Author: James Borley, Director of Payment Services
For firms seeking cryptoasset authorisation under the Financial Services and Markets Act 2000 (FSMA), the transition from the current anti-money laundering registration regime to full prudential regulation will require substantially higher standards of governance, financial resilience and operational capability.
While much of the public focus surrounding crypto regulation has perhaps centred on financial promotions and consumer protection, the FCA’s developing framework makes clear that prudential supervision will become a central component of the UK regime.
For many cryptoasset businesses, particularly early-stage firms and fintech-led operators, this is likely to represent the most commercially significant aspect of authorisation.
From MLR Registration to FSMA Authorisation
Currently in the UK cryptoasset firms operate under registration requirements contained within the Money Laundering Regulations (MLRs). However, the new FSMA framework will bring a broad range of cryptoasset activities formally within the perimeter, including activities such as:
- operating cryptoasset trading platforms;
- custody and safeguarding;
- dealing and arranging activities;
- stablecoin-related services; and
- certain staking activities.
As we have previously reported, the FCA has confirmed that firms will be able to apply for authorisation ahead of the regime becoming fully operational in 2027.
Importantly, firms should not underestimate the difference between MLR registration and full FSMA authorisation. The FCA has repeatedly highlighted that the new regime will involve significantly broader scrutiny of firms’ prudential resources, governance arrangements, systems and controls and operational resilience capabilities.
In practice, many firms currently operating under relatively lean compliance structures may require extensive remediation before they are capable of meeting FSMA standards.
The FCA’s Prudential Focus
The FCA’s proposed prudential framework is designed to ensure that cryptoasset firms maintain sufficient financial and operational resources to conduct business safely and minimise harm to consumers and markets.
The FCA’s approach is increasingly focused on ensuring that firms can:
- absorb financial losses;
- maintain adequate liquidity;
- continue operating during periods of stress;
- safeguard client assets appropriately; and
- wind down in an orderly manner if necessary.
This reflects a wider regulatory concern arising from previous crypto market failures, where weak governance, insufficient capital and inadequate operational controls contributed to significant consumer losses and disorderly collapses.
Capital Requirements and K-Factors
One of the most significant aspects of the FCA’s proposed prudential framework is the introduction of minimum capital and own funds requirements broadly aligned to prudential methodologies already familiar under the UK Investment Firms Prudential Regime (IFPR).
Historically, many cryptoasset firms registered under the MLRs have operated without formal regulatory capital obligations beyond maintaining sufficient working capital to support business operations. Under the new FSMA regime, this position is expected to change materially.
The FCA has indicated that cryptoasset firms will likely become subject to a combination of:
- permanent minimum capital requirements;
- Fixed Overhead Requirements (“FOR”); and
- risk-sensitive capital methodologies linked to the nature, scale and complexity of regulated activities.
Importantly, the prudential framework is expected to incorporate concepts similar to the ‘K-factor’ methodology used under IFPR for MiFID investment firms.
Under the IFPR model, K-factors are designed to measure potential harm posed by firms to customers, markets and the firm itself. The FCA’s cryptoasset proposals suggest a comparable approach may be adopted to ensure prudential requirements are proportionate to the operational and financial risks generated by cryptoasset business models.
Although the final calibration remains under consultation, relevant prudential metrics for cryptoasset firms may include factors linked to:
- assets safeguarded or administered;
- customer transaction volumes;
- trading activity;
- client money exposures;
- custody operations; and
- operational concentration risks.
For firms engaged in custody or safeguarding activities, prudential expectations are likely to be particularly stringent given the FCA’s continued focus on consumer protection and asset security.
The introduction of K-factor style requirements would represent a significant shift for many crypto businesses, particularly firms that have historically operated with relatively asset-light structures or highly volatile revenue models.
In practice, firms should expect the FCA to assess not only whether minimum capital thresholds are met at a point in time, but whether financial resources remain sufficient under stressed operational and market conditions.
This is especially relevant given the FCA’s increasing focus on wind-down preparedness, operational resilience and the potential systemic impact of large-scale cryptoasset service providers.
Accordingly, firms preparing for FSMA authorisation should already be assessing:
- the quality and permanence of capital resources;
- liquidity management arrangements;
- capital forecasting methodologies;
- stress testing capabilities; and
- governance oversight of prudential risk.
For many firms, prudential planning is likely to become one of the most commercially significant components of the authorisation process.
Wind-Down Planning
A major feature of the proposed regime is the emphasis on wind-down preparedness.
The FCA has repeatedly highlighted concerns regarding disorderly cryptoasset firm (and other firm types!) failures and the risks these create for consumers, counterparties and market confidence. As a result, firms seeking authorisation are expected to maintain credible wind-down plans capable of demonstrating how regulated activities could cease in an orderly manner.
This is likely to require firms to consider:
- liquidity forecasting;
- customer communication arrangements;
- safeguarding continuity;
- operational dependencies;
- outsourcing arrangements; and
- governance escalation procedures.
For custody and safeguarding firms, the FCA is likely to focus particularly closely on how customer assets would remain protected during stressed conditions or insolvency events.
Governance and SM&CR Expectations
The FCA’s cryptoasset regime also reflects a clear expectation that firms adopt governance standards comparable to those operating elsewhere within regulated financial services.
This includes increasing alignment with the Senior Managers and Certification Regime (SM&CR), governance oversight requirements and broader FCA systems and controls expectations.
In practice, firms should expect supervisory scrutiny covering:
- board composition and expertise;
- risk management arrangements;
- financial crime controls;
- conflicts management;
- internal reporting structures;
- outsourcing oversight; and
- compliance monitoring frameworks.
For many entrepreneurial crypto firms, this may require significant changes to existing operating models.
The FCA has consistently emphasised that innovative technology does not reduce the need for effective governance disciplines. Firms seeking authorisation should therefore expect increasing regulatory focus on senior management accountability and governance maturity.
Operational Resilience and Technology Risk
Operational resilience is also expected to become a major prudential consideration under the new regime. Cryptoasset firms often rely heavily on complex technology infrastructure, including cloud hosting, distributed ledger systems, APIs, smart contracts and third-party custody providers.
These arrangements create significant operational and concentration risks which regulators increasingly expect firms to identify and manage appropriately.
The FCA’s wider operational resilience framework already applies across much of the financial services sector and is likely to influence supervisory expectations for cryptoasset firms operating under FSMA. We have provided comment on FCA expectations in our recent articles here.
Importantly, the FCA increasingly views financial resilience and operational resilience as interconnected supervisory outcomes rather than separate compliance disciplines.
Safeguarding and Client Asset Protection
The safeguarding of customer cryptoassets will undoubtedly be another of the FCA’s principal areas of concern.
The proposed framework is expected to introduce enhanced requirements for firms carrying out custody and safeguarding activities, including obligations relating to segregation, reconciliation, governance and operational controls.
The FCA is likely to focus heavily on:
- wallet governance;
- private key management;
- outsourcing oversight;
- record-keeping;
- reconciliation procedures; and
- customer disclosure arrangements.
The FCA is also expected to assess whether firms can maintain safeguarding arrangements effectively during operational disruption or stressed market conditions.
Conclusion
The FCA is clearly moving towards a regime in which cryptoasset firms are expected to meet standards broadly comparable to those applying across mainstream financial services sectors (“Crypto goes mainstream” anyone?). Prudential supervision will therefore extend far beyond current financial crime compliance and financial promotions oversight.
For firms seeking authorisation under FSMA, preparation should begin well in advance of the implementation timetable. Many businesses are likely to require significant enhancement of governance arrangements, financial resources, operational resilience frameworks and safeguarding controls before they are capable of meeting FCA expectations.
How Complyport Can Help
Complyport supports firms preparing for the UK’s evolving cryptoasset regulatory framework and the enhanced prudential expectations that will accompany FSMA authorisation.
Our services include:
- Prudential risk assessments and gap analyses.
- Capital adequacy and own funds framework reviews.
- Wind-down planning and stress-testing support.
- SM&CR implementation and accountability mapping.
- Operational resilience framework design and testing.
- Outsourcing and third-party risk management reviews.
- Safeguarding and custody control assessments.
- FCA authorisation application support.
- Ongoing compliance advisory and outsourced compliance services.
To discuss how your firm can prepare for the prudential requirements of the future UK cryptoasset regime, contact Complyport and book a meeting with one of our Subject Matter Experts today.
Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat
