UK crypto regulation 2027: FCA gateway in 2026 and what firms must build under the new FSMA regime
If you serve UK clients through a crypto exchange, brokerage, OTC desk, or custody model, the UK is moving toward a permissions-based regime that will change how you operate. This is not only another consultation cycle. It is a transition from today’s framework toward FSMA authorisation for defined cryptoasset activities.
This guide explains the UK timeline the FCA and HM Treasury have published, what the “gateway” means in practice, and how to prepare an evidence-driven compliance build in 2026. If you wait for 2027, you will be preparing under pressure, with limited room to fix data, governance, and product-perimeter mismatches.
Publish Date
29 Jan 2026
Reading Time
10 minutes
Category
Legal News
Jurisdiction
Global
The shift: from AML registration to FSMA authorisation
The UK direction is to bring key cryptoasset activities inside the Financial Services and Markets Act 2000 perimeter. That means authorisation becomes the operating right for firms carrying on the new regulated activities.
For operators, this changes the compliance posture. A permissions regime typically demands stronger governance evidence, clearer accountability, and more formal controls around customer outcomes, safeguarding, and operational resilience.
Timeline: FCA gateway in September 2026 and expected commencement on 25 October 2027
The FCA has framed a two-step practical timeline:
- September 2026: the authorisation gateway is expected to open.
- 25 October 2027: the new cryptoasset regime is expected to come into force.
Treat the gateway as the real planning trigger. It is the point when firms should be ready to engage with authorisation expectations in a structured way, not the point to start building.
| Milestone | What it means | What to do now |
|---|---|---|
| Gateway (Sep 2026) | Start of structured authorisation engagement. | Build your perimeter map, governance model, and evidence pack through 2026. |
| Regime in force (25 Oct 2027) | FSMA permissions expected to be required for in-scope activities. | Plan for authorisation readiness and operational continuity before go-live. |
Reference materials:
What activities will be regulated: why perimeter mapping is the first project
HM Treasury’s draft materials are designed to define cryptoasset activities as regulated activities under FSMA. One practical example is the operation of a cryptoasset trading platform.
For most firms, the hardest part is not reading the rule text. It is mapping real product flows to the perimeter. “Spot trading” can be straightforward. Blended products often are not.
Your perimeter map should be flow-based:
- who the client is,
- what asset is in scope,
- who controls execution,
- who holds custody,
- who sets terms and fees,
- how funds move in and out.
Reference:
HM Treasury: Draft Cryptoassets Order 2025 (policy note)
What the FCA is focusing on in the “final step” consultation cycle
The FCA has described its latest consultation step as the final stage of its crypto rule programme. The themes it has flagged are operational, not theoretical.
Expect the FCA’s focus to land on:
- Consumer Duty alignment and conduct standards,
- safeguarding and custody-style protection themes,
- complaints handling and redress posture,
- the approach to international firms serving UK customers.
For operators, these themes translate into one priority: controls must be evidenced, not described.
Cross-border reality: serving UK clients from abroad is not a loophole
The FCA has explicitly raised its approach to international cryptoasset firms. If you serve UK clients from an offshore hub, you should not assume the regime is “UK entities only.”
The practical planning step is to document your UK footprint:
- UK client types and acquisition channels,
- where contracts are formed,
- where key decisions and control functions sit,
- how you handle UK complaints and escalation,
- which entities touch custody and settlement.
This perimeter work usually determines the structure decision: UK entity, UK branch, or cross-border model with a UK-facing governance posture.
What breaks in practice for UK-facing crypto firms
Most failures are evidence failures. Firms can talk about governance, but cannot show decisions, accountability, and escalation in records.
The second failure is scope ambiguity. If your customer flow does not match your permitted activities, the gap becomes a deal-breaker, not a refinement.
The third failure is operational: safeguarding logic, outsourcing oversight, and complaint handling are often designed “later.” In a permissions regime, “later” is where timelines collapse.
UK crypto authorisation readiness checklist for 2026
Use this as a build plan, not a document list. The goal is to produce a working control environment that you can demonstrate.
- Build a product-and-flow perimeter map.
- Define governance ownership for UK perimeter decisions.
- Document your safeguarding model and reconciliation logic.
- Formalise complaints and redress pathways.
- Create a financial promotions control model for UK-facing marketing.
- Implement outsourcing governance for critical vendors.
- Define incident handling, escalation, and post-mortem routines.
- Prepare AML case quality evidence and QA routines.
- Align policies to Consumer Duty outcomes and monitoring.
- Create an internal evidence pack with version control and sign-offs.
- Run a dry-run assessment against the authorisation posture you expect.
- Plan staffing and SMF-style accountability, even before labels are final.
Decision checklist for founders and investors
- Define your perimeter and the activities you perform.
- Lock the timeline to the 2026 gateway and 2027 commencement.
- Build evidence early for governance, safeguarding, and redress.
- Choose a structure that matches your UK footprint.
- Plan for partner scrutiny from banks and PSPs, not only the FCA.
How Legasset helps with UK crypto regulation planning
We help operators translate UK perimeter and consultation signals into an execution plan. That includes product classification mapping, structural options, and an evidence pack that supports authorisation discussions.
We also support diligence preparation for investors acquiring UK-facing crypto businesses. The focus is operational reality, not presentation.
Schedule a consultation right now.
UK crypto regulation 2027: practical questions for exchanges and brokers
What is the FCA “gateway” and why does it matter?
It is the expected point when firms start structured engagement ahead of the new regime. Treat it as the trigger for readiness work, not as a start date.
Is the 2027 date fixed?
The FCA describes an expected commencement date. Firms should plan to that timetable while tracking updates through the consultation process.
What should a UK-facing exchange do first?
Map product flows to the perimeter. Without that, governance and controls will be built around the wrong assumptions.
How will this affect international firms serving UK customers?
The FCA is explicitly consulting on its approach to international firms. If you have UK clients, assume you will need a UK-facing compliance posture and evidence.
What does “authorisation-ready” mean in practice?
It means you can show operating evidence: governance records, safeguarding logic, outsourcing oversight, and complaints/redress controls that work in real cases.
