On 17 September 2025, the Financial Conduct Authority (FCA) released Consultation Paper CP25/25, proposing the application of existing FCA Handbook rules to cryptoasset activities.
In this article, we’ve listed 7 proposed changes to their governance that cryptoasset companies will need to make, based on this paper, which are each subject to further update based on feedback the FCA receives. The final regulations are expected to be published in 2026.
1. Changing how firms will comply with Money Laundering Regulations (MLRs)
Cryptoasset firms will still be subject to MLRs, but they will no longer be required to register separately with the FCA as a cryptoasset business under the MLRs. Cryptoasset firms (including those currently registered under the MLRs 2017) will need authorisation under the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (FSMA RAO), and will be subject to the requirements of the FCA Handbook. Guidance contained in the Financial Crime Guide (FCG) and Financial Crime Thematic Reviews (FCTR) will also apply.
2. Applying the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook, and others
The SYSC sourcebook, along with related sourcebooks such as Code of Conduct (COCON), Fit and Proper test for Employees and Senior Personnel (FIT), and FCG, will apply to cryptoasset firms, just as they do for existing FSMA authorised firms.
In general, under SYSC, cryptoasset firms will be classed as ‘other firms’ (in the same way as consumer credit companies) as opposed to ‘common platform firms’ (such as banks or investment companies). If cryptoasset firms are carrying on multiple regulated activities, and those activities lead them to be classed as ‘common platform firms,’ then they will have to meet the higher standards applied to ‘common platform firms’ across all of their regulated activities.
3. Applying the Senior Managers and Certification Regime (SM&CR)
The existing SM&CR will apply to cryptoasset firms, requiring clear accountability and apportionment of responsibilities. This would make senior leaders personally accountable for operational failures, misconduct, or regulatory breaches occurring under their oversight.
Regardless of classification under SM&CR, all cryptoasset firms will be classed as Designated Investment Businesses (DIB), and will be required to have a Compliance Oversight Function (SMF 16). Most cryptoasset firms will be categorised as Core under the SM&CR and will also be required to allocate up to 6 Senior Management Functions (depending upon whether the SMFs are relevant to the firms):
- SMF1 – Chief Executive
- SMF3 – Executive Director
- SMF27 – Partner
- SMF9 – Chair
- SMF16 – Compliance Oversight
- SMF17 – Money Laundering Reporting Function
4. Extending the FCA’s operational resilience framework to cryptoassets
Due to the cryptoasset sector’s heavy reliance on technology, and noting the Bybit hacking incident (in which over USD 1.5 billion was stolen when hackers breached the wallet infrastructure) the FCA plans to extend its operational resilience framework to all cryptoasset firms.
Firms will be expected to demonstrate that they can prevent, withstand, and recover from cyber incidents, system outages, and other disruptions, thereby minimising consumer harm and maintaining market confidence. In Q1/Q2 2026, the FCA also plans to consult on the use of DLTs with the intention of providing greater clarity on their implications for operational resilience.
5. Applying the Environmental, Social and Governance (ESG) sourcebook
The ESG sourcebook will generally apply to cryptoasset firms. No new cryptoasset-specific climate or sustainability disclosures are to be introduced at this time. Cryptoasset firms promoting cryptoassets and associated products and services to UK customers will need to ensure any claims about the sustainability characteristics of those products are fair, clear, and not misleading.
6. The future application of Consumer Duty and redress
The FCA has invited views on how Consumer Duty could be proportionately extended. It has suggested two options:
- apply the Consumer Duty with sector-specific guidance, or
- introduce bespoke consumer protection rules instead.
The FCA’s current preferred approach is to apply the Duty with sector-specific guidance, recognising that decentralised products and fluctuating valuations may complicate implementation. Trading between participants on authorised cryptoasset trading platforms would not fall within the Duty’s scope. The FCA is also consulting on whether consumers should have access to the Financial Ombudsman Service (FOS) and protections under the Dispute Resolution (DISP) rules.
7. Future potential application of Conduct of Business (COBS) and Product Governance
The FCA is seeking feedback on whether, and how, to apply COBS and Product Governance rules to cryptoassets. At the same time, the regulator is considering a more flexible approach to product governance. Due to the decentralised and fungible nature of many cryptoassets, it may not apply the existing Product Governance regime and instead rely on Consumer Duty principles and tailored guidance to deliver equivalent governance outcomes, where conventional frameworks are not considered appropriate.
Our view
We believe that the CP25/25 consultation is a constructive step towards aligning cryptoasset activities with established financial services standards. By classifying cryptoasset firms as ‘other firms’ rather than applying the same rules as banks and investment firms under SYSC, the FCA aims to ease regulatory burdens – though some critics have questioned whether this goes far enough.
Spanning 160 pages, the consultation paper provides detailed guidance and practical examples on the governance of cryptoasset firms and activities, which, while extensive, serves as a timely reminder for businesses to begin planning. Key priorities should include strengthening systems and controls, and assessing senior management functions and resourcing needs.
Stakeholders are also watching closely for the FCA’s final stance on Consumer Duty. The regulator’s challenge will be to maintain consistency without stifling competition, or pushing smaller firms offshore, before the full regime takes effect in 2026.
How can we help?
For further information about issues raised in this article, please contact a member of our Cryptoassets team.
