Crypto firms – a guide to FCA authorisation

The FCA is finalising its regulatory framework via the Crypto Roadmap, which it aims to complete by October 2026. This is underpinned by two key legislative changes. The first is HM Treasury’s draft amendments to the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO), which defines the scope of the FCA’s new regulatory regime. The second is the Property (Digital Assets etc) Act 2025, passed in December 2025, which recognises digital assets such as cryptocurrencies, tokenised assets and stablecoins as personal property, giving them enhanced protection under UK law. 

These changes have allowed the FCA to move forward with a series of consultations, discussion papers and draft Handbook provisions that cover both conduct and prudential requirements. To continue to offer regulated activities, crypto firms must assess the full implications of the proposed regime and prepare for FCA authorisation. 

Article

Crypto regulations pick up pace with three FCA consultations

Read more

Which digital assets and activities are in scope?

All firms will need FCA authorisation to carry out the cryptoasset activities listed in the draft RAO – including firms currently registered with the FCA under the Money Laundering Regulations 2017. Those firms already authorised under FSMA for other regulated activities will need to apply for a variation of permissions. Proposed authorised crypto activities are: 

• Issuing qualifying stablecoins in the UK
• Safeguarding qualifying cryptoassets and relevant specified investment cryptoassets
• Arranging for another person to safeguard qualifying cryptoassets (or relevant specified investment cryptoassets)
• Operating a qualifying cryptoassets trading platform
• Dealing in qualifying cryptoassets as a principal
• Dealing in qualifying cryptoassets as an agent
• Arranging deals in qualifying cryptoassets
• Making arrangements with a view to transactions in qualifying cryptoassets
• Qualifying cryptoasset staking

The new regime will have a broad territorial reach and cryptoasset firms serving UK customers will typically be in scope, even if they’re based overseas. As such, firms must assess their current and prospective business model to identify which activities will be regulated, and if any exemptions or exclusions apply.  

Article

Top themes for the payments sector in 2026

Read more

Steps to authorisation 

The FCA authorisation window runs from 30 September 2026 until 28 February 2027, with the regime applying from October 2027. With a short timeframe until implementation, applicants need to demonstrate how they meet FSMA requirements, based on the nature, scale, and complexity of their activities. Key elements include:

• Threshold Conditions (COND) – the minimum conditions a firm is required to satisfy and maintain (including having appropriate resources for the nature and scale of the business)
• Principles for Businesses (PRIN) and the Consumer Duty (subject to consultation) – for the fair treatment of clients, product design and communications
• Governance and systems requirements (SYSC) – including effective risk management, internal controls and managing conflicts of interest
• Senior Managers and Certification Regime (SM&CR) – extending individual accountability to senior management and key staff
• Conduct of Business (COBS) requirements – for client communications, disclosures and reporting

Firms are expected to have all the necessary plans, arrangements and resources in place to support FCA regulation at the time of submission – to the extent that this is reasonable and practicable. This echoes the FCA’s expectation for firms to take regulation seriously and be “ready, willing and organised” to comply on an ongoing basis.

Preparing your submission

The time and effort required for the authorisation process should not be under-estimated and firms can significantly benefit from the FCA’s pre-application support (PASS) service and information sessions. Once the assessment process begins, the FCA doesn’t usually accept significant changes to the proposed business model, or put applications on hold for extended periods. So, effective pre-submission preparation is vital.

Our services

Digital assets – how we can help

Read more

Getting started with crypto authorisation 

The breadth of FCA authorisation requirements will represent a significant shift for many firms, in terms of governance, oversight and risk and control frameworks. As a starting point, firms should consider the following key questions and take steps to progress the related actions and priorities that might arise from them.

Governance, systems and controls:

• Are ‘mind and management’ in the UK? Are key members of the proposed leadership team in place, who meet ‘fit and proper’ requirements?  
• Is there a suitable risk management framework in place for specific risks and at enterprise level?
• Are there appropriate internal controls, processes and procedures (including financial crime controls)?

Business model analysis:

• Is the business plan realistic, viable and sustainable? Is it supported by data and evidence?
• Are there any potential harms or conduct issues that are inherent to the business? How will they be mitigated to an acceptable level?
• Could the firm achieve an orderly exit of the UK market if necessary?

Prudential and financial resilience:

• Is there a full set of financial projections, supported by realistic modelling assumptions?  
• Is there a preliminary prudential risk assessment to estimate the capital and liquidity requirements?
• How will the firm ensure financial resilience, with sufficient allocations in capital and liquidity planning?

IT and operational risk:

• Are necessary technology systems designed, built and tested?   
• Are IT governance arrangements sufficiently robust, with appropriate policies and procedures to support smooth operations?
• Are the necessary risk assessments in place?
• How effectively are outsourced arrangements controlled and overseen?

Operational resilience:

• How will the firm comply with operational resilience rules to reduce the impact of service outages and mitigate the risk of financial harm, including through association with third parties?

Compliance and business standards:

• Are the necessary compliance framework and controls in place?
• How will the firm ensure good customer outcomes?

The above list is non-exhaustive but gives a good overview of what the FCA is looking for, and the general approach crypto firms need to take. To get started, firms should:

• assess the impact of the anticipated regulations and the firm’s readiness to comply with and implement them
• access the FCA’s pre-application support service (PASS) and related information as published
• design, implement, enhance and embed the necessary governance structures and control frameworks 
• start the application process, seeking advice from independent experts as required. 

For existing firms that don’t meet the necessary standards for authorisation or choose to strategically exit the UK market, the FCA will provide a transitional provision to help them to run-off their UK business in an orderly way.

For further information, contact Paul Staples.