UK's new crypto rule: what the Financial Services and Markets Act 2026 means for screening

The Financial Services and Markets Act 2026 (FSMA 2026) received Royal Assent in January. It is the UK's first comprehensive crypto-asset regime and aligns, substantially but not identically, with the EU's MiCA framework. The rules come into phased effect over 2026 and 2027. This post walks through the compliance implications for wallet screening.

The Act creates a new regulated activity: operating a "qualifying crypto-asset service." Definition is broad, covering exchanges, custodians, wallet providers, and certain DeFi front-ends. Registration with the FCA is required before commencement of regulated activity. Existing money-laundering-registration holders have a twelve-month transitional period to convert to full authorisation.

Know-Your-Customer requirements are tightened. The 15,000-euro threshold in the current UK MLRs is replaced with a 1,000-GBP threshold for crypto-specific transactions, aligning (with a minor delta) with MiCA's ToFR. Occasional-transaction exemptions are narrower. Enhanced due diligence is explicitly required for transactions involving self-hosted wallets above a 1,000-GBP threshold.

The screening implications are significant. Every transfer involving a UK-authorised VASP above 1,000 GBP now requires counterparty information, and where that information cannot be obtained from the counterparty, the VASP must perform enhanced screening. Attribution quality of the counterparty address becomes a compliance linchpin.

Travel Rule. FSMA 2026 implements a UK-flavoured Travel Rule that requires originator and beneficiary information on all VASP-to-VASP transfers. The threshold is zero — every transfer qualifies. This matches FATF Recommendation 16 and aligns with MiCA's ToFR. Implementation must comply within six months of the Act taking full effect.

Self-hosted wallets. The Act takes an interesting middle path. Transfers to self-hosted wallets are not prohibited (as some jurisdictions have proposed) but are subject to enhanced due diligence. VASPs must implement risk-based measures to verify that self-hosted counterparty wallets are not used for illicit purposes. Risk-based in this context means: firms must document their procedures, demonstrate they are proportionate to risk, and retain records for audit.

Reporting to the FCA. A new suspicious activity reporting channel is being established, separate from the existing NCA SAR regime, for reports specifically about crypto. This is expected to improve the signal quality for authorities and reduce the noise burden on the NCA, which currently receives tens of thousands of crypto-related SARs per year.

Penalties. The Act introduces a tiered penalty framework with maximum fines of the greater of 10% of annual turnover or £12.5 million for serious breaches. Senior Management Function (SMF) accountability is extended to crypto — meaning named individuals can be held personally liable for compliance failures.

What to do now. If you are a UK-registered VASP, start the authorisation process. The FCA has signalled that it will prioritise applicants who engage early. If you are not yet registered, registration is no longer optional for most crypto activities targeting UK users. If you are a downstream user of a UK VASP (for example, using an exchange via API), expect tighter controls on transfers, more detailed beneficiary information requests, and longer turnaround on ambiguous cases.

Our team is closely tracking the secondary regulations that will fill in the detailed rules under the Act. We'll publish a follow-up post when the first secondary legislation is finalised, expected in May. Enterprise customers can request a bespoke briefing through their account manager.