Back to Resources

FCA Crypto Final Rules: What UK Firms Must Actually Implement Now

Web3

Share
Executive summary: The FCA published its final rules for the UK cryptoasset regime under FSMA 2023 on 30 June 2026, closing the long consultation cycle that ran through 2024 and 2025. This piece — published eight days after — is a CFO-level first read of what has landed harder than expected, what has softened relative to consultation, and what belongs on the implementation roadmap for the balance of 2026. Firms operating under the temporary permissions regime now have a defined path to full authorisation, and the practical timeline is shorter than most expected.

Where the UK Regime Sits Now

The UK's approach to cryptoasset regulation moves through a clear sequence. HM Treasury's consultation response in October 2023 confirmed that cryptoassets would be brought within the FSMA regulatory perimeter, with detailed rules to be developed by the FCA. Consultation papers ran through 2024 and 2025 covering the phases of the framework — the admissions and disclosure regime, custody and safeguarding, market abuse, financial promotions, and the stablecoin-specific provisions. The final policy statement published on 30 June 2026 consolidates and finalises these rules.

The regime brings a broad set of activities within FSMA authorisation: operating a cryptoasset trading platform, custody of cryptoassets on behalf of clients, cryptoasset issuance where public offers are made, cryptoasset staking services, and lending services. The perimeter is deliberately broad, and the FCA has stated its intention to supervise the sector using the same tools it applies elsewhere in financial services.

What Landed Harder Than Consultation Suggested

The final rules are meaningfully tighter than the consultation drafts in three specific areas. Firms that built their transition plans on the consultation reading will need to reassess.

Custody Segregation Standard

The consultation had signalled a segregation standard broadly consistent with existing e-money safeguarding. The final rules go further, requiring statutory-trust structures, permitted custodians independent of the operating firm, and daily internal reconciliation supported by independent monthly attestation. This is closer to CASS-plus for crypto — materially more demanding than what many operating firms have in place today.

Whitepaper Liability Framework

The whitepaper regime for public offers of cryptoassets carries meaningful civil liability for material inaccuracies or omissions — comparable to prospectus liability under the existing UK securities regime. The consultation had left open whether liability would be structured on a negligence or strict basis; the final rules apply the negligence-based framework used elsewhere but with a defined "responsible person" concept that expressly includes directors of the issuer.

Financial Promotions Overlap

The interaction with the existing cryptoasset financial promotions regime (in force since October 2023) is clarified but tight. Any communication that could be construed as an invitation or inducement to engage in cryptoasset activity within scope of FSMA is now within the promotions regime and the substantive-conduct rules simultaneously. There is limited safe-harbour for informational marketing that does not intend to induce.

The custody impact is the biggest surprise: Firms that expected to translate their existing safeguarding structure directly are finding the trust-plus-independent-custodian requirement is a structural change, not a documentation change. Legal restructuring, custodian appointment and reconciliation build all belong on the implementation roadmap now — not in Q4.

What Softened Relative to Consultation

Three areas moved in the industry's direction from consultation to final rules.

Proportionate Capital for Smaller Firms

The consultation had proposed prudential capital minima that would have been demanding for early-stage firms. The final rules retain the concept but apply it more proportionately — smaller custodians and trading platform operators face a tiered approach linked to activity volume, with the highest bar reserved for larger firms.

Reverse Solicitation Preserved for Non-UK Firms

The consultation had suggested a very narrow reverse solicitation exemption for non-UK firms serving UK customers. The final rules retain the exemption on terms broadly consistent with the existing MiFID II approach, meaning UK persons who genuinely initiate the engagement can receive services from non-UK firms without triggering the full UK authorisation requirement. The exemption is narrow but real.

Transition Window Length

The consultation had suggested transitional relief of 12 months from final rules commencement. The final rules extend this to 18 months for most activities, with an earlier expiry only for custody and stablecoin services where the sensitivity of the safeguarding regime is highest. Most firms in the temporary regime now have until late 2027 or early 2028 to complete transition.

The Implementation Clock

For a firm currently operating under the temporary permissions regime or in scope of the new rules, the calendar looks like this:

Window
Milestone
Jul – Sep 2026
Regime gap analysis, custody structure design, restructuring plan agreed with adviser
Oct – Dec 2026
Full FCA authorisation application prepared; custodian appointment; MI redesign
Q1 2027
Application submitted; supervisory dialogue; attestation provider engaged
Q2 – Q3 2027
Authorisation processed; first-cycle monthly attestation goes live
Q4 2027
Stablecoin and custody transitional windows close for firms in those activities
Early 2028
General transitional window closes; unauthorised firms must cease

"The final rules are not the end of the process, they are the start of the implementation cycle. Firms that treat 30 June 2026 as a compliance milestone will find the practical work is only just beginning. The next twelve months determine whether a UK crypto firm still exists as an authorised entity in 2028, or whether it does not."

The CFO-Owned Deliverables

Three specific pieces of the implementation are CFO-owned regardless of the org structure.

The Capital Model

Prudential capital under the new regime is calculated on defined bases per activity type. The finance function needs to build the capital model that shows current capital position, projected requirements as activity grows, and the timing of any capital-raise decisions this triggers. For firms close to the tiered thresholds, a specific decision point exists on whether to accept the higher capital requirement or manage below the threshold.

The Cost Model for the Regime

Ongoing compliance cost — attestation, external audit, regulatory reporting, custodian fees, board and committee time — is material and needs to be forecast into the P&L. Firms that under-estimate this cost find themselves under-invested in the compliance function through 2027, which then surfaces in supervisory conversations.

Board Attestations

The regime includes board attestation obligations similar to those developing under Consumer Duty (see our June piece on board attestation for AI in regulated products). The CFO needs to have the underlying evidence base for the attestations — MI adequacy, control operation, reserve position — captured and reportable on the required cadence.

Key Takeaways

  • The FCA published its final cryptoasset rules under FSMA 2023 on 30 June 2026, closing a long consultation cycle. The regime brings trading, custody, issuance, staking and lending within FSMA authorisation.
  • Custody segregation landed harder than expected — statutory trust, independent custodian, daily reconciliation, monthly independent attestation. Legal restructuring is required for many firms.
  • Whitepaper liability applies with a defined "responsible person" concept that includes directors. Financial promotions overlap tightens.
  • Proportionate capital, reverse solicitation preservation and an 18-month general transitional window softened relative to consultation.
  • Practical calendar: gap analysis and restructuring plan July–September 2026; authorisation application prepared Q4 2026; application submitted Q1 2027; general transitional window closes early 2028.
  • CFO deliverables: prudential capital model, cost model for the ongoing regime, board attestation evidence base.
  • The final rules are the start of the implementation cycle, not the end. The next twelve months determine which UK crypto firms remain authorised entities by 2028.

Work Together

Need this applied to
your business?

UK crypto regime implementation, custody structure design and FCA authorisation preparation. We bring CFO-level rigour without the full-time cost.

Book a Free Discovery Call →