UK Cryptoasset Regulation – 2023 developments and what’s to come in 2024 (Part 2)

United Kingdom

In Part 1 of this two-part series, we provided an overview of the myriad developments in the regulation of cryptoasset activities in the UK in 2023 and the first two months of 2024, and looked ahead to what is still to come.

In Part 2, we take a step back to assess what these developments mean in the round for cryptoasset businesses providing services in or to the UK, and how that is set to change.

A. Overview of the current and future landscape

Current position

 Key takeaways

  • Non-security tokens: A business currently needs to be registered under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLRs”) in order to conduct exchange and/or custody activities in respect of non-security tokens.
  • Security tokens: A business currently needs both a licence under the Financial Services and Markets Act 2000 (“FSMA 2000”) and a registration under the MLRs where it conducts exchange and/or custody activities in respect of security tokens, as there is no carve-out for security tokens under the MLRs. Note that this ‘double regulation’ is expected to fall away under forthcoming FSMA 2000 licensing regime for cryptoassets.

    A business also needs to be licensed under FSMA 2000 in order to conduct other traditionally regulated activities in respect of security tokens, including advisory and management activities.
  • Financial promotions: There are specific new rules which apply to non-security tokens (i.e. “qualifying cryptoassets”). Security tokens will continue to be dealt with under the existing rules, depending on the nature of the security token in question.

Future position

The future regulatory regime for cryptoassets will be implemented in two phases, as set out in HM Treasury’s consultation paper published in February 2023 and its response published in October 2023.

In ‘phase 1’, the government is prioritising:

  1. the creation of FCA regulated activities under the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (“RAO”) for the issuance and custody of fiat-backed stablecoins which are issued in the UK; and
  2. the regulation of payment services relating to certain fiat-backed stablecoins where used in a UK payment chain under the Payment Services Regulations 2017.

In ‘phase 2’, non-security tokens will be brought within the scope of the existing FSMA 2000 / RAO framework and included in the list of “specified investments” in Part III of the RAO.

A broad range of activities will be regulated under the new framework, including: issuance; exchange; investment and risk management; lending, borrowing and leverage; and safeguarding and/or administration.

The FCA is also accelerating its work to provide regulatory clarity around staking activities, and has called for evidence on: Decentralised Finance (‘DeFi’); other activities not proposed to be captured under the ‘phase 2’ regime (such as investment advice and portfolio management); and sustainability.

B. Current position: Regulatory licensing / registration requirements

1) Security Tokens

  1. Traditional regulated activities – Full licensing (FSMA 2000 / RAO)

    1. In-scope assets

      The FSMA 2000 / RAO regime applies to persons who undertake “specified activities” in relation to “specified investments” by way of business in the UK. There is a broad range of “specified investments” under the RAO. The FCA refers to cryptoassets which meet the definition of a specified investment as “security tokens”. The most relevant types of specified investment for tokens tend to be: electronic money (particularly relevant for stablecoins); shares; debentures; units in collective investment schemes; derivatives; and rights to or interests in any of the foregoing.
    2. In-scope activities

      There are a large range of “specified activities” under the RAO, which will generally tend to cover most forms of activity in relation to specified investments. These include: dealing as principal or agent, arranging, advising, managing, safeguarding, and operating a trading platform. Where a cryptoasset is a security token, it is necessary to consider whether a person is engaging in any of these specified activities.
  2. Exchange & Custody services – AML/CTF registration (MLRs)

    1. In-scope assets 

      A “cryptoasset” means a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically. The definition also includes a right to, or interest in, a cryptoasset. In short, this covers the vast majority of cryptoassets.
    2. In-scope activities

      Cryptoasset exchange provider

      The definition of cryptoasset exchange provider is as follows:
      “ a firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services—
      (a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
      (b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
      (c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.”

      The complexity in applying this definition to the activities of a cryptoasset business often arises from the broadly drawn concept of “making arrangements with a view to” the exchange of cryptoassets.  Even if they are not directly providing exchange services, cryptoasset businesses will need to consider whether they are making arrangements with a view to enabling their customers to exchange cryptoassets for fiat, or for other types of cryptoassets.

      Custodian wallet provider

      The definition of custodian wallet provider is as follows:

      “ a firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer — 
      (a) cryptoassets on behalf of its customers, or 
      (b) private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets,
      when providing such services.”

      Note that this does not cover arranging safeguarding / administration, so is narrower in scope than the definition of a cryptoasset exchange provider.

      Guidance from the Joint Money Laundering Steering Group also confirms that the definition is meant to exclude non-custodial wallets. Therefore, firms who merely hold and store cryptographic keys, but are not involved in their transfer (the owner of the cryptoassets interacting with the payment system directly), are not likely to be in scope of the definition. This includes hardware wallet manufacturers and cloud storing service providers. However, careful analysis will be required where a non-custodial wallet provider also offers other services such as exchange functionality.

2) Non-security tokens

  1. Traditional regulated activities – Full licensing (FSMA 2000 / RAO)

    Not currently applicable.
  2. Exchange & Custody services – AML/CTF registration (MLRs)

    As above for security tokens.

C. Current position: Financial promotions


The financial promotions regime prohibits the communication by any person, in the course of business, of any invitation or inducement to engage in investment activity. The concept of “investment activity” is defined by reference to the concepts of engaging in “controlled activities” in respect of “controlled investments”.

Security tokens were already within scope of the financial promotions regime by virtue of constituting “controlled investments” under the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (“FPO”). In October 2023, the financial promotions regime was expanded to bring “qualifying cryptoassets”, i.e. non-security tokens, within scope by bringing them within the definition of a “controlled investment”.

Therefore, the vast majority of cryptoassets are now covered by the financial promotions regime.

1) Security Tokens

  1. In-scope assets

    A “controlled investment” under the FPO, which is very similar in scope to the definition of a “specified investment” under the RAO.
  2. In-scope activities

    A “controlled activity” under the FPO, which is very similar in scope to the definition of a “specified activity” under the RAO.
  3. Exemptions

    Those set out in the FPO, comprising: (i) exemptions relating to all controlled activities; and (ii) exemptions relating to certain controlled activities only.

2) Non-security tokens

  1. In-scope assets

    A “qualifying cryptoasset” under the FPO. Very broadly, this means any cryptographically secured digital representation of value or contractual rights that is transferable and fungible, but does not include cryptoassets which meet the definition of electronic money or an existing controlled investment (i.e. a security token).

    Importantly, this means that non-fungible tokens (‘NFTs’) are generally not within scope.

    The FCA categorises non-security tokens as ‘Restricted Mass Market Investments’ (‘RMMIs’), meaning they are subject to the corresponding restrictions on how these investments can be marketed to UK consumers, as set out in the FCA’s Policy Statement 22/10.

    Very broadly, the key features of the FCA’s specific financial promotions rules for non-security tokens (as set out in Policy Statement 23/6) are: 
                  (i) risk warnings and summaries; 
                  (ii) banning incentives to invest; 
                  (iii) 24 hour cooling off period; 
                  (iv) personalised risk warning pop-up; 
                  (v) client categorisation; 
                  (vi) appropriateness assessment; and 
                  (vii) record keeping requirements.

    These are often practically difficult for cryptoasset businesses to comply with, particularly the ‘back end’ Direct Offer Financial Promotion (‘DOFP’) rules relating to personalised risk warnings, 24-hour cooling off period, client categorisation and appropriateness assessments.

    The FCA has also published non-handbook guidance (FG23/3) to support the new rules.
  2. In-scope activities

    Invitations or inducements to engage in the following “controlled activities” in relation to qualifying cryptoassets are within scope of the financial promotions regime: 
                (i) dealing in securities and contractually based investments; 
                (ii) arranging deals in investments; 
                (iii) managing investments; 
                (iv) advising on investments; and 
                (v) agreeing to carry on specified kinds of activity.

    Importantly, this means that the prohibition will generally not apply to the promotion of cryptoasset custody services.
  3. Exemptions

    There are four routes cryptoasset firms can take to lawfully communicate cryptoasset promotions: 
                (i) an authorised person communicates the promotion; 
                (ii) an authorised person approves the promotion; 
                (iii) a cryptoasset firm registered under the MLRs communicates the promotion; or 
                (iv) the promotion otherwise complies with the conditions of an exemption in the FPO.

    The applicable exemptions under the FPO for other controlled investments are generally also available for qualifying cryptoassets, except for: (i) article 51 (Associations of high net worth or sophisticated investors); and (ii) article 61 (Sale of goods and supply of services).

    In practice, this generally means that the only available exemptions will likely be those under: (a) article 49 (High net worth companies, unincorporated associations etc.); (b) article 19 (Investment professionals); and/or article 31 (Overseas communicators: non-real time communications to previously overseas customers).

    The FCA recently introduced an ‘approval gateway’ requiring authorised firms to apply for and obtain a variation of permission from the FCA in order to approve promotions of unauthorised businesses. This will require applicants to demonstrate that they have the relevant competence and expertise in the products being promoted.

    The initial application period for existing authorised firms ran from 6 November 2023 to 6 February 2024, and firms that failed to apply by the latter date are no longer able to approve these promotions. Firms that applied by the 6 February deadline are allowed to continue to approve financial promotions whilst the FCA assesses their applications.

D. Current position: Travel Rule

Since 1 September 2023, cryptoasset businesses in the UK (i.e. those subject to the MLRs) have been required to collect, verify and share information about cryptoasset transfers, known as the ‘Travel Rule’.

This derives from recommendations from the Financial Action Task Force (“FATF”), which has called on jurisdictions to align practices for cryptoasset businesses sending and receiving transactions with those that apply in other areas of financial services.

As highlighted by the FATF in June 2023, particular challenges may arise for businesses as a result of delays and differences in implementation of the Travel Rule across jurisdictions. The FCA has published guidance in relation to this, noting that:

  • When sending a cryptoasset transfer to a jurisdiction without the Travel Rule, firms should:
    • take all reasonable steps to establish whether they can receive the required information; and
    • if they cannot receive the necessary information, still collect and verify the information as required by the MLRs and store that information before making the cryptoasset transfer.
  • When receiving a cryptoasset transfer from a jurisdiction without the Travel Rule, firms should:
    • if the cryptoasset transfer has missing or incomplete information, consider the countries in which the firm operates and the status of the Travel Rule in those countries; and
    • take these factors into account when making a risk-based assessment of whether to make the cryptoassets available to the beneficiary.


Through the ongoing raft of legislative and regulatory initiatives, the UK is laying the foundations for a comprehensive regulatory regime for cryptoassets. Whilst it has been slower to do this than other jurisdictions such as the European Union, Dubai, Singapore and Hong Kong, which has been a cause of frustration for industry participants, the advantage for the UK in this approach is that has been able to assess the relative strengths and weaknesses of these other regimes and take this into account in developing its own. The government’s hope is that the end product has the desired effect of making the UK a global hub for cryptoassets.

CMS has a market-leading, cross-practice Crypto & Digital Assets Group, comprising former regulators as well as former in-house heads of legal and other functions at some of the leading businesses in the industry. Please don't hesitate to get in touch if you would like to discuss anything in this article or the broader ecosystem in more detail.

Article co-authored by Anna Burdzy, Trainee Solicitor at CMS.