Author: James Borley, Director of Payment Services
In our last article, we highlighted the increased prioritisation by the Financial Conduct Authority (FCA) of payments firms’ operational resilience arrangements. An additional area that payments firms should now consider carefully is the interaction between operational resilience obligations and the forthcoming UK cryptoasset regulatory regime under Financial Services and Markets Act 2000 (FSMA).
The UK government and FCA are progressing towards a comprehensive authorisation framework for cryptoasset activities under the FSMA, with the new regime expected to commence in October 2027. Firms carrying on in-scope cryptoasset activities, including custody, exchange, dealing, arranging and stablecoin-related services, will require FCA authorisation under a substantially expanded regulatory perimeter.
For many existing payments firms and Electronic Money Institutions (EMIs), particularly those involved in digital asset payments, stablecoin settlement infrastructure, embedded wallets or crypto-fiat conversion services, the operational resilience implications are likely to be significant.
The FCA has already indicated that cryptoasset firms entering the FSMA perimeter will become subject to broader conduct, governance and prudential expectations comparable to those applying across traditional financial services sectors.
Operational resilience is therefore expected to become a key component of cryptoasset authorisation assessments, particularly where firms rely on:
- distributed ledger infrastructure;
- third-party wallet or custody technology;
- outsourced blockchain analytics providers;
- cloud-native operating models;
- algorithmic transaction monitoring;
- cross-border liquidity providers; or
- stablecoin settlement mechanisms.
From an Authorisations perspective, the FCA has been explicit in stating that it will focus heavily on whether firms, once authorised for cryptoasset activities, can continue delivering critical services during periods of technological disruption, cyber incidents, blockchain congestion, smart contract failures or third-party outages.
This is particularly relevant given the increasing convergence between traditional payments infrastructure and cryptoasset-related services. A growing number of FCA-authorised payments firms are either exploring stablecoin use cases directly or integrating digital asset functionality into broader payment ecosystems.
Consequently, firms seeking cryptoasset permission under FSMA should avoid treating operational resilience as a standalone compliance workstream. Instead, resilience considerations should be integrated early into product design, outsourcing frameworks, custody arrangements and governance structures.
Importantly, firms transitioning from the current Money Laundering Regulations registration regime into full FSMA authorisation may underestimate the extent to which the FCA will scrutinise operational controls, governance maturity and resilience capabilities as part of the authorisation process. As part of the Authorisations assessment, firms must clearly describe and explain their operational resilience arrangements in detail. When I say clearly, I mean exactly that; if the FCA cannot understand it, they will assume that neither does your Board. That then threatens to undermine the whole application.
As with Consumer Duty, the FCA expects operational resilience to cut across all aspects of a firm’s application for Part4A permission. Rather than running through it like a stick of rock though, perhaps it’s more of a marble cake effect?
How Complyport Can Help
As the UK cryptoasset regulatory framework continues to develop, firms should begin assessing whether their governance, operational resilience and control frameworks are capable of meeting FCA expectations under the future FSMA regime.
Complyport supports firms at every stage of this process, including:
- Conducting operational resilience gap analyses against FCA expectations and industry good practice;
- Assisting with cryptoasset and payments firm FCA authorisation applications and regulatory business plans;
- Reviewing governance frameworks, Board oversight arrangements and Senior Management accountability structures;
- Supporting the identification and mapping of important business services and critical operational dependencies;
- Reviewing incident management, business continuity and disaster recovery arrangements;
- Performing compliance monitoring reviews and independent assessments of operational resilience programmes; and
- Providing regulatory compliance support for firms transitioning from Money Laundering Regulations registration to full FSMA authorisation.
Contact Complyport today to book a meeting with one of our Subject Matter Experts and discuss how we can support your regulatory journey.
Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat
