Elliptic has indicated that the United Kingdom’s updated regulatory framework for crypto-assets has now moved from planning to a firm schedule. Lawmakers approved the scope of oversight earlier this year, and on 15 April 2026 the Financial Conduct Authority (FCA) issued Consultation Paper CP26/13, clarifying how the new boundaries will operate in practice.
Blockchain analytics firm Elliptic has also shared that firms can begin submitting authorization applications from 30 September 2026, with the full regime launching on 25 October 2027.
While the transition from Money Laundering Regulations (MLR) registration to full Financial Services and Markets Act (FSMA) authorization marks a significant shift, the FCA has made one message crystal clear: core expectations for a strong anti-money laundering (AML) program will remain unchanged.
Any investment made today in strengthening compliance will pay dividends when applications are assessed under the new rules.
For most businesses, the immediate priority is therefore straightforward: confirm that current practices already meet the standards the FCA demands today. The foundation of any credible AML program is a capable Money Laundering Reporting Officer (MLRO).
Regulators expect the MLRO to have sufficient time and resources, deep knowledge of crypto-specific money-laundering, terrorist-financing and proliferation-financing typologies, and unquestionable fitness and propriety. Although formal qualifications are not mandatory, proven experience in regulated financial crime roles carries significant weight.
Elliptic also pointed out that the MLRO must be able to articulate the firm’s business model and map the precise risks attached to every product and service offered. If artificial intelligence tools are deployed in controls, the MLRO must also explain how the algorithms function and what results they produce.
Elliptic further explained that small firms may combine the MLRO and compliance-head roles, but any potential conflicts—such as the MLRO also driving business development or managing multiple group entities—will raise red flags.
At the core of every successful application sits a robust business-wide risk assessment (BWRA). This document must systematically examine five risk categories—customers, geography, products and services, transactions, and delivery channels—in a manner that is specific to the firm’s digital-asset activities.
It should identify inherent risks, score them for likelihood and impact (commonly via a 5×5 heat map), detail tailored controls, test those controls (using dummy data where live operations do not yet exist), calculate residual risk, and demonstrate that the outcome aligns with the firm’s risk appetite.
The assessment must be clearly documented so senior management can understand and replicate the process.
Common weaknesses include confusing control failures with inherent risks (for example, treating late suspicious-activity-report submission as an inherent risk rather than a control shortcoming), overly generic language, or omitting crypto-specific typologies.
Equally important is the customer risk assessment (CRA), which translates the BWRA into individual client profiles.
The CRA determines the depth of due diligence, transaction-monitoring thresholds, and review frequency.
Rather than simply taking the highest single risk factor, it should apply a weighted methodology that reflects the firm’s broader risk picture.
Scoring logic, thresholds for low/medium/high risk, and override rules—such as automatically classifying politically exposed persons as high risk or flagging sanctioned-wallet exposure—must be fully explained. Any misalignment between the CRA and BWRA signals a lack of integrated risk understanding.
Transaction monitoring and Travel Rule compliance receive equally close scrutiny.
The FCA does not favour in-house or vendor solutions; it requires evidence of a deliberate, risk-based selection that fully covers every product and service. Rules and thresholds must be calibrated to the firm’s BWRA findings, encompassing both fiat flows and on-chain activity.
Firms must demonstrate the ability to block high-risk wallets and to screen and re-screen addresses.
Blockchain analytics tools must be shown to integrate seamlessly with identified risks. For the Travel Rule, regulators expect a clear explanation of the chosen solution—including any third-party involvement—supported by a flow-of-funds diagram.
Key points to address include counterparty identification (crypto-business versus unhosted wallet), policies for delaying funds until required data arrives, and handling of cross-border transfers with jurisdictions yet to adopt the rule.
The FCA welcomes artificial intelligence in AML controls provided firms can fully explain its outputs.
If an AI model assigns a customer a medium-risk rating, the business must describe the inputs and decision logic that led to that conclusion. Guidance from the Wolfsberg Group on responsible AI use in financial crime offers a helpful benchmark.
Tools that support analysts rather than replace human judgment—automating routine triage while leaving final decisions to staff—are viewed favorably.
Firms operating globally need not replicate every control locally, but any overseas functions must still satisfy UK standards, with the UK entity retaining effective oversight through quality assurance and audit trails.
The FCA’s pre-application support service opens in July 2026 for tailored guidance ahead of the September authorization window.
In the coming months, the most valuable work will focus on four areas: appointing the right MLRO, finalizing and testing the BWRA, ensuring the CRA mirrors the BWRA, and documenting transaction monitoring and Travel Rule processes end-to-end.
These elements define successful MLR registrations and will remain central under FSMA authorization. Getting them right now is probably the smartest investment any crypto-asset firm can make ahead of the new regime.