Putting the FCA’s Operational Resilience Requirements into Practice
15 October 2025
Taken from the published LinkedIn pulse article.
From 2026, a range of digital asset activities will fall into the regulatory perimeter of the UK’s financial services regulator, the Financial Conduct Authority (FCA). These include issuing qualifying stablecoins, safeguarding qualifying digital assets, operating a digital asset trading platform (CATP), intermediation and staking.
The FCA recently outlined its proposed framework for how it will regulate these activities in CP25/25, which will expand digital asset regulation beyond its current scope of financial promotions and financial crime. Any firm or individual undertaking these new regulated activities will be required to obtain authorisation from the FCA before operating in the UK, and be expected to meet the necessary standards set by the regulator.
While CP25/25 is still undergoing consultation and may be subject to change, it is clear that central to the FCA’s expectations of regulated digital asset activities is compliance with the FCA’s existing operational resilience framework, a standard that has long been recognised as fundamental to financial services.
In practice, this will require regulated digital asset firms to adhere to and comply with four Systems and Controls (SYSC) requirements set out in the FCA Handbook:
SYSC 4 – General Risk Management Requirements
SYSC 4 sets the foundation for a coherent and accountable approach to managing risk across an organisation. Firms are expected to have clear governance structures and effective systems in place to identify, manage, and monitor all material risks. It requires defined lines of responsibility, as well as robust internal controls, and decision-making that aligns with the firm’s overall risk appetite.
SYSC 7 – Risk Control
SYSC 7 expects senior management to actively oversee risk controls, rather than delegating them. It builds upon SYSC 4 by focusing specifically on how risks are controlled once identified, and requires firms to establish proportionate risk management processes, including ongoing risk assessments, stress testing, and escalation mechanisms that ensure exposures remain within tolerance.
SYSC 8 – Outsourcing
SYSC 8 makes it clear that outsourcing does not transfer accountability and that firms remain fully responsible to the FCA for all outsourced activities. When critical or important operational functions are outsourced, firms must retain full responsibility and oversight, conducting due diligence on providers and maintaining contingency plans to mitigate service disruptions.
SYSC 15A – Operational Resilience Requirements
SYSC 15A formalises the FCA’s operational resilience expectations that firms can prevent, adapt to, respond to, recover from, and learn from operational disruption. To ensure compliance, firms must identify their important business services, set impact tolerances for disruption, and test their ability to remain within those tolerances under severe but plausible scenarios.
Whilst these rules are still under consultation and may be subject to change, it is clear that in the future, the FCA expects higher standards of operational resilience from digital assets firms.
While some may mistakenly view the FCA’s new operational resilience requirements as a regulatory burden, they should not be seen simply as a compliance cost. For firms operating at the intersection of finance, blockchain and digital assets, a lack of operational resilience has always been a significant risk that can and should be mitigated, as shown by the headline-grabbing hacks of Mt. Gox in 2014, Bitfinex in 2016 and Bybit in 2025, and by system failures such as the Amazon Web Services (AWS) outage earlier this year, which disrupted the operations of Binance, KuCoin, MEXC and others.
However, recognising the importance of operational resilience and risk management is one thing; effectively embedding resilience principles and practices into the fabric of daily operations is another. At Appold, we have longstanding, in-depth expertise in assisting digital asset firms to integrate operational resilience frameworks that go beyond regulatory compliance, emphasising the practical implementation of robust systems, tested response plans, and measurable governance outcomes that ensure stability and readiness for the evolving UK regulatory environment.
Through the Appold Operational Resilience Service, we are committed to ensuring that firms are equipped to plan for, respond to, recover from, and learn from operational disruptions. Our institutional-grade, regulatory-aligned framework is tailored to the unique needs of digital asset firms and draws on leading standards, including the Basel Committee’s Principles for Operational Resilience (POR), the FCA’s Policy Statement PS21/3, SYSC 15A of the FCA Handbook, and the Crypto-asset Operational Risk Management Framework (CORM).
By leveraging Appold’s independent digital asset expertise and successful track record as an auditor’s expert to major digital asset firms, along with our hands-on experience in identifying systems and controls risks, we have the capability to support firms to move beyond regulatory minimums and ensure resilience is embedded into day-to-day operations, enabling firms to withstand disruption and maintain trust in critical market functions.
Reach out to us for further discussion.
For further information, please contact:
info@appold.com