The UK's cryptoasset authorisation regime is changing fast. From October 2027, digital asset businesses operating in the UK require full FCA authorisation. The application gateway opens in September 2026. The governance frameworks, AML controls and individual accountability structures the FCA expects take months to build properly. That time is now.
FINTECH & DIGITAL ASSETS REGULATORY ADVISORY
The FCA Is Regulating Crypto. Fully.
Cambitas advises fintech and digital asset businesses on UK regulatory authorisation, financial promotions compliance, governance design and cross-border regulatory strategy — drawing on decades of in-house regulatory experience at major financial institutions.
No obligation. Confidential from the first conversation.
Why Cambitas
Regulatory Advisory Built on Experience From Inside Financial Institutions.
Cambitas is led by principals who built and ran legal and compliance functions inside major financial institutions and technology companies. They navigated the FCA’s supervisory expectations from the inside — designing AML frameworks, managing regulatory authorisations, building governance structures and advising boards on regulatory risk under real commercial pressure.
That experience is directly applicable to fintech and digital asset businesses facing the same regulatory expectations now. The FCA does not apply different standards to newer business models — it applies the same standards and expects the same quality of governance, regardless of how recently the firm was founded.
When you instruct Cambitas, you work directly with our principals. No associates. No delegation. The people who advise you are the people who do the work.
FREE DOWNLOAD
UK Crypto Regulatory Readiness Guide
What digital asset businesses need to do to prepare for FCA authorisation — the governance frameworks required, the AML standards the FCA assesses, the financial promotions rules in force now and the timeline for the full authorisation regime.
No obligation. No sales call unless you ask for one.
OUR SERVICES
Six Areas Where Fintech & Digital Asset Businesses Get Regulatory Advisory Wrong — And What We Do Differently
Each service below includes what we see going wrong in practice and exactly what we do about it.
1. FCA Cryptoasset Authorisation
New legislation brings cryptoasset activities within the FSMA regulatory perimeter. From 25 October 2027, firms conducting specified cryptoasset activities in or targeting the UK require full FCA authorisation. The application gateway opens on 30 September 2026.
What we see in practice
The new regulated activities cover trading platforms, dealing, arranging, safeguarding, stablecoin issuance and staking. The territorial reach is broad: overseas firms selling qualifying cryptoassets to UK consumers require UK authorisation unless a UK-authorised intermediary stands between the firm and the consumer. The FCA will interview proposed senior managers, assessing experience, regulatory understanding and integrity, and will reject shell applications without assessment. Firms can apply from September 2026 and February 2027 and may continue new business while their application is determined. Firms applying after that window enter a no-new-business transitional regime. Firms that do not apply must run off UK operations before commencement or risk a criminal offence under section 19 of FSMA.
What we do
We advise on FCA cryptoasset authorisation from the ground up: scoping the required Part 4A permissions, designing the governance framework and SM&CR structure, building the AML programme to FSMA-authorisation standard, preparing Statements of Responsibilities for proposed senior managers and drafting the regulatory business plan. We prepare firms for FCA senior manager interviews and manage the regulatory dialogue throughout the application process.
2. Financial Promotions Compliance for Crypto
The FCA's financial promotions regime for cryptoassets is already in force. The enforcement record makes clear the FCA treats violations seriously.
What we see in practice
Since the FCA's financial promotions rules for cryptoassets came into force, the regulator has issued over 1,400 alerts about non-compliant crypto promotions and taken significant enforcement action against firms — including fines into the millions. The most common violations are promotions that fail to include prescribed risk warnings, promotions that are not approved by an FCA-authorised person, and social media content that does not meet the fair, clear and not misleading standard. The rules apply to UK-facing promotions regardless of where the firm promoting them is based.
What we do
We design financial promotions compliance frameworks for crypto businesses — covering the approval process for promotions, risk warning requirements, social media content standards and the governance structures that demonstrate a proportionate and consistently applied approach to marketing compliance. We also advise on financial promotions for fintech products, payment services and investment-related communications.
3. Regulatory Structuring for Fintech Business Models
The FCA's regulatory perimeter catches fintech businesses at three predictable moments: product launch, revenue model expansion and UK market entry.
What we see in practice
Payment services, consumer credit, financial promotions, investment arrangement, e-money issuance — the regulated perimeters covering these activities are broader than most fintech founders expect, and the boundaries are not always obvious from the outside. Businesses that launch without a documented perimeter analysis have made a regulatory judgement without the information needed to make it reliably. The FCA does not treat regulatory perimeter errors as innocent mistakes when a business has been operating for months without authorisation.
What we do
We provide documented regulatory perimeter analysis for fintech business models — assessing which activities require authorisation, which can be conducted under exemptions, and how revenue models should be structured to operate within applicable regulatory frameworks. The analysis is specific to the business model, not generic to the sector.
4. Payments & E-Money Regulatory Advisory
Payment institutions face a specific set of FCA obligations that intensify as the business scales — and the FCA's supervision of this sector has become significantly more assertive.
What we see in practice
The FCA's supervisory approach to payment institutions and e-money firms has shifted materially since 2023. Safeguarding of customer funds, once treated as an administrative obligation, is now a primary supervisory focus — and the FCA has made clear that firms with inadequate safeguarding arrangements will face enforcement action. Capital adequacy requirements under the Payment Services Regulations are also receiving more active scrutiny. Firms that built their compliance frameworks for a less demanding supervisory environment are often not adequately prepared for the level of FCA attention they now face.
Â
What we do
We advise payment institutions and e-money firms on safeguarding frameworks, capital adequacy obligations, operational resilience requirements, AML compliance and conduct standards. For UAE-based payment businesses seeking FCA authorisation, we advise on the UK regulatory pathway and the governance requirements specific to overseas applicants.
5. Governance & Operational Compliance Frameworks
The FCA assesses governance quality by looking at what actually happens in a firm, not what the governance documentation says should happen.
What we see in practice
The gap between governance as documented and governance as practised is one of the most consistent findings across FCA supervisory reviews of fintech and digital asset businesses. Firms that build governance frameworks for the purpose of satisfying an authorisation application — and then do not embed them operationally — create a compliance risk that is easy to identify under scrutiny. The FCA's skilled person reviews and supervisory visits consistently find this gap. It is addressed by building governance that reflects operational reality from the start, not by updating documentation after the fact.
What we do
We design governance frameworks for fintech and digital asset businesses that are built around operational reality — three lines of defence structures, board accountability frameworks, risk escalation processes, compliance monitoring programme design and SM&CR individual accountability mapping. The frameworks we build are designed to hold up under FCA scrutiny, not just to satisfy an authorisation checklist.
6. Cross-Border: UK FCA & UAE VARA Advisory
The UK FCA regime and the UAE's VARA licensing framework are separate regulatory systems. One does not satisfy the other.
What we see in practice
Digital asset businesses with operations in both the UK and UAE face genuinely distinct regulatory obligations in each jurisdiction. A VARA licence authorises a firm to operate in the UAE. It provides no authorisation to conduct regulated activities in the UK, promote financial products to UK audiences or hold FCA permissions. Conversely, UK FCA cryptoasset authorisation does not satisfy UAE VARA requirements. Businesses that operate in both markets without a coordinated regulatory strategy create compliance gaps that are expensive to close after the fact. ADGM and DIFC add further regulatory frameworks for businesses operating in Abu Dhabi and the DIFC free zone respectively.
What we do
We advise on VARA licensing requirements, ADGM authorisation, DIFC regulatory frameworks and UK FCA cryptoasset authorisation — providing coordinated regulatory strategy across both markets. For businesses already holding VARA licences seeking UK FCA authorisation, we advise on the additional requirements the UK regime imposes and how to structure the authorisation application to reflect the existing UAE regulatory framework.
Ready to Start Your FCA Authorisation Preparation?
Crypto, fintech, payments — bring your regulatory challenge directly to us.
GO DEEPER
Explore Our Regulatory Advisory Guide
Each page below provides detailed practical guidance on a specific area — what the FCA looks for, what good preparation looks like and what to do when things get complicated.
FCA Crypto Authorisation
A practical guide to the new UK regulatory regime for cryptoassets, the authorisation process, and what firms need to do now.
THE REGULATORY TIMELINE
The UK Crypto Regulatory Timeline — And Where You Need to Be
The financial promotions regime is already in force. Everything else is coming. The legislative framework has been laid before Parliament, the FCA has published its proposed rules, and the key dates are fixed. Here is what applies now, what is approaching, and what preparation is required at each stage.
Now
ACTIVE
Financial Promotions in Force
UK financial promotions rules for cryptoassets are already in effect. All UK-facing crypto marketing must be approved by an FCA-authorised person or the firm itself once authorised. Risk warnings are mandatory. The FCA is actively monitoring and has issued over 1,400 alerts for non-compliance. The rules apply regardless of where the firm promoting is based.
April -- September 2026
ACT NOW
Build Your Authorisation Framework
The FCA's Pre-application Support Service (PASS) opens in July 2026. The application gateway opens on 30 September 2026. This is the window in which to build the governance frameworks, AML programmes, SM&CR documentation, regulatory business plan and financial resources evidence that a credible application requires. The FCA will interview proposed senior managers as part of the assessment process. Firms that begin preparation now will enter the gateway with a complete application. Firms that begin in the autumn will be building their framework and their application simultaneously.
30 September 2026 -- 28 February 2027
DEADLINE
Application Window Open
Firms must submit their FCA authorisation applications during this period to access the saving provision, which allows continued operation including new business while the application is determined. Firms applying after 28 February 2027 enter the transitional provision: existing customers only, no new UK business. The FCA will assess applications in the order received, with no priority for MLR-registered or existing FSMA-authorised firms. Poor-quality submissions will be rejected without assessment
25 October 2027
DEADLINE
Regime Live
From this date, firms conducting specified cryptoasset activities in or targeting the UK must hold Part 4A authorisation. This covers trading platforms, dealing, arranging, safeguarding, stablecoin issuance and staking. Operating without authorisation is a criminal offence under section 19 of FSMA. AML registration alone is no longer sufficient. Firms that have not applied must have run off their UK operations before this date.
25 October 2027 Onwards
ONGOING
Ongoing Supervisory Obligations
Authorised cryptoasset firms face FCA supervision on the same basis as other regulated firms: conduct standards, financial crime controls, governance quality, senior manager accountability, regulatory reporting under SUP 16, and Consumer Duty obligations applied through CP26/4. The FCA's existing Handbook requirements, including COBS, DISP and SM&CR, will apply to cryptoasset activities. Saving and transitional provisions expire on 25 October 2029. Authorisation is the start of the regulatory relationship, not the end of it.
The preparation window for FCA authorisation is now. The firms entering the FCA process with credible applications will be the ones that started building now.Â
UK & UAE REGULATORY FRAMEWORKS
FCA vs VARA: A Practical Comparison for Digital Asset Businesses
Digital asset businesses operating across UK and UAE markets regularly ask whether one regulatory framework satisfies the other. The answer is straightforward: it does not. Here is what each framework requires and how they differ.
| Area | UK — FCA Regime | UAE — VARA Regime |
|---|---|---|
| Regulator | Financial Conduct Authority (FCA) | Virtual Assets Regulatory Authority (VARA) — UAE Dubai mainland. ADGM and DIFC have separate frameworks. |
| Who it covers | Cryptoasset businesses conducting regulated activities in the UK or promoting to UK audiences — exchanges, brokers, custody providers, stablecoin issuers. | Virtual asset service providers operating in Dubai mainland. ADGM covers Abu Dhabi. DIFC covers the Dubai International Financial Centre. |
| Authorisation type | Full FCA authorisation under the Financial Services and Markets Act 2000 (Cryptoassets) Regulations from 2027. Replaces AML registration. | VARA licence — specific categories include Exchange Services, Broker-Dealer Services, Custody Services, Management & Investment Services. |
| Key requirements | Governance framework, AML programme, SM&CR individual accountability, financial promotions compliance, Consumer Duty, regulatory business plan. | VARA-specific governance requirements, AML/CFT framework aligned with UAE federal law, minimum capital requirements, localisation requirements for senior management. |
| Financial promotions | FCA rules apply to all UK-facing crypto promotions — mandatory risk warnings, FCA-authorised person approval required, social media and influencer standards. | VARA has separate marketing and advertising requirements for virtual asset services in Dubai. These do not exempt a firm from UK FCA financial promotions obligations. |
| Cross-border note | A VARA licence does not authorise UK regulated activities. UK FCA authorisation is required separately for any UK-facing operations. | UK FCA authorisation does not authorise UAE operations. VARA licensing is required separately. Coordinated strategy is essential for dual-market businesses. |
Businesses building a dual UK-UAE regulatory strategy need both frameworks addressed — sequenced correctly, structured to avoid duplication and with governance arrangements that satisfy both regulators.Â
WHO WE WORK WITH
The Businesses We Advise
Cambitas works with digital asset and fintech businesses at every stage — from pre-authorisation preparation through to ongoing regulatory management and cross-border expansion.
| Cryptoasset Exchanges & Brokers |
|---|
| Exchanges and brokerage platforms seeking FCA cryptoasset authorisation, managing financial promotions compliance and building the governance and AML frameworks the FCA requires at authorisation and throughout ongoing supervision. |
| Digital Asset Custody & Wallet Providers |
|---|
| Custody providers and wallet infrastructure businesses navigating the specific operational governance, safeguarding and AML requirements that apply to firms holding or controlling customers' digital assets under the FCA's custody framework. |
| Stablecoin Issuers & Payment Token Firms |
|---|
| Businesses issuing or facilitating the use of stablecoins and payment tokens in the UK market — where the regulatory perimeter is evolving rapidly and the boundary between payment services regulation and cryptoasset regulation requires careful navigation |
| Fintech Startups & Scale-Ups |
|---|
| Technology-driven businesses building regulated or regulation-adjacent financial products. The FCA does not scale its regulatory expectations proportionately to company size — a startup with three people faces the same governance requirements as a firm with three hundred. |
| DeFi & Web3 Platforms |
|---|
| DeFi protocol developers and Web3 infrastructure providers assessing UK regulatory perimeter implications of their products and token designs. The FCA's approach to decentralised finance is developing — businesses need to understand the current position and track the direction of travel. |
| UAE-Based Digital Asset Businesses |
|---|
| UAE-based digital asset businesses — holding VARA licences, ADGM authorisations or DIFC permissions — seeking FCA authorisation for UK operations. The VARA framework and the FCA framework have different requirements, and both must be addressed to operate in both markets. |
SITUATIONS WE WORK THROUGH
Questions we are Asked Every Week
Direct answers to the regulatory questions fintech and digital asset businesses bring to us most often.
"We are a crypto business — do we need FCA authorisation right now?"
If you are operating as a cryptoasset exchange provider or custodian wallet provider in the UK, you currently need MLR registration and must comply with the financial promotions regime. From 25 October 2027, those requirements are replaced by full FCA authorisation under the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2025. The application gateway opens on 30 September 2026 and closes on 28 February 2027. Applying within that window is critical: it gives access to the saving provision, allowing continued operation while your application is determined. Applying after that window means no new UK business until authorisation is granted. A credible application requires a governance framework, AML programme, SM&CR structure, regulatory business plan and financial resources evidence, all built to FSMA standard. That preparation takes months. The firms starting now will enter the gateway ready.
"Our crypto marketing is getting flagged by the FCA"
The FCA's financial promotions regime for cryptoassets requires all UK-facing promotions to be approved by an FCA-authorised person, to include prescribed risk warnings and to meet the fair, clear and not misleading standard. The FCA monitors non-compliance actively — over 1,400 alerts have been issued. If a promotion has been flagged, the immediate priority is a compliance audit of all live marketing materials, a clear approval process going forward and a governance framework that prevents recurrence. The FCA expects firms to identify and remediate non-compliant promotions proactively.
"We hold a VARA licence — what do we need to do to operate in the UK?"
A VARA licence authorises operation in Dubai under the UAE's regulatory framework. UK FCA authorisation is a separate requirement for any regulated activities conducted in the UK or marketed to UK audiences. A VARA licence demonstrates regulatory credibility in the UAE, and the FCA will regard it as evidence of regulatory experience — but it does not satisfy UK authorisation requirements. The UK application requires a separate governance framework assessment, AML programme review and regulatory business plan specific to the UK operations.
"We are a payment institution and the FCA has raised safeguarding concerns"
The FCA's focus on safeguarding for payment institutions and e-money firms has intensified significantly. Safeguarding concerns raised by the FCA are not administrative queries — they signal that the regulator has identified what it considers a material risk to customer funds. The response requires a structured assessment of current safeguarding arrangements against FCA requirements, a remediation plan with clear timelines and proactive engagement with the FCA throughout the remediation process. Speed and transparency of response are both essential.
"Investors are asking about our regulatory position and we are not sure what to tell them"
Investors in regulated and regulation-adjacent fintech businesses conduct regulatory due diligence as a standard part of their process. They assess FCA authorisation status, compliance framework quality, SM&CR implementation and any outstanding regulatory issues. Gaps in any of these areas affect valuation and terms. The right approach is a regulatory position assessment before the investor process begins — identifying issues, addressing them in advance and preparing clear, accurate responses to the regulatory questions investors will ask.
"We want to expand from UAE into the UK — where do we start?"
The starting point is a UK regulatory perimeter analysis specific to the activities the business proposes to conduct in the UK. This determines which FCA permissions are required, which activities might be conducted under exemptions and how the existing UAE regulatory framework can be structured to support the UK application. For VARA-licensed businesses, the UAE governance framework provides a useful foundation — but it requires significant adaptation to meet FCA standards. The earlier the analysis is conducted, the less expensive the adaptation.
Ready to Talk?
No obligation. No sales pitch. Just a direct conversation.
FREQUENTLY ASKED QUESTIONS
Direct Answers to the Questions We Hear Most
Each question below matches a query that fintech founders, compliance officers and digital asset businesses search for regularly. The answers are direct and complete.
Q1. Does my fintech or digital asset business require FCA authorisation?
The FCA’s regulatory perimeter covers payment services, e-money issuance, investment management, financial promotions and, from 2027, cryptoasset activities. A fintech business conducting any of these activities in the UK requires FCA authorisation before it can lawfully operate. The perimeter is broader than most founders expect, and the FCA does not apply a startup exemption. Unauthorised regulated activity is a criminal offence under FSMA 2000.
Q2. What does the new FCA cryptoasset authorisation regime require?
From 2027, cryptoasset businesses operating in the UK require full FCA authorisation — covering exchanges, brokers, custody providers, stablecoin issuers and other digital asset service providers. The FCA’s assessment focuses on four areas: governance framework quality, AML and financial crime controls, Senior Manager and Certification Regime implementation, and the credibility of the regulatory business plan. AML registration under the Money Laundering Regulations, which was previously sufficient for some crypto activities, is no longer adequate.
Q3. How does the FCA financial promotions regime apply to crypto businesses?
UK financial promotions rules apply to all cryptoasset marketing directed at UK audiences — including promotions made by firms based outside the UK. Promotions must be approved by an FCA-authorised person (or the firm itself once authorised), must include prescribed risk warnings, and must meet the FCA’s fair, clear and not misleading standard. Social media content, influencer arrangements and online advertising are all in scope. The FCA monitors non-compliance actively and has issued over 1,400 alerts since the rules came into force.
Q4. What is a VARA licence and what does it authorise?
VARA — the Virtual Assets Regulatory Authority — is the UAE regulatory body responsible for licensing virtual asset service providers operating in Dubai mainland. A VARA licence authorises specified virtual asset activities in Dubai under UAE federal and emirate-level regulation. It does not authorise regulated activities in the UK, and it does not satisfy UK FCA requirements. Businesses operating across both markets require both the relevant UAE authorisation and UK FCA authorisation as separate regulatory requirements.
Q5. What AML compliance does a crypto business need under UK regulation?
UK cryptoasset businesses are subject to the Money Laundering Regulations 2017 and, from 2027, to the FCA’s full financial crime standards applicable to authorised firms. This requires a risk-based AML framework covering customer due diligence, enhanced due diligence for higher-risk customers, transaction monitoring, suspicious activity reporting and MLRO governance. The FCA assesses AML frameworks not on the quality of the written policy but on the quality of the controls as they operate in practice.
Q6. What governance does the FCA expect from a fintech or digital asset business?
The FCA expects regulated firms, at any size, to maintain governance arrangements with clear first-line risk ownership, independent compliance oversight and accountability structures that function in practice. For SM&CR-subject businesses, individual Senior Management Functions must be clearly allocated and documented. The FCA’s supervisory reviews consistently find the gap between governance as documented and governance as practised. The standard required is genuine operational governance — not documentation.
FREE DOWNLOAD
UK Crypto Regulatory Readiness Guide
A practical guide to the new UK regulatory regime for cryptoassets, the authorisation process, and what firms need to do now
No obligation. No sales call unless you ask for one.
Preparation for the new regime must start now.
The FCA cryptoasset authorisation regime requires governance frameworks, AML programmes and individual accountability structures that take months to build properly. The application gateway opens on 30 September 2026 and closes on 28 February 2027. Firms entering the gateway with credible applications will be in the strongest position when the regime commences on 25 October 2027. Firms that start late will compete for FCA attention at the busiest point in the queue.
Cambitas works with digital asset and fintech businesses at every stage — from regulatory perimeter analysis through to FCA authorisation, financial promotions compliance and ongoing supervisory management. Our principals bring decades of in-house regulatory experience to every engagement.
Confidential from the first conversation.
DOWNLOAD FREE GUIDE
FCA Authorisation Advisory Guide
DOWNLOAD FREE GUIDE
FCA Crypto Authorisation
Cambitas
- +62 812 3456 7890
- 123 Corporate Avenue, Jakarta, Indonesia
- contact@lawfirm.com