If you’re not registered: stop operating. The FCA doesn’t give warnings. They issue cease-and-desist orders.

If you’re trying to register: start now. The FSMA transition window is narrow. You’ll need:

  • A risk assessment tailored to your business model, not a generic template
  • Senior leadership actively involved in compliance
  • A transaction monitoring system that flags real threats, not false positives
  • Staff trained for 35 hours a year on AML rules
  • Proof you’re checking every counterparty, not just your customers
  • A plan to update your systems before Q1 2026

Don’t wait for the FCA to come knocking. The average firm spends 6-9 months preparing. If you’re reading this in November 2025, you’re already behind.

Final Thought

The UK isn’t trying to kill crypto. It’s trying to clean it up. The firms that survive aren’t the ones with the fanciest tech or the loudest marketing. They’re the ones who treat compliance like their core product. Because in the UK, trust isn’t earned with a whitepaper; it’s earned with paperwork.

Do I need to register with the FCA if I run a crypto exchange in the UK?

Yes. Any business that exchanges crypto for fiat, or offers custodial wallet services, must register with the FCA under the Money Laundering Regulations 2017. This applies even if you’re a small startup. Operating without registration is illegal and can result in fines or criminal charges.

What is the Travel Rule in the UK’s crypto AML framework?

The Travel Rule requires crypto businesses to collect and share the names, addresses, and account details of both the sender and receiver for any transaction over £1,000. This rule, implemented in 2022, applies to all transfers between regulated entities and is enforced by the FCA. Failure to comply can lead to registration suspension or revocation.

What happens if my crypto business fails FCA registration?

If you fail registration, you must stop all regulated activities immediately. You cannot legally operate as a crypto exchange or custodian in the UK. You may appeal or reapply, but you’ll need to fix the deficiencies identified by the FCA, such as weak risk assessments, poor transaction monitoring, or lack of senior oversight. Most firms take 6-12 months to reapply successfully.

Is the 10% change-in-control rule real?

Yes. Under current UK rules, any change in ownership of 10% or more of your company’s shares or voting rights must be reported to the FCA within 14 days. This applies to investors, family members, or corporate entities. It’s stricter than the EU’s 20% threshold and has caught many firms off guard, leading to registration delays or penalties.

Will the new FSMA regime make compliance easier?

Not necessarily. The FSMA 2025 replaces the current registration system with a full licensing regime, which is more rigorous. While it will eventually streamline oversight by ending dual regulation, the initial transition will be complex. Firms must reapply under new rules by Q1 2026. The FCA expects higher capital reserves, better governance, and stronger systems. Short-term, it’s harder. Long-term, it may reduce red tape for compliant firms.

How much does AML compliance cost for a UK crypto business?

The average initial setup cost is £287,500, covering consultants, software, training, and legal fees. Annual ongoing costs average £142,300 per firm. This includes monitoring tools, staff training, audits, and reporting. Firms that fail registration and reapply often spend over £500,000 total. The cost isn’t optional; it’s the price of operating legally in the UK.

Can I use open-source tools for AML compliance in the UK?

You can use open-source tools, but the FCA doesn’t care what software you use; they care if it works. Your system must screen against 12+ global sanctions lists in real time, detect suspicious patterns, and generate auditable reports. Many firms using free tools failed because their systems couldn’t handle real-world transaction volumes or false positives. The FCA expects reliability, not cost savings.

What happens if I don’t report a change in ownership?

Failure to report a change in control of 10% or more is a breach of the MLR 2017. The FCA can suspend your registration, impose fines, or initiate criminal proceedings. In 2024, a London-based crypto firm lost its registration for three months after an investor quietly acquired 12% of shares without notification. The firm had to reapply from scratch and lost key clients.

Are crypto advertising rules strict in the UK?

Extremely. The FCA bans any advertising that implies guaranteed returns, downplays risk, or uses misleading comparisons (e.g., "better than stocks"). In 2025, 63.2% of crypto firms failed compliance checks on ads. Promotions must include clear risk warnings, disclose fees, and avoid emotional language. Social media ads are monitored just like TV or print.

How many crypto firms are currently registered in the UK?

As of June 30, 2025, there were 147 registered crypto businesses in the UK. This is down from 184 in January 2024, reflecting a 20.1% attrition rate due to registration failures. The FCA expects this number to drop further to 85-95 by 2027 after the FSMA 2025 transition, as only the most compliant firms will survive.