FCA proposes application of current rules to crypto businesses

What does this mean?

Consultation proposals

High-level standards and supervision

The FCA proposes to extend the Threshold Conditions (COND) to cryptoasset firms, setting minimum requirements for authorisation and ongoing operations. The Principles for Business (PRIN) would also apply, with definitions of “customer” and “client” expanded to cover holders of qualifying stablecoins. However, Principle 12 (Consumer Duty) is not being applied at this stage, subject to the outcome of the DP.

Certain Principles will not apply in specific contexts. For example, Principle 6 (Customers’ interests) and Principle 9 (Relationships of trust) would not apply to operators of cryptoasset trading platforms (CATPs) when dealing with professional clients. In addition, Principles 1, 2, 6 and 9 will not apply to transactions concluded between participants of a CATP under its rules, reflecting the approach taken for multilateral trading facilities.

Other Handbook modules would extend to cryptoasset firms, including General Provisions (GEN) on disclosure and use of FCA status, and Supervision (SUP), covering information requests, skilled person reviews, and auditor oversight. Crypto firms will also be subject to the FCA’s financial crime framework, including SYSC 6, the Financial Crime Guide (FCG), and Financial Crime Thematic Reviews (FCTR). Finally, enforcement-related modules such as DEPP and the Enforcement Guide (EG) will apply, ensuring consistency with the wider regulatory regime.

Senior Management Arrangements, Systems and Controls (SYSC) and Senior Managers and Certification Regime (SM&CR)

The FCA proposes to apply the SYSC sourcebook to cryptoasset firms, including general organisational requirements (SYSC 4), training and competence (SYSC 5), compliance, internal audit and financial crime (SYSC 6), risk control (SYSC 7), record-keeping (SYSC 9), conflicts of interest (SYSC 10) and whistleblowing (SYSC 18). 

Conflicts of interest are identified as a particular concern given vertically integrated business models in crypto where issuance, trading and custody may sit within the same group. The FCA intends to consult later in 2025 on changes to SYSC 10 and on crypto-specific conflicts expectations in a future consultation covering activity-specific rules.

The SM&CR will apply to all cryptoasset firms. Senior managers will require FCA approval, must hold Statements of Responsibilities and will be accountable for ensuring certified staff are fit and proper. Proportionality will be maintained through the existing Limited, Core and Enhanced tiers so obligations scale with firm size and complexity. The FCA is proposing to apply the current SM&CR in full for now, while noting that the wider SM&CR review could lead to future adjustments.

Cryptoasset firms will be subject to the same financial crime framework as other FSMA-authorised firms, including anti-money laundering, counter-terrorist financing and fraud prevention requirements under SYSC 6, supported by the FCA’s Financial Crime Guide and Financial Crime Thematic Reviews. 

The FCA plans to consult separately on the TC sourcebook’s application to cryptoasset firms before publishing final rules, while SYSC 5 remains in scope in this consultation.

Operational resilience

The FCA proposes to extend the SYSC 15A operational resilience framework to all cryptoasset firms, including those that would not otherwise be in scope under the current SYSC 15A.1.1 application. This brings any FSMA-authorised firms that conduct cryptoasset activities into scope for SYSC 15A as well.

SYSC 15A remains technology agnostic and requires firms to identify important business services, map the people, processes, technology, facilities and information supporting them, set impact tolerances, and test severe but plausible disruption scenarios. SYSC 4 and SYSC 7 continue to complement this framework on risk management and control, and SYSC 8 sets outsourcing standards that interact with operational resilience.

A UK branch of an overseas firm is not in scope of SYSC 15A. In-scope UK firms that operate overseas branches may choose to apply SYSC 15A voluntarily to those branches. Other operational standards, including SYSC 8 on outsourcing, continue to apply to overseas branches.

Where firms rely on third parties to deliver important business services, they should have appropriate contractual and continuity arrangements and must remain able to oversee those providers. The FCA notes challenges in applying SYSC 8 to permissionless distributed ledgers and therefore proposes that use of permissionless DLT should not be treated as outsourcing under SYSC 8.1.1R. Firms would remain responsible for evaluating their internal controls for permissionless DLT within SYSC 15A.

Alongside rule application, the FCA is consulting on non-Handbook guidance to help cryptoasset firms implement operational resilience in practice, with crypto-specific risks and examples for different business models. The guidance covers areas such as private key security, validator risks for staking models, dependence on permissionless DLTs and handling blockchain forks. It explains how to identify important business services, set and maintain impact tolerances, and design and execute scenario tests. The FCA also plans to consult in Q1 or Q2 2026 on further non-Handbook guidance on the use of DLT and its implications for operational resilience.

Within the guidance, firms are reminded to calibrate impact tolerances in line with SYSC 15A.2, including maintaining tolerances during severe but plausible disruptions, to consider 24/7 market dynamics when setting tolerances, and to plan for degraded service operation where appropriate. Firms must develop and maintain testing plans under SYSC 15A.5 and conduct lessons-learned exercises after tests or real incidents.

Business standards

The ESG Sourcebook will apply to cryptoasset firms. Any sustainability claims must be fair, clear, and not misleading. No new crypto-specific climate disclosure rules are proposed, reflecting current data limitations in the market.

Discussion paper

Consumer Duty (Duty)

The FCA seeks feedback on two options: applying the Duty to all regulated cryptoasset activities with additional sector guidance, or introducing tailored rules that achieve comparable consumer protection. The FCA states for clarity that it proposes not to apply the Duty to trading between participants of a UK authorised cryptoasset trading platform, aligning this with the approach to multilateral trading facilities.  The FCA would also reinforce protections through bespoke Admissions and Disclosures requirements focused on consumer understanding.

Access to redress

The FCA invites views on extending access to the Financial Ombudsman Service for crypto complaints and indicates it is likely to consult on applying the DISP 1 complaint handling rules to newly regulated cryptoasset activities. It explains the interdependency between DISP 1 and the rules that set out when a complaint can be referred to and determined by the Ombudsman in DISP 2 and DISP 3. The FCA notes it previously did not think FSCS protection should extend to the new crypto activities, but it will consider this further and consult in a future paper.

Conduct of Business and Product Governance

The FCA is seeking views on how the Conduct of Business Sourcebook (COBS) should apply to cryptoasset firms. It is considering applying COBS broadly, with adjustments where no crypto equivalent exists. The FCA also invites feedback on specific points, including whether UK-issued qualifying stablecoins should remain classed as Restricted Mass Market Investments or be reclassified to reflect their lower risk, and whether additional risk warnings should be required for stablecoins issued by non-UK authorised entities.

On product governance, the FCA is exploring whether the existing PROD Sourcebook should apply to cryptoasset firms. Alternatively, it says it may be more effective to rely on the Consumer Duty, supplemented by tailored guidance and selected COBS provisions, to deliver appropriate product governance outcomes.

What do firms need to do?

Firms should move beyond gap analyses and consider how these proposals reshape the expectations of a credible, well-run cryptoasset business. The application of high-level standards such as COND and PRIN should push boards to examine whether their culture, governance and disclosures truly align with the FCA’s expectations of fairness and integrity, rather than waiting for prescriptive rules. Senior management should anticipate SM&CR accountability by clarifying internal responsibilities early, even in firms where roles have historically been blurred, and by developing training and competence frameworks that reflect the unique risks of digital assets.

Operational resilience deserves fresh thinking: cryptoasset firms should not simply retrofit banking-style playbooks but interrogate the vulnerabilities unique to 24/7 markets, validator dependencies and permissionless DLT. This means designing resilience strategies that accept ongoing disruption as normal and building controls that can withstand forks or node failures without relying on contractual assurances that may never exist.

In responding to the discussion elements, firms should engage seriously with the Consumer Duty debate. The FCA has floated the idea that product governance standards in COBS could be delivered by reliance on the Duty, while at the same time leaving open whether the Duty will ultimately be applied to cryptoasset activities at all. Firms should not treat this uncertainty as an excuse for inaction. Instead, they could test product value propositions and disclosure practices now, signalling maturity to regulators and investors alike. Access to redress and product governance are not just compliance hurdles but opportunities to differentiate through transparency, consumer trust and operational discipline.

Next steps

Comments for chapters 1 to 5 are due by 12 November 2025, and for chapters 6 and 7 by 15 October 2025. The paper will be followed by further regulatory consultations throughout 2025 and 2026, as per the FCA’s crypto roadmap.