All You Need to Know About UK Crypto Regulations—2025 Guide 

As the British government clarifies its rules on virtual assets, crypto companies in the UK are having to navigate an increasingly complex regulatory landscape to avoid the risk of penalties. But how are regulations changing and how can businesses stay compliant? 

On September 11, 2024, the new Property (Digital Assets) Bill was introduced in Parliament seeking to clarify the legal status of digital assets in English and Welsh law, including cryptocurrencies. This bill aims to protect digital asset owners and companies from fraud and scams by applying protective legislation to assets like crypto and is currently under review in the House of Lords. 

While this specific bill only applies to England and Wales, the Scottish and Northern Irish governments are also considering similar measures.

These developments have long been expected in the UK. Following the collapse of FTX in 2022, HM Treasury released a consultation on the e Future Financial Services Regime for Crypto Assets in a bid to improve the regulatory framework and sector engagement. This advice is now being acted upon in English and Welsh law.The bill is part of a wider move in the UK towards a more regulated crypto industry over the next several years, with new protections designed to help the UK maintain its position as a leader in crypto assets while providing greater clarity for complex cases. To keep you up to date, we at Sumsub have prepared this guide explaining the UK’s crypto regulations and how to follow them.

Who is the regulator?

The Financial Conduct Authority (FCA) is the main financial regulator in the UK. It regulates crypto asset providers to ensure that they implement effective Anti-Money Laundering and Countering Terrorism Financing (AML/CFT) policies and procedures, while also adhering to strict UK advertisement and promotion standards.

The FCA maintains a register of crypto asset providers that fall under UK money laundering regulations (MLR 2017 with amendments) and issues guidelines.

Other UK institutions that regulate crypto include:

• HM Treasury
• The Bank of England

What are the main regulations?

Crypto companies in the UK have comply with the following to meet AML/CFT requirements:

• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, or simply MLR, which is the main regulation that outlines all the AML requirements and registration requirements. It has been amended several times since its original publication to implement the EU’s AMLD5 in 2019 and the Travel Rule in 2022.

Depending on the nature and type of assets a crypto firm deals with, the following laws and regulations can also apply:

• The Financial Services and Markets Act 2000 (“FSMA”) and the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (“RAO”), and the Financial Services and Markets Act 2023
• Electronic Money Regulations 2011 (“EMRs”) or the Payment Services Regulations 2017 (“PSRs”)

Who is affected?

Affected companies can be separated into two types, according to the MLR 2017 and its amendments. The first are “crypto asset service providers,” which include companies that conduct either of the following: 

• “Exchanging, or arranging or making arrangements with a view to the exchange of, crypto assets for money or money for crypto assets,
• Exchanging, or arranging or making arrangements with a view to the exchange of, one crypto asset for another, or
• Operating a machine which utilizes automated processes to exchange crypto assets for money or money for crypto assets.”

The second are “custodian wallet providers,” which provide services to safeguard and/or administer crypto assets—or private cryptographic keys for holding, storing, or transferring crypto assets—on behalf of customers. 

Who needs to register with the FCA? 

Companies that deal with security tokens must register with the FCA because they are considered “regulated tokens”. Due to the FCA’s financial promotions regime, all firms marketing crypto services to UK consumers now must also register with the FCA. New regulations targeting other tokens like stablecoins have also been proposed, meaning more firms dealing with crypto may need to register with the FCA.

How to register with the FCA

Before registering with the FCA, companies should answer the following questions: 

• Does the company advertise or act in a way that suggests it’s providing crypto asset services by way of business? 
• Does the company receive direct or indirect benefit from this service?
• How significant is the activity to the business’ other activities (crypto asset activities may be only part of the business)?
• Does the frequency of the activity suggest that it is being carried on as a business?
• Does the company have a registered or head office in the UK* and does the company carry on day-to-day management of these activities from this office, irrespective of where, geographically, the crypto asset activity is conducted?
• Does the company operate one or more ATMs in the UK?
• Does the company have any UK presence that is engaged in or facilitates crypto asset activities?
• Does the company market services to UK consumers?

*If there is no UK office or other activity in the UK, beyond having a client in the UK, the FCA is likely to consider the company not to be conducting business in the UK. 

However, FCA registration is always required if a crypto asset business wishes to market to UK customers (i.e., communicate their own crypto asset financial promotions). 

If a company answers “Yes” to any of these questions, then registration with the FCA is likely required. The full requirements for registration can be found on the FCA website.

AML requirements

Companies should take AML requirements very seriously, as failure to comply may lead to severe penalties. 

To stay compliant with the AML requirements introduced in the MLRs in 2017, companies have to implement a clear set of procedures. This includes at least the following:

• Appointing a Money Laundering Reporting Officer (MLRO)
• Staff training
• Risk assessment
• Conducting Customer Due Diligence (CDD), Simplified Due Diligence (SDD) and Enhanced Due Diligence (EDD) 
• Screening for persons on sanction lists, Politically Exposed Persons (PEPs) lists
• Transaction monitoring
• Ongoing monitoring of customer behavior and transactions
• Recordkeeping for at least five years from the date of the end of a business relationship or final transaction
• Reporting suspicious activity to the National Crime Agency

At the onboarding stage (KYC), at least the following information should be collected from users for verification:

• Full name
• Birth date
• Address

As a rule, such data is collected from government-issued documents. Proof of address documents can include current bank statements or credit/debit card statements issued by a regulated financial sector firm in the UK, in addition to utility bills. 

UK Crypto Travel Rule

Like many other jurisdictions around the world, the UK has adopted the Travel Rule requirement in its regulation of crypto asset service providers. The Travel Rule requires crypto companies to obtain information from the originator and beneficiary of crypto assets and share it with counterparty crypto asset service providers.

The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulation 2022 is the key law explaining the specifics of the Travel Rule in the UK.  There is no information regarding the de minimis threshold, which means that certain  information should be transferred regardless of the transaction amount. 

For certain transactions equal or exceeding 1,000 euros, there are some additional requirements. This includes international transfers as well as transactions involving unhosted wallets.

As a rule, CASPs (crypto asset exchange providers and a custodian wallet providers in the UK) have to take the following steps to comply with the Travel Rule:

1) In respect of an inter-crypto asset business transfer, the originating VASP must ensure that the transfer is accompanied by the following information: 

1. the name of the originator and the beneficiary
2. if the originator or beneficiary is a firm, the registered name of the originator or beneficiary (as the case may be), or if there is no registered name, the trading name
3. the account number of the originator and the beneficiary, or if there is no account number, the unique transaction identifier.

If the beneficiary CASP request additional information about the originator, the originating CASP should also transfer the following information within 3 days, provided each CASP is conducting business in the United Kingdom:

If the originator is a firm—

• the customer identification number or
• the address of the originator’s registered office, or, if there is none, its principal place of business

If the originator is an individual, one of the following—

• the customer identification number
• the individual’s address
• the individual’s birth certificate number, passport number, or national identity card number
• the individual’s date and place of birth.

If a CASPs is carrying out business outside the United Kingdom and the transaction is equal to or exceeding 1,000 euros in value, the originating CASP should ensure that the transfer is accompanied by all the information specified in Chapter 2, Regulation 64C(5), clauses (a), (b), and (c) of the Financial Services and Markets Act 2022.

More specifically, these clauses refer to: 

(a) the name of the originator and the beneficiary 

(b) if either is a firm, the registered name of the originator and the beneficiary (the trading name may be used if there is no registered name) 

(c) the account number of the originator and beneficiary (if there is no account number), a unique transaction identifier may be used.

2) Information relating to the originator must be verified by the originating CASP using documents or a reliable source independent of the person whose identity is being verified. 

3) When a Beneficiary CASP receives a crypto-asset as part of an inter-crypto asset business transfer it must, before making the crypto-asset available to the beneficiary, check whether —

(a) it has received the information required by regulation to be provided; and

(b) the information relating to the beneficiary corresponds with information verified by it during customer due diligence.

4) Where the Beneficiary CASP becomes aware that any information required by regulation to be provided is missing or does not correspond with information verified by it, it  must—

• request that the originating CASP provides the missing information;
• consider whether to make enquiries as to any discrepancy between information received and information verified during the CDD process; and
• where the Beneficiary CASP becomes aware that any information required to be provided is missing or does not correspond with information verified during customer due diligence, it must consider whether—

(i) to delay making the crypto asset available to the beneficiary until the information is received or any discrepancy is resolved; and

(ii) if the information is not received or if any discrepancy is not resolved within a reasonable time, to return the crypto asset to the crypto asset business of the originator.

5) The beneficiary CASP must report repeated failure by a crypto asset business to provide any information required as well as any steps the crypto asset business of the beneficiary has taken in respect of such failures to the FCA.

6) A crypto-asset business must respond fully and without delay to a request in writing from a law enforcement authority for any information in connection to these requirements.

Sumsub’s Travel Rule solution

In summary, the Travel Rule is the more common name for the Financial Action Task Force’s (FATF) Recommendation 16. Expanding on existing FATF Recommendations to make them cover virtual assets in 2019, this Recommendation requires anyone involved in virtual asset transfers to collect, share, and verify data regarding who is sending and who is receiving the transfer. 

The aim is to make sure people are who they really say they are by verifying their identities to combat fraud, money laundering, and terrorist financing taking advantage of the perceived anonymity of crypto assets. The suggestions in the Travel Rule are now a legal requirement in many jurisdictions, including the UK.

This means compliance is essential if sending or receiving crypto-assets in the UK. Sumsub’s Travel Rule Solution allows for quick compliance and minimal drop-offs.

The future of crypto regulations in the UK

For the last several years, the UK has been working towards a more regulated crypto industry. A major step signalling the expansion of crypto regulation in the UK is the Property (Digital Assets) Bill, which would recognize crypto assets (and other digital assets) as property in England and Wales, giving consumers and companies greater protections from scammers and fraud. As mentioned earlier, similar discussions are also underway in Scotland and Northern Ireland.  

This follows the British government’s plans announced in February 2023, showing what is likely to be expected, including:

• Strengthening rules for crypto trading platforms
• Creating a world-first regime for crypto lending
• Implementing new rules to protect customers from market manipulation (e.g., pump and dump schemes)

According to the “Future Financial Services Regime for Crypto Assets” Consultation document, the UK plans to widen the scope of regulated crypto activities, including activities with stablecoins. This includes: 

• Issuance 
• Payment 
• Exchange 
• Investment and risk management 
• Lending, borrowing, and leverage 
• Safeguarding and/or administration 
• Validation and governance 

The proposed regulatory regimes will be divided into phases. To learn more, you can read pages 27-28 here. 

The “Future Financial Services Regime for Crypto Assets” also specifies a primary aim to expand “specified investment”.

Moreover, HM Treasury now proposes monitoring crypto asset activities in the United Kingdom. This would monitor activities provided by UK firms to persons based in the UK or overseas (natural and legal), as well as those provided by overseas firms to UK persons (natural or legal). 

The FCA has announced a roadmap regarding the future of crypto policy, which shows an overview of likely considerations in years to come. This includes considerations of policies to prevent market abuses like insider trading and rules on intermediation, lending, and staking.

In summary, the UK looks set to continue with its plan to provide greater crypto regulations and protections in the years to come.

FAQ

• Is cryptocurrency legal in the UK?

  Cryptocurrency is legal in the UK, but it is not legal tender. Anyone can buy crypto assets from crypto asset providers and store them in digital wallets.

• Is cryptocurrency regulated in the UK?

  Yes, it is regulated. In accordance with the MLR, some companies working with crypto assets must register with the FCA and comply with AML requirements.

• What is the new UK crypto regulation?

  The UK is currently working to introduce more comprehensive crypto regulations. This includes:

  • Defining digital assets as legal property through the Property (Digital Assets) Bill
  • Applying advertising and promotion regulations to crypto assets
  • Introducing robust regulation of crypto asset activities
  • Strengthening rules for crypto trading platforms
  • Creating a world-first regime for crypto lending
  • Implementing new rules to protect customers from market manipulation (e.g., pump and dump schemes)
  • Providing a comprehensive regulatory framework for stablecoins
  • Widening the list of regulated activities

• How to use identity verification in business

  Identity verification is necessary for businesses to comply with regulations. At the same time, businesses can lose customers during the onboarding process, if applicants are overwhelmed by the number of documents they have to submit. That’s why it’s essential to build a user journey that spreads out the verification process across multiple stages and doesn’t request everything at once.

• What is the FATF Travel Rule?

  The Travel Rule is a term used to refer to FATF Recommendation 16, which aims to combat money laundering and terrorism financing (ML/TF). It requires financial institutions engaged in VA transfers and Virtual Asset Service Providers (VASPs) to obtain “required and accurate originator information, and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before the transaction.

• What is the FATF Travel Rule threshold for transfer of personal data?

  The FATF recommends a de minimis threshold of 1,000 USD/EUR. If companies apply a lower threshold, they can enjoy less stringent requirements (e.g., less information may be transferred). However, it should be noted that countries can establish their own threshold or forego one altogether. For example, in the UK, there is no de minimis threshold, however there are particular requirements for transactions equal or exceeding 1,000 euros in value.