Legal briefing | |

Come one, come all: FCA CP26/4 and yet more cryptoasset proposals

Come one, come all: FCA CP26/4 and yet more cryptoasset proposals

Overview

At the end of last year, we spent considerable ink (or its virtual equivalent) summarising HM Treasury's now finalised Financial Services and Markets 2000 (Cryptoassets) Regulations 2025 (the SI), and the FCA's barrage of cryptoasset consultation papers that followed in quick succession.

Our earlier briefings in May 2025 and December 2025, explained that from 25 October 2027, the SI will amend the UK Regulated Activities Order (RAO) to create seven new UK regulated activities relating to cryptoassets, as well as extending the scope of the existing activity of "agreeing to carry on a regulated activity" in Article 64 RAO to cover the new cryptoasset activities. We refer to these new regulated activities below as "cryptoasset activities".

Those of us subject to the mistaken impression that we had only to wade through three CPs with a combined total of over 600 pages of narrative and rules have once again fallen foul of wishful thinking. FCA CP26/4, comprising another 294 pages of information, was published on 23 January 2026 and is a sort of "mop-up" consultation setting out a range of additional proposals and following up on earlier suggestions trailed in CP25/25 back in September 2025. However, firms should not be fooled – although CP26/4 covers a range of disparate issues, some of its content may still have a very significant impact on firms' business models and organisational structures. Therefore, while we sympathise with those who are suffering from consultation fatigue, we would strongly encourage firms to stay engaged with the subject matter and how it will apply to their operations, lest there be some unwelcome surprises down the line. 

The latest consultation in CP26/4 closes on 12 March 2026, after which we anticipate that firms and industry associations will need a cold towel and bed rest after this marathon bout of policymaking. Although we don't yet have a confirmed date for the corresponding policy statement(s), these seem likely to follow towards the middle or latter half of the year, after which the rush to implementation will really begin in earnest. Once more unto the breach...

In this latest briefing, we summarise the key elements of CP26/4 and set out our own views on some of the proposals, identifying some aspects which we think will require clarification or refinement in the final rules.

Announcement of the FCA cryptoasset application window

Probably the most significant development in the last few weeks, albeit one that is not contained in CP26/4 itself, is that the FCA has now confirmed the window during which firms will need to apply for authorisation or variation of permission if they wish to carry on cryptoasset activities on or after 25 October 2027 (when the new regime takes effect).

The window will be open from 30 September 2026 until 28 February 2027.

It is important that firms which will be (or which expect to be) carrying on cryptoasset regulated activities from 25 October 2027 submit their applications during the application window. This is because there are more generous transitional provisions available to firms while their applications are being determined if the application was submitted within the specified period.

Applications submitted outside the window but before 25 October 2027 will generally receive more limited transitional relief, which covers only the "run-off" performance of pre-existing contracts. This means that existing cryptoasset businesses that submit an application outside the application window may find that their ability to take on new business from 25 October 2027 is disrupted.

  1. CP26/4: The headlines
  2. Taken into custody: Client Asset (CASS) rules for cryptoasset safeguarding
  3. Troubled waters? The proposed approach to authorising overseas firms
  4. Retail without the detail? The proposed application of the Consumer Duty
  5. The best of the rest: other elements of the proposals

Now Reading

CP26/4: The headlines

As noted above, in many ways, CP26/4 is a sweep up of outstanding topics, covering proposed conduct, governance and reporting rules that were not previously addressed. Very broadly, those topics include:

  • New proposed FCA client asset (CASS) rules to cover the new regulated activity of safeguarding cryptoassets.

  • Guidance on the FCA's general approach to authorising overseas firms to carry on cryptoasset activities.

  • The application of the Consumer Duty to cryptoasset activities (including a separate consultation on non-Handbook guidance about how the Duty applies in this context).

  • Extending existing conduct of business requirements for traditional investment business to cryptoasset activities.

  • Proposals around how to determine when a cryptoasset firm will constitute an enhanced firm for the purposes of the FCA's Senior Managers and Certification Regime (SMCR).

  • Proposed training and competency requirements in relation to certain activities carried on for retail clients.

  • Proposals for how the FCA's complaints resolution rules should apply, whether activities should be subject to the jurisdiction of the Financial Ombudsman Service and whether they are covered by the scope of the Financial Services Compensation Scheme.

  • Proposals for periodic regulatory reporting requirements for cryptoasset firms.

Below, we shine a light on several of the more important or interesting aspects of these proposals.

Although the proposals represent a scattering of different issues, some of the draft rules and guidance could end up being highly significant for firms' business and operating models. This is particularly the case in relation to elements of the CASS proposals, as well as the proposed application of the FCA's Consumer Duty to cryptoasset business involving retail clients in the distribution chain. Given the considerable difficulties that some firms in the 'trad-fi' space have experienced in complying with these requirements, cryptoasset firms should engage with the detail of these proposals quickly and consider whether the FCA's expectations are sufficiently clear and practical to allow effective implementation. For reasons we explain below, we have particular reservations over whether some of the elements of the CASS rules have been formulated correctly and will achieve the FCA's intended outcomes.

Taken into custody: Client Asset (CASS) rules for cryptoasset safeguarding

Perhaps the most significant component of CP26/4 is the FCA's draft CASS 17 rules, which set out the requirements relating to the protection of cryptoassets that will apply to firms carrying on either or both of:

  • the Article 9N(1)(a) RAO activity of safeguarding a qualifying cryptoasset or relevant specified investment cryptoasset; or

  • the Article 9N(1)(b) RAO activity of arranging for another person to carry on the above safeguarding activity.

The proposed requirements are relatively technical and therefore what follows is only intended as a high-level summary.

 

Scope opera

In terms of their scope, the FCA is proposing that the relevant CASS rules will apply only in relation to activities carried on from a UK establishment. This is likely to be a welcome clarification, particularly given the current uncertainty around the precise territorial scope of the cryptoasset safeguarding activities themselves. This means that where cryptoassets are held or controlled from an establishment outside the UK, the new CASS 17 rules would not apply (although there may still be some conceptual questions about precisely where a cryptoasset is considered to be held or subject to control in practice).

There is also an exemption from the CASS 17 rules for a UK qualifying cryptoasset trading platform (QCATP) operator if, broadly, the following conditions are met:

  • the QCATP operator is a non-UK firm;

  • the QCATP operator is subject to a regulatory requirement (as part of its FCA authorisation) that it can only safeguard cryptoassets to facilitate the settlement of transactions executed on a UK QCATP; and

  • such requirement also prohibits the QCATP operator from accepting any qualifying cryptoassets from a UK user, other than qualifying cryptoassets which it has received via another member of its group which is itself acting in compliance with CASS 17 rules relating to the settlement of transactions on a UK QCATP.

The FCA indicates that this (narrow) exemption is designed to facilitate a "float" model where cryptoassets are moved from the client's own wallet into a global settlement wallet, with transactions then being settled off-chain in the firm's internal ledger.

Apart from that, a UK QCATP operator which holds or controls cryptoassets on behalf of customers will generally need to comply with the new CASS 17 rules, including UK QCATP operators who provide integrated custody solutions as part of the QCATP's services to customers, as well as where a UK QCATP operator uses client assets to pre-fund transactions.

Firms should also remember that the concept of safeguarding cryptoassets is drawn far more widely than the equivalent activity of safeguarding and administering investments in the 'trad-fi' context. This is because the concept of cryptoasset safeguarding is primarily constructed around a somewhat nebulous "control" test, meaning that it is possible for a firm to be safeguarding a cryptoasset where it controls the means of access to that asset, even though the firm is not holding the asset (in the sense of having legal and/or beneficial title to it). In our response to HM Treasury's consultation on the draft SI in May 2025, we advocated for a different approach, with a clearer distinction between holding and non-holding control, but this was ultimately not adopted.

 

Devil in the detail - Requirement to safeguard assets as trustee

Despite industry pleas to the contrary, the FCA has confirmed that it is proposing to introduce a requirement, subject to limited exceptions, that where a firm is carrying on the regulated cryptoasset safeguarding activity, it must ensure that it is acting as trustee in relation to the relevant client cryptoassets under a trust that complies with certain specified conditions. Broadly speaking, the relevant conditions are that:

  • the relevant trust must be created and operated by the firm in compliance with applicable legal requirements for trusts in the UK;

  • the terms of the trust must be clearly documented so that the intended purpose of the trust and its terms are clear; and

  • the terms and operation of the trust must comply with certain requirements specified by the FCA, including that the firm (as trustee) must be required to respond to any lawful instructions given by the relevant client and that the trust assets must be segregated and insulated from the claims of any creditors (other than the clients whose assets are subject to the trust).

The FCA's proposed trustee rules also contain rules around a firm's ability to maintain an operational surplus in relation to trust assets and the way in which shortfalls should be allocated.

It appears that in the absence of powers to create a statutory trust (unlike the framework for 'trad-fi' investment business), the FCA is seeking to implement trust-based protections for client cryptoassets by using CASS 17 to impose a trustee obligation on firms.

Ignoring for now (as we covered this in this briefing) the advantages and disadvantages of a trust model more generally, in the context of  "non-holding" cryptoasset safeguarding (i.e. where a firm has control over the means of access to a client cryptoasset, but does not have legal or beneficial title to it) this approach simply will not work. This is because, under English law it is not possible for a person to declare a trust over assets in relation to which that person has no proprietary interest, and the FCA's draft rules require that any declared trust must comply with UK legal requirements.

The specific requirements in CASS 17.4 for firms holding the means of access to a client cryptoasset do not help either as none of them are expressed to switch off the general requirement for a firm to act as a trustee in relation to client cryptoassets.

Therefore, absent a specific exemption from this trust requirement, non-holding cryptoasset safeguarding, as envisaged under Article 9N RAO, would simply not be able to take place from a UK establishment, as there would be no way for the firm to do so in compliance with the FCA's proposed CASS 17 framework. We hope that this is simply a drafting oversight, which can be fixed as part of the post-consultation output, rather than a deliberate policy choice by the FCA.

 

Shards of control - managing the means of access to a cryptoasset

As noted above, the FCA is proposing that specific rules should apply where a firm has control over the means of access to a client cryptoasset. In the context of sharding of the cryptoasset, the FCA's rules clarify that the concept of "means of access" includes shards of a private key, so that the rules will apply where a firm has a sufficient quantity of shards (or can direct others who hold a sufficient quantity of shards) to exercise control over the relevant asset.

As you would expect, the proposed requirements broadly relate to ensuring robust security and organisational arrangements to protect against the possibility of loss, inoperability or irrecoverability of the relevant client cryptoassets, as well as associated record-keeping requirements. This emphasises the importance of maintaining adequate operational resilience and security processes, as failures in those areas may lead to breaches of CASS 17 and the FCA has historically operated a very low tolerance for non-compliance with any aspects of the client assets framework.

 

Clear accounts - Record keeping and reconciliation requirements

As with the trad-fi CASS framework, the new CASS 17 rules include requirements for firms to maintain the necessary records to allow them to establish the entitlement of each client to the client cryptoassets held by the firm, as well as allowing the firm's own assets to be distinguished from client cryptoassets.

The firm will also need to calculate and reconcile the relevant client entitlement to cryptoassets and the corresponding assets that it holds on behalf of the client at least once every business day. Where the firm identifies a discrepancy, it will need to resolve this without delay and if there is a shortfall, the firm must ensure that it is holding the correct number of client cryptoassets within 24 hours.

As for trad-fi firms that carry on traditional safeguarding activities, in practice, these requirements are likely to require cryptoasset safeguarding firms to implement detailed operational processes and systems to evidence and record client entitlements and daily reconciliations. However, in some cases, firms may be able to develop technological solutions to integrate DLT-based information to assist in meeting these requirements.

Safeguarding firms should also note that under the FCA's conduct of business proposals, they will need to provide clients with access to an online system (which must also allow clients to retain and store the relevant information) where the client can easily access up to date statements about the cryptoassets the firm holds on their behalf. Firms may therefore wish to keep in mind potential interdependencies or synergies between reconciliation and reporting when they are designing any internal systems for these purposes.

 

Trusted hands - Appointment of third parties

The proposed CASS 17 rules recognise that a firm may appoint a third party to carry on safeguarding of cryptoassets under the firm's direction – i.e. effectively, to delegate safeguarding responsibilities to a third-party entity.

The FCA is proposing that the firm will need to meet a range of conditions in this context, including that the third party will need to operate in a jurisdiction which specifically regulates cryptoasset safeguarding under a framework with mandatory financial and operational resilience requirements and will need to be subject to ongoing supervision in that jurisdiction. The firm will also need to carry out appropriate due diligence and ensure that a written agreement is in place with the third party which covers several mandatory requirements. Further, the appointment of a third party must be approved by the firm's governing body or its authorised delegate, creating a clear emphasis on senior management accountability for delegated cryptoasset safeguarding arrangements.

 

Arrangers unpacked – the lighter touch

As a reminder, there are two separate cryptoasset safeguarding activities in Article 9N RAO – the substantive activity of safeguarding and the separate activity of arranging cryptoasset safeguarding by another person.

Where a firm is only arranging cryptoasset safeguarding but is not carrying on the substantive safeguarding activity itself, the FCA is proposing that a more limited set of requirements will apply. Broadly, the firm will need to ensure that a written agreement is in place between the firm and the third-party custodian setting out their respective obligations, any required payments, and their respective potential liability in the case of loss of a client cryptoasset. The firm will also need to ensure that it maintains records of any arrangements that are put in place. This is broadly similar to the existing requirement in relation to trad-fi firms arranging custody of traditional investments on behalf of their clients.

Troubled waters? The proposed approach to authorising overseas firms

In Annex 4 of the CP, the FCA discusses its proposed approach to authorising international firms to carrying on regulated cryptoasset business in the UK.

The discussion opens with the FCA establishing a baseline expectation that firms carrying on cryptoasset activities will need to do so from a legal entity established in the UK, subject to limited exceptions. This suggests that despite statements from the UK government and the regulator about wanting to operate an open international market for cryptoassets, non-UK entities may in practice find it difficult to obtain FCA authorisation for the new activities, although the FCA has stopped short of prohibiting this entirely.

The FCA makes the point in its approach discussion that before the question of authorisation of a non-UK entity becomes relevant, it is first necessary to determine whether that entity is carrying on (or is deemed to be carrying on) regulated activities in the UK at all. However, it is unfortunate that the FCA has not yet taken the opportunity to consult on providing further advice (for example, in PERG) about its interpretation of the geographical scope of the new regulated activities. For example, there continue to be concerns in the industry about whether a non-UK firm may be carrying on relevant dealing activities in the UK, based on an analysis of where the resulting contract is formed. Unless those uncertainties are adequately resolved, the FCA risks confusion and potentially unnecessary authorisation applications in relation to non-UK businesses.

Broadly speaking, the exceptions under which the FCA envisages potentially authorising non-UK firms are:

  • Where the non-UK firm operates a QCATP through a UK branch, if this can facilitate better access to global liquidity and improve price and execution outcomes for clients. The FCA acknowledges that in this scenario, the ability to match UK and overseas orders within the same legal entity may be desirable. The regulator indicates, however, that other cryptoasset activities (e.g. safeguarding) should typically be carried out through a separate UK legal entity, suggesting that there may still be costs and fragmentation effects for non-UK trading platform operators which also undertake other cryptoasset business lines.

  • As a variation on the above, the FCA also indicates that it may be willing to grant a matched principal dealing permission to a QCATP operator authorised via a UK branch so that it can deal in a matched capacity on its own platform. However, the regulator states that if the firm intends to carry other proprietary dealing as principal, it is likely to need to do via a separate authorised UK subsidiary, meaning that, for example, a non-UK investment bank that operates a cryptoasset trading platform would be likely to need to hive off any regulated UK proprietary trading in cryptoassets into a separate UK affiliate.

  • As another variation on the above, the FCA states that a QCATP operator authorised via a UK branch could also be granted a restricted cryptoasset safeguarding permission to allow it to operate a "float" model for settlement of transactions via a global settlement wallet (see Client Asset (CASS) rules for cryptoasset safeguarding above).

However, when authorising a non-UK firm, the FCA states that it expects that the relevant non-UK entity should be subject to "comparable levels of regulatory protection and regulatory requirements" based on the FCA's assessment of the situation. This implies that some kind of case-by-case jurisdictional assessment may be required, so that the potential for a non-UK firm to become FCA authorised in this context will vary according to the jurisdiction in which it has been established. It remains to be seen whether the FCA would consider the EU's MiCA framework as a comparable framework in this context, although we suspect that this would probably be the case. Firms established in jurisdictions that do not regulate cryptoasset activities, or that operate only very light cryptoasset regulatory frameworks, may find it considerably more difficult to meet this hurdle and may need to establish a UK subsidiary instead.

Retail without the detail? The proposed application of the Consumer Duty

In CP25/25, the FCA proposed applying the Consumer Duty to cryptoasset firms when there are retail clients in a relevant distribution chain. In CP26/4, the FCA states that it has received widespread support among stakeholders for applying the Duty to cryptoasset business, provided that this is accompanied by sector-specific guidance. It appears that industry participants may have adopted this position in the hope that the application of the Duty would replace potentially inflexible and onerous detailed rules for the sector, although following CP25/25 and CP 26/4, there would now seem to be risk that firms may end up having to navigate both prescriptive rules and the Duty.

In response to the industry's request for practical sector-specific guidance, the FCA has published draft guidance on the application of the Duty to cryptoasset firms for consultation in GC26/2. The deadline for responding to the guidance consultation is the same as for CP26/4 – i.e. 12 March 2026.

The proposed guidance does make some attempts to address some of the nuances with cryptoasset business. For example, it recognises that for a truly decentralised cryptoasset (such as Bitcoin) there may not be an identifiable manufacturer for the purposes of the product governance requirements, or that some cryptoassets may be more volatile than other asset classes.

Nonetheless, the overall impression is that the guidance continues to suffer from some of the inherent flaws that have led to ongoing industry criticism of the Duty more generally. This includes good and poor practice examples which tend to focus on simpler or relatively self-evident situations while avoiding harder cases, as well as broad statements of principle that are not always easy to translate into concrete expectations. To avoid some of the difficulties that have plagued the trad-fi investment world, cryptoasset firms may want to consider whether to seek more granular steers on the FCA's expectations in some of the more difficult situations, although this will inevitably need to be weighed against the potential loss of flexibility that might result.

One area that firms should continue to monitor is the territorial application of the Duty. In the proposed guidance, the FCA has included wording which replicates the existing territorial scope provisions of the Duty more generally. This references the somewhat cumbersome formulation that while the starting point is that the Duty applies in relation to UK retail customers, it will also apply to non-UK retail customers if the activity in question is subject to some other FCA rule or provision of onshored financial services legislation which applies on a wider territorial basis. In practice, as many FCA rules do apply to non-UK customers (at least in relation to activities and services provided from a UK establishment), this has tended to extend the scope of the Duty to non-UK retail customers too. In CP26/4, the FCA notes that it is expecting to consult during H1 2026 on cutting back the territorial scope of the Duty to exclude business carried on with non-UK customers. Depending on the outcome of that consultation, one might hope for a narrower application of the Duty, allowing firms to focus on its implications for UK customers only.

The best of the rest: other elements of the proposals

  • Conduct of business requirements: The FCA has provided feedback on its initial proposals in CP25/25 in relation to how it will apply the requirements in the Conduct of Business sourcebook (COBS) to cryptoasset business. This includes proposals to apply a range of existing disclosure, client reporting and communication requirements to cryptoasset business, and to apply the existing client categorisation framework (although this may be modified by the FCA's separate proposals in CP25/36, which, if adopted, would also apply to cryptoasset business –  see page 49 of our 2026 Regulatory Roadmap for further information on this).

  • FOS jurisdiction: Extending the jurisdiction of the Financial Ombudsman Service to cover the new cryptoasset related activities where the relevant customer is an "eligible complainant" as defined under the existing framework. The FCA notes that this position was originally discussed in CP25/25 and was broadly supported by most respondents.

  • FSCS coverage: Not extending the scope of the Financial Services Compensation Scheme (FSCS) to include the new cryptoasset activities, meaning that customers will not have recourse to the FSCS if a cryptoasset firm fails and results in customer losses. However, the FCA notes this could lead to some inconsistent or complex results in relation to activities carried on in connection with specified investment cryptoassets, which would not benefit from FSCS protection in relation to safeguarding under Article 9N RAO, but could still benefit from FSCS protection in relation to trad-fi activities (such as dealing or investment advice) carried out in relation to the same asset. While the technical basis of the structure of FSCS protection is based on stepping in to cover losses caused by an insolvent firm (e.g. an adviser), there is no question that communicating the scope of coverage to a retail client in a comprehensible way is a significant challenge.

  • Use of credit: Confirming that the FCA is not proceeding with its original suggestion of banning cryptoasset firms from accepting payments via credit cards, or credit lines from electronic money institutions, in relation to the purchase of cryptoassets. There was widespread industry push-back against this, with respondents noting that this could be challenging to implement, given the difficulty in identifying payments made in this way, and that providers of credit would already be required to run creditworthiness assessments on the customer. However, as has become common, the FCA directs firms to consider whether the Consumer Duty means that they should provide additional information to customers who may be using credit lines in this context to ensure that they understand the potential risks involved.

  • Training and competency: The FCA is proposing to introduce new training and competence requirements for individuals within firms who are involved in providing dealing, safeguarding or arranging activities to retail clients in relation to cryptoassets. These are broadly designed to mirror the existing approach adopted for the equivalent trad-fi activities. However, the FCA is not proposing requirements relating to specific forms of appropriate qualifications, noting that the market for professional training and development in relation to cryptoassets is still emerging, but that it will keep this under review. In practice, this means that firms will need to develop appropriate internal frameworks for assessing individuals providing relevant cryptoasset services to retail clients as competent to carry on those activities and for ensuring that appropriate supervision is in place. 

  • Regulatory reporting: The FCA describes its approach to regulatory reporting as "iterative". It is proposing to apply a range of existing standardised reporting requirements to cryptoasset firms, such as annual controllers and close links reports, filing or audited financial reports and accounts, and annual financial crime reporting. It is also proposing to phase in new cryptoasset-specific reporting items over the first 2 – 3 years of the new regime, which will be subject to ongoing refinement. Initially, the FCA has suggested that these new reports will consist of certain "baseline returns" which will depend on the cryptoasset activities being carried out. For example, a firm that is carrying on stablecoin issuance would be required to report on elements including:

    • numbers of minted and issued stablecoins;

    • stablecoin redemption requests;

    • the composition of the relevant backing asset pool(s);

    • any breaches of the backing asset requirements;

    • the names of third parties appointed in connection with the backing asset rules; and

    • the total revenue arising from issuing qualifying stablecoins during the period.

The data would need to be reported on a quarterly basis, within 30 business days of the end of the relevant reporting period, except for returns relating to cryptoasset safeguarding, which will need to be reported monthly within 15 business days of the end of the relevant month.

Although the iterative development of reports may help ensure that the data collected is relevant and proportionate, it also presents the risk that during the first few years of the new regime, firms may be presented with something of a moving target in terms of reporting obligations. Although this may not be overly problematic if the information requested is the sort of data that the firm is likely to collect or have readily available anyway, if data demands increase, firms will need to ensure that there is adequate time to implement corresponding data collection and validation systems.

  • SMCR enhanced firm status: In CP25/25, the FCA proposed applying the SMCR requirements to cryptoasset firms. In CP26/4, it has now set out the criteria that it is proposing to use to determine whether a cryptoasset firm is an "enhanced" firm for those purposes (and would therefore be subject to more onerous requirements). These are as follows:

    Activity

    Threshold

    Stablecoin issuance

    Total value of the backing asset pool exceeds £65 billion on a 3-year rolling average

    Cryptoasset custody

    Total value of safeguarded cryptoassets, added to the total value of trad-fi safe custody assets (if any), held in the last calendar year exceeds £100 billion in any given month

    OR

    The firm projects that it will hold a cumulative sum of more than £100 billion in safeguarded cryptoassets plus trad-fi safe custody assets during the current calendar year

Getting in touch

We are advising a range of firms, industry associations and other stakeholders on the introduction of the new UK cryptoassets regime. If you'd like to discuss any aspect of the proposals, or how we can support your organisation with the transition to the new regime, please get in touch with your usual Travers Smith contact or any of the individuals named below.

Get in touch

Read Natalie Lewis Profile
Natalie Lewis
Read Matt Humphreys Profile
Matt Humphreys
Read Harry Millerchip Profile
Harry Millerchip
Read James Turner Profile
James Turner
Read Martin Hammond Profile
Martin Hammond
Read Mark Evans Profile
Mark Evans
Back To Top Back To Top chevron up