On 23 January 2026, the FCA published a consultation paper (CP26/4) outlining its further proposals for the application of existing FCA Handbook requirements – including the Consumer Duty, complaints handling, conduct of business rules (COBS), the Senior Managers and Certification Regime (SM&CR) and safeguarding rules under the Client Asset Sourcebook (CASS) – to the new regulated cryptoasset activities. It builds on the FCA’s first consultation on its proposed rules and guidance for regulated cryptoasset firms (CP25/25, which we covered previously).
Rather than creating an entirely new rulebook from scratch, the FCA's approach is largely to extend and adapt its existing framework, but with modifications where necessary (e.g., by disapplying certain prescriptive rules where the Consumer Duty is considered to achieve equivalent outcomes). The proposals also address important practical questions, such as the exclusion of regulated cryptoasset activities from FSCS coverage, the reversal of the FCA’s earlier credit card restriction proposal and the introduction of new baseline reporting obligations for all authorised cryptoasset firms. We have laid out our analysis of the latest FCA proposals below.
This is the sixth blog post in our seven-part series covering the FCA's latest cryptoasset proposals.
Consumer Duty
Consistent with its earlier proposals, the FCA has confirmed its intention to apply the Consumer Duty to cryptoasset firms. As part of this proposal, the FCA has clarified that it does not intend to apply the Product Intervention and Product Governance sourcebook (PROD) to firms carrying on regulated cryptoasset activities – this is because the FCA believes the Consumer Duty ought to provide an appropriate level of protection to retail consumers.
We note more generally that other existing requirements would apply to trad-fi firms but not to cryptoasset firms on the basis that such requirements are made redundant by the Consumer Duty (e.g. COBS 5 rules on distance communications would also be disapplied). Looking forward, this approach could mark the beginning of a wider rationalisation of the FCA Handbook, with prescriptive requirements disapplied where equivalent consumer outcomes are achieved by the Consumer Duty.
As proposed in earlier consultations, the Consumer Duty would not apply directly to:
- participants of a UK authorised CATP (although the Consumer Duty would continue to govern how CATP operators interact with retail customers more broadly e.g. when communicating with them); and
- A&D activities (except in the case of qualifying stablecoins), with similar outcomes targeted through the FCA’s proposed crypto-specific A&D rules and guidance. UK-issued stablecoins would be subject to the Consumer Duty requirements while other cryptoassets admitted to trading on a CATP (e.g. Bitcoin or Ether) will instead be subject to more prescriptive and bespoke A&D rules.
Complaints-handling
The FCA is proposing that Chapters 1 and 2 of the FCA’s Dispute Resolution Sourcebook (DISP), which govern how firms must handle customer complaints and the circumstances in which they can be referred to the Financial Ombudsman Service (FOS), would apply to all cryptoasset firms carrying on regulated activities from a UK establishment.
The FCA proposes to extend the compulsory jurisdiction to complaints arising from acts or omissions in carrying on any of the new regulated cryptoasset activities. The compulsory jurisdiction would cover complaints from eligible complainants about activities of firms carrying out regulated cryptoasset activities from an establishment in the UK, as is already the case for other regulated activities under DISP 2.6.1R. In limited circumstances (e.g. for Gibraltar-based cryptoasset firms), FCA-authorised overseas cryptoasset firms may also be subject to the FCA’s complaints handling requirements. The FCA and the FOS are jointly consulting on whether to extend the voluntary jurisdiction to cryptoasset activities for firms based in the EEA or Gibraltar who are not subject to the compulsory jurisdiction – the FOS currently considers that it is not consistent with its priorities to offer voluntary jurisdiction in relation to cryptoasset activities carried on by authorised firms based in the EEA or Gibraltar who are not subject to the FOS’ compulsory jurisdiction.
Finally, the FCA has made the decision not to extend Financial Services Compensation Scheme (FSCS) coverage to new regulated cryptoasset activities. Consequently, customers would not be eligible for compensation from the FSCS if they suffer investment losses in relation to regulated cryptoasset activities. One particular area to be aware of is that this policy could create an unintended disincentive for the tokenisation of financial instruments - firms providing custody of traditional securities would be carrying on the activity of “safeguarding and administration” and would be within scope of the FSCS, but firms providing custody of tokenised securities would be carrying on the activity of “safeguarding of qualifying cryptoassets and relevant specified investment cryptoassets” and would not be within the scope of the FSCS.
As a practical suggestion, CP26/4 proposes a phased approach to implementing complaints reporting requirements. Cryptoasset firms would only be required to provide a baseline level of complaint data from day one as part of the more general reporting requirements set out in CP26/4 (which we explain in more detail below). This should alleviate the compliance burden on day one of the new regime.
COBS
The FCA intends to extend the definition of “designated investment business” to include the new cryptoasset activities so that COBS requirements would apply to them (with some modifications). CP26/4 sets out in detail how specific COBS rules would be applied. We have noted the following points that are likely to be of interest:
- Conduct of business obligations: broadly, the obligations in COBS 2 would apply – e.g., cryptoasset firms must act honestly, fairly and professionally, providing timely and accurate disclosures. This includes disclosures about the firm, its services, designated investments, proposed strategies, execution venues, and all relevant costs and charges, along with appropriate risk warnings.
- Financial promotions: COBS 4 rules relating to communications with clients, including financial promotions, would apply to all cryptoasset firms – although there are some different requirements for qualifying stablecoin issuers. Namely, financial promotions of qualifying stablecoins issued from outside the UK must include additional risk warnings. By comparison, UK-issued qualifying stablecoins would be reclassified and be subject to less onerous requirements as a result of “their comparatively lower risk profile relative to other overseas stablecoins”. It is also worth noting that the FCA is aware that there are applicable disclosure requirements in CRYPTO which may be separate from and complementary to COBS requirements.
- Appropriateness assessments: like trad-fi firms, cryptoasset firms will be required to conduct appropriateness assessments in line with COBS 10 when offering their (non-advised) services to clients. The FCA is also consulting on new rules specifically for cryptoasset lending and borrowing products, which would broadly require service providers to consider a customer’s lending and borrowing knowledge and experience when conducting appropriateness assessments.
The use of credit cards to purchase cryptoassets
In a move that is likely to be welcomed by industry, the FCA has reversed its earlier proposal that would have restricted firms from accepting credit card payments or lines of credit from electronic money issuers. 57% of respondents opposed restrictions on the basis that risks were overstated, as lenders already follow rules on creditworthiness.
SM&CR
CP26/4 also sets out the FCA’s proposed requirements for categorising cryptoasset firms as “Enhanced” under the SM&CR. The FCA's latest proposals "seek to ensure that the largest cryptoasset firms whose size, complexity and potential impact on consumers or markets warrant more attention will be correctly categorised under SM&CR". The FCA has proposed bespoke Enhanced SM&CR thresholds, summarised in the table below, for qualifying stablecoin issuance firms and qualifying cryptoasset custodians. It has not considered bespoke Enhanced routes for other cryptoasset RAO activities, as these activities do not have natural analogies to those captured under the current Enhanced criteria in traditional finance.
| Firm type | Enhanced threshold |
| --- | --- |
| Stablecoin issuers | if the firm's backing asset pool is £65bn or more (on a 3-year rolling average) |
| Cryptoasset custodians | if (i) in any given month, the sum total value of “client assets” (the sum of the firm’s qualifying cryptoassets and specified investment cryptoassets, when held on trust, during the firm's last calendar year) added to the total value of safe custody assets (if any, held in the firm's last calendar year) is greater than £100bn; or (ii) the firm projects holding a cumulative sum of more than £100bn in safe custody assets and safeguarded cryptoassets in any given month of the current year |
Reporting obligations
The FCA is proposing that the existing returns in SUP 16 will apply to all qualifying cryptoasset firms that have a Part 4A permission. A number of existing returns will be required to be submitted by all qualifying cryptoasset firms from day one of the regime (e.g., annual controllers report, annual financial crime report, baseline financial resilience report). The FCA is also developing new regulatory returns specific to regulated cryptoasset activities, with a core set of “baseline returns” being consulted on in CP26/4. The baseline returns cover key information such as the firm’s customer base, the volume and value attributed to different regulated cryptoasset activities, and its connections with other market participants. The FCA will also make periodic supplementary data requests once the regime is in force, which will allow for bespoke information to be requested by the FCA on an ad hoc basis. Over the first two to three years of the regime, the list of required returns will be refined based on feedback and further FCA analysis. The table below provides a non-exhaustive summary of the returns that must be submitted in respect of each regulated cryptoasset activity from the date the regime is live.
| Activity | Information required (non-exhaustive) |
| --- | --- |
| Safeguarding | Balances, discrepancies, third parties, wallet structure |
| Stablecoin issuance | Minted and issued numbers, backing asset composition, redemptions, third parties |
| CATP operation | Customer numbers, transaction numbers and values |
| Dealing/Arranging | Customer numbers, transaction numbers and values, lending and borrowing values (lending and borrowing only), counterparty info (lending and borrowing only) |
| Staking | Customer numbers, staking values |
| Complaints (all activities) | Total complaints received/upheld |
| Active clients (all activities) | Total active clients, total active vulnerable clients |
Additionally, authorised cryptoasset firms will be required to comply with:
- Operational incidents: reporting rules regarding operational incidents, which will be applied uniformly across all FCA-regulated firms; and
- CASS: monthly reporting requirements set out in CASS, which will be applicable to all cryptoasset safeguarding firms. Unlike the tiered CASS reporting (where small trad-fi firms are only required to report annually), all cryptoasset safeguarding firms will be required to submit monthly returns regardless of their size. The FCA considers more consistent, frequent reporting to be essential to provide the FCA with sufficient oversight and to monitor emerging risks effectively.
CASS
CP26/4 also proposes amendments to existing safeguarding-related rules in CASS 17 for firms that safeguard client cryptoassets and provide other cryptoasset services such as operating a trading platform, staking, lending and borrowing. The most recent FCA proposals relate to:
- the scope and application of CASS rules for firms offering custody alongside other regulated cryptoasset services;
- requirements to protect clients’ ownership rights through a non-statutory trust in which to hold client cryptoassets, including proposed routes to exit the trust;
- record-keeping and reconciliation requirements;
- requirements for private key management and security; and
- requirements for the appointment of third parties involved in cryptoasset custody.
The FCA has also confirmed that it still intends to require client cryptoassets to be held on trust. However, in light of industry feedback the FCA is now proposing that a firm can apply exceptions to the requirement to safeguard client cryptoassets as a trustee if certain conditions are satisfied (e.g., the firm is providing lending services in relation to the relevant cryptoassets). Once cryptoassets are removed from the trust, they would no longer be considered client cryptoassets so clients could no longer benefit from the related CASS protections.
In CP25/14, the FCA consulted on rules for firms that were only safeguarding clients’ qualifying cryptoassets without carrying on other regulated cryptoasset activities. The FCA is now consulting on proposed amendments to CASS 17 for custodians of specified investment cryptoassets that also carry on other regulated cryptoasset activities. The FCA noted that it is seeking to ensure adequate protection of clients’ specified investment cryptoassets, and that these assets are returned wholly and as quickly as possible in the event of a firm’s insolvency. As a result, it is proposing bespoke CASS rules for the custody of specified investment cryptoassets, instead of the existing CASS 6 rules, to ensure these clients’ cryptoassets are safeguarded effectively. The FCA considers that CASS 17 would be better suited to address the unique risks of the specified investment cryptoasset market and recognises that there is no external party to ensure that legal ownership is accurately recorded and updated.