FCA consults on applying existing compliance frameworks to crypto

The Financial Conduct Authority (FCA) is consulting on the extent to which it should apply existing rules and guidance in its Handbook to firms conducting regulated cryptoasset activities.

Full crypto regulation is set to come within the FCA's remit in 2026, and what is clear from this consultation is that the regulator does not intend to impose a light touch compliance regime for the sector. It proposes to carry across many frameworks applicable to firms authorised in the traditional finance space to cryptoasset firms, including high-level threshold conditions and principles for business, its overarching supervision manual, and senior management arrangements.

The main consultation closes on 12 November 2025, although as we explain, the paper also includes some discussion chapters, on which the FCA needs views earlier, by 15 October.

In this article, we consider the FCA's key proposals for cryptoasset firms, and its parallel call for views on how to apply the Consumer Duty and other conduct requirements to the sector.

What already applies?

The FCA is currently the supervisor for those firms that carry on crypto-related activities in the UK where those activities require it to be registered with the FCA for the purposes of anti-money laundering regulation. So it supervises their compliance with AML requirements. In 2023 its regulatory remit was slightly extended so that its rules on financial promotions also apply to crypto firms. Only a very few firms that carry on crypto activities fall within the current need for full FCA authorisation.

However, once the Government has legislated for certain cryptoasset activities to become regulated activities for FSMA purposes, the FCA will have the power, and will want, to apply the bulk of its rules to these newly regulated firms.

High level standards

The FCA proposes to apply the fundamental High Level Standards which underpin obligations applicable to all authorised firms to cryptoasset firms. Its proposals mainly concern four sourcebooks: COND (Threshold Conditions); PRIN (Principles for Businesses); GEN (General Provisions); and SUP (Supervision Manual). Stakeholder feedback during the development stage strongly supported this approach.

The Threshold Conditions – the minimum conditions a firm must continually satisfy to obtain and maintain its permissions, which include having appropriate resources and management –, and the General Provisions – rules covering administrative duties - are proposed to be implemented to cryptoasset firms without amendment.

The FCA proposes to apply PRIN with some explicit disapplication and modification:

• Principles 1 (Integrity), 2 (Skill, care and diligence), 6 (Customers’ interests) and 9 (Customers: relationships of trust) will not apply to transactions entered into on a Cryptoasset Trading Platform (CATP) by its members – this mirrors the position of transactions on multi-lateral trading venues in traditional investment markets.
• Principles 6 and 9 will also not apply when a CATP operates for professional clients.
• The definition of customer and client in PRIN will include a holder of a qualifying stablecoin.

For now, the paper does not propose to apply Principles 12, 2A and 3 insofar as they relate to the Consumer Duty. As outlined below, the FCA is for the moment just seeking views on this and intends to consult on its approach to the Consumer Duty at a later date.

The FCA intends to extend and apply core sections of SUP to cryptoassets firms, including in relation to: information gathering by the regulators; auditors; skilled persons reports; variations or cancellations or permissions; individual requirements and guidance; waiver and modification of rules; and notifications to the FCA. The reporting requirements under SUP 16 will be subject to a later consultation.

Senior management arrangements

In applying SYSC (Senior Management Arrangements, System and Controls) and related sourcebooks, the FCA aims to align standards for cryptoasset firms with those for other FSMA-authorised firms, broadly in the same way that they apply to investment firms, but with certain adaptations to accommodate the specific risks and technological differences of the sector.

The regulator notes that unless previously authorised for other activities, cryptoasset firms will have not been subject to a full FCA regulatory regime, and may lack sufficient policies and procedures to protect customers and markets. In order to instil a robust compliance culture, the FCA proposes to apply SYSC chapters covering governance, organisational controls, personnel competence, compliance and risk management, record-keeping, conflicts of interest, financial crime controls and whistleblowing to cryptoassets firms. It will consider how to apply Training and Competence requirements at a later date.

The full suite of SMCR requirements - including senior management functions, certification regime, prescribed responsibilities, and conduct rules – will be applied to cryptoasset firms, as with other authorised firms. The standard classifications (limited, core, enhanced) will also apply, although it is most unlikely that there will be any limited scope crypto firms, and the FCA intends to introduce specific regulatory reporting, and potentially further Handbook amendments, to ensure that cryptoasset firms can fall under enhanced criteria where appropriate.

Core cryptoasset firms would be required to allocate up to six Senior Management Functions (SMFs) and five prescribed responsibilities, with sector-specific responsibilities relating to custody (CASS) for stablecoin and crypto custodians. Enhanced firms would have to allocate eleven additional SMFs and seven more prescribed responsibilities, with the requirement for a Management Responsibilities Map.

The FCA does not consider that any new tailored SMFs or prescribed responsibilities are needed at this time. 

Cryptoasset firms would be treated as ‘other firms’ under SYSC, rather than ‘common platform firms’ such as banks or investment firms. However, firms with multiple permissions would need to follow applicable standards for each activity, so if a cryptoasset firm also qualified as a common platform firm, it would need to meet the higher standards accordingly. 'Designated Investment Business' will also be expanded to include cryptoasset activities to ensure comparable consumer protections in line with the FCA's aim of "same risk, same regulatory outcome" that it seeks to apply throughout its regulatory regime.

Of course, the wider SMCR review is ongoing. So, while the regulator proposes to apply the current regime for now, it will consider using a modification by consent approach where needed, to temporarily waive any requirements that may soon be revoked.

Operational resilience

The FCA's operational resilience rules, like many of its others, are deliberately designed to be technology-agnostic. The FCA proposes to extend its current (relatively new) operational resilience framework under to cover all cryptoassets firms, including those that would not typically fall within scope of the requirements as the rules apply currently to authorised firms. The increased scope means that other authorised firms who also conduct cryptoassets activities will be brought within the framework. But the FCA does recognise the particular characteristics of the cryptoasset markets, and this part of the consultation includes many examples and guidance to help firms understand what the FCA expects.

Where a firm uses outsourced and other third-party service providers, it retains responsibility for managing risks from these arrangements. Accordingly, if it increases its dependence on these providers, it must to increase its levels of risk management. However, the FCA has recognised that cryptoasset firms may find it difficult to apply these standards to permissionless distributed ledger technologies (DLTs), due to the lack of direct contractual arrangements. To avoid incompatible restrictions, the FCA therefore proposes that using permissionless DLTs will not be treated as an outsourcing arrangement for these purposes. The FCA nevertheless expects firms to evaluate their internal controls for permissionless DLTs, and the firm remains responsible for its operational resilience. Non-Handbook guidance is planned on the use of DLTs, which should provide greater clarity on how these technologies sit within the FCA's wider resilience frameworks.

The consultation also provides guidance on cryptoasset operational resilience, and how firms can comply with the FCA's requirements. It considers cryptoasset-specific risks - including private key security, validator risks, code vulnerabilities and service disruptions – and also how firms should be identifying important business services and impact tolerances. Key focus areas for risk management include:

• Maintaining robust cyber and IT controls to preserve the resilience of technology underpinning cryptoasset services.
• Implementing rigorous safeguarding processes for cryptographic keys and supporting infrastructure (such as smart contracts and validator nodes).
• Creating, testing, and regularly updating continuity plans for responding to technology failures specific to cryptoasset activities.
• Conducting targeted vulnerability scans and penetration tests.

Business standards

The FCA proposes to apply the ESG (Environmental, Social and Governance) sourcebook to cryptoasset firms. Specifically, firms will be subject to:

• Anti-greenwashing rules – requiring firms to ensure sustainability claims are fair, clear and not misleading.
• Sustainability labelling framework – prohibiting firms from using a sustainability label unless they are asset managers meeting the relevant conditions.

Provisions applying only to asset managers, asset owners and distributors will not be extended at this time, nor will any cryptoasset-specific climate or sustainability disclosures be introduced.

Financial crime prevention

While crypto firms are already subject to the Money Laundering Regulations 2017 (MLRs), they would now additionally be subject to the FCA's wider financial crime rules, such as those in SYSC 6 and the Financial Crime Guide.

Consumer Duty, FOS, conduct of business and product governance

The Consultation Paper also contains discussion chapters on options for applying Consumer Duty, access to the Financial Ombudsman Service (FOS) and its Conduct of Business (COBS) and Product Intervention and Product Governance (PROD) sourcebooks to regulated crypto activities. The discussion chapters close for comment on 15 October 2025.

For the Consumer Duty, the FCA is considering two broad options: applying the Consumer Duty with sector-specific guidance; or not applying the Consumer Duty, and instead introducing detailed rules to achieve an equivalent standard of consumer protection. Specifically, the FCA invites feedback on whether the flexible and outcomes-based Duty is fit for novel crypto activities or whether a more bespoke – and possibly prescriptive – regime would be most appropriate. In any event, the regulator is not planning to apply the Duty to trading on CATPs.

Subject to further consultation, the FCA has signalled an intention to propose extending the complaints handling rules and FOS jurisdiction to regulated crypto activities, but notes that issues may arise due to the limit of FOS jurisdiction overseas, and complications where third-party firms act on behalf of regulated entities.

Under COBS rules, the FCA asks for views on implementing core conduct and disclosure rules to crypto. For risk warnings, it queries whether more lenient terms should apply to UK-issued stablecoins relative to other risker cryptoassets, and for appropriateness testing, it is considering elevating guidance to mandatory rules.

For PROD, the FCA has highlighted potential difficulties in applying standard product governance to decentralised cryptoassets. Specifically, it asks for views on whether the Consumer Duty plus sector-specific guidance may suffice, or if bespoke PROD rules are necessary.

Other parts of the Handbook will also be relevant – for instance, although the FCA is not consulting on applying the Client Assets Sourcebook (CASS), the consequence of bringing cryptoasset business within "designated investment business" will be that CASS applies when appropriate.

What next?

This consultation marks a key milestone in the FCA's Crypto Roadmap. In Q3 2025, it is also set to consult on regimes for market abuse admissions and disclosures, and in late 2025 / early 2026, on trading platforms, intermediation, lending and staking, alongside remaining prudential sourcebook material. Policy statements for all consultations are expected during the course of 2026.

The content of this particular consultation indicates that the FCA will not be taking a light-touch supervision approach towards crypto, rather it intends to apply established regimes applicable elsewhere in the regulated sector, and adjust if necessary.

Firms in this space can anticipate final rules during 2026, and should keep an eye out for further updates on the FCA's intended approach to other key compliance frameworks, such as the Consumer Duty. Of course, we are quite some way from firms becoming newly authorised for crypto-activities, and given the small proportion of firms that are currently succeeding in becoming registered with the FCA for MLR purposes we can expect that the authorisation tests will, if anything be more demanding, so authorisation will not happen quickly. Regardless of this, though, firms aspiring to authorisation should be using this paper as a basis for planning their application.