19 December 2025

Travelling along the UK Road(map) to Regulating Cryptoassets: Finalised statute and new FCA Consultations

Written by:Sophie Lessar Chris Harvey Sam Gokarn-MillingtonSuman Khurana

Latest Developments

On 16 December 2025, the Financial Conduct Authority (FCA) released three separate consultation papers (the CPs) as part of its ongoing work to establish a comprehensive regulatory regime for cryptoasset firms.

CP25/40 - Regulating Cryptoasset Activities
CP25/41 - Admissions & disclosures and market abuse regime for cryptoassets
CP25/42 - A Prudential Regime for Cryptoasset Firms

The CPs are accompanied by the finalised legislation of the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2025 (the Statutory Instrument). A draft Statutory Instrument was published by HM Treasury in April 2025, for the regulation of certain activities relating to cryptoassets (see our previous article here). The updated Statutory Instrument (published on 15 December 2025) now brings additional cryptoasset activities within the FCA’s regulatory remit and expands the regulatory perimeter initially proposed earlier in April 2025.

These consultations and statute are part of the foundations for the expansion of the FCA’s regulatory framework to cover a broader range of activities and risks beyond the FCA’s current limited focus on financial promotions and anti-money laundering requirements.

Market participants and stakeholders are invited to provide feedback on the FCA proposals by 12 February 2026. The FCA will consider all responses in line with its Crypto Roadmap and intends to publish final rules and guidance in policy statements in 2026. The new legislation is expected to be approved in 2026 and be in force from October 2027.

This briefing note sets out an overview of the key proposals and exceptions. For more information about what this means for you, contact the authors.

FSMA Landscape and Market Abuse Regime: The Statutory Instrument

The Statutory Instrument establishes the UK’s first comprehensive regulatory framework for cryptoassets. It amends existing law to bring a wide range of cryptoasset activities within the FCA remit.

The legislation defines key categories, ‘qualifying cryptoassets’, ‘qualifying stablecoin’, and ‘specified investment cryptoassets’, and makes activities such as issuing stablecoins, safeguarding assets, operating trading platforms, dealing, arranging deals, and staking regulated activities requiring FCA authorisation.

The Statutory Instrument and CPs expand the regulatory perimeter beyond the earlier draft published in April 2025, to explicitly include cryptoasset lending and borrowing, as well as DeFi activities within the scope of activities which are regulated under the regime. The Statutory Instrument formalises requirements for both UK-based and overseas firms serving UK clients.

Creating the framework for disclosure requirements for cryptoasset offers in the UK, it will be important for international firms to read this framework alongside the EU’s MiCA disclosure requirements. The detailed, yet principles-driven, approach aligns with broader UK disclosures frameworks. Firms will need to track these requirements against MiCA if seeking to operate in the UK and EU. For retail markets, it will also be important to take into account broader transparency and disclosure requirements. Manufacturer/distributor obligations for those with indirect retail market considerations will also be important. Given the liability regime imposed, with direct liability to pay compensation for loss resulting from untrue or misleading statements or omissions, firms interposed in the offer of cryptoassets, particularly where there is not a known “issuer” in the traditional sense, should feature in firm analysis of this statute.

The Statutory Instrument introduces new rules on public offers, admissions to trading, and a market abuse regime tailored to cryptoassets, prohibiting insider dealing, unlawful disclosure, and market manipulation. The UK government’s approach is grounded in the principle of “same risk, same regulatory outcome”, meaning that cryptoasset activities presenting similar risks to those in traditional finance will be regulated to the same standard. This aims to support innovation while ensuring robust consumer protection and market integrity.

The Statutory Instrument also now provides a prudential framework, including clarifying further the requirements for stablecoin issuers and custodians, as well as expressly outlining the consumer protection requirements and conduct expectations for retail-facing crypto asset activities. Once implemented, the Statutory Instrument is intended to increase regulatory certainty, investor confidence, and competition in the sector.

Regulating Cryptoasset Activities: FCA Consultation Paper CP25/40 -

Background

The FCA’s current oversight is limited to the promotion of cryptoassets and the enforcement of anti-money laundering standards. Under the proposed regime, firms and individuals will be required to obtain FCA authorisation before carrying out a wider set of cryptoasset activities “by way of business” in the UK.

The FCA’s proposals demonstrate the effort to adapt to the rapidly evolving financial markets. By introducing a comprehensive regulatory framework for cryptoassets, the FCA seeks to fulfil the objectives set out in its five-year strategy, including becoming a smarter regulator and supporting economic growth (read more on the FCA’s five-year strategy in our article).

What does this mean for market participants?

Currently, the cryptoasset market remains largely unregulated in the UK, except for the requirements on financial promotions and financial crime. Upon implementation of these proposals, cryptoasset trading platforms will require FCA authorisation. Additionally, they will still need to follow the FCA Handbook requirements (CP35/25) as part of the Crypto Roadmap.

Similarly, firms acting as intermediaries in dealing with qualifying cryptoassets, involved in cryptoasset lending and borrowing, staking or decentralised finance will have increased requirements of disclosure and following a prudential regime. The proposed changes follow an approach that is very similar to the regulatory regime that traditional financial institutions must follow. Therefore, market participants will need to ensure compliance with the new regulations or even reconsider their operations and business models.

Overview of CP25/40

CP25/40 presents the FCA’s proposed rules and guidance for several newly regulated cryptoasset activities that had not been addressed in previous consultations. These activities include:

Cryptoasset trading platforms (CATP) – platforms providing a marketplace for retail and institutional clients;
the role of intermediaries – when dealing in qualifying cryptoassets;
- lending and borrowing services – firms offering cryptoasset lending and cryptoasset borrowing services by way of business
staking – cryptoassets used and locked for proof-of-stake blockchain validation in exchange for financial rewards; and
decentralised finance (DeFi) –financial system utilising cryptoassets in direct transactions between individuals and businesses, removing centralised institutions.

Cryptoasset Trading Platforms

Under the proposed regime, firms operating CATPS, as defined into the Cryptoasset Regulations, will now need FCA authorisation to provide service to retail and institutional clients.

In order to obtain this authorisation, firms will need to have a presence in the UK. Especially relevant to international firms serving UK clients is the expectation of establishing a UK legal entity to be able to get authorisation. Some flexibility is set to be permitted for branches, however, retail clients must always have a relationship with a UK entity to evidence adequate oversight and consumer protection. CP25/40 formalises requirements for both UK-based and overseas firms serving UK clients, with a strong emphasis on UK legal entity requirements for retail access.

Additionally, UK operators must have defined and non-discriminatory rules and procedures to allow users to access and use the platform. These procedures must be sufficient to protect these users from market-making arrangements and communicate the conflicts of interest that are especially relevant to the platform.

Intermediaries

Intermediaries are defined in CP25/40 as those dealing in qualifying cryptoassets as principal, agent or those arranging deals, following the definition in the Cryptoasset Regulations. They will be required to comply with rules on best execution, client disclosures, management of conflicts of interest, and record-keeping.

Transparency and reporting are the key themes of the proposals. Pre-trade and post-trade transparency requirements will apply to larger firms, defined as those with annual revenues exceeding £10 million. Smaller firms and certain business models will be exempt. All firms must keep detailed records of transactions and client orders for five years and provide prompt reporting to clients.

Lending and Borrowing

Access to lending and borrowing services for retail consumers will be permitted but subject to strict requirements, including the requirement of adhering to new consumer protection, disclosure, and record-keeping obligations. To satisfy the consumer protection requirements, lenders will need to inform clients on the service and cryptoassets provided to the client, their access to the return and yield, restrictions and minimum thresholds as well as “any other information material to [their] understanding” of the service.

Similarly, requirements for express consent, over-collateralisation, and negative balance protection are included in the proposals. The use of proprietary tokens in lending and borrowing is still prohibited due to concerns about conflicts of interest and consumer protection.

Staking

CP24/40 follows the definition of staking set out in the Cryptoasset Regulations. Staking firms will now be required to give retail clients enhanced information about the firm and the way its staking service operates.

The aim of the new requirements on staking is to ensure that consumers have a clear understanding of the risks of the service. Staking services will be regulated, with firms required to provide clear information and obtain express consent from retail clients, as well as to maintain appropriate records and ensure operational resilience.

Decentralised Finance

Where DeFi activities are carried out by a controlling person or entity, these activities will be engaged in the wider regime. CP25/40 follows the same approach to DeFi as that in Treasury’s Policy Note (published April 2025). The FCA intends to apply the same regulatory outcomes as for centralised firms, following the principle of “same risk, same regulatory outcome”. This proposal aims to minimise regulatory arbitrage.

However, further consultation is expected to ascertain the degree of decentralisation and control that will be required in DeFi arrangements. The regulator, through CP25/40, is seeking feedback from the industry on whether traditional rules should apply to staking, borrowing and lending, and decentralised finance.

Admissions & disclosures and market abuse regime for cryptoassets: FCA Consultation Paper CP25/41

Background

The proposals in CP25/41, based on the Statutory Instrument, are designed to prohibit insider dealing, unlawful disclosure, and market manipulation in relation to “relevant qualifying cryptoassets”. The new rules also require UK qualifying cryptoasset trading platform (QCATP) operators and intermediaries to carry out extensive surveillance and promptly report suspicious activity. These rules extend the existing UK Market Abuse Regulation (UK MAR) framework to cryptoassets, but are tailored to address the unique features and risks of the cryptoasset sector.

What does this mean for market participants?

For banks and cryptoasset intermediaries, the new rules mean a substantial upgrade in surveillance capabilities. Traditional tools for monitoring suspicious trading in stocks or bonds are no longer sufficient; systems must now be able to detect crypto-specific risks, such as unusual blockchain activity or trading linked to cryptocurrency forks. Firms are required to monitor all client orders, regardless of the platform used, ensuring a comprehensive view of client activity. Staff training becomes essential, equipping employees to recognize new forms of market abuse unique to crypto trading.

Relevant parties, such as issuers, offerors, platform operators, and certain intermediaries, must keep an insider list of everyone who has access to confidential information like code changes or upgrades, as required by Regulation 31. If an event occurs that could affect a cryptoasset’s price, they must disclose it to the public immediately under Regulation 26. Disclosure can only be delayed if three conditions are met: it would harm legitimate interests, the information remains confidential, and the delay will not mislead the public. Once these conditions no longer apply, the information must be published without delay.

Overview of CP25/41

The new rules centre on three offences: insider dealing, unlawful disclosure, and market manipulation. Given that these rules are an extension to the existing UK MAR framework, the possible penalties for these three offences include potential civil and criminal penalties that are established under the existing UK MAR framework.

Insider Dealing

Regulation 22 of the Statutory Instrument broadly prohibits insider dealing. Anyone with inside information must not:

Use it to acquire/dispose of a qualifying cryptoasset or related instrument;
Cancel or amend an order based on such information; or
Recommend or induce another person to do so.

A breach does not require intent. Strict liability applies. Inside information is defined in Regulation 18 of the Statutory Instrument as information that meets several criteria. Specifically, it must be:

Precise in nature;
Not made public;
Related directly or indirectly to a relevant issuer, offeror, UK QCATP operator, or the cryptoasset itself; and
Likely to have a significant effect on the price if made public.

The “significant effect” test is set out in Regulation 18(4)(d) of the Statutory Instrument. This provision states that information is considered to have a significant effect if “a reasonable person would be likely to use it as the basis, or part of the basis, of the person’s investment decisions”.

Examples of inside information include information regarding:

A “whale alert” (large transfer) if not publicly accessible;
Code vulnerabilities known to developers pre-admission;
Blockchain forks (plans to introduce or reject a protocol split);
Viability or instability of a qualifying stablecoin;
Upcoming “air drops” or “burning” events (including magnitude and timing).

Unlawful Disclosure

Regulation 24 of the Statutory Instrument prohibits disclosing inside information unless in the normal course of duties. There is an exemption for journalism (Regulation 25(1)(b) of the Statutory Instrument), provided the disclosure is made for journalistic purposes, no advantage or profit is derived, and there is no intent to mislead the market.

Market Manipulation

Regulations 19 and 28 of the Statutory Instrument ban actions creating false/misleading impressions or abnormal prices, including:

Trades/orders distorting supply, demand, or price;
Deceptive schemes;
Disseminating false information via media/social media;
Manipulating benchmarks;
Controlling supply/demand to fix prices;
Disruptive order placement;
Giving opinions after taking positions without disclosing conflicts.

Regulation 39 of the Statutory Instrument applies these prohibitions to solo or joint actions.

Systems, Controls, and Information Barriers

Regulation 30(2) of the Statutory Instrument requires UK QCATPs and intermediaries to maintain systems to prevent, detect, and disrupt abuse, including monitoring orders, alerts, and communications.

Suspicious activity must be promptly reported (Regulation 30(3) of the Statutory Instrument) with details of the asset, timing, description, reasons, and suspected party. Notifications must remain confidential, and Regulation 30(5) of the Statutory Instrument provides civil liability protection for good faith notifications.

Regulation 33 of the Statutory Instrument protects disclosures made by individuals who know or suspect contraventions of insider dealing, unlawful disclosure, or market manipulation, provided the information was obtained in the course of their work and the disclosure is made to a nominated officer as soon as practicable.

Finally, Regulation 31 of the Statutory Instrument mandates insider lists for relevant persons such as issuers, offerors, operators, and intermediaries, to be updated and provided to the FCA on request.

A Prudential Regime for Cryptoasset Firms: FCA Consultation Paper CP25/42

Background

CP25/42 builds on earlier proposals in CP25/14 and CP25/15, which introduced the prudential sourcebooks COREPRU and CRYPTOPRU. This latest paper extends the framework to cover remaining cryptoasset activities, including operating a qualifying cryptoasset trading platform (CATP), staking, arranging deals, and acting as agent or principal in qualifying cryptoassets (including lending and borrowing products).

What does this mean for market participants?

If these proposals are adopted, stakeholders can expect a more resilient and transparent crypto market. The higher capital and liquidity requirements will protect assets and reduce the risk of firm failure. These measures should strengthen consumer confidence and improve stability, particularly for products like stablecoins, which would need robust backing. However, the changes may also increase compliance costs for firms, which may lead to higher fees or reduced product choice.

Overview of CP25/42

Minimum Capital Requirement

The FCA has proposed a minimum capital requirement based on firm type. The minimum capital requirement (Permanent Minimum Requirement or PMR) is the highest of three limbs: PMR, Fixed Overhead Requirement (FOR), and K-factor Requirement (KFR). The PMR for each activity is specified (e.g., GBP75,000 for dealing as agent, GBP150,000 for CATP, GBP750,000 for principal).

The FCA proposes to apply risk-weighted calculations to crypto exposures and higher weights for volatile or illiquid tokens. Firms will also be required to maintain sufficient own funds to cover operational and market risks. Firms will need to hold their own capital, cash or high-quality liquid assets, above the set threshold. Custodial firms are likely to face higher minimums. The FCA’s rationale is that the requirement will strengthen consumer protection.

Mandatory Liquidity Standards

The FCA has proposed that cryptoasset firms will need to maintain adequate liquid assets (Basic Liquid Assets Requirement or BLAR) to meet short-term obligations, even under market stress. This includes holding high-quality liquid resources and conducting regular stress tests to ensure resilience in extreme conditions. The proposal is for the BLAR to be set at one third of the FOR plus 1.6% of guarantees provided to clients. There is also an Issuer Liquid Asset Requirement (ILAR) for stablecoin issuers. Firms must assess liquidity needs over a rolling 90-day period and consider wind-down scenarios

These requirements aim to prevent sudden liquidity shortfalls that could disrupt operations or harm clients and consumer protection.

Overall Risk Assessment and Group Risk

The FCA have highlighted two notable changes in CP25/42 from CP25/15:

The internal capital adequacy and risk assessment process is now referred to as the overall risk assessment, which is now the “centrepiece of risk management". Under the proposal, this would need to be reviewed annually.
The FCA has dropped plans for bespoke group requirements. Instead, firms must consider group risk within their overall risk assessment and disclose relevant group information under public disclosure rules

COREPRU and CRYPTOPRU in Practice

COREPRU currently applies only to firms carrying on regulated cryptoasset activities, with plans to consult on extending it to other regulated firms in future.
CRYPTOPRU sets crypto-specific prudential standards. Together, they cover own funds, liquidity, fixed overheads, disclosure obligations, and concentration risk monitoring.
Firms subject to the MIFIDPRU regime will complete a single overall risk assessment (ICARA) and may publish consolidated prudential disclosures to avoid duplication.

Crypto Regime vs IFPR

The FCA’s proposed prudential regime for cryptoasset firms differs from the standard Investment Firms Prudential Regime (IFPR) because it is tailored to address crypto-specific risks. While the overall structure mirrors IFPR, the calibration of requirements is distinct.

For example, the regime introduces an Issuer Liquid Asset Requirement (ILAR) for stablecoin issuers to ensure adequate backing assets, alongside bespoke K-factors that reflect crypto activities such as issuance and custody. These measures aim to strengthen operational resilience given the volatility and technological dependencies inherent in crypto markets.

Litigation Risk Considerations

As well as implementation of a new licensing and compliance regime, taking into account tradfi experience of the years, and the nature of this industry, cryptocurrency exchanges and providers should also plan for areas of potential litigation risk that may face from retail claimants under the FCA’s new regulatory regime:

Overseas Platforms: Overseas exchange platforms serving UK retail customers will be required to use a UK legal entity for retail access. There is the potential for follow-on consumer claims if platforms are subject to regulatory intervention for operating or arranging without authorisation.
Admissions/public offer disclosures: The new admissions & disclosures regime raises potential liability where disclosures are incomplete or misleading for assets admitted or offered via a UK platform, opening statutory compensation style exposure.
Staking services: Enhanced retail disclosures and consent requirements mean mis- description of staking mechanics and/or risks could prompt mis-selling allegations.
Market abuse: Platforms/intermediaries will be required to prevent, detect and disrupt abuse and keep insider lists. Surveillance or disclosure failings could lead to FCA action and private follow-on claims.
Inside information handling: Immediate public disclosure will be required where price sensitive information arises (subject to narrow delay conditions). Mishandling may create enforcement and investor loss claims risk.
Stablecoin touchpoints: Issuance and related activities fall within scope; statements about backing/redemption expose firms to misrepresentation claims if redemption falters in stress.

Next Steps

The FCA’s proposals signal a major shift towards a full regulatory regime for cryptoassets, aligning them with traditional financial standards to improve market integrity and consumer protection.

Next Steps for Firms:

Check Scope: Confirm if your activities require FCA authorisation, including any existing permissions that may need to be varied or additional permissions to be applied.
Map: For firms active, or planning to be active, in other jurisdictions, compare and track similarities and differences in regimes, in order to identify efficiencies and areas where different compliance may be needed.
Prepare Applications: Review governance, processes, and client disclosures.
Upgrade Controls: Implement systems to detect crypto-specific risks and market abuse.
Training: Consider training teams on immediate disclosure triggers and conditions for delay.
Plan Capital & Liquidity: Model requirements under COREPRU/CRYPTOPRU and stress-test resilience.
Engage: Review the CPs and Statutory Instrument and submit any feedback by 12 February 2026.
Monitor: Monitor FCA updates for enforcement expected from October 2027.