The UK’s new cryptoasset regulatory regime is expected to be implemented from next year. It will bring specified cryptoasset activities within the Financial Services and Markets Act 2000 (FSMA) regulatory perimeter, shifting the regulatory gateway from the current primarily anti-money laundering (AML) registration regime under the Money Laundering Regulations (MLRs) to a full FSMA authorisation framework.

The complexity of a full FSMA application should not be underestimated. With the Financial Conduct Authority (FCA) expected to open the cryptoasset authorisation gateway in September 2026, cryptoasset firms need to begin preparations now. 

In the first two articles in this series (article 1 and article 2), we outlined the new regime and timeline and two key steps that firms preparing for their authorisation or Variation of Permission (VoP) application should consider. The first is to assess Principles for Business (PRIN) and Systems and Controls (SYSC) requirements and establish core controls; the second is to build or assess the AML framework.

This final article focuses on further issues that firms seeking to undertake regulated cryptoasset activities should address.

Consumer Duty and Financial Promotions Standards

The FCA is consulting on how the Consumer Duty applies to cryptoasset firms. Introduced in 2023, the Consumer Duty requires FCA-regulated firms within scope to move beyond simple risk warnings to a proactive, outcome-based approach, delivering good outcomes for retail customers:¹

• Products and services must be suitable for the target market. This requires an understanding of customers’ risk appetite and financial sophistication.
• Prices must be fair and commensurate with the value received by customers.
• Consumer communications must be clear, fair, and informative. Firms must highlight the risks of the products. Influencers should only be used with caution and subject to appropriate oversight or approval. 
• Consumer support must be accessible and responsive. It should be straightforward for customers to exit. 
• Promotions must be “clear, fair, and not misleading.”

Additionally, firms will generally fall under the Dispute Resolution: Complaints sourcebook (DISP), giving eligible complainants access to the Financial Ombudsman Service (FOS).²

What firms should do now

• Perform product governance reviews and fair-value assessments, aligning customer journeys against outcome testing.
• Ensure that there is a robust financial promotions approval and monitoring process in place. This should include an auditable promotions register/log that meets the expectations of the broader Consumer Duty requirements.
• Build management information (MI) dashboards for outcomes, complaints themes, and remediation effectiveness, with board-level review where appropriate.

Governance and Senior Managers and Certification Regime (SM&CR) 

The FCA will apply the Threshold Conditions (set out in FSMA and reflected in COND) to regulated cryptoasset firms and will assess their business models, governance, and senior management fitness and propriety.³

Cryptoasset firms will be subject to the same SM&CR applicable to solo-regulated firms, with senior individuals formally accountable for different aspects of the business.⁴ Under SM&CR, every senior manager must have a Statement of Responsibility (SoR). They may face enforcement action if their firm breaches a regulatory requirement and they failed to take reasonable steps to prevent it.⁵

Cryptoasset firms will be classified under the existing SM&CR framework for solo‑regulated firms as Core, Enhanced or Limited Scope.⁶ Most firms are likely to fall within the Core category, while some may be treated as Enhanced firms based on the FCA’s SM&CR categorisation criteria. Enhanced firms are subject to additional obligations, including maintaining a Management Responsibilities Map, having formal handover procedures, and allocating additional prescribed responsibilities where applicable.

What firms should do now

• Map senior management function (SMF) roles and SoRs and implement a reasonable-steps framework and evidence log.
• Establish or confirm key decision-making is located in the UK, documenting decision-making forums, escalations, and challenge.
• Prepare those holding SMFs for FCA interviews through mock interviews and horizon-scanning Q&A.
• Update governance documents, including board or committee charters, Responsible-Accountable-Consulted-Informed (RACI) matrices, policies, and regularly assess consistent execution to confirm they are operating in practice. 

Prudential requirements and wind-down planning 

The FCA has proposed a new prudential regime for crypto firms. They will be subject to two sourcebooks: COREPRU, for general requirements, and CRYPTOPRU, for sector-specific rules.⁷ Under the proposals, crypto firms will need to meet the overall financial adequacy rule (OFAR), requiring them to maintain sufficient capital and liquidity to cover their business risks and absorb unexpected shocks.

On the capital side, boards will need to approve the own funds threshold requirement (OFTR) set at the higher of: (a) the Own Funds Requirement (OFR) prescribed in the regulation, and (b) the total own funds the firm assesses as necessary to fund ongoing operations through periods of financial stress, or to support an orderly wind-down without causing material harm.⁸

The regulatory minimum OFR will be calculated as the highest of the three components: 

1. A baseline permanent minimum requirement (PMR) ranging from £75,000-£750,000, depending on the firm’s activities;
2. A fixed overheads requirement (FOR) equal to one-quarter of annual fixed overheads;
3. K-factor requirements (KFR) calibrated specifically to crypto activities, covering operational, trading, counterparty, and concentration risks, etc. 

The risk-based requirements will be based on a stress-testing analysis and wind-down planning formalised in an overall risk assessment document. Crypto firms will also need to hold liquid assets (cash or high-quality bonds) above their liquid asset threshold requirement (LATR).⁹ The LATR should be set to cover funding shortfalls in business-as-usual conditions, and in periods of stress over a 90-day horizon, and to support an orderly wind-down. In practice, firms should expect to hold liquid assets of at least one month’s operating expenses. Qualifying stablecoin issuers will also need sufficient on-demand deposits to ensure that they can top up the backing pool using their liquidity in the required timeframe. 

Under the proposed regime, crypto firms must also have a wind-down plan (WDP) that explains how the firm could be wound down without creating undue consumer harm or market disruption. WDPs must be realistic and tested through scenario analysis. Firms must demonstrate that they are able to execute the plan, if necessary, with clear governance, early warning indicators, execution playbooks, and communication plans. The FCA has previously shared guidance and undertaken thematic reviews of wind-down planning¹⁰ and crypto firms should draw on this to understand its expectations.  

What firms should do now

• Enhance capital and funding plans.
• Calibrate capital/liquidity buffers and implement prudential risk metrics and stress testing. 
• Assess the impact on business model viability and sustainability.
• Produce a WDP with triggers, options analysis, consumer communications, and operational playbooks.

Outsourcing, Operational Resilience and Safeguarding

Outsourcing expectations in the FCA’s Senior Management Arrangements, Systems and Controls sourcebook (SYSC), in particular SYSC 8 (outsourcing), will also apply to crypto firms under the new regime.¹¹ Firms should assess the adequacy of their outsourcing arrangements against proposed rules and within a broader third-party risk framework. Firms which are part of international groups and rely extensively on other group entities will need to ensure they have sufficient control over critical services.

Firms should also benchmark their resilience frameworks against SYSC 15.2 (operational resilience), ensuring they operate robust systems that can prevent, respond to, and recover from disruption.¹² 

Crypto firms will have to safeguard customers’ assets and money to the standards of the FCA’s Client Assets Sourcebook (CASS). Firms providing custody of crypto assets will be subject to the new CASS 17 chapter of CASS.¹³ If the firm holds client funds, they need to be segregated under CASS 7 (client money), unless they are used solely as backing assets for qualifying stablecoins, in which case they are in scope of the new CASS 16 chapter. There is no permitted mixing between funds used for general crypto activities and those used as backing assets for stablecoins.¹⁴

The CASS rules impose a wide range of new requirements on crypto firms, including legal and operational segregation, records, accounts and reconciliations, CASS management responsibilities, compliance and audits, and regulatory reporting.

What firms should do now

• Build or assess the firm’s outsourcing arrangements, operational resilience programme, impact tolerance setting, scenario testing, response or recovery run-books, and communication plans.
• Design and evidence client asset safeguarding controls proportionate to permissions, including segregation, reconciliations, and governance.

Engage Early with the FCA via the Pre Application Support Service 

The FCA expects complete, high-quality applications for authorisation or a VoP. It may reject poor-quality submissions without assessing them and refund the fee. In those circumstances, firms are likely to be treated as having “not applied” for the purposes of accessing the saving and transitional provisions (as discussed in our first article).

With the application window fast approaching, firms must be able to evidence appropriate resources and robust, workable arrangements – not just well-drafted documents – and demonstrate that they are ready to operate compliantly from day one of authorisation. This is consistent with FCA’s expectation that the applicants are “ready, willing and organised.¹⁵ 

That, in turn, requires careful sequencing and planning well ahead of submission – for example, raising equity or debt, or reallocating assets towards cash or other high-quality liquid assets, so that the firm can meet the FCA’s prudential expectations once authorised.

The FCA’s Pre-Application Support Service (PASS) is designed to help firms surface issues early, validate assumptions about their business model and permissions, and avoid common pitfalls that can derail an application once the formal process begins.¹⁶

PASS offers an opportunity to discuss draft business plans with FCA case officers before formal submission. It provides optional, free pre-application meetings where firms can discuss their business models, the authorisation process and the FCA’s expectations.

Firms should use the PASS to identify potential “red flags” and clarify the scope of required permissions. To maximise the value of PASS meetings, firms should prepare a draft regulatory business plan with a clear permissions mapping and defined target market.

Participation in the PASS does not guarantee the success of any application for authorisation or a VoP.  The FCA encourages firms to consider independent legal or compliance advice as part of preparing an application.

What firms should do now

• Build a complete evidence library including the regulatory business plan, governance pack, policies or procedures, MI, capital or liquidity analysis, resilience and wind-down plans.
• Use the PASS to refine permissions scope and identify red flags. Track all related actions and decisions.
• Create a detailed submission plan during the application window, ensuring sufficient resources and board access to meet the deadline.
• Scenario-plan for saving provision versus run-off outcomes, aligning product launch and customer communications accordingly.
• Establish a standing governance forum to oversee progress, risks, and regulatory interactions.
• Obtain independent legal or compliance review ahead of submission.

As highlighted throughout this series, the move to full FSMA authorisation is more complex than many firms may expect, and preparation should already be underway. Crypto firms should clarify whether their activities are in scope and what permissions are required, establish robust governance and controls, and ensure practical readiness to operate in a fully supervised environment. 

Footnotes:

1. Financial Conduct Authority, “GC26/2: Application of the Consumer Duty to cryptoasset firms,” 23 January, 2026.
2. Financial Conduct Authority, “Sourcebook DISP Dispute Resolution: Complaints,” FCA Handbook, accessed 23 April, 2026.
3. Financial Conduct Authority, “Cryptoassets: Our standards,” 6 February, 2026.
4. Ibid.
5. Financial Conduct Authority, “Senior Managers Regime,” 12 February, 2026.
6. Financial Conduct Authority, “SM&CR categorisation for solo-regulated firms,” 27 October, 2025.
7. Financial Conduct Authority, “CP25/15: A prudential regime for cryptoasset firms,” 6 February, 2026.
8. Financial Conduct Authority, “CP25/42: A prudential regime for cryptoasset firms,” 20 February, 2026.
9. Ibid.
10. Financial Conduct Authority, “The Wind‑down Planning Guide,” FCA Handbook, accessed 23 April, 2026.
11. Financial Conduct Authority, “CP25/25: Application of FCA Handbook for Regulated Cryptoasset Activities”, 3 March, 2026.
12. Ibid.
13. Financial Conduct Authority, “CP26/4: Application of FCA Handbook for regulated cryptoasset activities – part 2,” 23 January, 2026.
14. Financial Conduct Authority, “CP26/8: Quarterly consultation paper No. 51,” 6 March, 2026.
15. Financial Conduct Authority, “Authorisation and registration applications – good practice and areas for improvement,” 11 September, 2025.
16. Financial Conduct Authority, “Pre-application support service (PASS),” 6 February, 2026.