UK Cryptoasset Regulation Under FSMA: A Structural Shift Not To Be Ignored
29 April 2026
Taken from the published LinkedIn Pulse article.
Introduction
Recent announcements from the Financial Conduct Authority (FCA) have demonstrated that the UK cryptoasset regulatory framework is now entering a new phase under FSMA (Financial Services and Markets Act 2000). It has become apparent that this process will involve a transition from limited oversight, primarily over Anti-Money Laundering (AML) and promotional services, to full financial services regulation. Whilst the targeted October 2027 implementation timeline may seem distant, the scale of preparation required means that, operationally, the deadline is much closer than it seems. It should be noted that this is not an incremental update but rather a structural expansion of regulatory scope and expectations. Therefore, firms should treat this as an ongoing transition rather than a future event.
What’s Changing?
The range of firms that need to align with new regulatory standards has expanded, meaning many will have to undergo the process from registration to full authorisation. This means a transition away from Money Laundering, Terrorist Financing and Transfer of Funds Regulations (MLR)-only oversight to FSMA authorisation, and the introduction of new regulated activities, including custody and safeguarding, trading platforms, dealing (principal/agent), staking, and stablecoin issuance.
Therefore, the extent of FCA supervision is now expanding beyond financial crime into governance and senior management, operational resilience, prudential risk, outsourcing and third-party risk, customer outcomes and conduct. It is evident that the standards being introduced are beginning to resemble those applied to investment firms under the Investment Firms Prudential Regime (IFPR) and Markets in Financial Instruments Directive (MiFID)-aligned regimes.
Beyond the boundary enlargement of FCA supervision, new prudential and risk frameworks are expected to be introduced. This means that capital requirements will now include a permanent minimum, fixed overheads, and activity-based metrics, similar to the K-factor approach used in the UK investment firm prudential regime. In addition, firms are likely to face a more formalised, ICARA-style approach to firm-wide risk assessment. ICARA, or the Internal Capital Adequacy and Risk Assessment, requires firms to assess the material risks and harms arising from their business, determine whether they hold adequate financial resources, undertake stress testing, and maintain a credible wind-down plan. For cryptoasset firms, this could represent a material shift from registration-style compliance towards ongoing prudential risk management.
Another notable change is the revision of requirements relating to disclosure and market transparency. Annual disclosures covering a firm’s risk profile and capital position are expected to place greater emphasis on market discipline and comparability.
This all indicates that firms that previously lay outside the regulatory perimeter may now be brought within scope, with crypto-native firms increasingly treated by traditional financial institutions as legitimate financial services entities. This moves the sector away from the predominantly technology-led model in which many crypto businesses have traditionally operated. Firms will now need to evidence financial resources, robust governance, and operational resilience consistent with those of regulated financial services businesses. From Appold’s perspective, this is likely to become a potential dividing line for the sector where institutional credibility will depend less on narrative or product innovation, and more on the ability to withstand scrutiny and stress whilst operating with the discipline expected by traditional financial markets.
What Does This Mean in Practice?
These regulatory changes will require a sizable change in attitude from crypto firms, who will have to adhere to institutional standards to continue operating in the UK.
Primarily, governance will become central. Fit and proper requirements for leadership, ‘mind and management’ expectations, along with board-level accountability structures, will be imperative for validating the legitimacy and security of any firm. Operational resilience will no longer be a secondary issue, and crypto firms will be required to demonstrate the ability to withstand disruption, manage third-party risk, and implement defined recovery and exit strategies.
Crypto firms will also need to take action to address upskilling and capability gaps. This is due to the introduction of training and competence requirements for risk teams, compliance infrastructure, operations and financial modelling. At present, many crypto-native firms are not structured to meet these institutional-grade expectations. Furthermore, revenue sustainability and exposure to market and counterparty risk will now be increasingly scrutinised. The question remains whether many crypto-native firms will be able to meet these new standards and fulfil the specific requirements in an adequate and timely manner.
Implications for Firms
Initially, firms will have to map the scope of the new regulations to identify which activities fall within the new regulatory perimeter and assess whether authorisation or reauthorisation is required. Firms will then have to proceed to conduct a gap analysis against FCA standards, divided into the following categories: Governance (COND, FIT), Systems and controls (SYSC), Risk and prudential frameworks, and Customer and conduct obligations (PRIN, Customer Duty).
It will be especially important to carry out financial and prudential planning, including capital adequacy modelling, liquidity planning, stress testing, and scenario analysis. Furthermore, firms will have to build or refine core frameworks to address enterprise-wide risk management, ICARA-style assessment processes, operational resilience frameworks, and oversight structures for outsourcing.
Finally, firms will have to make various strategic decisions regarding ‘mind and management’ and business model viability under regulation. The question of whether to scale, restructure, or exit certain activities will also need to be considered.
It is evident that demonstrating compliance will now go beyond mere possession of the relevant documentation. Integrated governance, risk, and operational frameworks will now be essential. For many firms, this will be their first interaction with full FSMA authorisation, and so, alignment with financial services standards will be resource-intensive and cross-functional.
However, our view is that those who do it properly will benefit the most from institutional acceptance, which could drive further business opportunities from these very institutions as well as potentially increase the value of their organisations.
But what is clear is that time is running out to prepare for this change, and those firms that leave it too late will face issues that could range from a loss of FCA registration to fines and, in more extreme cases, curtailed UK business activities.
How Appold Can Support This Transition
Whilst the regulatory direction is now clear and the timeline is fixed, the complexity of preparation is high. Firms that treat this as a compliance exercise risk under-preparing. Rather, early engagement will allow strategic flexibility and reduced execution risk, and those who treat it as an operational transformation will be better positioned. With experience across institutional standards and crypto infrastructure, Appold provides expertise on operational readiness beyond theoretical compliance. As the financial landscape comes under greater regulatory oversight, Appold is positioned to help firms navigate this transition smoothly. We support clients across both traditional and crypto-related industries in:
Interpreting regulatory scope and applicability
Designing and implementing governance and operating models
Building risk and prudential frameworks
Preparing for authorisation and ongoing supervision
Reach out to us for further discussion.
For further information, please contact:
info@appold.com