The FCA’s New Crypto Regime Explained: A Practical Guide for Financial Institutions
On 29 January 2026, the FCA hosted a webinar outlining the UK’s new regulatory framework for crypto-asset activities and the steps firms must take to obtain full authorisation.

Mar 26
Crypto-asset activities are now being brought fully within the Financial Services and Markets Act (FSMA) perimeter, meaning firms will be held to the same regulatory standards as traditional financial institutions.
Whilst this guidance is focused on FCA-regulated firms, the same risks apply to investment managers globally, so corporate policies should not be assumed to remain adequate without review. Under this new regime, organisations will need to comply with extensive FCA Handbook requirements, including:
- PRIN (Principles for Businesses)
- SYSC (Systems & Controls)
- COND (Threshold Conditions)
- Consumer Duty
- Operational Resilience
- Financial Crime Requirements
Firms operating previously under lighter or fragmented supervision must now demonstrate robust governance, clear operational oversight, strong customer-outcome frameworks, and mature systems and controls.
Key Regulatory Dates
Authorisation window: 30 September 2026 ➝ 28 February 2027
Regime commences: 25 October 2027
Firms must be fully authorised by the commencement date to continue regulated crypto-asset activities.
FCA Expectations Under the New Regime
The FCA has reaffirmed its approach of “same risk, same regulatory outcome.” Crypto businesses must now meet governance, resilience, conduct, safeguarding and financial crime standards equivalent to those applied across the wider financial services sector. Firms will need to demonstrate:
- Strong governance structures with clear accountability.
- Documented systems and controls suitable for crypto-asset risks.
- Mature customer-outcome frameworks aligned to Consumer Duty.
- Tested operational resilience arrangements.
- Robust AML, KYC and market-abuse prevention controls.
- Effective safeguarding and segregation of client assets.
- Competence at board and senior management level in crypto-specific risks.
The FCA expects firms to arrive at the authorisation window with a fully complete, well-evidenced application, not a roadmap.
Governance, Oversight and SMCR Considerations
The move to FSMA-level regulation substantially raises expectations on senior management. Directors and senior managers should anticipate increased scrutiny and potential personal exposure in the event of governance or oversight failures. Areas of focus include:
- Assessment of crypto competence at board level.
- Evaluation of whether SMCR-equivalent structures should be implemented.
- Establishing regulatory change forums and steering committees.
- Documentation of risk ownership across operational, technology, financial crime and customer-outcome functions.
- Early assessment of potential capital, operational or staffing enhancements required to meet supervisory expectations.
Firms should begin readiness planning early to avoid a compressed timetable during the application window.
Systems and Controls, AML and Market-Abuse Compliance
The FCA has emphasised that crypto firms must adopt rigorous safeguarding and financial crime frameworks, including:
- Independent testing and validation of AML/KYC systems.
- Transaction monitoring systems capable of identifying typologies relevant to crypto-asset flows.
- Segregation of duties, key-person controls and strict private-key access governance.
- Market-abuse surveillance for firms dealing in tokens that qualify as financial instruments.
These expectations represent a major uplift compared with the practices of many crypto-native firms.
Operational Resilience Expectations
Crypto platforms and custodians operate in a uniquely high-velocity environment, where outages, volatility-driven load spikes, smart-contract issues and reconciliation breaks can rapidly create customer detriment. Once the FSMA regime applies, such incidents will no longer be viewed merely as operational issues. They may trigger regulatory scrutiny into whether the firm:
- Conducted adequate resilience testing
- Maintained effective fallback arrangements
- Communicated promptly and transparently with customers
- Monitored key impact tolerances
The FCA will expect scenario analysis across cyber breaches, insolvency events, bridge failures, wallet compromise and extreme market dislocations.
Product Governance, Consumer Duty and Conduct
Investment managers, trading platforms, custodians and digital asset service providers will need to evidence:
- Clear product governance frameworks
- Appropriately designed and targeted disclosures
- Suitability and appropriateness processes, where relevant
- Regular MI reporting on operational incidents, complaints, error rates and customer-detriment indicators
- Defined tolerance thresholds for mis-selling, disclosure failures and poor customer outcomes
The Consumer Duty materially increases liability exposure for firms whose systems, communications or oversight processes fall below the expected standards.
Insurance Considerations Under the New Regime
The shift to FSMA authorisation fundamentally changes the liability environment for crypto firms and investment managers. Insurance programmes designed for pre-regime operating models may no longer be adequate.
A full-stack insurance review is now a governance requirement, not a discretionary exercise.
Professional Liability / E&O
Professional Liability (PI/E&O) cover becomes critical as Consumer Duty heightens exposure to allegations of:
- Misstatements or disclosure failures
- Execution errors or operational failures
- Pricing and valuation discrepancies
- Customer detriment resulting from platform outages or process failures
- Poor investment or treasury decisions where firms exercise discretion
Directors & Officers (D&O)
Board members and senior managers face materially heightened scrutiny and risk, including:
- Governance failures
- Systems-and-controls weaknesses
- Deficiencies in operational resilience planning
- Mismanagement of customer assets
- Failures in AML or market-abuse oversight
- Authorisation misstatements or insufficient regulatory readiness
A modern D&O programme must reflect these exposures.
Crime / Fidelity Insurance
Crypto firms face elevated risk of both internal and external crime events, including:
- Private-key compromise
- Collusion or malicious insiders
- Wallet or reconciliation manipulation
- Fraudulent onboarding or KYC breaches
- Social engineering and transfer fraud
Crime insurance must be carefully reviewed for crypto-appropriate definitions and exclusions.
Cyber Insurance
Under the new regime, cyber incidents are not merely technical failures; they are potential regulatory breaches. Cyber insurance must be fit for purpose and should cover:
- Hot and cold wallet compromise
- Infrastructure attacks on trading platforms
- System outages leading to customer detriment
- Ransomware and operational disruption
- Regulatory investigation costs arising from cyber events
A policy designed for conventional technology firms will often leave material gaps.
What This Means for Investment Managers and Funds
While much of the public discussion focuses on exchanges and custodians, investment managers and funds will also be drawn into the regulatory perimeter depending on their activities.
Managers should focus on:
- Portfolio and treasury risk frameworks for crypto assets.
- Clear valuation methodologies and pricing hierarchies.
- Liquidity management, including extreme volatility scenarios.
- Counterparty due diligence on exchanges, custodians and liquidity providers.
- NAV calculation processes for crypto-asset valuations.
- Outsourcing governance where functions such as custody or execution are delegated.
These requirements interact closely with PI, D&O, operational resilience and cyber coverage considerations.
Summary
The FCA’s new crypto-asset regulatory regime transforms crypto businesses into fully regulated financial institutions. Expectations will rise sharply across governance, systems and controls, operational resilience, safeguarding, financial crime prevention and customer outcomes.
Insurance arrangements that were suitable before the FSMA regime are unlikely to match the post-2027 risk environment. Reviewing Professional Liability, Directors and Officers, Crime and Cyber cover is now an essential step in regulatory readiness, senior management protection and organisational resilience.
Firms should begin their readiness planning early to ensure they can meet authorisation expectations well before the regime takes effect.
Dominic Pilgrim
Partner - Professional & Executive Risk Solutions
Speciality Areas
- Professional & Executive Risk
As a Partner in the Professional and Executive Risk Solutions team, Dominic Pilgrim’s specialist class is Professional Risk. With almost two decades of experience, Dominic’s sector experience lies in Real Estate, Private Equity, Hedge Funds and Fund Administrators, covering locations across the UK, United States, Europe and Australia. In his spare time, Dominic enjoys getting stuck into a DIY project.