
FCA publishes proposals for applying its Handbook to cryptoasset firms

The UK Financial Conduct Authority (FCA) published a consultation paper on 17 September 2025 outlining its proposals for applying the rules and guidance in its Handbook to cryptoasset firms (CP25/25). The proposed rules will apply to firms that have obtained authorisation to carry on the new regulated cryptoasset activities set out in the April 2025 draft Statutory Instrument (SI), once the SI is in force (see our client briefing for further discussion on the SI here).

The FCA is also seeking feedback on the application of specific rules to cryptoasset firms, together with setting out some early thoughts on the application of those rules. Responses to the discussion elements of CP25/25 will inform the proposals set out in future consultation papers that are due to be published under the Crypto Roadmap (which is summarised in our blog post here). 

The proposals are also a natural extension of the FCA’s general approach, which is to tailor the Handbook rules and guidance to reflect the unique nature of different products and services – broadly following the guiding principle of “same risk, same regulation”.

CP25/25 covers a consultation on the application of rules and guidance in some of the cross-cutting Handbook areas to cryptoasset firms and a discussion on how the FCA can apply the Consumer Duty, conduct of business rules, product governance rules, the Dispute Resolution rules and access to the Financial Ombudsman Service.

This blog post covers the firmer proposed rules set out in CP25/25 – we have covered the discussion aspects of CP25/25 in a separate blog post here.

Principles and business standards

CP25/25 proposes to apply the Handbook’s high level and business standards to cryptoasset firms, while disapplying (i) some Principles for Businesses in certain circumstances and (ii) certain rules in the Supervision Manual (SUP).

PRIN

The FCA proposes to apply all of PRIN to cryptoasset firms in most circumstances, including the requirements to maintain adequate risk management systems, to manage conflicts of interest fairly and to deal with regulators in an open and cooperative way.

However, the FCA proposes to disapply certain of the principles to transactions entered into on a qualifying cryptoasset trading platform (CATP) by its members. The relevant principles are the requirements to act with integrity, to conduct business with due skill, care and diligence, to treat customers fairly and to ensure the suitability of decisions and advice for customers. Where a CATP provides the service of operating a CATP solely for professional clients, only the principles regarding treating customers fairly and regarding suitability would be disapplied. Additionally, similar to other types of business, the FCA would disapply parts of PRIN for business done with eligible counterparties. The FCA’s rationale for such exclusions is that it does not impose these principles on similar trading platforms in traditional finance. Instead, trading venues are responsible for monitoring compliance with their own trading rules.

SUP

The FCA only proposes to apply the SUP rules that are relevant to cryptoasset firms. Relevant rules include: (i) SUP 2 – on information gathering by the FCA or the Prudential Regulation Authority (PRA) on their own initiative; (ii) SUP 3 – governing the appointment of auditors (albeit that SUP 3 would only be relevant for the new stablecoin issuance and cryptoasset custodian activities, which is in line with the FCA’s approach in CP25/14 to require a CASS-specific annual audit for these businesses); (iii) SUP 5 – relating to the reports prepared by skilled persons under section 166 or 166A of FSMA; (iv) SUP 6 – explaining how firms may apply to vary or cancel their Part 4A FSMA permission and to impose, vary or cancel requirements; (v) SUP 7 – governing the FCA’s ability to vary a firm’s permissions or to set individual requirements and limitations on the firm; (vi) SUP 8 – allowing the FCA to waive or modify rules for firms; (vii) SUP 9 – on the individual guidance the FCA may provide to firms; and (viii) SUP 15 – requiring firms to notify the FCA of significant changes to their business.

The FCA will set out its proposals relating to the application of SUP 16 reporting requirements to cryptoasset firms in a future consultation paper. In addition, various SUP requirements wouldn’t apply to cryptoasset firms under the proposals, including the requirements detailing the close links and controllers reporting and the SUP rules on FCA approved persons in appointed representatives. 

Other high level standards and business standards

Under the regulations proposed in CP25/25, various high level standards and business standards in other sourcebooks would also apply to cryptoasset firms without any crypto-specific modifications, including: 

  • Threshold Conditions (COND), which are the minimum conditions a firm must satisfy, and continue to satisfy, to obtain and keep its permissions;
  • General Provisions (GEN), which cover the administrative duties that apply to FCA-regulated firms; and 
  • ESG Sourcebook, which sets out rules governing the sustainability claims made by firms. Only rules that apply to all FSMA-authorised firms will apply to cryptoasset firms, so sector-specific ESG rules would not apply.

Senior Management Arrangements, Systems and Controls

The FCA is of the general view that existing Handbook rules (and other related rules) that set standards for governance, systems, controls, whistleblowing and conflicts of interest are equally applicable to cryptoasset firms. As a result, the following would apply to cryptoasset firms similarly to other FSMA-authorised firms under the CP25/25 proposals:

  • SYSC rules: generally, cryptoasset firms would also be classified as “other firms”, rather than “common platform firms” for the purpose of the Senior Management Arrangements, Systems and Controls sourcebook (SYSC), with the rules applying in a similar way to how they apply to most authorised firms (i.e., different to banks and investment firms, which face more complex and stringent requirements). The FCA’s view is that “cryptoasset firms do not typically pose the same level of systemic risk” as banks and investment firms.
  • SM&CR: all existing elements and rules of the Senior Managers & Certification Regime (SM&CR) would apply to cryptoasset firms, including all relevant senior management functions, prescribed responsibilities and conduct rules set out in the Handbook. This includes the certification regime, the requirements of Senior Management Function (SMF) managers, common conduct rules for firm staff in the Code of Conduct Sourcebook (COCON) and the guidance on fit and proper testing. No sector-specific SMFs would be introduced for cryptoasset firms and the FCA does not expect that any cryptoasset firms will be “limited scope”; and
  • Anti-money laundering: cryptoasset firms will be subject to the same Handbook rules and guidance on financial crime that apply to other FSMA-authorised firms. For example, the FCA proposes applying the rules and guidance in SYSC 6 to ensure that firms have adequate policies and procedures to identify, assess, monitor and manage money laundering risks.

Finally, CP25/25 notes that the FCA will publish a future consultation paper focusing on the possible application of the conflicts of interest rules in SYSC 10 to cryptoasset firms given the specific conflicts of interest risks posed by common crypto business models (e.g., vertically integrated exchanges). 

Operational resilience requirements

The FCA has proposed to extend its existing operational resilience framework to cover all firms carrying on regulated cryptoasset business, including those that would not traditionally fall within its scope under existing requirements. The FCA considers that approach to be appropriate given the major harmful impacts of operational failures in the cryptoasset market. 

The effect of this proposal is that the FCA’s rules on the operational resilience framework in SYSC 15A would apply to all firms carrying on regulated cryptoasset activities, while the general risk management requirements (SYSC 4) and the chapter on risk control (SYSC 7) would apply as guidance. 

As part of the proposed crypto-specific guidance to help firms implement the FCA’s operational resilience rules, CP25/25 uses four fictional firms as examples. Those examples demonstrate the robustness of the FCA’s expectations, and they also highlight how the FCA's proposed approach would account for crypto-specific risks such as: (i) private key security risks; (ii) validator risks; (iii) code vulnerabilities; and (iv) service disruptions.

Disapplication of SYSC 8 

The FCA is proposing that cryptoasset firms using permissionless DLTs should not be deemed to enter into outsourcing arrangements for the purposes of SYSC 8. The SYSC 8 rules require firms to increase their level of risk management as they increase their dependence on third-party service providers. The FCA proposes to disapply the SYSC 8 rules for cryptoasset firms using permissionless DLTs on the basis that such firms would face practical challenges following the rules where they lack a direct contractual relationship with the DLT provider. To avoid restricting the use of permissionless DLTs, the FCA is proposing that such use should not be treated as an outsourcing arrangement.

Next steps

The publication of CP25/25 is the latest instalment in the government’s ongoing efforts to implement a regulatory framework aimed at supporting growth in the UK crypto sector. 

The deadline for submitting responses to the discussion chapters of CP25/25 is 15 October. 12 November 2025 is the deadline for respondents to comment on any of the other proposals set out in CP25/25. 

For an overview of the discussion chapters in CP25/25, please read our separate blog post here.
