The UK is shifting cryptoasset regulation from a largely financial-crime and promotions perimeter to a full financial-services authorisation model under FSMA. The direction is now set: legislation has been laid to create new regulated activities for cryptoassets, and the regulator has been building out the rulebook through a sequence of discussion and consultation papers.
For legal and compliance leaders, the practical implication is that crypto is becoming less like a “special case” and more like a regulated market with permissioning, conduct standards, prudential expectations, market integrity controls, and supervisory scrutiny. The work is no longer only interpreting definitions; it is redesigning operating models so that governance, controls, disclosures, recordkeeping, and oversight can stand up to a financial regulator.
A clear timeline is emerging – and it matters for sequencing decisions
The regulator has signalled an application window from 30 September 2026 to 28 February 2027, with the new regime expected to come into force on 25 October 2027. That creates an unusual dynamic: there is time, but there is also a lot to build – especially for firms that have never operated under FSMA authorisation before.
In parallel, consultation has been moving from “directional thinking” to “detailed rules.” A key consultation on regulated cryptoasset activities (covering trading platforms, intermediaries, lending/borrowing, staking and decentralised finance) ran from 16 December 2025 to 12 February 2026, with final rules expected to be set out in policy statements during 2026.
What’s inside the perimeter: regulated activities and the new taxonomy
At the legislative level, the regime introduces a set of new definitions and activities that will sit within the RAO framework. The model distinguishes crypto-native products (including “qualifying cryptoassets” and a subset of “qualifying stablecoins”) from tokenised forms of traditional instruments (sometimes described as cryptoassets that also meet the definition of another specified investment).
The regulated-activity set is intentionally broad. It includes, among others:
- Stablecoin issuance
- Safeguarding (custody-style activity)
- Operating a qualifying cryptoasset trading platform
- Dealing as principal / dealing as agent
- Arranging deals
- Qualifying cryptoasset staking
Two perimeter choices are especially important for legal interpretation. First, most activities are scoped to “qualifying” cryptoassets and stablecoins, while safeguarding is wider, reaching certain tokenised versions of traditional assets as well – reflecting an emphasis on operational and technology risks rather than only financial characteristics. Second, “truly decentralised” DeFi is positioned as outside authorisation where no person can be said to be carrying on the activity by way of business, but there is an explicit acknowledgement that drawing that boundary will be difficult and may need additional guidance.
The transition: from MLR registration to FSMA authorisation
One of the most material shifts is structural: the new framework is designed to supersede the current AML registration model for cryptoasset firms. A transitional pathway has been contemplated for firms already registered under the MLRs, allowing continued operation while seeking full authorisation – whereas firms not already registered would need authorisation before offering services.
This is the point where many businesses underestimate the uplift. Registration-focused compliance tends to concentrate on financial crime controls and basic governance; authorisation asks a broader question: is the firm fit to operate a market-facing financial service across conduct, systems and controls, conflicts, resilience, and (in some cases) prudential resources?
What the rulemaking signals: integrity, transparency, conflicts, and retail protection
Even before final rules, the regulator’s direction of travel is visible in the themes repeated across its papers.
1) Trading venues: “market-like” expectations applied to crypto trading platforms
The regulatory model pushes trading platforms toward a recognisable market-operator posture: operating under non-discretionary rules, managing conflicts (including conflicts created when a platform also trades on its own venue or lists its own issued assets), and improving public access to pre- and post-trade data.
There is also a strong emphasis on recordkeeping and supervisory access to data. For example, expectations have been articulated around maintaining customer transaction records for five years and being able to provide that information on request.
A second-order issue is cross-border delivery. For overseas firms serving UK retail clients, regulators have explored approaches intended to preserve access to international liquidity while strengthening consumer protection – potentially including expectations around a UK presence alongside the authorised entity.
2) Intermediation: best execution logic and conflict separation
For intermediaries, the proposals move toward familiar conduct mechanics: procedures to ensure prompt and fair execution, possible best-execution rules for certain customer categories, and explicit conflict management – down to structural separation between principal trading and client execution. “Payment for order flow” has been described as prohibited.
3) Lending/borrowing and use of credit: a likely tightening for retail
For lending and borrowing products, regulators have questioned whether these products are suitable for retail in their current structure and have explored constraints designed to reduce risk. Separately, restrictions have been considered on using credit to purchase cryptoassets, with a stated exception for qualifying stablecoins.
4) Staking: a crypto-specific focus on safeguarding, disclosures, and liability
Staking is being treated as a distinct risk category. Proposed approaches have included: requiring explicit advance consent on key terms, providing a “key features” style disclosure document (including implications for ownership), maintaining separate wallets for consumers’ staked assets, and conducting reconciliations and maintaining accurate records. There is also a stated expectation that firms manage operational resilience and third-party dependency risk, with liability and capital considerations linked to retail consumer losses.
What legal teams should do now: a pragmatic readiness agenda
The organisations that will navigate this transition best are treating it as permissioning + operating model + product governance, not as a one-off legal interpretation exercise. Three moves tend to create disproportionate leverage.
1) Build a permission map that reflects reality, not org charts
Start with how the business actually operates: where execution happens, where custody sits, how assets are listed, how staking is offered, and how clients are onboarded (including whether there is any UK retail touch). Then map those flows to the regulated activity set. The aim is to identify where the firm is effectively acting as a venue, a broker, a custodian, an issuer, or multiple roles at once – because that is where conflicts and control expectations stack up quickly.
2) Treat transparency, conflicts, and recordkeeping as “build” items
For many firms, the hardest gap will not be policy writing. It will be building the capabilities to do things repeatedly and provably: conflict identification and mitigation, publication of trade data, durable record retention, and the ability to reconstruct events for supervisory review. These are engineering and process problems as much as legal ones.
3) Work backwards from the authorisation window
With an application period already signposted and a commencement date indicated, the critical planning task is sequencing: what must be in place to apply credibly, what can be built in parallel, and what must be proven in practice (controls operating effectively, not just designed). Firms that wait for final rules risk compressing implementation into an unrealistic timeframe; firms that move too early without architectural clarity risk building the wrong thing.
The bottom line
The UK cryptoasset regime is no longer an abstract “future framework.” It is progressing through concrete legislation and detailed consultation toward a system where crypto activities are treated as regulated financial services – with authorisation as the entry ticket and operating-model resilience as the price of staying in.
