The FCA’s publication of CP25/42 marks a pivotal moment in the development of the UK’s cryptoasset regulatory regime. Building directly on the proposals set out in CP25/15, the consultation completes the prudential architecture that will underpin authorisation and ongoing supervision of cryptoasset firms operating in or from the UK.
“Cryptoasset firms” are businesses that carry on regulated activities involving cryptoassets—such as issuing, safeguarding, trading, exchanging, or arranging transactions in cryptoassets—while operating in or from the UK and falling within the FCA’s authorisation and supervisory perimeter.
As Cosegic highlighted in its earlier analysis of CP25/15: A regime for cryptoasset firms – current developments, the FCA’s direction of travel has been clear for some time: cryptoasset firms will be expected to demonstrate levels of financial resilience, governance and risk management broadly comparable to those of traditional regulated firms, adapted to the specific risks of crypto markets. CP25/42 brings that ambition into sharper focus.
From CP25/15 to CP25/42: From Foundations to Full Prudential Coverage
CP25/15 focused primarily on stablecoin issuance and cryptoasset custody, introducing the core elements of the prudential regime — including own funds requirements, early thinking on liquidity, and the application of a tailored prudential sourcebook (CRYPTOPRU).
CP25/42 extends those principles to the remaining regulated crypto activities, including:
- operating a qualifying cryptoasset trading platform,
- dealing as principal or agent,
- arranging cryptoasset transactions, and
- providing staking and related services.
Together, the two consultations complete the FCA’s prudential picture: all regulated crypto activities will be subject to explicit capital, liquidity and risk-management standards. It will be imperative for cryptoasset firms to understand how these rules will apply to their specific business model and the resulting impact on regulatory financial resources.
Capital Requirements: Formulaic Foundations
As under CP25/15, CP25/42 re-affirms the approach to applying formulaic capital requirements, set at the higher of:
- the Permanent Minimum Requirement (PMR),
- the Fixed Overhead Requirement (FOR), and
- the relevant K-Factor Requirements (KFRs).
While this structure will be familiar to firms regulated under MIFIDPRU, its application to cryptoasset firms produces materially different outcomes depending on business model and scale.
Permanent Minimum Requirement (PMR): Setting the Prudential Floor
The PMR represents the FCA’s baseline expectation of financial resilience. Under CP25/42, PMRs are calibrated by reference to the nature of crypto activities undertaken, with a clear risk hierarchy:
- Lower PMRs apply to firms engaged in arranging, advisory or agency activities, where balance-sheet exposure is limited.
- Higher PMRs apply to firms dealing as principal, operating trading platforms, or providing services that expose the firm to market, counterparty or operational risk.
As Cosegic observed in its CP25/15 commentary, PMRs are unlikely to be the binding constraint for established firms. However, for new entrants and early-stage firms, PMRs may act as a meaningful barrier to entry, particularly where permissions denoting higher risk (e.g. dealing as principal) are sought.
The inclusion of PMRs for cryptoasset firms reinforces the FCA’s preference for credible, well-capitalised applicants and may encourage firms to phase permissions strategically rather than pursuing broad authorisation from day one.
Fixed Overhead Requirement (FOR)
The FOR is designed to ensure firms can continue operating — or wind down in an orderly manner — during periods of stress. It is calculated as a proportion of a firm’s annual fixed expenditure.
In practice, FOR is likely to be the binding capital requirement for many cryptoasset firms, particularly those with:
- significant compliance and regulatory staffing,
- complex technology stacks,
- outsourced custody, infrastructure or group services.
Applying an expense-based capital requirement could present a significant hurdle for firms in the start-up phase that incur large expenditure with limited revenues.
Firms relying heavily on outsourcing or group services should pay close attention to how costs are classified. Misjudging fixed versus variable expenditure can materially distort capital planning and attract supervisory scrutiny.
K-Factor Requirements (KFRs): The larger your footprint, the greater the risk
K-factors are the most risk-sensitive component of the regime, ensuring capital requirements increase as a firm’s risk footprint grows. CP25/42 adapts and extends these to reflect crypto-specific activities.
These requirements will need to be monitored on an ongoing basis, particularly the exposure-based metrics applicable to firms dealing on own account, as requirements could be volatile even intra-day.
At a high level, KFRs fall into two broad categories:
Operational Risk K-Factors
These capture risks to clients arising from:
- executing client orders on behalf of clients and the reception and transmission of client orders,
- executing orders in the name of the firm (either on behalf of clients or for the firm itself),
- providing staking or yield-generating services.
Exposure-Based K-Factors
These apply to firms that deal as principal and are exposed to market volatility, concentration risk and credit risk on their own balance sheet.
They reflect market volatility, counterparty exposure and position risk, all of which are amplified in crypto markets.
K-factors ensure that rapid growth is accompanied by proportional increases in financial resilience — a deliberate counterweight to the “scale first, capital later” growth strategies seen historically in parts of the crypto sector.
Liquidity Requirements: Learning From Market Stress
CP25/42 introduces more explicit liquidity requirements than CP25/15, reflecting lessons learned from recent crypto market failures.
Firms will be required to hold sufficient high-quality liquid assets, primarily in fiat or near-cash form, to meet short-term obligations and support an orderly wind-down.
This is a clear continuation of previously proposed cryptoasset regulation, where liquidity quality and accessibility were identified as central regulatory concerns.
Liquidity is likely to be a more binding constraint than capital for firms whose balance sheets are predominantly crypto-denominated. Assumptions about convertibility under stress will be tested rigorously by the FCA.
Overall Risk Assessment (ORA): Moving Beyond Formulaic Compliance
Alongside the formulaic capital and liquidity requirements, CP25/42 introduces a central qualitative pillar of the prudential regime: the Overall Risk Assessment (ORA). Similar to ICARAs for MIFIDPRU firms, the ORA is a business-wide risk assessment that evaluates business model risks to inform the adequate level of financial resources held by cryptoasset firms.
Under CP25/42, firms will be expected to identify, assess and manage all material risks that could cause harm, including:
- operational and technology risks,
- custody and safeguarding risks,
- market and counterparty risks,
- liquidity and funding risks, and
- risks arising during an orderly wind-down.
The ORA must be forward-looking, proportionate to the nature and scale of the firm, and embedded within governance and decision-making. It is not a one-off exercise for authorisation, but an ongoing process that informs capital planning, liquidity buffers and risk appetite.
Critically, CP25/42 makes clear that meeting PMR, FOR and KFRs does not, in itself, guarantee prudential adequacy. Where a firm’s ORA identifies additional risks not fully captured by the formulaic requirements, the FCA expects firms to hold additional own funds and/or liquidity.
The implication is that prudential compliance becomes a matter of judgement and evidence, not simply arithmetic. Firms will need to demonstrate how their capital and liquidity levels remain adequate under severe but plausible stress scenarios, including market dislocation and operational failure.
Own Funds and Liquidity as Threshold Requirements
CP25/42 reinforces that both own funds and liquidity form part of the FCA’s Threshold Conditions — conditions that must be satisfied at all times, not just at the point of authorisation.
In practice, this means firms must be able to demonstrate that they:
- maintain sufficient own funds and liquid resources on an ongoing basis,
- can absorb losses without disorderly failure, and
- can execute an orderly wind-down without causing harm to clients or markets.
Where the FCA considers a firm’s ORA to be weak, overly optimistic, or poorly evidenced, it may:
- require higher capital or liquidity buffers,
- impose restrictions on permissions or business activities, or
- challenge the firm’s overall business model.
This approach aligns with the FCA’s wider supervisory trend: prudential resources are assessed in context, taking into account governance quality, risk controls, complexity and operational resilience.
Groups and Consolidation: Substance Over Structure
CP25/42 makes clear that firms cannot arbitrage prudential requirements through complex group structures. Key expectations include:
- group-wide risk identification,
- consolidated capital and liquidity analysis,
- governance capable of managing intra-group dependencies.
For international groups, this reinforces a recurring theme: UK regulators expect local substance, not just local entities.
Conclusion: Prudential Regulation as a Strategic Differentiator
CP25/42 completes the FCA’s prudential framework for cryptoasset firms, translating high-level regulatory ambition into concrete financial expectations. Together with CP25/15, it signals that prudential discipline is now central to cryptoasset firm credibility in the UK.
As Cosegic’s recent digital finance commentary has consistently emphasised, firms that treat capital, liquidity and risk management as strategic assets — rather than compliance obligations — will be best placed to navigate authorisation, supervision and long-term growth under the UK’s emerging crypto regime.
If you would like to discuss further or require support, please feel free to get in touch with us at Cosegic.