UK's New Crypto Regulatory Framework 2025: A Deep Dive into the FCA's Latest Rules
- Jess Saumarez
- 7 hours ago
- 16 min read
In this emergency episode, Wayne and Gareth dissect the UK's newly announced comprehensive crypto asset regulation framework. They explore how the FCA has adapted existing financial regulations to create a new regime for crypto assets, covering everything from stablecoin issuance to trading platforms. The discussion breaks down key timelines for implementation through 2026, crucial requirements for both UK and overseas firms, and the three major challenges firms will face: consumer duty, senior managers regime, and capital adequacy.
Whether you're a crypto business owner or industry professional, this episode provides essential insights into how the UK's new regulatory landscape will reshape the crypto asset market.
Transcript:
Wayne (00:03.31) Hello Gareth. Welcome back. Clear, fair and not misleading podcast. It's been a little while since the last one. I feel like we've probably let the schedule slip a little bit because we've been super busy, but that's no bad thing,
Gareth (00:04.782) Aloha.
Gareth (00:17.209) We have, but it feels like we're back with an emergency podcast. Breaking news.
Wayne (00:20.75) It would be if we had a schedule and this was an interim podcast within that tightly kept schedule we'd call it emergency. But unfortunately it just happens that we've got ourselves together and something big happens. So we've got new crypto rules, right? We've got a statutory instrument and a policy document out.
Gareth (00:38.361) We do. And so what does that mean? Well, it means that finally the UK has written its rules for the full regulation of crypto assets and their activities in the UK, which is what we've been building towards for a very long time, what the Finprom rules kind of created an interim regime for. And yeah, it looks like we're now a full steam ahead towards a full new regime.
Wayne (01:08.334) And in terms of the way the FSA have done this, I suppose they had a number of routes, right? They could have created something entirely from scratch. a blank piece of paper, let's start from the very beginning. Unsurprisingly, we'd probably say they haven't done that. They could have looked abroad to other jurisdictions, to Meekland Europe, to elsewhere and taken some inspiration from that or made a copy, not very FCA like, or they could have done pretty much what they've done, I think, if you'd agree, Gareth, which is to take the existing...
part for a permissions authorisation environment and done a bit of a read across a control left control replace.
Gareth (01:48.002) Yeah, I mean, that's pretty fair, right? Take the word security out of the regulated activities order and put the word crypto asset in. And yeah, there's some specific activities that will be caught and we can get into the detail of that. But broadly, you're absolutely right. This is a copy of the existing regulated activities in the UK financial system as applied to crypto. And so...
That takes us right back at the top level to section 19 of the Financial Service of the Markets Act. Sorry, I'm a lawyer, sometimes that comes out. But you know, cannot do a regulated activity in the UK by way of business unless you are authorised or exempt. And so the regulated activity of some activities in crypto assets, no false, well, not known, but will fall squarely within that regime.
And so, yeah, firms will have to start looking towards authorisation.
Wayne (02:53.069) And in terms of that looking for authorisation, we don't have any specific dates as yet, but what's the expected time table? We can probably gain some insights based on the consultation period when that ends and what we've seen in the past from real changes.
Gareth (03:11.457) Yeah, sure. So the new statutory instrument. So let's be clear, this is not all totally brand new. We knew the broad level activities that were going to be regulated. Now we've had some of the detail about how those regulations will work in practice. That consultation paper came out yesterday. And so there is a period of time until I think the end of May to respond.
with thoughts and commentary on those draft rules before they get pushed through the FCA's implementation powers. Now, that won't be the start and end of it. We are Q2 2025. We've got some more things in terms of conduct and firm standards, which we'll
be published in consultation form around Q3 2025. We've got some admissions and disclosures consultations as well as market abuse consultations Q3 2025. And then a few more bits and pieces towards the end of 25 before publication of the final rules and all policy statements early 2026, at which point there will then be
the gateway opening for existing firms to kind of go through and sort of grandfather into the new rules, I suppose, before the regime goes fully live for all new market players, I would guess Q3, Q4, 2026. So it might sound a long way away, but as we know with these kind of regulatory change, regulatory implementation regimes,
they take a long time for firms to get their heads around the rules and then get themselves in shape really to get those applications and this is very similar to MIFID 2.
Wayne (05:17.175) Yeah, but I guess the one of the key differences here, I suppose, is that when things like Mythid 2 come into play, there are existing firms and existing regulatory regimes who are mapping across or gap analysing the differences between the old and the new regime. Whereas in this case, although there are obviously firms that are authorised in some respects, whether it's e-money or AMLs or whatever, it's going to look quite different. So this is almost the roots and
branch review of what the firms are doing in the context of new rules that have never had to be followed before.
Gareth (05:52.7) gap analysis will be very big, I would suggest.
Wayne (05:55.256) There is a massive gap. That will be the analysis. The work is how you fill that.
Gareth (05:58.061) Yeah. And so what kind of what does that mean in practice, I suppose? Well, you know, firm that comes into this regime and we can talk about how you fall into the regime and what will capture you in a moment. But firms that come into this regime will need to seek SCA authorisation. It's a full authorisation now. It's not a money laundering registration, which in other contexts as typically being kind of an easier route through the FCA, you know, you sort of register with them to say we handle money in some form of business capacity. And so we've got that risk that we need to manage and we're notifying you of that. This is a full application, six month window for the FCA to review and complete the review of the application unless it's deemed incomplete in case, in which case 12 months, you you could have a full year going through this process trying to get authorised. And then
On top of the, hey, we're now allowed to do this activity in respect of this investment type, we've now got all these other conduct areas that apply to authorised firms now applying to those crypto asset firms directly in a way that probably they haven't thought about or felt before. So there's going to be some big cultural work to be done on this for sure. We don't need to mention the words consumer duty too many more times on this podcast. That is going to be one of those things. But I think the biggest one that's going to be a shock is the senior managers regime.
Wayne (07:37.262) There's three, I felt there's three bigot isn't there on that? And they're big because of their size and their reach. They're also big in terms of assessing and implementing because they're in some cases, not all cases, in some cases, they're almost the least prescribed parts. So consumer duty is the obvious one. That's very broad, very principles based. You've kind of got to work out what the prescriptive element to those principles looks like for your own business. and documents it follow it through. The next one is, as you mentioned, SMCR. That's a big one. And that's the one I think a lot of certainly executive individuals feel because that's now putting your name next to some activities of the firm and making you personally responsible for it. And then the third one is probably capital adequacy, which is complicated to say the very least. It's the...
probably the highest risk area in terms of following the rules because of the consequences. It's one of the most expensive because of the trap pad requirements that firms have to have, especially in this new regime. And also it's the most complicated to try and work out what on it all means.
Gareth (08:51.827) Yeah, this podcast isn't meant to a, let's scare everybody into submission kind of episode. So we'll try not to get ahead of ourselves. There's one other area that I think will get brought into all of this. In fact, I know it will get brought into all of this and that's complaints. So handling complaints as a regulated business is very different to handling complaints as a non-regulated business. Timeframes apply, the requirement to write a conclusion to each case, that identification in the first case of it's something being a...
expression of dissatisfaction. There's a lot to work through there on an operational basis. So that might be kind of cutting across a future podcast episode because those statutory instruments or at least the discussion papers on those are due again. Sorry, I said discussion papers. mean consultation papers, but yeah, they're due kind of Q3 this year. So we've got a bit of time probably before those come in. And until then,
What we have is a bit more prescription around the activities that are caught and the exemptions to those activities and what they mean.
Gareth (10:02.994) We've obviously identified Wayne that this is broadly the similar kind of activities to the existing regime. So maybe do you want to kind of go through that and then I talk about some of the operational implications of that.
Wayne (10:18.209) Yeah, so I mean, the activities mainly you've got, I there's quite a broad list, right? But in the context of crypto assets, you've got arranging, you've got bringing about deals, you've got market making, you've got custody, you've got issuance. It's pretty much anything that touches what is now an instrument, which is a crypto asset, you know, facilitates business between people in the UK doing those things. And that, as you say, is...
what exists already. It's going to be an extra instrument added to the list of current instruments of shares and units and warrants and derivatives and so on and so forth. I guess the point on this in particular is that it's new and also it's specific to the UK where a lot of firms are quite cross-border. But I guess we might come to that in a minute. I'll you expand a bit more on those activities first.
Gareth (11:16.2) Yeah, sure. So the statutory instrument sets out then the new categories of specified investments. And so to be clear, when we talk about doing a regulated business, there are regulated activities, arranging deals, bringing about deals and investments, custody, issuance that you've mentioned. And then they have to apply to a specified type of investment for things to fall within the rules.
And so we now have a definition of what crypto assets is in the context of these rules. So any cryptographically secured digital representation of value or contractual rights that can be transferred, stored or traded electronically, and which uses technology supporting the recording or storage of data, which may include a DLT. And so we've now got that definition of a crypto asset. Anybody that does.
activity in relation to something that meets that definition is therefore doing regulated business. And going back to section 19, the general prohibition, you cannot do that activity unless you're authorized or exempt. There's a few other bits to that section 19 piece, so it has to be done by way of business and it has to be done in the UK. And we've already said we'll touch on the geographic piece momentarily. But just while we're still on the kind of activities and the definitions within them,
There are new definitions for qualifying stable coins. And so those are activities relating to the issuance of stable coins. And a stable coin is defined as a coin that references one or more fiat currencies. That's really important. The FCA has always been clear that tokens that reference the algorithmically backed, for instance, are not stable by their nature. And so you can't call them stable coins. So a stable coin is an an instrument that references one or more fiat currencies and seeks to hold those fiat currencies or fiat currencies and other assets as backing assets to maintain kind of a stable value. Then we've got the activity itself of stable coin issuance in relation to qualifying stable coins. And there are kind of three
Gareth (13:39.356) broad components to that activity, the offer of a stable coin, the redemption of a stable coin, and the maintenance of the value of stable coin. Now there was something in those rules that was quite interesting and they said, know, kind of creating the stable coin, whether that's in design or physically creating the code that issues the thing itself is not actually stable coin issuance, which is slightly kind of intuitive, right? The person who writes the code and sets go and kind of causes tokens to be created suddenly is not actually doing the regulated activity of stable coin issuance. Actually, it has to be the person that's offering it for sale or their agent. So somebody who is arranging for the offering of those tokens into the market, accepting payments, that kind of thing.
also accepting money to redeem those. And by redemption, we mean in that investment funds capacity of canceling the units and giving people their money back in that context. So that's stable calling issuance. We've got safeguarding, which is a new activity, again, in the regulated activities order. Safeguarding is basically custody of qualifying crypto assets.
And what they're looking to do in this context is to ensure that assets are held when they are being held on behalf of somebody else in a way that is effectively safe. And so that activity itself is going to have to be regulated and the way that that's conducted will be regulated. There's a few other specified activities. So they are
operating a qualifying crypto asset trading platform, so an exchange. And that activity will extend to where qualifying crypto assets are exchanged with either crypto assets or money, including e-money, to create a of clear perimeter between a traditional exchange, like a securities exchange, and then a crypto asset exchange under this separate
Gareth (15:58.961) and a permission scope. Some firms might end up doing both, of course, but if that's the case, then they will need both permissions. There's also dealing in qualifying crypto assets as principles. So if you buy and sell off your own order book on the basis of its intention, which is basically to capture lending and borrowing, then that will be caught by the rules. Dealing as agent is another. So if you're buying and selling on behalf of somebody else,
arranging somebody else's transactions in crypto assets, then that's also caught as an activity. And then the last one, which is quite interesting, is qualifying crypto asset staking, which includes liquid staking. And so anyone that facilitates that kind of activity or arranges that kind of activity will be caught as a firm needing to be authorised by the FCA. There are no, it's interesting to note,
special provisions for decentralised finance, where they're being carried out on a truly decentralised basis, then the requirements to seek authorisation won't be applicable. But the FCA will be watching, I think, to determine whether you are truly decentralised, i.e. whether there is no person that could be said to be undertaking the activity by way of business.
Wayne (17:25.753) I feel like that DeFi one is one that's going to be tested. think that's the carve out there is we're not going to legislate for this. We're going to let people decide what they think is in scope and out of scope and then we're going to test it through whatever process, supervisory, legal, whatever that might be and then see who's the first to join the party and set the precedent.
Gareth (17:49.925) I believe you're absolutely right.
Wayne (17:52.374) Another interesting point on the custody actually, just to pick up, because something like a difference in the crypto asset world to traditional finance is the custody point. So again, my understanding is that there's in the rules or nothing applied for self custody. So holding off, holding in a wallet. This is applying to the exchanges, for example, that will hold custody for you. So it's holding it for somebody else if it's taken out of that.
not applied.
Gareth (18:25.478) Yes, yeah, that's right. The key thing I think among all of this is the geographic element to this. When are you said to be doing this activity by way of business in the UK such that authorisation is required? And of course, this will be the key question for anyone who has an offshore entity. You're in Lithuania, you're in Poland, you're in Germany.
When are you caught by the rules? And the FCA has been very clear in the statutory instruments. They've section 418 of the Financial Services and Markets Act to say that any firm that deals directly or indirectly with a UK consumer will need to be authorised by the FCA for carrying out a regulated activity in the context of crypto assets.
regardless of whether the firm is based in the UK or overseas. So yeah, if you have only a Lithuanian entity or only a Polish entity, but you still service the UK market, then I'm afraid that will no longer keep you out of the authorisation regime and you will need to seek FCA approval. There's also a notice period on some of this stuff as well. So if you intend to do it, then I think it's a 28 day notice period.
and a 28 day notice period in the event that you decide to cease that kind of activity. yeah, so that's interesting. That applies actually in the context of operating an exchange, dealing as principal, dealing as agent, arranging deals. Then there's carrying on things like safeguarding and custody again.
If you are safeguarding the assets of a consumer in the UK, then again, authorisation will be required. The only sort of slight nuance to those rules is the other rules around issuing qualifying stable coins. An issuer of a stable coin will only need to be authorised for that activity in the UK if they issue that stable coin.
Gareth (20:51.214) from an establishment in the UK. So that's the one time where being overseas will get you an exemption that doesn't otherwise apply.
So that's kind of it. I suppose in a nutshell, in terms of the high level rules, we will obviously follow up with more in-depth content on this as and when that starts to play its way through. And obviously, do reach out if you have any questions on its applicability to your individual business. What's left, I suppose, Wayne, is that bit around those other elements conduct.
et cetera, that being authorised will affect in terms of a business in crypto assets. So yeah, I wonder if you just had maybe two minutes on that.
Wayne (21:43.926) Yeah, and I guess the sort of order of play for firms, whether they're going to go through the gateway because they have activities already or they're already authorised under the current regime, whether it's new ones, is going to be firstly to look at the specifics that we've talked about when we know the detail. So what activities are you doing? What will require which authorisation in the UK? And then recognise that that will then require an application to the FCA.
So you've to make sure that you're applying for the right things, the right activities for the instruments. And then the next bit is to recognise that application process will then involve a lot of testing of those broader pieces. So great, we understand that you are an exchange, for example. We understand what you're doing, that you also offer safeguarding through custody on your online wallets. That we understand the details. Now talk to us through documentation, policy, resource, et cetera, about.
your capital adequacy requirements, how you calculated those and what they are actually looking like, your SMCR mapping, your statements, your consumer duty stuff. And there's a lot of paperwork to do on that. But in some respects, to try and turn it a little bit positive if we can, there are things we see firms doing or certainly capable of doing in this space where I think they could be very good at it compared to...
traditional finance where not so much. you know, supporting understanding and communication lines, I can probably get in touch with a crypto exchange by three, four, five different comms channels versus telephone and snail mail if I'm dealing with someone more traditional. So, but yeah, that's the bit, know, there's the, there's a technical detail and then sort of work down into the principles and spit out the paperwork at the other side.
Gareth (23:35.043) Yeah, exactly. you know, those responses, so the senior managers regime, which will apply and we've already sort of briefly mentioned, that will create responsibility maps within organisations. will have to be able to say, are responsible for these particular things, you are responsible for these particular things. Personal liability will attach to some of that. Again, that's quite new, I think, in some context for crypto, thinking about who individually is responsible personally for some of the activities in this space.
We've already mentioned complaints and having the process for dealing with those complaints, whether that's identifying what a complaint is in the first place, tracking the timing on, you know, acknowledging the receipt of a complaint, creating that final report on communication to the complainant on the outcome of an investigation that's been carried out. That will also have to be kind of worked through. Of course, an authorised firm
kind of prove its own financial promotions. And so, you know, the process of how you're going to create, oversee, monitor those from your compliance angle. Effectively, what I think this is gonna mean is that like crypto asset firms that become authorised or want to become authorised will very much need to focus a lot more of their resource on that kind of compliance function because there'll be a lot more things getting thrown their way.
that I think probably they're having to handle at the minute.
Wayne (25:02.957) back to that application point then, when the FCI testing this stuff, it's showing who's going to do that. And also what gives them the right to play in that space? Do they know this stuff or is it just bodies thrown of problems in the hope that that makes it go away? That's not always quite enough, isn't it? So I think it's helpful, I guess, that we've seen very, very slowly what traditional finance has done to cope with rules and these regimes that exist now.
puts in a position to sort of help the crypto firms to do that at the much faster pace they'll need to because this is coming down the track in know 12, 18 months time.
Gareth (25:39.383) Mm-hmm, that's right. So yeah, I don't have much more to say on that. Of course, more content will follow. We know more about the implementation of the rules, some of these other consultation papers around conduct and complaints, and the other aspects of operating a regulated business that will all follow. And in the meantime, we are here for anybody that
does want to ask questions, having seen it from both sides of this fence, right, from the traditional side, traditional finance and then the current state of the crypto market.
Wayne (26:19.565) Cool, emergency podcast over Gareth, that was very exciting. Yeah, Yeah, excellent, until the next one which will be not an emergency I hope, and will just be a much calmer podcast like normal, we won't look quite so, not less energetic, yes, yeah. Well done for absorbing all those rule references though Gareth, it's very impressive to the right kind of person.
Gareth (26:21.748) Emergency podcast, I love it. I record 26 minutes, I love it.
Gareth (26:34.018) much more well thought through.
Gareth (26:39.349) Excellent.
Gareth (26:45.514) and very boring to dinner party guests.
Wayne (26:48.183) to the rest of them, yeah. Yeah, but you can't please everybody all the time,
Gareth (26:52.085) Indeed. And on that bombshell.
Wayne (26:52.969) Yeah. Well, bye. Until next time.
Gareth (26:56.171) See you soon.