The FCA’s expectations of cryptoasset firms continue to evolve, but the direction of travel is increasingly clear: firms are expected to demonstrate mature, risk-based and operationally effective financial crime controls, not simply policies that look adequate on paper.
As the sector grows and business models become more complex, the regulator is placing greater scrutiny on whether firms truly understand the financial crime risks within their products, customer bases and transaction flows. That includes how those risks are identified, governed, monitored and evidenced in practice.
For FCA-authorised crypto firms, this creates a challenge that goes beyond regulatory interpretation. Firms must ensure that their controls can withstand operational pressure, adapt to emerging typologies and produce evidence that governance frameworks are functioning effectively.
Below, we explore several of the key financial crime themes firms should be focusing on.
Risk Assessments Need to Reflect Real Exposure
A recurring issue across the crypto sector is the gap between documented risk assessments and the actual risks firms face operationally.
The FCA expects firms to maintain enterprise-wide and customer-level risk assessments that are dynamic, evidence-based and tailored to the nature of their business model. Generic assessments or frameworks borrowed from traditional financial services firms are unlikely to be sufficient where crypto-specific risks are present.
This is particularly important in areas such as:
exposure to high-risk jurisdictions
complex ownership structures
decentralised ecosystems
rapid movement of funds
use of mixers, privacy tools or layered wallet structures
exposure to sanctions evasion typologies
fraud and mule account activity
Risk assessments should directly inform control design, customer due diligence, monitoring scenarios and escalation frameworks. Where firms cannot clearly demonstrate that linkage, regulators may question whether the framework is genuinely risk-based.
In practice, many firms also face challenges keeping risk assessments aligned to evolving products, customer behaviour and emerging typologies, particularly in fast-growth environments where frameworks can quickly become outdated if not reviewed regularly.
Practical considerations for firms
Firms should consider whether their risk assessments:
accurately reflect current products, customer types and geographies
are reviewed frequently enough to capture emerging threats
incorporate crypto-specific typologies and red flags
meaningfully drive monitoring and due diligence decisions
are supported by clear governance and documented rationale
Transaction Monitoring Must Be Operationally Effective
Many crypto firms have invested heavily in surveillance tooling, blockchain analytics and screening capabilities; however, technology alone does not satisfy regulatory expectations.
The FCA is increasingly focused on whether transaction monitoring frameworks are calibrated appropriately, producing meaningful outputs and supported by effective investigative processes.
Common weaknesses across the sector can include:
excessive alert volumes with limited prioritisation
poorly tuned scenarios
insufficient understanding of customer behaviour
gaps between blockchain monitoring and internal customer data
inadequate escalation or SAR decision-making processes
limited evidence of ongoing optimisation and testing
For crypto firms in particular, monitoring frameworks should account for the speed, scale and cross-border nature of transactions, alongside typologies associated with sanctions evasion, layering, fraud networks and high-risk wallet exposure.
Monitoring programmes should also evolve alongside changes in customer behaviour and criminal methodologies. Static controls quickly become ineffective in fast-moving environments.
This is an area where firms often benefit from independent review and challenge, particularly where alert volumes are increasing, typologies are changing rapidly or internal teams are struggling to determine whether existing controls remain proportionate and effective.
Practical considerations for firms
Crypto firms should assess whether they can clearly evidence:
how monitoring scenarios were designed and calibrated
why thresholds remain appropriate
how alerts are triaged and investigated
what management information is reviewed by governance forums
how typologies and emerging risks are incorporated into controls
whether back-testing or effectiveness testing is performed regularly
Governance and Accountability Remain Critical
The regulator continues to emphasise the importance of governance, particularly in high-growth firms where financial crime frameworks may struggle to keep pace with commercial expansion.
Strong governance is not simply about committee structures or reporting lines. The FCA expects senior management to demonstrate meaningful oversight of financial crime risks, including an understanding of where control gaps exist and how remediation is progressing.
This becomes particularly important where firms operate internationally, introduce new products rapidly or rely heavily on third-party providers.
In practice, firms should be able to demonstrate:
clear accountability for financial crime risks
effective escalation processes
appropriately skilled compliance and MLRO functions
sufficient resourcing for investigations and monitoring
evidence of challenge from senior management and boards
timely remediation of identified weaknesses
For many crypto firms, maintaining effective governance becomes increasingly difficult as transaction volumes, jurisdictions and product offerings expand. Governance frameworks that were appropriate at an earlier stage of growth may require significant enhancement as firms mature operationally and face greater supervisory scrutiny.
Sanctions Controls Continue to Face Scrutiny
Sanctions risk remains a major area of focus across the crypto sector, particularly given ongoing geopolitical developments and concerns around sanctions evasion using digital assets.
The FCA expects firms to understand how sanctions exposure can manifest across customers, wallets, counterparties and transaction activity, and to implement controls proportionate to those risks.
This extends beyond basic name screening. Firms increasingly need to consider:
wallet screening and blockchain exposure analysis
indirect exposure to sanctioned entities
typologies associated with evasion techniques
transaction patterns linked to high-risk jurisdictions
governance around escalation and decision-making
A common challenge for firms is balancing operational efficiency with effective escalation processes, particularly where screening outputs generate large volumes of potential matches.
As sanctions typologies continue to evolve, firms should also consider whether their frameworks are receiving sufficient ongoing tuning, assurance and specialist oversight to remain effective in practice.
Practical considerations for firms
Firms should consider whether their sanctions framework:
adequately covers wallet and transactional exposure
incorporates current typologies and geopolitical developments
includes clear escalation and investigation procedures
is supported by documented governance decisions
can demonstrate ongoing tuning and optimisation
FINTRAIL’s experts have extensive knowledge of sanctions regulatory requirements and their application in practice. We can help clients of all sizes build and maintain an effective sanctions compliance programme.
Evidence, Assurance and Control Testing Matter More Than Ever
An increasingly important theme across FCA supervision is the expectation that firms can evidence control effectiveness — not simply describe their framework.
Policies, procedures and governance documentation remain important, but regulators are also looking for operational proof points, including:
testing results
QA findings
management information
remediation tracking
audit outcomes
evidence of senior management oversight
Firms that cannot demonstrate how controls operate in practice may struggle during supervisory engagement, even where policies appear comprehensive.
This is particularly relevant for crypto firms operating in fast-growth environments, where controls may not have scaled at the same pace as customer acquisition or transaction volumes.
Independent assurance activity can play an important role here, both in identifying weaknesses before regulators do and in helping firms demonstrate that controls are subject to meaningful challenge and review.
Practical considerations for firms
Areas firms may wish to review include:
the maturity of QA and assurance programmes
whether MI supports meaningful decision-making
how remediation actions are tracked and evidenced
the quality and consistency of investigations
whether governance committees receive actionable reporting
Final Thoughts
The FCA’s expectations of crypto firms are continuing to mature alongside the sector itself. Increasingly, the focus is shifting from whether firms have controls in place to whether those controls are demonstrably effective, proportionate and embedded operationally.
For many firms, the challenge is no longer simply implementing a financial crime framework; it is ensuring that governance, monitoring, assurance and risk management processes can evolve alongside changing threats, regulatory expectations and business growth.
This is particularly relevant for firms scaling quickly, entering new markets or adapting to increasingly sophisticated fraud and sanctions risks, where control frameworks can struggle to keep pace with operational complexity.
Firms that invest early in scalable, risk-based and evidence-driven controls are likely to be better positioned as supervisory scrutiny continues to increase.
FINTRAIL supports crypto and digital asset firms with financial crime risk assessments, AML and sanctions framework reviews, governance support, transaction monitoring optimisation, assurance activities and broader anti-financial crime advisory services. You can learn more about our work with crypto firms on our cryptocurrency sector page.
Please reach out to our team if you’d like support with any of these topics.
This article was adapted from an original piece published by Cosegic.

