Crypto authorisation: what the application questions reveal about the work ahead
The FCA has now published information on the authorisation application form for cryptoasset firms, including the questions and sections firms are likely to need to complete.
The publication is for information only and the form is still being finalised, but it gives firms a much clearer view of the application they will need to prepare.
While some question wording or explanations may change, the FCA does not expect the overall structure or content to change before the live form becomes available when the gateway opens on 30 September 2026.
You do not need to wait for the final form to start preparing.
The value of the publication is not just that it previews the form; it gives firms a way to test whether their business model, documents and evidence are ready to withstand scrutiny.
The application needs to explain the business
The FCA’s document shows that the application will combine standard authorisation information with crypto-specific questions driven by the firm’s business model and the regulated activities it is applying for.
That means the application cannot be treated as a generic document completed in isolation by Compliance or Legal.
It needs to explain what the firm does, how the relevant cryptoasset activities operate, who is responsible for them, what risks arise and how those risks are managed.
Firms may already have policies, governance forums and control frameworks in place, but the challenge is making sure the application brings those elements together into a coherent, evidence-backed submission.
Get the activity mapping right from the start
The application builder uses a firm’s business model, proposed activities, permissions, client types and any relevant limitations or requirements to determine which questions need to be completed. That makes the early mapping exercise critical.
Before drafting starts, firms need a clear view of what the UK firm will do, which legal entity will carry on each activity, which permissions are needed, which clients will be served and which parts of the application those choices will trigger. This may sound straightforward, but it can quickly become complex where firms operate through group structures, shared technology, third-party providers or multiple product lines. If the application does not clearly explain the entity, activity and control model, it can create uncertainty about what is actually being authorised and where responsibility sits.
Where firms rely on group infrastructure, shared services or third parties, the application should make clear how the UK entity retains accountability and effective control over the regulated cryptoasset activities.
Build the Regulatory Business Plan (RBP) around the operating model
The FCA’s application information makes clear that the regulatory business plan is an essential part of the application and must be tailored to the firm’s business model; a generic version will not be appropriate.
The RBP therefore needs to do more than describe the firm at a high level. It needs to explain how the business operates, how the cryptoasset activity fits into that model, who the customers are, how money and cryptoassets flow through the firm, which third parties are used and how the control framework works in practice.
It also needs to align with the policies, risk assessments, governance documents and supporting evidence submitted with the application. If those materials do not tell the same story, the FCA may find it harder to understand and assess the firm’s model.
The RBP needs to bring the application together, not be written last as a narrative wrapper around disconnected documents.
Policies need to be evidenced in practice
The FCA’s application information asks for a wide range of policies and supporting documents, depending on the firm’s business model and activities.
But the issue is not just whether the firm has the right documents in place.
The application needs to show that those documents reflect how the business actually operates, and that the controls described are live and embedded. Supporting material might include MI, governance records, examples of control operation, issue logs, oversight records or other materials that show how the framework works in practice.
That means, for example:
the financial crime framework should connect the business-wide risk assessment, customer risk assessment, onboarding controls, transaction monitoring, wallet screening and escalation process;
governance arrangements should show who will be responsible for crypto and how issues will be identified, escalated and managed across the business;
third-party arrangements should explain not just who the provider is, but how the firm oversees the service and retains appropriate control;
market abuse or trading platform material should be specific to the firm’s activity, rather than a generic policy that could apply to any business.
This is where preparation can quickly become more time-consuming. Firms may have the documents, but the application still needs those documents to be current, specific to the business and aligned with the way the controls actually operate.
Make the application a business-owned exercise
The application is not confined to compliance. The FCA’s document points to information from across the firm, including governance, senior management, controllers, financial forecasts, IT systems, financial crime, compliance monitoring, complaints, records management and activity-specific controls.
Firms will need input from the teams that design, operate and oversee those arrangements, with clear ownership for the underlying activity.
Without that ownership, the application risks becoming a compliance-led narrative that is difficult to evidence. The form may be submitted online but preparing it should be run as a business-wide readiness exercise.
Six practical steps firms can take now
Firms can use the FCA’s publication as a readiness checklist. Key actions include:
1. Map activities to permissions
Confirm which activities the UK firm will carry on, which permissions are needed, which client types are in scope, and which application sections are likely to be triggered.
2. Build the RBP from the operating model
Use the regulatory business plan to explain how the business works in practice, not as a generic narrative added after the rest of the application pack has been assembled.
3. Gather evidence, not just documents
Check whether the firm can evidence the arrangements described in the application through MI, governance records, examples of control operation and other supporting materials.
4. Check consistency across the pack
Make sure the RBP, policies, risk assessments, governance documents and supporting evidence are aligned on scope, ownership, risks and controls.
5. Involve the right people early
Bring in the teams that design, operate and oversee the relevant arrangements before drafting is too advanced, rather than asking them to approve text at the end.
6. Use PASS as a readiness point, not a discovery session
Approach PASS and FCA engagement with a clear view of the firm’s model, key questions and areas of judgement, rather than using it as the point at which those issues are first worked through.
What readiness should look like
The FCA’s publication gives firms more than a policy direction; it shows what the application is likely to require. Firms that are best prepared for the gateway opening will be those that can clearly explain their activities, permissions, operating model, governance, controls and supporting material, and show how those elements fit together.
The application should also be approached as the start of ongoing supervision, not the end of a project. Firms need to be able to evidence arrangements that can operate after authorisation, not just describe a target state for the form.
We’re here to help
We help firms prepare FCA cryptoasset registration and authorisation applications that are clear, coherent and supported by robust evidence.
Our support can range from targeted reviews to fully managed, end-to-end project delivery. We can:
Hold the pen – drafting and coordinating your application documents.
Provide end-to-end project management – managing the application process from planning through to submission.
Review the application pack – including the Regulatory Business Plan, supporting documentation, policies, risk assessments and governance materials.
Test your evidence base – assessing whether your controls are current, proportionate, embedded and capable of being evidenced to the FCA.
Provide independent challenge – identifying gaps and strengthening your application before submission.
Preparing for cryptoasset registration is about more than understanding the rules. It's about translating the FCA's expectations into an application that clearly demonstrates how your business meets them.
If you're considering an application or want to assess your readiness, we'd be pleased to discuss how we can help.