Existing firms that are currently only registered under the Money Laundering Regulations will also be required to apply for Financial Services and Markets Act 2000 (FSMA) authorisation and become subject to the requirements of the Handbook as they apply to cryptoasset firms.

The FCA’s stated objective is to align cryptoasset firms with the standards that already apply to other FSMA-authorised entities, following the principle of “same risk, same regulatory outcome”. The regulator nonetheless acknowledges that certain adaptations are necessary to reflect the unique characteristics of cryptoassets and the particular risks they pose.

The FCA’s overall approach

The FCA proposes to apply a wide range of cross-cutting Handbook provisions to cryptoasset firms, but recognises the need for certain modifications. For example, the Principles for Businesses (PRIN) will be modified such that Principles 1 (integrity), 2 (skill, care, and diligence), 6 (customers’ interests), and 9 (relationships of trust) will not apply to transactions between members on a cryptoasset trading platform (CATP), and Principles 6 and 9 will not apply when a CATP is servicing professional clients. This is consistent with the approach that the FCA takes when applying the Principles to trading platforms in traditional finance.

The FCA identifies three main areas of harm that it wishes to address: (i) the prevalence of poor governance and conduct in cryptoasset firms, which undermines consumer protection and market integrity, (ii) the attraction of cryptoassets to criminals, and (iii) the risks arising from weak operational resilience in a sector heavily reliant on technical infrastructure. The regulator states that its proposals aim to mitigate these harms, though they will not remove the underlying risks of investing in volatile and high-risk assets.

The FCA’s approach to governance, systems, and controls

The Paper sets out the FCA’s proposals on governance, systems, and controls. Cryptoasset firms will become subject to rules and requirements in relation to organisational arrangements, risk management, compliance, internal audit, record-keeping, management of conflicts of interest, and whistleblowing procedures. The FCA acknowledges that this will impose new and additional obligations on firms that have not previously been authorised under the FSMA.

The FCA also confirms that it intends to apply the Senior Managers and Certification Regime in full to cryptoasset firms from day one. The FCA expects firms to be categorised as Limited, Core, or Enhanced under the existing framework, with only a small proportion of large firms likely to fall into the Enhanced category. The regulator points to the collapse of the FTX exchange as a case study demonstrating the need for clear apportionment of responsibilities and independent governance, noting that concentrated decision-making and unmanaged conflicts of interest contributed to consumer harm.

Operational resilience

Operational resilience is a key area of focus. The FCA proposes that Senior Management Arrangements, Systems and Controls (SYSC) 15A should apply to all cryptoasset firms. This means that cryptoasset firms will need to apply the framework when, for example, identifying important business services (IBS), defining impact tolerances, mapping vulnerabilities for each IBS, conducting regular scenario testing to assess the firm’s ability to remain within the impact tolerances, and determining effective communication strategies. The Paper provides illustrative example scenarios involving cryptoasset business models to demonstrate how each can be applied in practice.

The FCA recognises the unique risks posed by cryptoasset businesses, such as increased technological risks and vulnerability to transaction disruptions and cyberattacks, and warns that cryptoasset firms should take the particular risk profile of their business models into account when applying the operational resilience framework.

In implementing the guidance, the FCA also expects firms to consider the outsourcing requirements under SYSC 8, in particular ensuring that appropriate skill, care, and diligence are applied to outsourcing arrangements. The use of permissionless distributed ledger technologies (DLTs) will not itself be considered outsourcing, but cryptoasset firms will be expected to evaluate their internal operational controls for permissionless DLTs in line with the framework in SYSC 15A, and will remain responsible for managing risks associated with third-party providers, such as cloud and IT vendors.

Application of the Consumer Duty and access to the Financial Ombudsman

The FCA is seeking feedback on applying the Consumer Duty (Duty) to cryptoasset firms, and whether customers should have access to the Financial Ombudsman Service (FOS) for complaints.

The FCA proposes to apply the Duty to newly regulated cryptoasset activities with additional sector-specific guidance where necessary, noting that the Duty’s outcome-focused approach would afford cryptoasset firms flexibility in assessing the needs of their customers and how to tailor their products and communications accordingly. The Duty would not apply to trading between participants of UK-authorised cryptoasset trading platforms, as is the case for multilateral trading facilities. The Paper seeks feedback on whether this approach is appropriate or if tailored rules are needed for cryptoasset activities.

The FCA is also considering applying the complaint-handling rules in the Dispute Resolution: Complaints Sourcebook Chapter 1 (DISP 1) – which outlines rules and guidance on how firms should manage customer complaints arising from regulated activities – to cryptoasset firms, and extending FOS access to consumers with complaints about newly regulated cryptoasset activities.

Application of COBS and PROD

The FCA is requesting input on how the Conduct of Business Sourcebook (COBS) should apply to cryptoasset firms offering newly regulated cryptoasset activities. Its current proposal is to apply core COBS chapters to cryptoasset firms with adaptations, including rules on fair treatment of clients, conflicts of interest, disclosures, client categorisation, communications and financial promotions, client agreements, appropriateness, reporting, and cancellations.

The FCA is not planning to apply the existing Product Governance Sourcebook (PROD) provisions to firms providing cryptoasset products or services because of the challenges associated with applying the framework to decentralised products, such as Bitcoin. In this regard, the FCA has sought feedback on whether, and if so when, it might be appropriate to rely on the Duty instead of applying PROD or certain aspects of COBS.

Next steps

The FCA has welcomed feedback on the impact of the proposals and has encouraged suggestions on any other market developments that have not been considered or other unintended consequences of the proposals. Responses for the discussion proposals (Chapters 6 and 7) are required by 15 October 2025, and responses for the consultation proposals (Chapters 1 to 5) by 12 November 2025.

The FCA has also expressed its intention to consult on proposals for charging cryptoasset firms as part of its annual consultation on fees policy, which it plans to publish in November 2025.

Client Alert 2025-242