UK Progress on Cryptoasset Regulation Implementation and 6-Month Readiness Project Plan
- James Ross
- Feb 15
Part 1: SwanFS Report on UK Progress to Implement Cryptoasset Regulation
1. Executive Summary
The UK Financial Conduct Authority (FCA) is finalising a comprehensive, FSMA-based regulatory regime for cryptoassets. Transitioning from a limited perimeter focused on Anti-Money Laundering (AML) and financial promotions, the FCA is implementing a full-scale conduct, prudential, and market integrity framework under the Designated Activities Regime (DAR) and the expanded regulatory perimeter defined in the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2025.
The complete blueprint for this regime has now been published. Consultations on Regulated Activities (CP25/40), Market Abuse and Admissions & Disclosures (CP25/41), and the Prudential Framework (CP25/42) closed on 12 February 2026. The final foundational piece, CP26/4 (Application of FCA Handbook for Regulated Cryptoasset Activities II), closes on 12 March 2026.
The FCA is applying a “same risk, same regulatory outcome” principle, tailoring traditional finance rules to the structural realities of cryptoassets. With the FCA indicating that the Authorisation Gateway will open in the second half of 2026 (projected for September), firms must urgently pivot from regulatory monitoring to active implementation.

2. Assessment of UK Regulatory Progress
A. Conduct, Consumer Protection & Redress (CP26/4 & CP25/40)
The Consumer Duty & COBS: Principle 12 (Consumer Duty) and PRIN 2A will apply to retail-facing crypto activities. However, it is explicitly disapplied for non-discretionary trading occurring strictly between participants on a UK Qualifying Cryptoasset Trading Platform (QCATP). Firms must enforce appropriateness testing (COBS 10). While standard distance contract cancellation rights (COBS 15) are disapplied, a bespoke 2-working-day withdrawal right applies to retail consumers, specifically when a Supplementary Disclosure Document (SDD) is published before admission to trading.
Credit Purchases: The FCA has chosen not to ban the use of credit cards for purchasing cryptoassets outright, citing evidence that credit card users are generally less financially vulnerable. However, firms must adhere to strict conduct rules regarding the “borrowing to invest” risk.
Dispute Resolution & FSCS: UK crypto consumers gain access to the Financial Ombudsman Service (FOS) under the compulsory jurisdiction. However, the FCA has confirmed that FSCS compensation will not apply to cryptoasset investment losses or firm failures at this stage.
Lending & Borrowing (L&B): Retail access to L&B is permitted but restricted. Firms must ensure mandatory over-collateralisation, provide negative balance protection, and obtain express prior consent for collateral top-ups. Automatic top-ups are strictly capped at 50% of the initial collateral’s market value (net of fees). Firms are strictly prohibited from using proprietary (firm-issued) tokens for L&B operations (e.g., as collateral or yield).
Staking: Regulated as a specific activity requiring clear upfront information, explicit prior consent from retail clients regarding key terms, and comprehensive record-keeping. The FCA has dropped earlier proposals that would have mandated automatic compensation for operational “slashing” failures, deciding the risk profile did not justify a standard compensation mechanism.
B. Market Integrity: Admissions & Disclosures (A&D) and Market Abuse (MARC) (CP25/41)
Admissions & Disclosures (A&D): To offer tokens to UK retail investors, a Qualifying Cryptoasset Disclosure Document (QCDD) must be published and filed on an FCA central repository (e.g., the National Storage Mechanism). QCATPs act as gatekeepers and must conduct due diligence to reject tokens likely to be detrimental to retail investors.
Market Abuse Regime for Cryptoassets (MARC): A bespoke regime prohibiting insider dealing, unlawful disclosure, and market manipulation. “Large CATPs” (defined as those with >£10m annual revenue) face enhanced obligations, including mandatory on-chain monitoring and cross-platform information sharing. Intermediaries must submit suspicious transaction notifications directly to the relevant QCATP, rather than the FCA.
C. Prudential Framework (CP25/42)
Cryptoasset firms will be subject to a new integrated prudential sourcebook (COREPRU) alongside a sectoral sourcebook (CRYPTOPRU).
Own Funds Requirement (OFR): Capital requirements will be the highest of:
- Permanent Minimum Requirement (PMR): Ranging from £75k (Arrangers/Agents) to £150k (QCATPs, Custodians, Staking), up to £350k (Stablecoin Issuers) and £750k (Principal Dealers).
- Fixed Overheads Requirement (FOR): Equivalent to 3 months (one quarter) of relevant annual expenditure.
- K-Factor Requirements (KFR): Activity-based risk charges. Examples include K-QCS (0.04% of custody assets), K-SII (2% of stablecoins in issuance), and K-NCP (net crypto position risk: 40% for liquid “Category A” assets; 100% for “Category B”).
Liquidity & Risk Assessments: Firms must meet a Basic Liquid Assets Requirement (BLAR) equal to one-third of the FOR plus 1.6% of any client guarantees. Firms must also conduct an Overall Risk Assessment (formerly referred to as ICARA in MIFIDPRU, renamed for CRYPTOPRU), covering stress testing and wind-down planning.
D. Governance, Safeguarding & SM&CR (CP26/4)
Safeguarding (CASS 17): Client cryptoassets must be legally segregated and held on a non-statutory trust. The FCA permits a strictly controlled “operational surplus” (firm assets held in the trust) for activities like staking. Crucially, a 1% “float” exception is permitted to sit outside the trust for QCATPs to facilitate off-chain transaction settlement on internal ledgers.
SM&CR Tiering: The Senior Managers & Certification Regime applies. “Enhanced” tiering thresholds are set for Stablecoin issuers with a backing asset pool of >£65bn and Custodians holding >£100bn in client assets (aggregated with safe custody assets).
Part 2: SwanFS 6-Month Strategic Project Plan (March 2026 – August 2026)
Given that the FCA Authorisation Gateway opens in September 2026, CASPs must execute the following plan to ensure Day-1 compliance.
Month 1: Mobilisation, Gap Analysis & Structuring (March 2026)
Action 1: Finalise and submit a response to CP26/4 before the 12 March deadline.
Action 2: Conduct a Regulatory Gap Analysis, mapping products (Spot, Margin, Staking, L&B) against the new regulated activities (Articles 9S, 9T, 9W, 9Y, 9Z6) to determine the required permissions profile.
Action 3: Finalise the UK establishment strategy based on the guidance in Annexe 4 of CP26/4.
Month 2: Prudential Readiness & Risk Frameworks (April 2026)
Action 1: Calculate provisional Own Funds Requirements (PMR, FOR, and K-Factors) under CRYPTOPRU 4. Ring-fence required Tier 1 capital.
Action 2: Assess liquid asset classifications against the Basic Liquid Assets Requirement (BLAR) (1/3 of FOR + 1.6% guarantees).
Action 3: Develop the inaugural Overall Risk Assessment methodology (per CRYPTOPRU 7) to replace legacy ICARA frameworks. Model severe/plausible stress scenarios and establish internal limits for Concentration Risk (K-CON).
Month 3: Conduct, Disclosures & Consumer Duty Alignment (May 2026)
Action 1: Overhaul retail customer journeys for Consumer Duty. Implement COBS 10 Appropriateness testing and the specific 2-day withdrawal mechanisms for SDDs.
Action 2: Restructure L&B and staking user flows. Enforce mandatory over-collateralisation, build automated negative balance protection, restrict automated top-ups to the 50% cap, and implement “Express Prior Consent” screens.
Action 3: Upgrade complaints handling to meet DISP 1 standards and integrate FOS referral rights into Terms & Conditions.
Month 4: Market Integrity, A&D, and MARC Surveillance (June 2026)
Action 1 (If a Large QCATP >£10m revenue): Procure and deploy on-chain monitoring tools (e.g., Chainalysis/Elliptic) and establish protocols for cross-platform information sharing.
Action 2: Implement off-chain surveillance for market abuse. Deploy frameworks to route suspicious transaction notifications to QCATPs, maintain Insider Lists (including wallet addresses), and enforce COBS 11.7 personal account dealing policies.
Action 3: Establish an Admissions Committee and SOPs for due diligence, drafting QCDDs, and filing via the FCA’s National Storage Mechanism (NSM).
Month 5: Safeguarding (CASS 17) & Reporting (July 2026)
Action 1: Legally establish non-statutory trusts under CASS 17. Architect wallet structures to segregate client assets, accounting for the permitted “operational surplus” and the 1% settlement float.
Action 2: Audit private key management (CASS 17.4) and record-keeping (CASS 17.5).
Action 3: Build data pipelines for SUP 16.34 Regulatory Reporting (e.g., complaints, safeguarding balances). Ensure trading engines publish pre- and post-trade transparency data within required timeframes (1 minute for post-trade).
Month 6: Governance (SM&CR) & Gateway Submission (August 2026)
Action 1: Finalise SM&CR implementation. Determine Tiering (Core vs Enhanced). Assign SMFs, draft Statements of Responsibilities (SoRs), and prepare the Management Responsibilities Map.
Action 2: Conduct a third-party “Mock Authorisation” audit of CASS 17, MARC, and Prudential frameworks.
Action 3: Consolidate the Regulatory Business Plan (RBP) and IT/Cyber packs into a finalised Part 4A Authorisation Application, ready for immediate submission when the gateway opens in September 2026.


