Back to Resources

UK Crypto Authorisation: A CFO Readiness Checklist for the September 2026 Deadline

Raymond Shuai February 2026 9 min read Sources: FCA Crypto Roadmap · CP25/14 · CP25/15 · Financial Services and Markets Act 2023

FCA & Regulatory

Share
Executive summary: The FCA's cryptoasset authorisation gateway opens in September 2026, giving firms seven months from this article's date to complete their readiness preparations. This checklist covers the five workstreams a CFO must lead or co-own: financial and capital readiness, governance and people, systems and controls, reporting obligations, and the application itself. The checklist is structured to be used as a working document, not just read once.

Seven Months to the Gateway

The UK cryptoasset regulatory regime, established under the Financial Services and Markets Act 2023 and developed through the FCA's consultation papers CP25/14 and CP25/15, will open its authorisation gateway in September 2026. For firms that are currently operating under the existing cryptoasset registration regime (the AML-focused temporary registration regime), September 2026 represents the transition from a relatively light-touch AML framework to a full conduct and prudential authorisation regime. For firms that are not yet registered, it is the first opportunity to obtain authorisation.

The FCA has been explicit: it will not accept applications that are incomplete or that demonstrate a gap between claimed and actual compliance readiness. The experience from MiCA CASP authorisation in the EU in 2025 confirms this; the NCAs that reviewed applications most carefully produced firms with more robust compliance frameworks, and the firms that submitted incomplete applications wasted significant time and regulatory goodwill. The FCA is unlikely to be more lenient than the best EU NCAs.

Gateway opens
Sept 2026All conduct, prudential, and SMCR requirements must be met at application
Time remaining (Feb 2026)
7 monthsInsufficient for firms starting from scratch; begin immediately
FCA authorisation fee
Estimated £10,000–£50,000 depending on activity class and firm size
Application review period
FCA target: 6 months from complete application; incomplete applications restart the clock

Workstream 1: Financial and Capital Readiness

Capital readiness is the CFO's primary ownership area within the authorisation programme. The following checklist items must be complete at the point of application.

  • Calculate your Own Funds Requirement (OFR) under CRYPTOPRU: determine the highest of the Permanent Minimum Requirement (PMR), Fixed Overheads Requirement (FOR, approximately three months of relevant annual expenditure), and applicable K-factors (including K-SII at 2 percent of stablecoin in issuance for issuers).
  • Calculate your ILAR (Issuer Liquid Asset Requirement) if you are a stablecoin issuer using non-cash backing assets. Model this at current backing asset composition and stress-test it under a scenario where non-cash assets fall 5 percent in value.
  • Confirm that your current own funds meet the OFR on a sustained basis (not just on the application date). If you are growing rapidly, your OFR may increase materially between application and authorisation. Model the OFR trajectory over the next 18 months.
  • Prepare a wind-down plan: a documented plan for how the firm would conduct an orderly wind-down if required, including estimated wind-down costs, timeline, and the minimum capital required to fund the wind-down. The FOR is calibrated to cover this, but the wind-down plan must be documented separately.
  • Prepare three years of audited financial statements in a format acceptable to the FCA. If your audit firm is not a firm with listed company or regulatory audit experience, consider whether a change is appropriate before the application is submitted.
  • Model the funding implications of authorisation: regulatory capital that is permanently deployed in meeting the OFR is not available for investment in the business. Quantify this and confirm your current shareholders are aware of the capital requirement.
  • If you are a stablecoin issuer, confirm that your backing pool structure (custodian arrangements, asset composition, ODDR compliance, daily reconciliation capability) is fully operational and documentable. The FCA will want evidence of a functioning backing pool, not a theoretical design.
  • Prepare a financial crime risk assessment that quantifies your exposure to financial crime and demonstrates that your AML and CFT controls are proportionate to that exposure.

Workstream 2: Governance and People

The Senior Managers and Certification Regime (SMCR) will apply in full to cryptoasset businesses from the authorisation date. This has specific CFO implications.

  • Identify all Senior Manager Function (SMF) holders: SMF1 (Chief Executive), SMF3 (Executive Director), SMF16 (Compliance Oversight), SMF17 (Money Laundering Reporting), and any others applicable to your activity class. Each SMF holder must be individually approved by the FCA before they can perform their function.
  • Prepare a Statement of Responsibilities (SoR) for each SMF holder, documenting their specific accountabilities. These must be consistent with the Responsibilities Map (the firm-level document showing how overall responsibilities are divided among the senior management).
  • Confirm that the CF10 (Compliance Oversight) senior manager role is filled by someone with genuine competence and sufficient seniority. The FCA will assess whether the compliance function is genuinely independent and adequately resourced.
  • Prepare a Remuneration Policy that complies with FCA requirements: variable pay for risk-takers must be subject to deferral and malus/clawback provisions. Document which roles are classified as Material Risk Takers (MRTs).
  • Constitute a Board with appropriate independence: the FCA expects at least one non-executive director with relevant experience on the board of a regulated cryptoasset business. If your current board does not include a sufficiently experienced NED, recruit one before the application.
  • Complete a fitness and propriety assessment for all SMF holders and Certified Persons. Document the assessment methodology and evidence reviewed.
  • Confirm that your governance structure includes an audit committee (or equivalent oversight mechanism) with responsibility for financial reporting and internal controls.

Workstream 3: Systems and Controls

The FCA's conduct requirements under CP25/14 require robust systems and controls across financial crime, customer due diligence, and record-keeping. The following items are relevant to CFO oversight.

  • Implement a customer due diligence (CDD) programme that meets FCA standards: enhanced due diligence for higher-risk customers, ongoing monitoring of customer activity, and documented risk-based assessment criteria.
  • Implement transaction monitoring capable of identifying suspicious activity and generating Suspicious Activity Reports (SARs) to the National Crime Agency (NCA) within the required timeframes.
  • Confirm that your record-keeping systems retain all required records (customer due diligence, transaction records, communications) for the statutory minimum retention periods (generally five years).
  • Implement controls over client asset safeguarding: if you hold client assets (cryptoassets, fiat, e-money), confirm that your segregation, reconciliation, and reporting processes meet the relevant FCA CASS or equivalent requirements.
  • Complete a business-wide risk assessment (BWRA) under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations: document the ML/TF risks the firm is exposed to and how your controls mitigate them. This must be reviewed and updated at least annually.
  • Implement an ICT risk management framework appropriate to your size and complexity. If DORA applies to your business (through an EU entity), ensure alignment between your DORA ICT risk management framework and your FCA operational resilience requirements.
  • Complete a conflicts of interest policy that identifies actual and potential conflicts (particularly relevant for cryptoasset businesses that may also trade on their own account) and documents how they are managed.
  • Implement an internal audit function or equivalent oversight mechanism. For smaller firms, this may be an outsourced internal audit arrangement rather than a full in-house function.

"The most common failure mode in cryptoasset authorisation applications is not missing a capital calculation or misidentifying a senior manager. It is the absence of documented, operational systems and controls that have been in use long enough to generate a track record. Paper policies without evidence of implementation are not sufficient."

Workstream 4: Reporting Obligations

Once authorised, cryptoasset businesses will have ongoing FCA reporting obligations. The FCA expects applicants to demonstrate that their systems are capable of meeting these obligations from day one of authorisation.

  • Identify the regulatory returns that will apply to your activity class (these will be set out in the final Policy Statement following CP25/14 and CP25/15 consultations). Prepare template versions of these returns using your current data.
  • Implement an incident reporting process capable of notifying the FCA of "material operational or security incidents" within the prescribed timeframes. The notification obligations are separate from and in addition to any DORA obligations.
  • Confirm that your anti-money laundering reporting process can generate timely SARs to the NCA and that the nominated officer (typically the MLRO) has adequate capacity and tools to manage the reporting obligation.
  • Prepare your firm's annual report and accounts format to comply with the FCA's disclosure requirements for authorised cryptoasset businesses. These are expected to require disclosure of own funds, regulatory capital ratios, and (for stablecoin issuers) backing pool composition.
  • For stablecoin issuers specifically, implement daily backing pool reconciliation reporting and confirm that the reconciliation data is available for FCA review on request within 24 hours.
  • Implement a whistleblowing channel and process as required under FCA SYSC requirements. The channel must be independent of line management and available to all employees and contractors.

Workstream 5: The Application Itself

The FCA application is a substantial exercise in documentation. The following items are the primary documents that the FCA will review, and the CFO will be responsible for or contribute to each of them.

#
Document
CFO Involvement
1
Regulatory business planFirm overview, activities, target market
Financial projections, revenue model, capital requirement forecast
2
Financial resources assessmentOFR calculation, ILAR, wind-down plan
Primary CFO deliverable; must reconcile to audited accounts
3
Three years of audited accountsIFRS or UK GAAP compliant
CFO responsible for preparing and reviewing with auditors
4
Cryptoasset disclosure documentCDD; analogous to MiCA white paper
CFO responsible for financial sections; legal team leads overall
5
SMCR notification formsSMF applications for each senior manager
CFO submits their own form (SMF3 or appropriate designation)
6
Systems and controls descriptionPolicies, procedures, technology
CFO co-owns financial controls sections; compliance leads overall
7
Recovery and wind-down planOperational resilience; exit planning
CFO co-leads financial components; operational leads overall

The application fee and timeline are important to plan around. The FCA's target review period is six months from receipt of a complete application. An incomplete application (missing documents, inconsistencies between documents, or inadequate evidence) will result in the FCA returning the application and restarting the review clock. The practical implication is that submitting a complete application in September 2026 means you should not expect authorisation before March 2027 at the earliest.

Pre-application engagement: The FCA has indicated it will offer pre-application engagement sessions for firms approaching the September 2026 gateway. These are not mandatory but are strongly recommended for complex business models (particularly stablecoin issuers and firms with multi-jurisdiction operations). They allow the FCA to flag issues in advance that would otherwise cause delays post-submission. Book a pre-application session as early as the FCA makes them available, which is likely to be from Q2 2026.

Key Takeaways

  • Seven months is not much time if you are starting from scratch. Prioritise the financial resources assessment (OFR, ILAR, wind-down plan) and the SMCR governance structure first; these are the areas most likely to require structural changes to the business.
  • All three regulatory pillars, conduct, prudential, and SMCR, must be met simultaneously at application. You cannot submit an application that says "SMCR will be in place by authorisation date." It must be in place at submission.
  • The FCA reviews six months from a complete application. Submit as close to the gateway opening as possible, but only when genuinely ready. An incomplete application resets the clock and damages your regulatory relationship.
  • The CFO owns the financial resources assessment: OFR calculation, ILAR model, backing pool structure (for stablecoin issuers), and wind-down plan. These cannot be delegated to lawyers or consultants without CFO sign-off on every number.
  • Audited accounts are non-negotiable. If you have not completed three years of IFRS-compliant audits, you cannot apply. Start the audit process immediately if there is any gap.
  • Book a pre-application FCA engagement session when they become available, expected Q2 2026. This is the most efficient way to identify and address issues before they delay your application.
  • Budget for the authorisation programme: legal, compliance advisory, audit, and FCA fees together typically run to £150,000 to £400,000 for a mid-size applicant. Include this in your financial plan.

Work Together

Need this applied to
your business?

CFO-led authorisation readiness: financial resources assessment, capital modelling, wind-down plan, and application support for the September 2026 FCA crypto gateway.

Book a Free Discovery Call →