UK Web3 Regulations Explained for Beginners (2025)
A plain-English guide to how crypto and Web3 are regulated in the United Kingdom: who the regulators are, what’s legal to market, AML/KYC duties, the Travel Rule, tax basics, stablecoin plans, and what’s next. Packed with examples, diagrams, and official links.
1) The UK map of Web3 regulation (who does what)
The UK doesn’t have a single “crypto regulator.” Instead, several authorities cover different parts of the puzzle:
- FCA (Financial Conduct Authority): Conduct of business, financial promotions for qualifying cryptoassets, AML registration of cryptoasset service providers, and (in the future) day-to-day rules for more crypto activities.
- HM Treasury (HMT): Sets the legislative perimeter (what is or isn’t a regulated activity), steers policy (e.g., stablecoins, future crypto regime).
- Bank of England (BoE): Will regulate systemic payment systems and stablecoin issuers/custodians when coins reach scale; works with FCA on prudential/operational standards.
- HMRC: Taxes crypto: capital gains, income, and VAT in specific cases.
- ICO: Data protection (UK GDPR), including KYC/AML data you collect.
- ASA: Advertising standards (separate from the FCA’s promotions regime); can ban misleading crypto ads.
2) AML registration (MLRs): when do you need it?
Since 2020, UK-based cryptoasset exchange and custodian wallet providers generally must register with the FCA for AML supervision under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended). This is not a full financial services authorization; it’s a registration focused on AML/CTF controls. If you operate in/market into the UK and carry on relevant business, assess whether MLR registration applies.
- Covered activities (typical examples): exchanging crypto for money or other crypto; operating a platform that facilitates exchange; custody of customer private keys; sometimes ATMs (though many were shut down for non-compliance); crypto P2P businesses when carried on by way of business.
- Core obligations: risk assessment, customer due diligence (CDD/KYC & ongoing monitoring), suspicious activity reports, screening/sanctions, record-keeping, appointing MLRO, staff training, and Travel Rule compliance (see Section 4).
- Outcome: If approved, you appear on the FCA’s cryptoasset MLR register; if refused, you must cease the activities that required registration.
[Founder idea] → [Does our UK entity exchange, arrange, or custody?] → If yes → MLR registration with FCA
↘ If no → Still check promotions & tax duties
3) Marketing to UK consumers: the crypto financial promotions regime
Since October 2023, a dedicated financial promotions regime applies to marketing of qualifying cryptoassets to UK consumers. A “financial promotion” is a broad concept (an invitation or inducement to engage in investment activity). Crypto promotions must be made via one of four lawful routes and meet content/risk warning standards. This regime applies even if your token is a “utility” coin and even if your business is located abroad but targets UK consumers.
Lawful routes to communicate a crypto financial promotion
- By an FCA-authorized person (e.g., an investment firm) communicating the promotion itself.
- By a promotion that has been approved by an FCA-authorized person (s21 approver gateway applies).
- By an FCA-registered MLR cryptoasset business communicating its own promotions (a narrow exemption; it still must follow the rules/format).
- Via exemptions in the Financial Promotion Order (e.g., for certain high-net-worth or sophisticated investor communications; these are complex and narrow, so get legal advice).
Standardised risk warnings and “cooling-off” periods can apply in retail channels. “Refer a friend” and monetary incentives are largely restricted. Promos must be fair, clear, and not misleading, with prominent risk warnings and without inappropriately emphasizing “safe/guaranteed returns.”
UK Crypto Promotion Checklist (retail)
✔ Lawful route selected (authorized firm / approved / MLR-registered own promo / exemption)
✔ Prominence: standardized risk warning + risk summary (no hiding in footers)
✔ No incentives to invest (where restricted), no pressure tactics
✔ Appropriateness assessment where required (can the consumer understand the risks?)
✔ Record-keeping, sign-off, and monitoring of affiliates/partners
4) The Cryptoasset Travel Rule: what must go with transfers
The UK has implemented the Travel Rule for crypto transfers. When a UK cryptoasset business sends funds to another cryptoasset service provider (CASP), it must transmit originator and beneficiary information along with the transfer; when receiving, it must check whether the information arrived and take steps if it didn’t. There are rules for “unhosted” wallet transfers, including risk-based measures when the counterparty isn’t a regulated provider. This is part of the AML framework and interacts with sanctions screening.
- Identify whether the counterparty is a regulated CASP and support data exchange (API or secure channel).
- For unhosted wallets, collect additional information on a risk basis (e.g., ownership attestation) and monitor patterns; consider callbacks or micro-deposits where proportionate.
- Keep records to evidence compliance; apply enhanced due diligence for higher-risk geographies or customers.
[Your UK CASP] ──transfer──▶ [Foreign CASP]
attach: originator + beneficiary info (Travel Rule payload)
If missing/invalid: risk-based response (pause/reject/escalate) + record
5) Tax: HMRC basics for individuals and businesses
HMRC doesn’t treat crypto as money. Individuals commonly face Capital Gains Tax (CGT) on disposals (selling, swapping, spending crypto, gifting except to spouse/civil partner). Income Tax may apply to airdrops with work conditions, staking yields in some scenarios, mining, referral bonuses, and employment remuneration. Businesses account for crypto as trading stock or intangible assets depending on facts, and may face Corporation Tax on profits. VAT can apply to certain supplies (e.g., NFTs that are actually digital content/services).
Common retail examples
- Swap of Token A → Token B is a disposal of A for CGT; allowable costs (including gas fees) can be deducted when calculating gains/losses; UK share matching rules apply.
- Staking/Lido-style yields: whether income or capital can depend on “who controls the asset,” return mechanics, and whether you’re “earning” new tokens; HMRC guidance continues to evolve, so keep records and seek advice.
- DeFi lending/borrowing: tax treatment depends on whether beneficial ownership changes, whether returns are income, and contract terms.
6) Stablecoins in the UK: what’s being proposed
UK policymakers are building a framework to regulate fiat-backed stablecoins used for payments. The approach splits responsibilities between the FCA and the Bank of England: the FCA will oversee the conduct requirements for issuers and custodians, while the BoE will set prudential/operational rules for systemic stablecoin arrangements (if a coin becomes big enough to threaten financial stability). Expect requirements around reserves quality, redemption rights, custody, risk management, operational resilience, and disclosures.
- Issuers/custodians: authorization and rules (redemption, backing assets, segregation of client funds).
- Systemic arrangements: BoE supervision comparable to payment systems, with coordination across the “regulatory family.”
- Payments angle: Payment chains, wallets, and merchants may face conduct and operational expectations similar to e-money/payment services in areas like complaints handling and fraud response.
Stablecoin regime (concept)
HMT sets perimeter → FCA rules for issuers/custodians → BoE rules if systemic (resilience + prudential)
7) The “future regime” for cryptoasset activities: what’s next
Beyond stablecoins, the government has consulted on a broader regulatory regime for cryptoasset activities—for example, admitting cryptoasset issuance, trading venues, lending/staking, and custody into the FSMA perimeter with appropriate permissions and rulebooks. This will likely mirror traditional markets in structure (authorization, prudential/operational requirements, conduct rules, market abuse surveillance) but adapted for on-chain specifics (wallets, smart contracts, market integrity in DeFi-like venues).
- Expect a phased rollout: stablecoins first, then wider crypto activities.
- Financial promotions and AML will continue to bite even before full authorization is in place.
- The FCA has signalled it may not immediately apply the full “Consumer Duty” to crypto activities as-is, preferring tailored rules to fit crypto risks, but this is subject to consultation and could evolve.
8) Operational playbook: how to be “regulatory-ready”
Policies & governance
- Board-approved risk assessment covering customer segments, geographies, products, delivery channels, and on-chain exposures.
- Clear roles: MLRO (Money Laundering Reporting Officer), Compliance Officer, promotions approver, data protection lead.
- Documented KYC/KYB standards, sanctions checks, PEP screening, adverse media, and enhanced due diligence triggers.
- Blockchain analytics: integrate a tool (or provider) for address risk scoring, Travel Rule routing, and case management.
- Incident response: playbooks for hacks, scams, “rug pulls,” sanctions hits, chain forks, and phishing outbreaks.
- Record-keeping: retain CDD, transaction, Travel Rule payloads, and promotion sign-offs for statutory periods.
Marketing controls
- Promotion inventory: list every ad, landing page, email, influencer script; record the “lawful route.”
- Templates: standardized FCA crypto risk warning, risk summary, and appropriateness checks where required.
- Affiliate oversight: pre-approval, UTMs, live monitoring, takedown SLAs, and audit sampling.
Technology & wallets
- Segregate customer assets; multi-sig/smart wallets with policies; cold storage for bulk reserves.
- Withdrawal orchestration: address books, allow-lists, velocity limits, human-in-the-loop for flagged transactions.
- Resilience: incident drills; business continuity plans; playbooks for chain congestion/outages.
Travel Rule workflow (example)
- Detect counterparty type (CASP vs unhosted) at withdrawal request.
- If CASP, build/send the originator/beneficiary payload; if unhosted, perform risk-based checks (ownership attestation, prior small tx, enhanced KYC).
- On inbound transfers, verify payloads; missing info triggers a hold/escalation.
- Log every decision and exception; QA monthly.
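The workflow above as a small decision router, added here as an illustration and not taken from any regulator's or vendor's code. The payload field names, action labels, and the default unhosted-wallet check are assumptions; the page only specifies "originator and beneficiary information" and risk-based checks.

```python
from datetime import datetime, timezone

# Hypothetical field names: the page only says "originator and beneficiary information".
REQUIRED = ("originator_name", "originator_account",
            "beneficiary_name", "beneficiary_account")
AUDIT_LOG = []  # every decision and exception is recorded here for later QA

def missing_fields(payload):
    """Return required fields that are absent, empty or whitespace-only."""
    payload = payload or {}
    return [f for f in REQUIRED if not str(payload.get(f) or "").strip()]

def _decide(direction, transfer_id, action, reason):
    """Append one audit entry and return the chosen action."""
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "direction": direction, "transfer_id": transfer_id,
                      "action": action, "reason": reason})
    return action

def route_outbound(transfer_id, counterparty, payload=None,
                   checks_done=(), checks_required=("ownership_attestation",)):
    """Decide what happens to a withdrawal request (checks_required is assumed policy)."""
    if counterparty == "casp":
        gaps = missing_fields(payload)
        if gaps:
            return _decide("out", transfer_id, "hold", f"payload incomplete: {gaps}")
        return _decide("out", transfer_id, "send_payload", "complete payload")
    if counterparty == "unhosted":
        outstanding = sorted(set(checks_required) - set(checks_done))
        if outstanding:
            return _decide("out", transfer_id, "risk_checks", f"outstanding: {outstanding}")
        return _decide("out", transfer_id, "release", "risk checks complete")
    # Unknown counterparty type: fail closed rather than guess.
    return _decide("out", transfer_id, "hold", f"unknown counterparty {counterparty!r}")

def check_inbound(transfer_id, payload):
    """Verify the payload on a received transfer; missing info means hold and escalate."""
    gaps = missing_fields(payload)
    if gaps:
        return _decide("in", transfer_id, "hold_escalate", f"missing: {gaps}")
    return _decide("in", transfer_id, "credit", "payload verified")

# Constructed sample payload, not real customer data.
FULL = {"originator_name": "A. Sender", "originator_account": "acct-001",
        "beneficiary_name": "B. Receiver", "beneficiary_account": "acct-002"}
```

A whitespace-only field counts as missing, and an unrecognised counterparty type is held rather than released, so gaps surface in the audit log instead of passing silently.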
9) NFTs, DeFi, staking/lending, DAOs: where things sit
NFTs: Often outside financial services regulation as tokens, but promotions rules still apply if you market investment-like features to UK consumers. Some NFT projects are really subscriptions or digital content (VAT issues may arise). If you custody customer keys or run a marketplace that exchanges crypto for money/crypto, MLR registration could be in scope.
DeFi and staking/lending: UK rules focus on firms/activities that market to or serve UK users. Even “non-custodial” front-ends can trigger promotions obligations if they induce retail users to invest/borrow. For tax, DeFi treatment is nuanced: whether returns are income or capital depends on the facts and HMRC guidance. Build with appropriateness checks, risk warnings, and chain analytics for high-risk flows.
DAOs: A DAO’s legal status depends on structure. If a UK-facing DAO sells tokens with profit expectations or operates an exchange/lending protocol, UK rules can bite (promotions, AML where businesses are involved, and under the future regime, authorization for activities). Seek professional advice on entity wrappers, governance, and liabilities.
10) Advertising standards & privacy: beyond the FCA
ASA (Advertising Standards Authority): Even if your promotion passes FCA requirements, the ASA can still ban ads that are misleading, irresponsible, or target inappropriate audiences. Use plain-English risk statements, avoid “to the moon” or “guaranteed returns,” and don’t trivialise risks with memes.
ICO (Data protection): Your KYC and wallet analytics involve personal data. Under UK GDPR you need a lawful basis (often legal obligation for AML), data minimisation, retention schedules, secure processing, and DPIAs where appropriate. Be transparent in your privacy notice about blockchain analytics, Travel Rule transfers, and sanction screening.
11) Founders’ checklist (print-ready)
- Do we carry on UK-based exchange or custody business? → MLR registration assessment and application pack.
- Are we marketing to UK retail? → Pick a lawful route, implement the FCA risk warning + risk summary, appropriateness checks where needed, affiliate controls.
- Do our flows touch sanctioned addresses or high-risk geos? → Screening + blockchain analytics + EDD.
- Have we implemented the Travel Rule end-to-end for outbound/inbound? → Payload plumbing, unhosted-wallet policy, exception logs.
- Are we collecting data lawfully and securely? → Privacy notice, retention schedule, DPIA, vendor due diligence.
- Tax ready? → Bookkeeping that captures GBP values, CGT events, and income; software for UK share matching; evidence of valuations.
- Future regime ready? → Governance, client asset segregation, operational resilience, prudential planning (where relevant).
12) FAQ (plain English)
We’re based outside the UK. Do the FCA promotion rules still apply?
Does MLR registration let us approve other people’s crypto ads?
What is the standard risk warning text?
How are DeFi yields taxed?
Will stablecoins be regulated like e-money?
13) Official resources & further reading
- Financial Conduct Authority (FCA) — Cryptoasset AML registration pages; crypto financial promotions hub.
- HM Government & HM Treasury — FSMA 2023 and consultations on crypto and stablecoins.
- Bank of England — Policy work on systemic stablecoins and payment systems.
- HMRC Cryptoassets Manual — Tax guidance for individuals and businesses.
- Information Commissioner’s Office (ICO) — UK GDPR guidance for fintechs/crypto firms.
- Advertising Standards Authority (ASA) — Rulings and guidance on crypto ads.
Recap
- UK crypto is a patchwork today: AML registration, financial promotions, Travel Rule, tax, and data rules all apply now.
- Stablecoin and broader activity-based regimes are coming; design for them now.
- If you market to UK consumers, your promotions must follow strict routes and warnings—no exceptions for “utility” tags.
- Good operations (KYC, analytics, records, privacy) are as important as good code.
Risk Summary — Read Before You Invest
- No guaranteed returns: Prices are volatile; you may get back less than you put in—or nothing.
- No mainstream protections: Crypto is generally not covered by FSCS or the Financial Ombudsman Service.
- Technology & counterparty risks: Smart contract bugs, scams, platform failures, exchange collapses, and hacks can cause loss.
- Liquidity risk: You may be unable to sell when you want or at a fair price.
- Regulatory & tax risk: Rules can change. You are responsible for complying with tax obligations.
- Don’t invest without an emergency fund: Only invest money you can afford to lose.
Keep screenshots or PDFs of this page and your understanding for your personal records.
