AML Rules for Crypto Businesses in the UK: What You Need to Know in 2025

Starting a crypto business in the UK isn’t just about building a platform or launching a wallet. It’s about surviving a regulatory gauntlet designed to stop money laundering before it starts. If you’re running a crypto exchange, custodial wallet service, or even a payment processor that touches digital assets, the AML rules for crypto businesses in UK aren’t optional. They’re the price of entry. And as of 2025, that price just got higher.

Who Has to Comply?

If your business handles cryptoassets in the UK - whether you’re exchanging Bitcoin for pounds, storing crypto for clients, or facilitating payments - you’re regulated. The Financial Conduct Authority (FCA) enforces this under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as updated in 2020 and again in 2025. Only two types of firms fall under this requirement: cryptoasset exchange providers and custodian wallet providers. That means if you’re just trading crypto for yourself, you’re fine. But if you’re helping others do it, you’re in the system.

There’s no gray area. The FCA doesn’t give warnings. You register, or you shut down. As of June 2025, only 147 firms were officially registered. That’s down from 184 a year earlier. The rest? They either failed the process, walked away, or got blocked. The FCA’s own data shows 87.3% of first-time applicants didn’t make it past the initial review. That’s not a typo. Nearly nine out of ten failed.

The Core Requirements: What You Can’t Skip

There are five non-negotiables. Get any one wrong, and your application gets rejected.

• Customer Due Diligence (CDD): You must verify every customer’s identity using at least two independent, reliable sources. That means government-issued ID plus a utility bill, bank statement, or live video verification. No exceptions. Even if someone’s been using your service for years, you still have to re-verify them every two years.
• Enhanced Due Diligence (EDD): If a customer is from a high-risk country, is a Politically Exposed Person (PEP), or has a history of suspicious activity, you need to dig deeper. That includes checking their source of funds, getting senior management approval, and monitoring transactions more closely. The FCA says 37.8% more EDD is required for crypto firms than for traditional banks - and it’s not because crypto is riskier. It’s because regulators assume it is until proven otherwise.
• Transaction Monitoring: Your system must flag unusual behavior automatically. A sudden £50,000 transfer from an unknown wallet? A customer sending small amounts to 20 different addresses every day? Those are red flags. The average crypto firm gets 28.7% false positives - meaning almost one in three alerts is a mistake. That’s more than double the rate in traditional banking. You need staff to review them all.
• The Travel Rule: Since 2022, any transaction over £1,000 must carry sender and receiver details. Name, account number, address, and ID number. This applies even if the other party is on a different platform. If your system can’t send or receive this data, you’re non-compliant. Many firms spent six months and over £150,000 just to build this feature.
• Record Keeping: You must keep all customer data, transaction logs, and internal reports for five years. Not three. Not four. Five. And they must be searchable, exportable, and auditable. The FCA doesn’t ask for them often - but when they do, you have 48 hours to deliver.

The New Rules Coming in 2025-2026

The current registration system is a stopgap. It’s being replaced by the Financial Services and Markets Act (FSMA) framework, which rolls out fully in Q1 2026. This isn’t a tweak - it’s a rewrite.

Here’s what’s changing:

• 10% Control Threshold: If someone buys just 10% of your company’s shares or voting rights, you must notify the FCA. Previously, it was 25%. This means even small investors trigger reporting. Critics say this adds bureaucracy. The FCA says it prevents hidden ownership.
• Counterparty Due Diligence (CPDD): You now have to check the identity and risk profile of anyone you transact with - even if they’re not your customer. If your exchange sends Bitcoin to a wallet on another platform, you must verify that platform’s AML controls. This is new. And it’s brutal for small firms.
• Dual Registration Ends: Once FSMA is live, you won’t need both an FCA registration and a separate AML license. One license covers everything. But you’ll need to meet higher standards to get it.

The FCA’s message is clear: if you’re still operating under the old rules after March 2026, you’re breaking the law.

Costs and Real-World Pain Points

Let’s talk money. The average crypto firm spends £287,500 just to get registered. That’s not a monthly fee. That’s a one-time setup cost. Then, every year after that, you’ll spend £142,300 on ongoing compliance: staff salaries, software licenses, audits, training, and legal advice.

One Reddit user, ‘CryptoComplianceUK’, spent 14 months and over £500,000 on consultants before finally getting approved. Another firm, ‘BlockchainComply’, said the process was brutal - but once they passed, their international clients trusted them more. That’s the trade-off: pain now for credibility later.

Here are the most common reasons firms fail:

• 62.1% had weak or missing risk assessments
• 48.7% lacked clear oversight from senior management
• 39.4% couldn’t prove their transaction monitoring worked
• 41.6% couldn’t screen against all 12+ global sanctions lists in real time
• 63.2% got flagged for misleading ads - like promising “guaranteed returns” or hiding risks

Training is another hidden cost. Every compliance officer needs 35 hours of AML training per year. Most firms use specialized platforms that cost £10,000-£25,000 annually. And if you’re not doing it, you’re not compliant.

How the UK Compares to the Rest of the World

The UK isn’t the strictest - but it’s one of the most unpredictable.

Compared to the EU’s MiCA framework, which gives firms one license to operate across all 27 countries, the UK’s system is fragmented and slow. Singapore’s Monetary Authority (MAS) approves 38.4% of applicants on first try. The UK? Just 12.7%.

The US has multiple regulators - FinCEN, SEC, CFTC - which can be confusing. But at least firms can apply in parallel. In the UK, you go through one gate. Fail, and you’re out.

And while the US uses a $1,000 Travel Rule threshold like the UK, the EU uses €1,000. The UK’s version is stricter because it applies to *all* crypto transactions, not just fiat-to-crypto. That means even stablecoin-to-stablecoin transfers over £1,000 trigger the rule.

The bottom line: the UK wants to be seen as a global leader in financial regulation. But it’s doing it by making the bar so high that only well-funded firms can clear it.

What Happens If You Don’t Comply?

The FCA doesn’t play around. They’ve shut down over 200 unregistered crypto firms since 2020. Some were fined millions. Others were forced to freeze assets. In one case, a firm that claimed to be “regulated” on its website was prosecuted for fraud - even though it never applied.

And it’s not just the FCA. HMRC tracks crypto transactions for tax purposes. OFSI monitors for sanctions violations. If you’re sending crypto to someone on a sanctions list - even unknowingly - you could face criminal charges.

The risk isn’t just financial. It’s reputational. Investors, partners, and banks won’t touch you if you’re not registered. Banks are already closing accounts of unregistered crypto firms. The UK’s financial system is closing ranks.

Can You Still Start a Crypto Business in the UK?

Yes - but only if you’re serious. This isn’t a side hustle. It’s a full-time regulatory operation.

If you’re thinking about launching a crypto service in the UK, here’s your checklist:

1. Start at least 12 months before you plan to launch
2. Hire a compliance consultant with FCA registration experience - not just any lawyer
3. Build your KYC/AML system before you take your first customer
4. Train your team on the Travel Rule and EDD requirements
5. Set aside at least £300,000 for setup, and £150,000 per year for upkeep
6. Prepare for a 9-month approval process - no shortcuts

There’s no magic software. No quick fix. The FCA wants proof you’ve thought this through - down to the last detail. If you’re ready to do that, the UK offers a clear, respected market. If you’re not? You’ll be out before you even open your doors.

What’s Next?

The UK’s crypto AML regime is evolving fast. By 2027, experts predict only 85-95 firms will remain registered - down from 147 today. That’s not a collapse. It’s a purification. The firms that survive will be the ones with strong governance, real compliance teams, and transparent operations.

The goal isn’t to scare people away. It’s to keep criminals out. And if you’re building something legitimate? The rules, as harsh as they are, give you something valuable: trust.