Crypto comes of age: The FCA's landmark rules and what firms must do now
The era of light-touch crypto oversight is over. On 30 June 2026, the FCA published five landmark policy statements delivering a comprehensive regulatory regime for cryptoassets – the culmination of more than three years of intensive work.
For firms operating in or into the UK, this is the most significant regulatory development the sector has faced. The message from the FCA is clear: firms must prepare now, apply early, and get this right – because getting it wrong carries existential consequences.
Background and legislative framework
The new regime is underpinned by the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026 (SI 2026/102), made on 4 February 2026. These Regulations brought a broad range of cryptoasset activities within the FCA's regulatory perimeter for the first time, moving well beyond the anti-money laundering and financial promotions standards that previously defined the regulator's role in this market.
Until the rules come into mandatory effect in October 2027, the FCA's oversight of crypto continues to be largely limited to financial promotions and anti-money laundering controls. But with the policy statements now published, firms have certainty about what will be required – and the implementation runway is shorter than it may appear.
The FCA's new regulatory regime begins on 25 October 2027. Firms which are wanting to carry on these regulated activities from day one will be required to submit detailed and comprehensive applications for authorisation between 30 September 2026 and 28 February 2027. Whilst firms can continue to apply for authorisation after that period, it may mean they do not receive approval until after the new regime goes live, and will not be able to take advantage of the interim transition period the FCA is providing.
What the new rules require
The FCA has published five policy statements constituting the new framework:
- PS26/9 – Admissions and Disclosures (A&D) and Market Abuse Regime for Cryptoassets (MARC)
- PS26/10 – Stablecoin issuance
- PS26/11 – Regulated cryptoasset activities
- PS26/12 – A Prudential regime for cryptoasset firms
- PS26/13 – Application of the FCA Handbook for Regulated Cryptoasset Activities
Trading platforms, intermediaries, custodians, stablecoin issuers, and firms arranging staking must all obtain FCA authorisation to operate in the UK.
Capital and prudential requirements
All firms must meet financial resilience requirements including capital and stress testing. The prudential framework has been refined following consultation: the K-factor coefficient for stablecoin issuance (K-SII) has been reduced from 2% to 1%, and cryptoassets that can be prudently valued and are admitted to a UK qualifying cryptoasset trading platform will be subject to a single 40% net risk position requirement for K-NCP and a 40% volatility adjustment for K-CCD.
The FCA has also removed the proposed requirement to publicly disclose own funds and liquid asset threshold requirements and has introduced a proportionality framework based on own funds requirements for prudential disclosures.
Market integrity
The FCA is introducing new market integrity rules covering insider trading and market manipulation for the first time in this sector. The core MARC framework has been maintained while targeted changes improve proportionality, clarity and operability – including retaining the industry-led framework and the threshold for large UK QCATP operator obligations, narrowing the on-chain monitoring requirement for large UK QCATPs, and clarifying requirements relating to inside information disclosure and intermediary notifications. For firms that have operated to date without any of this infrastructure, building it from scratch will be a significant undertaking.
Stablecoins
The new framework sets out specific rules for stablecoins – cryptoassets designed to maintain a stable value, typically by reference to a currency such as the pound. They will be subject to clear, strong and transparent standards. Following consultation, the FCA has simplified key elements of the regime, including capital requirements for stablecoin issuers.
Consumer protection and the Consumer Duty
PS26/13 confirms that key FCA Handbook obligations – including the Consumer Duty, COBS, the Senior Managers and Certification Regime (SMCR), operational resilience and financial crime frameworks – are being applied across regulated cryptoasset activities.
Since its introduction on 31 July 2023, the Consumer Duty has set high standards of retail consumer protection, requiring firms to go beyond narrow rule compliance and actively deliver good outcomes across four areas: products and services, price and value, consumer understanding, and consumer support. Firms are expected to comply with cross-cutting rules to act in good faith, avoid causing foreseeable harm, and to act to enable and support customers to pursue their financial objectives.
In a sector the FCA regards as high risk, the bar for demonstrating compliance will be commensurately demanding, and a consumer's signature on a risk warning will not be sufficient. Firms will need to carefully consider what "good outcomes" looks like for consumers in the crypto space and how they can help achieve these.
Safeguarding and custody
The FCA is proceeding with the application of CASS 17 to client cryptoassets, with strong stakeholder support for enhanced protections around ownership rights, record-keeping, reconciliation, and private key management. Targeted exceptions to trust requirements have been introduced, the scope of control-based application clarified, and the settlement float model percentage limit increased to 2%.
Areas for further development
Decentralised finance (DeFi), distributed ledger technology (DLT), cryptoasset derivatives, audit requirements and certain stablecoin-related policy areas will be addressed through further consultation. The FCA's rules will apply to DeFi firms where there is an identifiable controlling entity; genuinely decentralised protocols without one sit largely outside the regime for now, with tailored guidance (including objective indicators of decentralisation) to follow.
Why this matters
The UK is taking a major step forward, delivering a comprehensive regime that puts it at the forefront of responsible cryptoasset regulation globally. This represents a fundamental transformation in how cryptoasset firms must organise and conduct their businesses. For the first time, they will be subject to the full suite of FSMA obligations: threshold conditions, SMCR, Principles for Businesses, the Consumer Duty, operational resilience requirements, financial crime controls, and a bespoke prudential framework.
It is worth being direct: cryptoassets are high-risk investments and will remain high risk under the new regime. The regulatory framework does not change the underlying risk profile of cryptoassets – but it fundamentally changes the obligations on the firms that provide them.
Practical guidance: What firms should do now
1. Apply early – and understand the window
If a firm wishes to rely on the savings provisions to allow them to continue to operate once the new regime goes live but where they are waiting for a decision on their application for authorisation, the application window opens on 30 September 2026 and closes on 28 February 2027. Firms should apply as early as possible to maximise the period during which they can continue operating while their application is assessed. Firms should also seek to take advantage of pre-application support meetings which the FCA is offering to help firms with preparing their applications for authorisation.
Firms that apply within the window may, subject to the relevant conditions, continue specified activities under the savings and transitional provisions until their application is determined. Firms that apply after the window closes cannot rely on those provisions and may need to cease activities until authorised. Missing or mishandling the window carries existential risk.
2. Do not assume existing registration converts
Existing registrations do not convert automatically. Firms currently registered under the Money Laundering Regulations, or authorised under the Payment Services Regulations or Electronic Money Regulations, and firms relying on a section 21 financial promotions approver, will need to seek FSMA authorisation if they carry on a regulated cryptoasset activity.
Firms registered under the MLRs should note that the FSMA fit and proper requirements are broader than those under the MLRs – existing systems and controls will help, but a gap analysis against FSMA expectations is essential.
3. Build a credible implementation plan now
The FCA encourages firms to develop a clear, board-approved implementation plan that sets out who is accountable, what needs to change, and when. Firms should review the newly regulated cryptoasset activities, determine the type of authorisation required, and carry out a comprehensive gap analysis.
Firms that submit poor quality applications risk rejection, delay, or refusal of authorisation. The Pre-Application Support Service (PASS) is available to assist, and independent legal advice when preparing an application is strongly recommended.
Conclusion
This regime sets clear, predictable rules for firms across the full range of regulated cryptoasset activities – strengthening consumer protections, enhancing market integrity, and positioning the UK as a trusted, competitive home for responsible cryptoasset innovation. The mandatory regime comes into force on 25 October 2027. The application window opens in under three months. For firms operating in this sector, the time to act is now. To discuss the implications of the FCA's new crypto regime for your firm further, please contact our financial services regulation team.
Contact
Adam Berry
Partner
adam.berry@brownejacobson.com
+44 (0)330 045 1495
Daniel Seely
Senior Associate
daniel.seely@brownejacobson.com
+44 (0)330 045 1001