This article was prepared with input from Pete Chapman, partner at Richardson Lissack.
We continue our series of articles on the transition cryptoasset businesses face when moving from MLR registration to full FCA authorisation.
The UK crypto landscape is undergoing its most significant transformation to date. For firms operating in this space, this is not a simple compliance exercise, but a fundamental shift towards a regime that looks and feels much closer to traditional financial services regulation.
Last month, the FCA published CP26/13, setting out proposed cryptoasset perimeter guidance. This follows on from CP25/40 and the wider Crypto Roadmap. While it does not change the underlying legislation, it provides greater clarity on how firms should interpret the scope of the new regulated activities in practice. This is particularly relevant for firms currently assessing whether they are (and want to be) in scope and what permissions they will require ahead of the “Authorisation Window”.
What Activities Will Require Authorisation?
As set out in CP25/40, firms carrying on cryptoasset activities by way of business in the UK will require FCA authorisation. These activities include operating a trading platform, dealing as principal or agent, arranging deals, safeguarding cryptoassets, issuing qualifying stablecoins and arranging staking.
CP26/13 does not expand this list but it provides further guidance on how these activities should be understood in practice, with an emphasis on substance over form.
A Clearer Perimeter: Key Definitions
One of the most important developments in CP26/13 is the clarification of how different types of cryptoassets fit within the regulatory perimeter.
Firms must now assess both:
- whether they are carrying on a new regulated cryptoasset activity in relation to a qualifying cryptoasset; and/or
- whether they are carrying on an existing regulated activity in relation to a cryptoasset that is a specified investment cryptoasset.
This is best understood through two key definitions:
- Qualifying Cryptoassets: these are fungible and transferable cryptoassets (such as cryptocurrencies and many stablecoins) which fall within the new regime and trigger new permissions.
- Specified Investment Cryptoassets: these are cryptoassets that meet existing specified investment definitions (e.g. tokenised shares or bonds) and remain within the existing RAO framework.
While there is some conceptual overlap, the practical effect is that specified investment cryptoassets are carved out of the new regime and continue to be regulated under existing permissions (for example, dealing in investments as principal or agent and arranging deals in investments).
This distinction is critical in determining whether a firm requires new crypto permissions or can rely on its existing authorisation.
The Grey Areas: Now Narrower, But Still Real
There were several grey areas in how the perimeter was previously understood, CP26/13 provides additional guidance clarifying these.
The “arranging” boundary remains particularly important. The FCA’s guidance confirms that firms must consider their role in the transaction chain, including whether they are facilitating or enabling execution, even where they do not directly execute trades themselves and where they have no contact with the consumer.
Similarly, the position on decentralised models is clarified but not simplified. The presence of smart contracts or decentralised infrastructure does not in itself take an activity outside the perimeter. The key question remains whether there is an identifiable person carrying on the activity by way of business.
Cross-border structures also remain a focus. Firms providing services to UK consumers from overseas may still be within scope, and the FCA continues to emphasise the importance of a UK presence in many cases.
Why Getting the Perimeter Right is Fundamental
The FCA is clear that firms must carry out a detailed, case-by-case assessment of their activities, including whether those activities are carried on in the UK, by way of business, and whether any exclusions apply.
Getting this analysis wrong has significant consequences.
First, it directly affects capital requirements and prudential categorisation. Different activities can drive materially different capital requirements, and misclassification can result in firms underestimating their regulatory obligations.
Second, it creates execution risk at the authorisation stage. Firms applying for incorrect permissions may face delays, challenges from the FCA, or ultimately refusal.
Third, there are legal consequences. Carrying on a regulated activity without the appropriate permission is a breach of the general prohibition, with both criminal and civil implications, including unenforceability of agreements.
Given that the new crypto perimeter is evolving and remains novel for both industry participants and regulators, instructing suitably qualified legal counsel to provide a formal legal opinion is critical to establishing a robust, defensible starting position, and a clear reference point for early regulatory engagement.
Implications for Existing Clients and Contracts
While CP26/13 is guidance rather than new law, it does have practical implications for firms already operating in the market.
In our experience, a number of firms have historically taken a relatively narrow view of the perimeter, particularly in relation to arranging, execution support and platform-style models. The FCA’s guidance suggests a broader, substance-based interpretation, which may bring some of these models within scope.
This means that:
- existing perimeter analyses may need to be revisited;
- some firms may need to apply for additional permissions; and
- contractual documentation may not accurately reflect the regulatory characterisation of the services being provided.
For more complex or borderline models, it may be appropriate to obtain updated legal advice to ensure alignment with the FCA’s clarified position.
Authorisation Timeline and Next Steps
The initial application window for the new regime runs from 30 September 2026 to 28 February 2027, with the regime going live on 25 October 2027.
Firms that are already authorised will need to consider whether a variation of permission is required. Firms currently operating under the MLR regime will need to transition to full FCA authorisation.
The FCA has also introduced mechanisms such as the Pre-Application Support Service (PASS) to support firms ahead of application but expects firms to have undertaken a robust initial assessment before engaging. The FCA’s regulatory sandbox is no longer open to cryptoasset firms, increasing the importance of early engagement through PASS and robust upfront analysis.
How We Are Supporting Firms
We are currently supporting a number of firms across different business models in preparing for the new regime. This includes:
- conducting perimeter analyses;
- mapping activities to the relevant permissions;
- reviewing and updating business models and documentation; and
- supporting engagement with the FCA ahead of application.
If you are considering how the new regime may apply to your business, or would like to sense-check your current analysis in light of the FCA’s latest perimeter guidance, please do get in touch.
