Proposed UK Authorisation Regime for Cryptoassets

The UK has announced a new full authorisation regime for various cryptoasset-related activities, including for exchanges and other custodians.

Peter Howitt

Managing Director

The UK is finally going to integrate cryptoassets into the established financial regulatory framework. Spearheaded by His Majesty’s Treasury (HMT) and the Financial Conduct Authority (FCA), the legislative initiatives seek to create a comprehensive authorisation regime for cryptoassets, balancing innovation with consumer protection and market integrity. The division of responsibilities, with HMT handling the primary legislation and the FCA developing detailed rules and undertaking supervision, is consistent with the established practice for financial services regulation in the UK.

The primary objective is to create a regulatory environment where firms seeking to provide cryptoasset services in or to the UK are required to be authorised and supervised by the FCA. This phased but determined approach, moving from high-level policy to near-final legal text within approximately 18-24 months, indicates a relatively swift legislative pace for such a novel and complex area. This reflects the UK government’s stated ambition to be a leader in regulated crypto innovation and the perceived urgency to provide market clarity and address potential risks. 

 

The Current UK Regulatory Landscape for Cryptoassets

The current regulatory regime for cryptoassets in the UK is a combination of overlapping frameworks rather than a single unified authorisation and prudential supervision regime. Key existing regulatory frameworks include:

FCA Registration for AML/CTF

  • Scope: Firms carrying out cryptoasset exchange or custody services must register with the FCA under the Money Laundering Regulations 2017 (MLRs).
  • Focus: AML/CTF compliance, including KYC, record-keeping, and risk assessments.
  • Limitations: This is not a full regulatory authorisation; it does not cover all conduct or prudential regulation.

Financial Promotions Regime (FinProm)

  • Cryptoasset promotions must comply with the Financial Services and Markets Act 2000 (FSMA or the Act) regime for financial promotions.
  • Only authorised firms, firms regulated for AML under the Crypto Asset Registration Regime (CAAR), or firms with approval from an authorised firm can promote cryptoassets to UK consumers.
  • Promotions must be fair, clear and not misleading, with appropriate risk warnings.

Regulation under the Regulated Activities Order (RAO)

  • Certain cryptoassets may fall under existing regulated activities (e.g., if structured as derivatives, securities, or e-money).
  • In such cases, offering or dealing in them without FCA authorisation can be a criminal offence.

See our UK, EU and Gibraltar cryptoasset law and regulation hub for more information.

 

The Architecture of Traditional Financial Services Regulation

The UK’s regulatory framework for traditional financial services serves as the foundation for the new cryptoasset authorisation regime. The Financial Services and Markets Act 2000 (FSMA) – as amended – provides the overarching legal framework, establishing the powers of regulators and defining regulated activities. The “general prohibition” in Section 19 prohibits carrying on regulated activities without authorisation. The RAO is a key piece of UK secondary legislation that defines what activities are considered “regulated activities” under FSMA.

The decision to bring cryptoassets into the regulatory fold by amending FSMA and the RAO to include “qualifying cryptoassets” as specified investments and to define new cryptoasset-specific regulated activities is therefore highly significant.

In the UK, the FCA and Prudential Regulation Authority (PRA) share regulatory responsibilities in a “twin peaks” model. The FCA regulates conduct across the entire UK financial services sector and is also the prudential regulator for firms that are not systemically significant, while the PRA is responsible for the prudential supervision of all banks and other deposit takers, insurers, and certain larger investment firms. The PRA focuses on ensuring that if a firm it supervises fails, it would do so in an orderly way that minimises disruption to essential financial services and avoids risking contagion to the wider economy or financial infrastructure.

 

Same Activity, Same Risk, Same Regulatory Outcome

The guiding principle for the UK regulatory regime is “same activity, same risk, same regulatory outcome,” ensuring a level playing field between cryptoasset-related activities and traditional financial services.

However, the unique nature of cryptoassets necessitates bespoke rules and adaptations. The FCA’s Conduct of Business Sourcebook (COBS) principles influence cryptoasset conduct rules. Client Asset Protection (CASS) principles are adapted for safeguarding cryptoassets. Prudential regulation draws from the MIFIDPRU framework, with crypto-specific adjustments. 

Key regulated activities will include the issuance of stablecoins, operation of trading platforms, dealing in and arranging deals in cryptoassets, custody, and staking (see below). Firms undertaking these activities will require full FCA authorisation, a significant step up from the current AML registration and FinProm regime. While the new regime shares similarities with traditional financial services regulation, notable differences exist, particularly in prudential requirements and the inapplicability of the Financial Services Compensation Scheme (FSCS) to most cryptoasset activities. The draft legislation is considered “near final,” with implementation expected in 2026.

 

Transitional Provisions

Transitional arrangements include a 12-month period for cryptoasset firms already registered under the MLRs to seek full authorisation. Firms not currently registered will require full authorisation before offering services. This two-tiered approach acknowledges the significant regulatory scrutiny for those crypto firms that successfully registered under the MLR regime and sets a high bar for new entrants.

 

Defining “Qualifying Cryptoassets” and “Qualifying Stablecoins”

The scope of the regime depends on the definitions of “qualifying cryptoassets” and “qualifying stablecoins.” A “cryptoasset” is broadly defined, but the focus is on “qualifying cryptoassets,” which are fungible and transferable, functioning similarly to traditional financial instruments. 

“Qualifying stablecoins” are cryptoassets that reference fiat currency, aim to maintain a stable value and are backed by approved core assets.

These definitions distinguish between crypto-native products and “specified investment cryptoassets,” which are tokenised traditional assets.

Exclusions include electronic money, fiat currency, central bank digital currencies (CBDCs), and non-transferable cryptoassets.

 

Key Regulated Cryptoasset Activities Requiring Authorisation

The draft SI outlines several regulated activities requiring FCA authorisation: 

  • Issuance of qualifying stablecoins.
  • Safeguarding (custody) of qualifying cryptoassets and relevant specified investment cryptoassets.
  • Operating a qualifying cryptoasset trading platform.
  • Dealing in qualifying cryptoassets as principal.
  • Dealing in qualifying cryptoassets as agent.
  • Arranging deals in qualifying cryptoassets.
  • Qualifying cryptoasset staking.

These activities are established as distinct, allowing the FCA to develop tailored rules. For example, “qualifying cryptoasset staking” is a novel activity necessitating specific rules around consumer consent, risk disclosure, and asset segregation. The FCA is also considering rules for cryptoasset lending, borrowing, and restricting credit for crypto purchases. This comprehensive list covers the lifecycle of cryptoasset services, closing regulatory gaps.

 

The FCA’s Role and the Authorisation Process

Firms engaging in regulated activities will need full FCA authorisation. The FCA is developing its rulebook through discussion and consultation papers, with key publications including DP25/1, CP25/14, and CP25/15.

To become authorised, firms must demonstrate that they meet and will continue to meet a set of minimum standards known as “threshold conditions”. These conditions are fundamental requirements relating to aspects such as the firm’s legal status, location of offices (head office and, if applicable, registered office must be in the UK or the firm must carry on business in the UK), close links (connections to other entities must not hinder effective supervision), appropriate resources (both financial and non-financial, including capital, liquidity, and competent staff), suitability (the firm, including its management and controllers, must be fit and proper), and an effective and viable business model. The regulators must feel confident that they are capable of effectively supervising the firm.

The transition to full FSMA authorisation represents a substantial increase in regulatory burden, requiring firms to meet higher standards comparable to traditional financial services. This aims to enhance consumer protection, market integrity, and financial stability. For cryptoasset firms, the FCA will be the primary regulator for both conduct and prudential aspects, unless specific activities (like systemically important stablecoins) bring them within the Bank of England’s/PRA’s purview.

The financial services regulators possess wide-ranging enforcement powers, which can be used if firms breach regulatory requirements. These powers include imposing fines, restricting a firm’s authorisation (e.g., preventing it from undertaking certain activities), and prohibiting individuals from working in the regulated financial services sector.

The existing FinProm regime, which has restricted the promotion of certain types of cryptoassets in the UK since 2023, will also be affected, as authorised firms will generally be able to approve their own financial promotions related to their regulated cryptoasset activities.

Specific Considerations: DeFi, Staking, and Custody

“Truly decentralised” DeFi activities are not intended to be regulated, where no identifiable person or firm is undertaking the activity. However, defining “true decentralisation” is complex, and the FCA continues to explore DeFi. Qualifying cryptoasset staking requires explicit consumer consent, key features documents, segregated wallets, and liability for financial losses due to inadequate resilience. Custody services must ensure consumer cryptoassets are secured and accessible, with proposals aiming to enhance financial resilience.

 

Qualifying Cryptoasset Staking

Staking receives specific attention due to its novel nature and potential risks to consumers. Firms offering staking services to retail consumers will be required to:

  • Obtain explicit advance consent from consumers regarding the amount of cryptoassets to be staked, conditions for payment, repayment, return of assets, and fee arrangements.
  • Provide retail consumers with a key features document clearly outlining the implications of staking (including for ownership of the assets) and the associated risks.
  • Maintain separate wallets for consumers’ staked cryptoassets, distinct from the firm’s own assets and other consumers’ non-staked assets.
  • Maintain accurate records and conduct regular reconciliations of staked cryptoassets.
  • Be liable for financial losses suffered by retail consumers if the firm has inadequately assessed its technological and operational resilience, including dependencies on third parties (e.g., validator node operators), and hold sufficient capital to absorb such losses.

These detailed rules for staking reflect significant concerns about consumer understanding of the complex risks involved, issues of asset ownership and control during staking, and the operational intricacies of interacting with blockchain networks.

 

Custody (Safeguarding)

The safeguarding of client cryptoassets is a foundational element of the new regime. Firms providing crypto custody services (including exchanges) will be required to ensure that consumers’ cryptoassets are effectively secured and can be easily accessed by the consumer at any time. The proposals also aim to enhance the financial resilience of cryptoasset custodians to reduce the likelihood and impact of firm failures. These rules are critical for building trust and facilitating broader adoption, particularly by institutional investors.

 

Conduct of Business and Client Assets

The FCA’s Conduct of Business Sourcebook (COBS) sets out the standards for how firms should interact with their clients and conduct their business. These rules are fundamental to ensuring that firms treat customers fairly, provide clear and balanced information, and act in their clients’ best interests.

Key areas covered by COBS include:

  • General Duty (COBS 2): Firms must act honestly, fairly, and professionally in accordance with the best interests of their clients.
  • Information about the Firm and Communications with Clients (COBS 4): All communications, including financial promotions and marketing materials, must be fair, clear, and not misleading. This involves using simple language, ensuring risk warnings are prominent and legible (e.g., in the same font size as the main text), providing up-to-date information, presenting balanced projections (not overstating potential benefits), clearly explaining fees, disclosing if a product or service is provided by a third party, and ensuring any comparisons made are meaningful and fair.
  • Suitability and Appropriateness (COBS 9 & 10): When providing advice, firms must ensure that any personal recommendation is suitable for the client, considering their knowledge and experience, financial situation, and investment objectives (COBS 9). When providing services that do not involve advice for more complex products, firms must assess whether the product or service is appropriate for the client (COBS 10).
  • Best Execution (COBS 11): Firms must take all sufficient steps to obtain the best possible result for their clients when executing orders, considering factors such as price, costs, speed, likelihood of execution and settlement, size, nature, or any other consideration relevant to the execution of the order.

Overarching these specific COBS rules is the Consumer Duty, introduced by the FCA, which requires firms to act to deliver good outcomes for retail customers. This duty imposes a higher standard of care and places a greater emphasis on firms proactively considering consumer needs and potential harms. These established COBS principles are highly influential in shaping the conduct rules being developed for cryptoasset firms.

The FCA’s Client Assets Sourcebook (CASS) contains rules designed to protect client money and custody assets (such as shares and bonds held for clients) if a firm becomes insolvent. CASS has been a key priority for the FCA, which has imposed substantial fines for non-compliance.

The fundamental requirement of CASS is that firms must keep client money separate from the firm’s own money, typically in segregated client money bank accounts, and ensure that custody assets are appropriately registered and segregated. This ring-fencing is intended to ensure that client assets can be returned to clients as quickly and completely as possible in the event of the firm’s failure.

Key operational elements of CASS compliance include:

  • Segregation: Promptly placing client money into segregated accounts and ensuring custody assets are clearly identifiable as belonging to clients.
  • Reconciliation: Regularly reconciling internal records of client money and assets with the records of banks and custodians holding those assets.
  • Remediation: Investigating and resolving any discrepancies identified during reconciliation in a timely manner.
  • Risk Management: Identifying, assessing, and mitigating risks to client assets.
  • Leadership and Governance: Assigning senior management responsibility for CASS compliance (under the Senior Managers and Certification Regime – SMCR) and maintaining appropriate oversight.
  • Audit: Subjecting CASS arrangements to external audit where required.

The principles underpinning CASS provide a strong framework for client asset protection and are being adapted for the safeguarding of cryptoassets under the new regime.

 

Prudential Regulation (Capital Adequacy and Liquidity)

Prudential regulation aims to ensure that financial firms are financially sound, can absorb losses, and have sufficient liquid resources to meet their obligations. The approach to prudential regulation in the UK varies depending on the type and systemic importance of the firm.

  • PRA-regulated firms: Banks, building societies, and insurance companies supervised by the PRA are subject to detailed and complex capital and liquidity requirements, largely based on international standards such as the Basel framework for banks and Solvency II for insurers. These firms must maintain adequate financial resources, including robust capital buffers, and have effective risk strategies and management systems. The PRA’s recent policy statement PS6/25, for example, updated requirements for international bank branches operating in the UK partly in response to events like the failure of Silicon Valley Bank.
  • FCA-regulated investment firms: 
    • Investment firms that conduct MiFID (Markets in Financial Instruments Directive) activities are prudentially regulated by the FCA under a regime known as MIFIDPRU. This regime is generally less complex than the one for banks, reflecting the different risk profiles of investment firms. MIFIDPRU sets out rules on “own funds” (the regulatory capital firms must hold, categorised into Common Equity Tier 1 (CET1), Additional Tier 1 (AT1), and Tier 2 capital) and liquidity requirements.
    • The capital requirements for other firms (such as payment service providers) are specified in the relevant secondary legislation. This is usually a minimum base level of capital that is then adjusted upwards for volume and risk.

The approach to prudential regulation for cryptoasset firms is expected to draw more from the principles of the MIFIDPRU framework, but with significant crypto-specific adjustments to address their unique risks.

 

FCA Consultation Papers CP25/14 and CP25/15 – COREPRU and CRYPTOPRU

[June update to the original Article]

CP25/14 focuses on rules for stablecoin issuance and cryptoasset custody, aiming to ensure stablecoins maintain value and custodians provide robust safeguarding. CP25/15 details prudential rules, introducing COREPRU (Core Prudential Sourcebook) and CRYPTOPRU (Crypto Prudential Sourcebook). Key features include the Overall Financial Adequacy Rule (OFAR), Own Funds Requirement (OFR), Liquid Assets Requirement, and Concentration Risk.

CP25/14: Stablecoin Issuance and Cryptoasset Custody

Consultation Paper CP25/14 focuses on establishing rules and guidance for the issuance of “qualifying stablecoins” and the safeguarding (custody) of “qualifying cryptoassets,” including stablecoins. The FCA proposes to incorporate these new requirements into its existing Client Assets Sourcebook (CASS) and a new crypto sourcebook.

Proposals for Issuers of Qualifying Stablecoins:

Firms issuing qualifying stablecoins (QFSs) used for UK payments will need authorisation under Part 4A of FSMA. Key proposed requirements include:

  • Backing Assets: Stablecoins must be fully backed on a 1:1 basis with secure, high-quality, liquid, fiat-denominated assets of an approved kind. These backing assets must be held with an unconnected third-party custodian and protected under a statutory trust, with the issuer acting as the trustee.
  • Redemption Rights: All holders must have the legal right to redeem their stablecoins at par value on demand, directly from the issuer. Issuers must be able to place a payment order for redeemed funds within one business day of receiving a valid redemption request.
  • Transparency and Disclosure: Issuers must clearly disclose their redemption policies, the composition of their backing assets, and their value methodologies to consumers.

Proposals for Custodians of Qualifying Cryptoassets:

Firms safeguarding qualifying cryptoassets (including private key management) will also require authorisation. Key proposed requirements include:

  • Segregation: Client cryptoassets must be segregated from the custodian’s own assets.
  • Trust Arrangement: Qualifying cryptoassets must be held on behalf of clients in a trust. The FCA proposes this to be a non-statutory trust for cryptoasset custodians.
  • Books and Records: Custodians must maintain accurate books and records of clients’ cryptoasset holdings.
  • Controls and Governance: Adequate organisational arrangements, controls, and governance structures must be in place to protect clients’ cryptoasset holdings.

The FCA plans further consultations on additional measures for protecting qualifying cryptoassets, including prudential and operational resilience requirements.

CP25/15: Prudential Regime for Cryptoasset Firms – COREPRU and CRYPTOPRU

Consultation Paper CP25/15 details the FCA’s proposed prudential rules and guidance specifically for firms issuing qualifying stablecoins and those safeguarding qualifying cryptoassets. These rules aim to ensure firms can operate safely and withstand periods of financial stress.

A significant development is the FCA’s plan to introduce an integrated prudential rulebook structure, starting with two new sourcebooks:

  • COREPRU (Core Prudential Sourcebook): This sourcebook will initially apply to firms conducting regulated cryptoasset activities and will bring together core prudential requirements that are common across different categories of firms. Over time, COREPRU is intended to house core prudential provisions for all FCA-regulated firms. 
  • CRYPTOPRU (Crypto Prudential Sourcebook): This sourcebook will contain other sector-specific prudential requirements for firms undertaking regulated cryptoasset activities.

The main features of the proposed prudential regime outlined in CP25/15 include:

  • Overall Financial Adequacy Rule (OFAR): Cryptoasset firms must maintain adequate financial resources (in amount and quality) for their business at all times.
  • Own Funds Requirement (OFR): This is the minimum capital firms must hold, calculated as the highest of:
    • Permanent Minimum Requirement (PMR): £350,000 for stablecoin issuers and £150,000 for cryptoasset custodians.
    • Fixed Overheads Requirement (FOR): Equal to one-quarter of the firm’s relevant expenditure in the previous year.
    • K-factor Requirement: A variable amount based on the firm’s activities and associated risks, similar to the approach for investment firms.
  • Definition and Composition of Own Funds: Detailed rules will specify what is eligible as capital, with fully paid-up shares preferred. Other instruments may be allowed subject to criteria and limits. Cryptoassets issued by the firm itself or a connected party cannot be included as capital.
  • Liquid Assets Requirement:
    • Basic Liquid Assets Requirement (BLAR): All cryptoasset firms must hold liquid assets equivalent to at least one-third of their FOR, to fund initial stages of a wind-down. Eligible assets include cash, short-term UK bank deposits, UK gilts, and units in UK regulated money market funds; cryptoassets are not eligible.
    • Issuer Liquid Asset Requirement (ILAR): An additional requirement for stablecoin issuers to ensure they can quickly (T+1) top up their backing asset pool if a shortfall occurs.
  • Concentration Risk: Firms must have sound administrative, accounting, and internal control procedures to monitor and manage exposures to counterparties and asset classes. Stablecoin issuers must also consider this for their backing asset pool.

The FCA plans a subsequent consultation (CP2), expected in Q4 2025 or Q1 2026, to cover remaining prudential aspects such as requirements for cryptoasset firm groups, PMR and K-factor requirements for activities not covered in CP25/15, sector-specific concentration risk rules, an Internal Capital Adequacy and Risk Assessment (ICARA-style) process, and public disclosure of prudential information. The FCA also notes that CRYPTOPRU firms may be subject to other prudential requirements and will consult on the interaction between different prudential sourcebooks, for example, for firms that are also MiFID investment firms.

 

Territorial Scope and Implications

The regime applies to UK-domiciled and overseas firms serving UK clients, particularly retail customers. Firms serving UK retail customers must generally be authorised in the UK, regardless of location. 

Specific activities like custody and staking have territorial considerations, while stablecoin issuance requires authorisation if carried out from a UK establishment. Significantly, HMT has indicated that the existing “overseas persons exclusion,” which allows some overseas firms to conduct certain activities with UK persons without UK authorisation under specific conditions, will not generally be extended to cryptoasset activities.

The FCA is considering how to regulate or exempt overseas Cryptoasset Trading Platforms (CATPs). Future possibilities include permitting overseas CATPs to operate through UK branches or recognising firms authorised under an equivalent regulatory regime in their home jurisdiction, though these are not the immediate proposals. For overseas CATPs serving only UK professional investors, UK authorisation may not be required unless a regulated activity is physically carried on in the UK. This continues the common distinction in regulatory treatment for retail versus professional clients.

 

Key Takeaways and Future Outlook

The UK’s proposed cryptoasset regime represents a significant step towards integrating these digital assets into the broader financial system. The focus on authorisation, detailed rules for specific activities, and prudential requirements demonstrates a comprehensive approach. Whilst drawing heavily from traditional financial services regulation, the regime acknowledges the unique risks and characteristics of cryptoassets, necessitating tailored rules. 

The UK’s aim to be a leader in regulated crypto innovation is evident in the swift legislative pace and the engagement with industry stakeholders. Market participants must prepare for a more demanding regulatory environment, requiring significant operational and compliance adjustments. As the regime evolves, the UK’s approach may adapt based on global developments and the maturation of the crypto market. The consultation papers, ongoing discussions, and future policy statements from HMT and the FCA will be crucial in shaping the final regulatory framework. This regulatory landscape will be pivotal in determining the future of cryptoassets in the UK, seeking to balance innovation with robust protection and integrity.

 
