EST · MMXXVI
Home/Jurisdictions/United Kingdom/AML and travel rule regime in United Kingdom
Compliance, AML & Travel Rule

AML and travel rule regime in United Kingdom

Aml and travel rule regime in United Kingdom. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. Talk to OBOLUS.

Operating a digital-asset business in the United Kingdom without a complete AML (anti-money laundering) and Travel Rule (the obligation to pass originator and beneficiary data with every qualifying transfer) compliance program exposes the firm to enforcement by the Financial Conduct Authority (FCA), frozen banking rails and, in the most serious cases, criminal liability for principals. The UK sits outside the EU's MiCA regime but has built its own demanding VASP supervision architecture. Getting it right before the FCA looks is not optional.

Under the UK regime, a VASP (virtual asset service provider) carrying on cryptoasset activity by way of business must register with the FCA under the Money Laundering Regulations (MLR). The Travel Rule applies separately, requiring firms to collect, verify and transmit identifying data on both the originator and beneficiary when moving virtual assets above the applicable threshold. Both obligations are live, enforced and subject to an increasingly assertive supervisory posture. This page maps the full compliance architecture for an inbound or established operator.

Why the UK AML Regime Matters for Digital-Asset Businesses Right Now

The FCA's supervisory stance on cryptoasset AML has hardened materially since registration opened. Firms that treated the MLR registration as a box-ticking exercise have discovered – often at examination – that the FCA expects a compliance program whose substance matches its documentation. In our practice we have seen operators arrive with policies assembled from template libraries, only to face a first-round information request that exposes every gap.

The UK's position is also structurally significant for a cross-border business. Post-Brexit, a UK-registered VASP cannot passport into the European Economic Area under MiCA. An operator serving both UK and EU retail or institutional clients must maintain separate regulatory footprints. The FCA and ESMA-aligned national competent authorities apply overlapping but distinct AML rules, and the Travel Rule thresholds and technical standards differ between the two regimes. Assuming one compliance program serves both is a common and costly error.

The FCA's MLR registration is the gateway to UK cryptoasset activity. Without it, a firm may not carry on exchange, custody, transfer or certain advisory services in or from the UK. The FCA has a publicly maintained list of registered firms; an unregistered firm operating in the UK market is conducting unauthorised business, which carries significant sanctions.

The Travel Rule was implemented in the UK through the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations, aligning the UK broadly with the FATF Recommendation 15 standard while preserving domestic calibration of the data threshold and sunrise-period provisions. Operators need current legal advice on the applicable thresholds because they are subject to review.

For a scoped assessment of your UK compliance posture, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity, the user base, the banking – change the analysis.

Map your options

Who Needs FCA Registration Under the UK AML Regime?

Any business carrying on a cryptoasset activity by way of business in the UK must be registered with the FCA under the MLR. The regulated perimeter covers exchange services, peer-to-peer trading platforms, custody providers, issuers of certain cryptoassets and transfer services. The test is functional: what the firm does, not what it calls itself.

Firms incorporated outside the UK are not automatically exempt. The FCA applies a UK-nexus test: if the service is targeted at or actively used by UK persons, the registration obligation can bite regardless of where the entity is domiciled. In our practice, we regularly advise overseas operators who assumed their offshore licence was sufficient to serve UK-based institutional clients. That assumption does not hold under the MLR framework.

Several categories require particular attention. A decentralised protocol with a commercial entity sitting behind it may fall within the regulated perimeter depending on the degree of central control. A non-fungible token (NFT) marketplace that handles payment processing for fungible assets can cross the threshold. A token-issuing treasury function that conducts secondary-market operations may need registration even if it does not consider itself an exchange.

The FCA applies a risk-based approach to registration assessments. Firms with higher-risk customer bases, complex product offerings or novel business models face longer and more detailed assessment processes. The FCA has publicly stated that a substantial proportion of applicants have been refused or withdrawn during the assessment period. That is not a deterrent to applying – it is a reason to apply with a complete and coherent submission from the outset.

What Does the UK Travel Rule Require from a VASP in Practice?

The UK Travel Rule obliges a VASP to collect, verify and transmit specified originator and beneficiary data with every virtual asset transfer that meets or exceeds the applicable threshold, whether the counterparty is another regulated VASP or an unhosted wallet. The data set required mirrors the FATF Recommendation 15 standard: full name, account number or wallet identifier, and, for the originating party, an address or equivalent identifier.

The practical challenge is twofold. First, the obligation applies to outbound and inbound transfers. A receiving VASP that cannot obtain compliant Travel Rule data from the sending institution must determine whether to apply enhanced due diligence or decline the transaction. Many smaller operators have not built the remediation workflows for inbound non-compliant transfers. Second, the Travel Rule interacts directly with the firm's transaction monitoring and suspicious activity reporting obligations. A failure in Travel Rule data collection can constitute a standalone AML deficiency even if the underlying customer KYC is clean.

Cross-border transfers introduce additional complexity. When a UK VASP sends a transfer to a VASP in a jurisdiction that has not yet implemented the Travel Rule – or has implemented it with different thresholds – the UK firm remains bound by its own regulatory obligations. It cannot discharge those obligations simply because the receiving jurisdiction operates on different standards. Operators we advise routinely build jurisdiction-specific transfer matrices to manage this asymmetry.

The FCA also expects VASPs to maintain records of Travel Rule data for a defined retention period aligned with the MLR record-keeping requirements. A firm that transmits but does not retain Travel Rule data is not compliant; the record is evidence of compliance at any future supervisory review.

Building a UK-Compliant AML Program: Process and Core Components

A UK-compliant AML program for a cryptoasset business is not materially different in structure from that of a traditional financial institution – but several components require crypto-specific calibration. The FCA expects to see a written risk assessment, a suite of policies and procedures, a designated MLRO (Money Laundering Reporting Officer), staff training, transaction monitoring, and a suspicious activity reporting chain that leads to the National Crime Agency.

The risk assessment is the foundation. It must cover customer risk, product and service risk, delivery-channel risk and geographic risk. For a cryptoasset business, geographic risk includes the jurisdictions from which customers onboard, the counterparty VASPs the firm interacts with, and the on-chain routing of funds through intermediate wallets. A risk assessment that does not address on-chain provenance is incomplete under current supervisory expectations.

KYC (know-your-customer) procedures must be calibrated to the risk assessment. Standard due diligence, enhanced due diligence for higher-risk customers and simplified due diligence for lower-risk categories each have specific trigger criteria. For a crypto firm, the enhanced due diligence triggers commonly include customers using privacy-enhancing protocols, customers in higher-risk geographic jurisdictions, and customers whose transaction patterns deviate from stated business purpose.

Transaction monitoring requires a rule set that reflects the specific asset classes and transaction types the firm handles. Generic bank-grade rules applied to on-chain transactions produce high false-positive rates and, more dangerously, can miss chain-specific typologies. Regulators in the leading hubs increasingly expect firms to demonstrate that their monitoring logic is tailored to their product set, reviewed periodically and tested against real transaction data.

The MLRO function deserves specific attention. The individual appointed must be a senior manager with genuine authority to file a Suspicious Activity Report (SAR) without board approval and to refuse or exit a customer relationship. A nominal MLRO with limited access to compliance data does not satisfy the FCA's expectation. We have seen enforcement-adjacent situations arise precisely because the MLRO role was treated as an administrative designation rather than a substantive compliance function.

How Does the FCA Registration Process Work for a Cryptoasset Firm?

The FCA's cryptoasset registration process runs through its Connect portal and involves a structured submission covering the firm's business model, its AML policies, its beneficial ownership structure and the fitness and propriety of key individuals. The FCA has publicly indicated that initial assessment periods can be lengthy for complex applications; operators should plan for a process measured in months rather than weeks.

The application requires the firm to nominate and assess key function holders, including the MLRO and any senior managers holding FCA-specific controlled functions. Each individual undergoes a fitness and propriety assessment. A single key-function holder who cannot pass that assessment can delay or derail the entire registration. For firms with international ownership structures – common in digital-asset businesses – the beneficial ownership analysis extends to every entity in the chain, which can require assembling corporate records across multiple jurisdictions.

The FCA may issue a first round of information requests (RFIs) after initial review of the submission. Responding fully and promptly to an RFI is critical; an incomplete or evasive response is treated as evidence of a governance problem. In practice, the quality of the initial submission determines the number of RFI rounds – a well-prepared application can compress the process materially.

Firms operating while their registration application is pending may do so under a transitional arrangement, but only if they were in operation before the relevant deadline and notified the FCA within the prescribed window. An operator that missed that window and is currently unregistered is not entitled to rely on the transitional arrangement; it is operating in breach and must seek advice on rectification immediately.

A micro-matter illustrates the stakes: in a recent compliance-structuring engagement, a payments-adjacent firm had been operating under the mistaken belief that its e-money licence covered its crypto transfer activity. We identified the gap before an FCA information request arrived, restructured the regulated perimeter, and filed a compliant registration application supported by a purpose-built AML program. The firm regularised its position without enforcement proceedings.

Cross-Border Interaction: Tax, Banking and the UK Compliance Stack

For a business operating across the UK and other jurisdictions, the compliance stack rarely lives in one place. A UK-registered VASP with a Maltese or Lithuanian parent, or with custodial functions in Singapore, faces the question of which regime governs which transaction – and how the AML obligations in each jurisdiction interact rather than simply accumulate.

Banking access is the practical pressure point. UK-licensed banks remain cautious about VASP clients. A firm that cannot demonstrate a complete and operational AML program – including a functioning MLRO, documented KYC procedures and a live transaction monitoring system – will struggle to open or retain a GBP settlement account. The debanking of crypto firms is not primarily a regulatory phenomenon; it is a commercial decision by banks that are themselves FCA-regulated and do not want the supervisory risk of a poorly-compliant VASP client.

Tax interacts with AML in the documentation layer. HMRC's approach to crypto asset taxation means that a firm's transaction records serve a dual function: they satisfy the MLR record-keeping obligation and they form the basis of the firm's own tax reporting and that of its customers where reporting obligations apply. A record-keeping system built only for one purpose is likely to be deficient for the other.

For an international group, the cross-border angle also arises in the Travel Rule context. When a transfer moves from a UK VASP to an affiliate in an AIFC-regulated entity in Kazakhstan, or to an ADGM-licensed custodian in Abu Dhabi, the UK VASP must apply Travel Rule obligations to the outbound leg even though the counterparty is an intra-group entity. The FCA does not provide an intra-group exemption from Travel Rule data requirements; the data must be collected, transmitted and retained regardless.

If a prior application stalled or a banking relationship was closed, a second review can surface the structural reason and the route to resolution. Firms that have already engaged with the FCA and encountered difficulty benefit from a structured gap analysis before re-engaging with the regulator. Contact OBOLUS at info@oboluslaw.com.

Map your options

What Are the Most Common AML Compliance Failures the FCA Identifies?

The FCA's thematic reviews and published enforcement activity point to a consistent set of deficiencies in cryptoasset firm AML programs. Understanding these failure modes is the first step to avoiding them.

The most frequently cited failure is an inadequate risk assessment – one that is generic, not updated when the business model changes, and not actually used to calibrate the firm's controls. A risk assessment that predates a product launch, a new geographic market or a shift to institutional clients is not a live document; it is evidence of a static compliance function.

Customer due diligence failures typically cluster around two points: onboarding, where firms apply the wrong risk category to a customer and therefore under-apply due diligence; and the trigger for enhanced due diligence on an existing customer, where monitoring either misses the trigger or is not connected to a re-review workflow. In a blockchain context, on-chain risk signals – wallet provenance, use of mixing services, counterparty exchange risk ratings – must feed into the CDD process, not sit in a separate analytics silo.

Travel Rule failures, as the FCA has noted in industry communications, tend to arise from three sources: firms that have not implemented Travel Rule capability at all; firms that have implemented it for outbound transfers but not incoming; and firms that have capable systems but have not resolved how to handle the "sunrise problem" – transfers from jurisdictions that have not yet implemented equivalent Travel Rule rules. None of these is a technical mystery, but all require deliberate design before the firm begins transacting at scale.

A common assumption is that once a firm achieves FCA registration, the compliance obligation has been met. That assumption is wrong. Registration is the beginning of a supervised relationship. The FCA expects registered firms to maintain their programs, update them as the business evolves and respond to thematic guidance. A program that was adequate at registration but has not been updated after a product expansion or a customer-base change will not survive a mid-lifecycle supervisory review.

Decision Matrix: Which Profile Needs Which UK Compliance Approach?

Not every operator faces the same compliance structure. The right approach depends on the firm's profile.

A startup exchange seeking to onboard UK retail customers needs FCA registration as its first step, a KYC program built to handle individual consumer risk, a transaction monitoring system calibrated to spot retail typologies, and an MLRO who can carry the SAR function from day one. The timeline to registration is measured in months; the operator should build the compliance program in parallel with the application, not after it.

An established institutional VASP – a custody provider or OTC desk serving professional counterparties – faces a different calibration. Customer due diligence for institutional clients requires legal entity verification, UBO analysis and ongoing monitoring of the entity's own regulatory status. The Travel Rule data set for institutional transfers is larger and more complex than for retail. The MLRO function here needs seniority and access to the firm's legal and compliance teams, not just its operations desk.

A foreign VASP with an existing registration in another jurisdiction – say, under the VARA regime in Dubai or under MiCA in an EU member state – that wants to extend services to UK clients cannot rely on that foreign registration. It must either obtain standalone FCA registration or use a UK-regulated entity. Allied counsel in the relevant jurisdiction can coordinate the cross-border compliance mapping; OBOLUS handles the UK-facing regulatory and compliance architecture.

A DeFi-adjacent protocol with a commercial entity in the UK needs bespoke analysis of whether the protocol's operations fall within the MLR perimeter. The answer turns on the degree of centralised control, the nature of the assets handled and the involvement of the UK entity in the transaction flow. This is not a question that yields a safe generalist answer; it requires specific legal analysis of the protocol's architecture.

Related at OBOLUS

FAQ

What does the Travel Rule require from a VASP?

Under the UK Travel Rule, a VASP must collect, verify and transmit specified originator and beneficiary data – including full name, account or wallet identifier, and an address-equivalent identifier – for every virtual asset transfer that meets or exceeds the applicable threshold. The obligation applies to both outbound and inbound transfers. Data must be retained for the period specified under the Money Laundering Regulations. Where a counterparty VASP cannot supply compliant data on an inbound transfer, the receiving firm must apply enhanced due diligence or decline the transaction.

Who must act as MLRO for a crypto firm?

A MLRO (Money Laundering Reporting Officer) must be a sufficiently senior manager with genuine decision-making authority: the ability to file a Suspicious Activity Report with the National Crime Agency without requiring board sign-off and the authority to exit a customer relationship on AML grounds. For FCA-registered cryptoasset firms, the MLRO is typically a controlled function holder subject to fitness and propriety assessment. Nominating an individual who lacks the seniority, access or authority to act independently does not satisfy the FCA's expectation.

How do regulators audit crypto AML programs?

The FCA audits cryptoasset AML programs through a mix of supervisory tools: desk-based reviews of documented policies and procedures, information requests requiring production of risk assessments and transaction monitoring logs, on-site inspections, and thematic reviews across the registered population. Regulators expect to see a live, updated risk assessment, evidence that controls are implemented in practice and not just documented, staff training records, and a SAR-filing history proportionate to the firm's customer base. A program that exists only on paper will not pass examination.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. Digital assets are the whole of our practice. We map the licence, compliance and banking stack across operating, custody and payment layers before you commit – because the cost of a gap is orders of magnitude higher than the cost of getting it right at the outset. To discuss your situation, contact info@oboluslaw.com or message us via t.me/oboluslaw.

By Victor Olsen, Regulatory & Compliance Analyst – specialising in AML program design, FCA registration and Travel Rule implementation for digital-asset businesses operating in and from the United Kingdom.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours