Regulations · FCA · Section 21 gateway
// FCA · FSMA s21 · PERIMETER

The Section 21 gateway.

Before the UK rulebook asks what your crypto promotion says, it asks whether you are allowed to say anything at all. Get the perimeter wrong and the most carefully worded risk warning cannot save the promotion — it is a criminal offence under FSMA s25.

Applies to: UK-facing exchanges Token launches / TGEs Offshore firms reaching UK Growth and KOL teams

The rule.

Section 21 of the Financial Services and Markets Act 2000 restricts who may communicate a financial promotion. Since October 2023, qualifying cryptoassets are controlled investments — so crypto marketing aimed at UK consumers is a financial promotion and falls inside this perimeter.

// FSMA 2000 · Section 21(1)–(2)

“(1) A person (‘A’) must not, in the course of business, communicate an invitation or inducement to engage in investment activity.

(2) But subsection (1) does not apply if—

(a) A is an authorised person; or

(b) the content of the communication is approved for the purposes of this section by an authorised person.”

This is the rule that sits underneath every other FCA requirement. The prescribed risk warning, the cooling-off period, the incentives ban — all of them assume you have already cleared the perimeter. If you have not, the content rules are moot: communicating the promotion is itself unlawful under FSMA s25, carrying up to two years’ imprisonment and an unlimited fine.

What it requires.

A crypto financial promotion communicated in or to the UK must satisfy one of three gateways — or be kept out of the UK entirely.

Gateway one — authorised. The communicator is itself an FCA-authorised person with the relevant permission. Registration under the Money Laundering Regulations is not authorisation for financial promotions; few crypto-native firms qualify.

Gateway two — approved. The content is approved by an authorised firm that holds the Section 21 approval permission for cryptoassets specifically, and the visible approval marker appears on the asset: “This financial promotion has been approved by [name], FCA Reference [number].”

Gateway three — exempt. A Financial Promotion Order exemption applies (certified high-net-worth or self-certified sophisticated investors), the audience genuinely meets the criteria, and you can evidence the audience gate. Mass-market retail does not qualify.

The fourth option — geo-fence. If none of the gateways applies, the only compliant route is to keep UK consumers from reaching the asset: IP blocking, non-UK ad targeting, no UK-language localisation, KOL contract restrictions, and excluding GBP / UK-card payment methods.

Common violations.

// Violation pattern · offshore reach

A non-UK exchange runs a clean landing page — prescribed risk warning at the top — with Meta ads geo-targeted to London and Manchester.

The content is compliant; the firm holds no UK authorisation and no approval. Reach into the UK without a gateway is the breach, regardless of the warning. The most common offshore-funnel finding. Citation: FSMA s21(3); PERG 8.

// Violation pattern · missing approval marker

A token project obtains Section 21 approval but ships the landing page with no approval marker anywhere on it.

An approval you cannot see on the asset is, for enforcement purposes, an approval that is not there. Citation: COBS 4.12A.18R.

// Violation pattern · wrong-permission approver

A promotion carries a valid-looking approval marker — from a firm authorised for payment services, not cryptoassets.

Since the February 2024 reform, an approver can only approve asset classes within its permission. A non-crypto approval has limited validity for a crypto promotion. Citation: FCA Section 21 Approval Permission regime.

// Violation pattern · assumed exemption

A presale page claims a “sophisticated investor” exemption with a single unchecked tick-box and no certification flow.

An exemption you cannot evidence at audience level is not an exemption. The burden of proving the gate sits with the communicator. Citation: FPO Articles 48–50A; COBS 4.12A.10R.

How to comply.

// Fix 1 · answer the perimeter first

Before any copy work, decide which of the three gateways the asset relies on — or geo-fence. Treat “does this reach UK consumers?” as an upstream design decision, not a post-hoc check.

// Fix 2 · verify the approver’s permission

If relying on approval, confirm in writing that the authorised firm holds the Section 21 approval permission for cryptoassets specifically — not payments, not generic investments — and that what it approved matches what you publish.

// Fix 3 · place the approval marker

Put the marker where it cannot be missed — footer or near-CTA, on every approved asset — with the firm name and FCA reference number.

// Fix 4 · evidence every exemption

Use a certification flow, not a tick-box, and keep the records. The FCA references documented compliance processes in mitigation; the audit trail is the defence.

// Fix 5 · make geo-fencing real

A “UK users prohibited” line in the terms is not geo-fencing. Combine IP blocking, ad-targeting exclusions, no UK-language localisation, KOL contract restrictions, and payment-method exclusions.

Related rules.

This page is an operator-grade heuristic, not legal advice. The Section 21 perimeter carries criminal liability under FSMA s25; for a binding view on authorisation, approval or exemption, retain qualified UK counsel.