
Since 8 October 2023, every crypto promotion shown to UK consumers falls under the full FCA financial promotions regime. Your existing financial-services compliance template doesn't cover this. Not because your template is wrong, but because crypto comes with rules that don't exist in the rest of the regulated marketing world. Four lawful routes to market, a cooling-off period that can't be waived, a prescribed risk warning that must be used verbatim, and a ban on referral bonuses. Section 21 of FSMA makes non-compliance a criminal offence, carrying up to two years' imprisonment and unlimited fines for the firm and the authorised approver.
The operational reality most teams meet first, though, isn't criminal risk. It's that their campaigns stall, their ads get platform-rejected on terms they thought were compliant, and their compliance team is stuck running the same reviews on the same assets with no way to prove which version actually shipped.
Why crypto compliance breaks marketing teams that already "do compliance"
The core problem is this. Traditional financial-services compliance workflows assume one route to market, one approval chain, and one disclaimer library. Crypto has four routes, each with a different approval chain, different audience restrictions, different documentation requirements. The checklist that works for a lending product fails quietly for a crypto product because the rules aren't a subset of what you already know. They're adjacent.
One crypto platform we reviewed had an established FCA compliance workflow for its existing regulated products. When it launched its crypto line, the same workflow missed the cooling-off disclosure on a flagship campaign for three months. The ads were technically "approved", just by a process designed for products that didn't need cooling-off. The gap wasn't sloppiness. It was that the process had no concept of the rule.
This is the failure mode to design for. Crypto-specific rules need crypto-specific checkpoints. They do not inherit from your existing financial-promotions approval flow.
The four lawful routes to market
Since 8 October 2023, there are exactly four legal ways to communicate a crypto promotion to UK consumers:
Route 1: FCA-Authorised Crypto Firm. Your firm is directly authorised by the FCA for crypto business. Broadest audience access, heaviest regulatory burden. COBS rules apply in full: appropriateness, cooling-off, risk warnings, Consumer Duty. Rare because the capital and governance requirements are significant.
Route 2: Approved by an Authorised Person. You are not authorised yourself, but an FCA-authorised firm (a "s21 approver") approves each promotion before it goes live. The approver takes legal responsibility for the ad. This is the most common route for unregulated crypto platforms marketing in the UK. The implication for your workflow: every live ad now has a third-party gate. Every revision is a re-approval. SLAs and scope must be contractually clear.
Route 3: Registered Under MLR 2017. You are registered as a cryptoasset service provider under the Money Laundering Regulations 2017. You can communicate promotions without a separate s21 approver, but audience scope is narrower, appropriateness assessments are stricter, and you still owe the full suite of prescribed warnings and cooling-off rules.
Route 4: Exempt from FSMA. You meet a specific exemption. For example, communicating only to genuinely commercial customers, or sending one-off, non-systematic communications to existing clients. Exemptions are narrow and brittle. One word in the creative can push you out of the exemption. This route needs expert labelling and isn't a scalable marketing route.
Most crypto platforms operate across Routes 2, 3 or 4, sometimes simultaneously across different products. The first job of a crypto marketing workflow is classifying every campaign to its route before anyone writes copy.
Crypto-specific rules your existing compliance process probably misses
Five rules apply to crypto promotions that don't apply (or don't apply identically) to other financial promotions. All five are routine sources of quiet non-compliance in teams that have otherwise solid financial-services workflows.
1. Cooling-off period. Crypto products sold to first-time investors must include a 24-hour cooling-off period. The customer cannot opt out. This has to be disclosed pre-purchase, tracked separately from your normal refund policies, and operationally enforced. Ad copy can't suggest an instant-access journey that the cooling-off period doesn't allow.
2. Prescribed risk warning, verbatim. The FCA's wording must appear exactly. "Don't invest. Your capital is at risk."for summary warnings. The full warning reads "Don't invest unless you're prepared to lose all the money you invest. This is a high-risk investment and you are unlikely to be protected if something goes wrong. Take 2 mins to learn more." and is used in the fuller placements. No softening, no reworded versions, no "variant" that sounds more brand-safe. Prominence requirements apply. This isn't a footer disclaimer.
3. Appropriateness assessment. Before marketing a crypto product to a given audience, you must assess and document whether that audience has sufficient knowledge and experience to understand the product. This is a written assessment, not an assumption about your targeting setup. The FCA will ask to see it.
4. Ban on refer-a-friend and incentive bonuses. Affiliate and incentive bonuses for cryptoasset promotions are prohibited. "Refer a friend and get £50 in Bitcoin" is not legal. If you run multi-product referral programs, crypto has to be carved out at product level. Platform-level carve-outs aren't enough if the copy still touches crypto.
5. High-risk audience restrictions. Crypto ads cannot be targeted at minors or vulnerable consumers. You need documented proof of active age-gating at campaign level, not reliance on platform defaults. "The platform says 18+" isn't the same thing as "we have evidence that 18+ targeting was set, verified and maintained."
The commercial reality: why "we'll retrofit our existing process" fails
The retrofit approach is appealing because the team already has compliance infrastructure. It fails because crypto rules don't map cleanly onto non-crypto workflows.
The common failure patterns:
- The disclaimer library doesn't have the verbatim FCA crypto warning. Teams approve an ad with a "high-risk investment" variant that reads well in the brand voice but isn't the prescribed wording. The ad is technically non-compliant from launch.
- Cooling-off isn't a workflow step. Nothing in the approval checklist prompts the reviewer to check for cooling-off disclosures, because the reviewer's other financial products don't need them.
- Route classification is implicit. The team assumes everything goes through Route 2 because that's how their biggest product is set up. A separate product line is actually Route 3, and the workflow silently applies the wrong rule-set.
- Appropriateness assessment lives in a draft doc. It exists, but it's not attached to the approval record. When the FCA asks, the team can't produce it against a specific campaign.
- Affiliate carve-outs are platform-level. Crypto is excluded from the bonus engine at platform config, but the creative still says "refer a friend" because the marketing team wasn't told the carve-out applied to messaging too.
Every one of these is avoidable. None of them is visible to a team running standard financial-promotions compliance because the rules don't appear in that workflow's checklist.
What a crypto-aware compliance workflow actually needs
Five operating changes distinguish teams that ship crypto campaigns cleanly from teams that ship and retrofit:
Classify route at brief stage, not approval stage. Every campaign brief states the lawful route before any copy is written. If the route isn't clear, the brief doesn't move forward. This stops writers producing copy that cannot be shipped under the route the product actually sits on.
Separate crypto checkpoint in the pre-flight. Cooling-off disclosure, prescribed risk warning (exact wording), appropriateness assessment link, affiliate carve-out, age-gating proof. All as explicit line items, not implicit in "financial services compliance." A crypto ad failing any one of these should fail the pre-flight, not the human review.
Third-party approver SLA documented. For Route 2 firms, the s21 approver relationship needs defined scope (which products, which channels), turnaround SLA, revision re-approval rules, and liability clarity. Without this, every ad becomes a bespoke negotiation.
Audit trail at asset-variant level. Every ad variant that shipped should map to its approval record, its s21 approver (if applicable), its appropriateness assessment, its prescribed-warning version used, and its final published state. FCA inspections cross-reference live ads to approval records. If you can't produce that link at variant level, you've got a gap.
Platform-rejection diagnosis built in. Crypto ads get rejected on platform filters (Meta, Google, TikTok) for category-triggered reasons as well as compliance reasons. The workflow needs to separate "rejected for policy reason X" from "rejected because the word triggered a filter", because the fix is different.
Objection: "We'll just use our existing process with a crypto addendum."
This is the most common self-rescue, and it fails reliably.
An addendum to an existing process does two things badly. It makes crypto rules optional in practice (they're always "the extra bit" on top of the real checklist, so they get skipped under deadline pressure). And it leaves the workflow blind to the interaction between crypto rules and your existing rules. Picture a non-crypto product and a crypto product co-marketed on a single shared landing page that now needs to satisfy both rule-sets. That's where the quiet failures live.
The workflow has to treat crypto as a first-class route, not a variant. That doesn't mean rebuilding everything. It means: classification is a required field, crypto-specific checkpoints are required gates, and the disclaimer library has the verbatim prescribed warnings as dedicated entries, not adapted from other templates.
When manual works and when it doesn't
Manual compliance review is reasonable if you're running fewer than 5-10 crypto promotions a month, on one route, on one or two channels, with a co-located team. A spreadsheet-based checklist plus email approvals can work at that scale.
It stops working when volume crosses ~20 crypto promotions a month across multiple routes or channels, your team is distributed, your campaigns trigger platform rejections needing diagnosis, or you need a defensible audit trail for FCA inspection. At that point the manual overhead exceeds the cost of a dedicated tool within one quarter, and the risk of a quiet non-compliance rises faster than the team can catch up with it.
The decision isn't about trusting automation to do compliance. It's about whether the volume and variety of crypto campaigns has crossed the point where manual review reliably catches the route-specific rules. And, practically, whether your s21 approver can keep up with your marketing velocity.
FAQ
Do I need to be FCA-authorised to run crypto ads in the UK?
No. You can operate on Route 2 (approved by an s21 authorised person), Route 3 (MLR-registered), or Route 4 (exempt). Most crypto platforms use Route 2 or 3.
Can I run crypto ads without a cooling-off period?
Only if your customer is not a first-time investor in that specific product. If there's any chance they are, you must offer the cooling-off period. It cannot be waived.
Can I run referral or affiliate bonuses for crypto?
No. Affiliate and incentive bonuses for cryptoasset promotions are banned under FCA rules. You can run referrals for other products like lending or insurance, but not crypto.
What exactly does the prescribed risk warning have to say?
The FCA's full warning is "Don't invest unless you're prepared to lose all the money you invest. This is a high-risk investment and you are unlikely to be protected if something goes wrong." The summary warning is "Don't invest. Your capital is at risk." Both have prominence and design requirements. They are not footer disclaimers.
Does my ad platform's built-in age-gating count as my audience control?
No. You need documented evidence that 18+ targeting was set, verified, and maintained at campaign level. Platform defaults are not proof of appropriateness.
What does an FCA inspection of crypto marketing actually look like?
The FCA typically requests approval files, audience targeting documentation, appropriateness assessments, risk assessment records, and copies of live ads. They cross-reference live ads against approval records. If a campaign can't produce documented evidence linking those, that's a finding.
Can I use the same disclaimer I use for other investment products?
No. The crypto prescribed warning is separate and verbatim. Adapting your investment disclaimer doesn't satisfy the rule. The exact FCA wording must appear.


