On September 17, 2025, the Financial Conduct Authority (FCA) published Consultation Paper CP25/25: Application of the FCA Handbook to Regulated Cryptoasset Activities. The paper sets out the FCA’s proposed framework for extending key provisions of the FCA Handbook that are applicable to existing firms regulated under the Financial Services and Markets Act 2000 (FSMA) to firms undertaking regulated crypto-asset activities. CP25/25 represents a significant shift towards full-scope UK crypto supervision, moving the sector from a registration-only model towards a comprehensive authorisation and oversight regime. This positions crypto-asset service providers (CASPs) on a regulatory footing far closer to that of traditional financial institutions.
Under the draft legislation, activities such as issuing stablecoins, custody of crypto-assets and operating a crypto-asset trading platform will become regulated financial services. CASPs carrying out these activities in the UK will be required to seek full FCA authorisation, aligning them with the regulatory standards applied to other financial firms. For firms, the move signals a new era, one where governance, conduct and operational expectations will materially increase, and where organisational structures must evolve to withstand supervisory scrutiny.
The core challenge with regulating CASPs within the UK lies in calibration, striking the right balance between applying established regulatory standards and adapting them to the distinctive realities of crypto-assets. The proposals require careful adjustments to avoid forcing crypto firms into models designed for traditional finance. If calibrated well, CP25/25 could instead act as a competitive differentiator for the UK, signalling the importance of regulatory standards while allowing businesses to evolve under a supervisory approach that is capable of accounting for business model nuances.
Senior Managers and Certification Regime (SM&CR): Governance Uplift for Crypto Firms
The extension of the SM&CR will impose accountability and oversight standards that are entirely new to many crypto businesses. Senior managers will need FCA approval and will be assigned clear, legally enforceable responsibilities across areas such as compliance, technology operations and financial crime controls. They will also be personally accountable for governance or compliance failures and must be able to evidence that appropriate systems, controls and mitigation measures are in place. The regime also requires firms to apply the Fit and Proper Test, which focuses on honesty, integrity, competence and financial soundness. For the FCA, SM&CR is the primary mechanism to anchor individual responsibility in a sector where leadership accountability has historically been fragmented, informal or founder-driven. CASPs should expect more intensive scrutiny of senior management function applications than traditional firms, reflecting heightened FCA concerns over operational risk, safeguarding and internal controls.
Challenges that firms may face:
- Many crypto firms operate with flat, founder-driven hierarchies where accountability is shared or informal, making it difficult to designate a single FCA-approved individual for critical functions.
- This heightened level of personal accountability may also deter some senior leaders from engaging with or joining crypto-asset firms, as they may be reluctant to assume roles where individual liability is high, particularly in a sector still navigating emerging risks and evolving supervisory norms.
- Crypto businesses contain complex and highly technical operational workflows, making it difficult to map them into the FCA’s responsibilities framework without oversimplification.
- Many global CASPs operate key functions offshore, which may complicate the ability to assign clear UK-based senior manager responsibility for critical operations.
In preparation, firms could:
- Formalise leadership roles in previously informal structures: Identify individuals responsible for key crypto activities and prepare them for FCA approval.
- Develop a responsibilities map tailored to crypto operations: Allocate prescribed responsibilities to senior managers for areas such as safeguarding architecture (under the Client Assets Sourcebook), platform resilience and market abuse monitoring on crypto trading instruments.
- Implement a certification regime for key operational and technical staff: Firms can annually certify staff who significantly impact client outcomes or firm risk, for example staff who are part of client-asset reconciliation teams or are responsible for onboarding.
- Align organisational culture with SM&CR expectations: Conduct SM&CR-specific training tailored to crypto activities and embed conduct rules across the business (including product teams and crypto-operations staff).
Early preparation will help CASPs avoid delays during authorisation assessments, where the FCA is expected to scrutinise governance clarity and accountability mapping in depth.
Operational Resilience under the Senior Management Arrangements, Systems and Controls (SYSC)
The FCA proposes to extend the SYSC 15A operational resilience regime to crypto-asset firms. Under these rules, CASPs would be required to demonstrate how they can prevent, respond to and recover from operational disruptions in order to maintain continuity of their business services. The FCA’s focus on resilience reflects a broader supervisory concern about outages, custody failures, technology blind spots and the fragility of decentralised ecosystems. Recent incidents involving paused withdrawals, smart contract exploits and validator failures have underscored the need for stronger, FSMA-grade resilience expectations in crypto markets.
Alongside this extension of obligations, the consultation aims to introduce crypto-specific guidance illustrating how different types of crypto firms should meet SYSC 15A expectations. This guidance clarifies how firms should apply traditional FCA resilience standards in environments that rely on technologies like permissionless distributed ledgers, despite the additional complexities these technologies may create. The FCA is also signalling that operational resilience will become a foundational pillar of CASP supervision, with expectations likely to tighten through thematic reviews once the regime is implemented.
The FCA also signals that crypto firms will be brought within the scope of proposed rules, which will be consulted on separately at a later date, on:
- Mandatory reporting of operational incidents.
- Maintaining a detailed register of third-party relationships.
These additions reflect the FCA’s wider agenda to tighten oversight of critical suppliers and reduce opacity in CASP dependency chains.
Challenges that firms may face include:
- Firms often support multiple blockchains, and each of them has a unique failure mode that is difficult to simulate when designing and testing resilience scenarios.
- CASPs often rely on entire ecosystems of vendors (which are susceptible to frequent change), far more than traditional financial institutions; therefore, maintaining a detailed register of critical third-party relationships may prove to be challenging or may require constant updating.
- The FCA threshold for “reportable” incidents specifically for CASPs remains ambiguous, and therefore CASPs may experience difficulty in determining what constitutes a reportable incident as they encounter scenarios unique to their business model.
In preparation, firms could:
- Identify and map which services, if disrupted, could cause harm to consumers or market integrity. This includes wallet creation, stablecoin issuance and custody services. This can be achieved by documenting each service, mapping its dependencies and anticipating where disruptions would occur.
- Develop detailed incident playbooks for each crypto-specific scenario and test whether services can recover within acceptable timeframes. Disruption events may include smart-contract malfunctions or blockchain congestion.
- Maintain a tested and auditable operational resilience framework that demonstrates how services will be restored through detailed recovery plans.
- Establish internal escalation routes, automated detection mechanisms and reporting templates in the event that operational incidents must be reported to the FCA.
Consumer Protection
The FCA is consulting on how consumer protection standards should apply to regulated crypto-asset activities and has outlined two possible approaches. Consumer protection is one of the most challenging areas to translate into crypto markets, given the absence of identifiable manufacturers for many tokens, highly fragmented value chains and extreme volatility. The FCA acknowledges that traditional notions of product oversight and foreseeable harm are more complex to apply where token behaviours can shift rapidly due to market sentiment or protocol governance.
The FCA’s two proposed approaches are:
Option 1: Apply the Consumer Duty with crypto-specific guidance:
- Under this option, crypto firms would be required to meet the core Consumer Duty obligations, such as acting in good faith and avoiding foreseeable harm, but alongside tailored guidance which recognises:
  - Decentralised crypto-assets may lack identifiable manufacturers.
  - Traditional distribution chains do not exist for many crypto products.
- The guidance would explain how crypto firms could meet the Consumer Duty in practice across different business models.
This approach would allow the FCA to retain its preferred outcomes-based model while providing interpretive clarity for CASPs.
Option 2: Do not apply the Consumer Duty and instead introduce bespoke rules:
- If the Consumer Duty is considered unsuitable for CASPs, the FCA may create sector-specific investor-protection rules, particularly for distributors of crypto-assets where standard manufacturer-distributor models do not apply.
This alternative would give the FCA greater flexibility to tailor rules to the crypto sector, but it also risks creating a divergence from the broader retail market standards that apply across the financial services sector.
Challenges firms may face:
- Explaining highly technical blockchain concepts in plain language without oversimplification can be challenging, as oversimplification may lead consumers to underestimate the associated risks.
- Rapidly changing token behaviour can make disclosures outdated quickly.
- High and unpredictable volatility makes it harder to define what counts as “foreseeable harm”.
In preparation for the FCA determining its final approach, firms could:
- Redesign crypto product disclosures to explain risks that are unique to crypto and produce clear explanations of how blockchains, wallets and token functionalities work.
- Develop risk assessments for foreseeable harm arising from volatile markets, smart contract failures and cross-chain transfer vulnerabilities.
- Implement suitability checks by assessing customer understanding of volatility or complex token designs. This can be achieved through questionnaires specifically designed for cryptocurrency markets.
- Implement crypto-specific customer support by training support teams on crypto-specific issues.
In addition, the FCA is considering extending its complaints-handling rules to CASPs. This would require CASPs to manage complaints in the same structured and transparent manner as traditional financial firms. Firms would be required to maintain proper records of complaints, ensure timely complaint responses and ensure that eligible customers have access to the Financial Ombudsman Service (FOS) if disputes cannot be resolved internally.
This helps to build greater credibility and trust with retail customers as the firm is held to the same conduct standards as regulated financial institutions. This can be commercially valuable in a sector where consumer scepticism and reputational risk remain high. Access to the FOS offers an independent and authoritative route for dispute resolution, which can reduce prolonged customer conflicts that damage brand reputation.
Conduct of Business Requirements
The FCA is considering applying significant elements of its Conduct of Business Sourcebook (COBS) to regulated crypto-asset activities. This would require CASPs to meet core conduct standards similar to those in traditional financial markets. This includes acting honestly and fairly, providing clear communication and categorising clients. The FCA is expected to give heightened attention to marketing and consumer-facing disclosures, areas where crypto firms have historically struggled to comply. The rise of misleading promotions, complex yield products and opaque risk statements has made COBS alignment a supervisory priority.
However, the FCA does not intend to apply COBS to transactions between crypto-asset trading platforms (CATPs) and professional clients, and CATPs will not be required to offer cooling-off periods.
The FCA is also considering elevating existing appropriateness assessment guidance into rules, signalling an intention to raise consumer protection standards across the sector.
Challenges firms may face:
- COBS is built around clear product manufacturers, stable distribution chains and well-defined client relationships. Crypto markets rarely operate this way, and CASPs may struggle to map COBS concepts onto:
  - Volatile token environments.
  - Decentralised protocols with no identifiable issuer.
  - Products whose risk profiles can change within minutes.
- Typically, crypto communications have been marketing-led rather than compliance-led. To comply with COBS, firms must make adjustments such as removing promotional styles of language and explaining risks that are often uncertain or technical. This can be extremely resource-heavy and represents a significant operational shift. Firms offering structurally complex products may struggle the most.
In preparation, firms could:
- Redesign all customer-facing communications, including wallet guides and trading disclosures, to meet the COBS communication standards.
- Create a crypto-appropriate client categorisation framework based on trading behaviour and crypto volume patterns.
- Prepare COBS-aligned client agreements that reflect crypto-specific risks.
- Review onboarding journeys, trading interfaces and mobile app flows to ensure all touchpoints meet “fair, clear and not misleading” standards, particularly at moments where customers make transactional decisions.
Complying with COBS helps CASPs avoid misleading communications, inappropriate product distribution and poor customer outcomes. By embedding fair-treatment standards, firms reduce their exposure to litigation, consumer disputes and reputational harm. Strong COBS alignment may also become a competitive advantage, particularly as institutional and retail customers become more selective about which crypto service providers meet recognised financial-services standards.
Product Governance
The FCA is consulting on how the Product Intervention and Product Governance (PROD) Sourcebook should be applied to crypto-asset firms, recognising that traditional PROD requirements do not align well with decentralised or anonymous crypto-assets. Applying the PROD rules to crypto-assets reveals a mismatch between the PROD framework and the realities of the crypto market. In a conventional financial landscape, product manufacturers and end-users are clearly identifiable, and products follow linear distribution chains. In contrast, crypto-assets span a spectrum of models (from decentralised tokens with anonymous developers to centrally-issued stablecoins). Each of these has a different risk profile and, as a result, a single set of rules cannot capture the diversity of how crypto-assets are created, issued and distributed. The challenge for the FCA is ensuring product oversight without forcing CASPs into artificial “manufacturer-distributor” constructs that do not match decentralised networks or open-source token ecosystems.
The FCA has communicated that it prefers a flexible, outcome-based approach that acknowledges the sector’s diversity rather than forcing an ill-fitting legacy framework.
In practice, this may mean distinct expectations for:
- Decentralised tokens with no identifiable issuer.
- Exchange-issued or platform-issued tokens.
- Fiat-backed and crypto-backed stablecoins.
- Wrapped assets and cross-chain synthetic tokens.
Each of these categories carries different governance, liquidity and operational risks, which the FCA is likely to reflect in its supervisory approach.
CP25/25 Wrapped
For CASPs, the priority now is to assess how the proposed high-level standards intersect with their business model, identify areas where practical guidance or transitional arrangements are needed, prepare to demonstrate how their systems and controls can meet FSMA-aligned expectations and track regulatory developments related to the consultation.
CP25/25 signals a clear direction of travel that CASPs will be expected to operate with the same governance discipline, operational resilience and consumer protection standards as traditional financial institutions. This is not the light-touch regime they have been used to; it is a structural uplift that will require significant investment across leadership, compliance and technology functions.
Looking to 2026, the final rules for CASPs' transition from MLR registration to the FSMA authorisation regime are expected, as set out in the FCA’s crypto roadmap, although no definite timeframes are provided. Firms that begin aligning their governance, operational resilience and consumer protection frameworks early will be in the strongest position when the FCA launches its full authorisation assessments. Firms that remain engaged with these developments will be best placed to navigate authorisation, while those that delay will face heavier scrutiny, tighter timelines and potentially significant remediation costs. CP25/25 marks the beginning of a new regulatory chapter, and firms that act now will shape the competitive landscape in the UK’s emerging regulated crypto market.




