Contact
May 6, 2025
The UK government’s long promised overhaul of crypto regulation has arrived. On 29 April 2025, HM Treasury published the draft Financial Services and Markets Act 2000 (Regulated Activities and Miscellaneous Provisions) (Cryptoassets) Order 2025 (the Draft Order) and an extensive policy note. Together they drag cryptoassets into the Financial Services and Markets Act (FSMA) perimeter and set the FCA and PRA the formidable task of writing a brand-new rulebook – including the much-trailed CRYPTOPRU prudential sourcebook – inside the next twelve months.
For industry the Draft Order is a watershed.
It does not graft a light-touch, “MiCA-style” wrapper on to an unregulated sector. Instead it applies the panoply of UK securities regulation – capital, conduct, market-abuse, disclosure, governance and senior-manager accountability – squarely on to crypto exchanges, custodians, brokers, staking providers and stablecoin issuers.
The result is a regime that is heavier, costlier and – crucially – more due-diligence-ready for institutional money than MiCA, but which will reward only those firms prepared to professionalise at speed.
This article examines the Draft Order in depth, identifies the pressure-points likely to cause the greatest implementation pain and sets out our predictions for the next eight quarters.
Key takeaways
- UK has chosen depth over breadth – a lean statute riding on heavy secondary rules. The UK is weaving cryptoassets into the fabric of mainstream securities law rather than stitching a lighter path alongside. Much of the detail (market-abuse, disclosure, capital) is postponed to FCA handbooks, not embedded in the statutory text—hence the surface lean-ness compared to MiCA. The upside is regulatory certainty, institutional credibility and – ultimately – cheaper capital for compliant firms. The cost is complexity, capital and cultural upheaval.
- Six new regulated activities introduced. New regulated activities include running crypto trading platforms, custody services, dealing, and arranging cryptoasset transactions — with bespoke definitions tailored to crypto markets.
- Territorial reach expands. Non-UK firms serving UK retail clients (even indirectly) will need UK permissions. The overseas persons exemption will apply only to certain B2B relationships.
- Sterling stablecoins treated like securities. UK-issued fiat-backed stablecoins will be regulated as if they were securities — requiring prospectus-style disclosure, prudential backing, and redemption governance.
- Implementation will be staggered but fast. Firms can begin applying from late 2025. The regime may go live as early as Q2 2026. Those not authorised by “T-Day” must wind down or exit the UK retail market.
In-depth analysis
The legislative architecture – what the Draft Order actually does
Bringing crypto into the Regulated Activities Order
At the heart of the Draft Order lies a rewrite of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (the RAO). A new Chapter 2B is inserted creating three key asset definitions:
- “Qualifying cryptoasset” – a fungible, transferable digital asset meeting the broad FSMA crypto definition but excluding tokenised e-money or tokenised deposits;
- “Qualifying stablecoin” – a fiat-referenced cryptoasset backed by fiat (or fiat plus other assets) designed to maintain a stable value; and
- “Specified-investment cryptoasset” – a token that is already a specified investment in its own right, e.g. a tokenised equity or bond.
Both qualifying cryptoassets and qualifying stablecoins are declared “specified investments”, meaning that any person who deals, arranges, operates a trading platform, safeguards, issues (in the case of stablecoins) or stakes those assets “by way of business” now carries on a regulated activity and must hold FCA permission.
New regulated activities
Chapter 2B formulates six new activities tailored to crypto-markets:
- Operating a qualifying cryptoasset trading platform – this captures any venue that matches third-party buy and sell orders in cryptoassets, whether order-book, RFQ or AMM. The draft language is technology-neutral, so a DeFi DEX with algorithmic pools is in scope just as surely as a central-limit-order-book CEX.
- Dealing in qualifying cryptoassets as principal – a firm that makes a market, runs an OTC desk or borrows/lends tokens for its own book moves inside the perimeter. The text makes clear that crypto lending and borrowing for yield, even without an order-book, is principal dealing.
- Dealing as agent – broking, matched principal (back-to-back) execution and voice-broker OTC matching will be captured here.
- Arranging deals – the catch-all for introducers, white-label front ends and online matching rooms that facilitate a transaction but never touch the asset. The communication-only safe harbour carves out pure software conduits (e.g. wallet SDKs, RPC nodes) provided they do not negotiate or arrange the terms.
- Safeguarding or controlling qualifying cryptoassets (custody) – holding private keys, having unilateral transfer rights, or possessing the right of redelivery (e.g. a borrower under a crypto-loan) triggers full CASS-style segregation, daily reconciliation and acknowledgement-of-trust letters. Multi-party computation (MPC) set-ups are caught if any one signatory can move the asset; conversely, true self-custody – where only the user controls the key – remains out of scope.
- Qualifying cryptoasset staking – covers delegated, pooled and liquid staking services where the provider arranges the locking or re-hypothecation of clients’ tokens to earn protocol rewards. Solo home validators are excluded, as are firms that only supply the communication interface by which stakers find each other..
For stablecoins, the Draft Order creates a dedicated activity of issuing qualifying stablecoins in or from the UK, with a carve-out ensuring issuers are not inadvertently deemed to be accepting deposits. The Draft Order also carves-out pure ‘communication-only’ roles: a firm that merely supplies the software, interface or protocol by which parties find each other to stake or lend will not itself be arranging staking.
Territorial reach
Part 3 of the Draft Order rewrites FSMA section 418 to hard-wire a UK-consumer focus. Overseas exchanges, brokers or market-makers dealing directly or indirectly with UK retail customers must obtain UK authorisation; the familiar overseas persons exemption will survive only for B2B flows with institutions that are not acting as an intermediary. For trading venues this could present a binary choice: ring-fence a UK order book, or interpose a UK entity on every trade. The overseas person exemption will still be available where an overseas firm interacts solely with a UK broker-dealer that meets the directly related gateway conditions.
Financial promotions
The Draft Order amends the Financial Promotion Order 2005 to align the definition of qualifying cryptoassets and to add the new activities as controlled functions, but crucially does not water down the FCA’s “Restricted Mass-Market Investment” (RMMI) regime introduced in 2023. The friction-laden COBS 4.12A (client risk warnings, cooling-off periods and positive-friction questionnaires) therefore remains, at least until Treasury undertakes the promised post-implementation review. HMT has not yet signalled when the transitional relief for “qualifying cryptoasset” promotions (s.55DA) will expire.
Transitional arrangements
Part 6 legislates for an early-application window. Firms conducting in-scope business on “T-Day” will have a short period (expected six months) to submit a full Part 4A application. Those who apply but ultimately fail to secure permission will be allowed to run-off existing business for up to two years under FCA direction but barred from taking on new UK clients. Firms that miss the window face an immediate prohibition.
Key policy pillars – where the pain will be felt
Prudential requirements – CRYPTOPRU
The FCA signalled that crypto firms will face a bespoke prudential sourcebook, CRYPTOPRU, built on MiFIDPRU’s K-factor methodology but with “appropriate guidance for cryptoasset activities”. Expect own-funds to be whichever is highest of (i) a permanent minimum; (ii) one quarter of fixed overheads; or (iii) activity-based K-factors that capture client assets under custody, daily matched principal flow and potential market risk on staking or liquidity pools. The consultation is pencilled for Q3 2025, but boards should be running indicative capital models now.
Custody – broader than you think
The new custody activity covers any arrangement in which a person safeguards or controls a qualifying cryptoasset for another, referencing the ability to initiate a unilateral transfer. That deliberately sweeps in borrowers under crypto lending arrangements (because the lender retains a right of redelivery) and some multi-party computation (MPC) set-ups where one of the signatories can move coins. Self-custody, where a user alone holds the private keys, is explicitly carved out, but only if no one else can effect a transfer. The CASS-style obligations that follow – segregation, daily reconciliation, acknowledgment letters, firm-level and client-level resource requirements – could be transformative for DeFi-adjacent products. For example, a London-based DeFi protocol pools user ETH in a smart contract, with a five-of-nine MPC signer group; because any five signatories can transfer the pool, each is potentially a custodian under the Draft Order.
Staking – bringing yield products inside the perimeter
The Draft Order designates “qualifying cryptoasset staking” as a stand-alone regulated activity. Any firm that pools, delegates or otherwise “arranges for” customers’ tokens to be staked – whether on a native PoS chain or via a liquid-staking derivative (LSD) – will need FCA authorisation. The scope is intentionally broad: commercial staking-as-a-service, validator pools, and loan desks that rehypothecate staked coins are all caught. Two carve-outs temper that reach: (i) communication-only providers (wallets, UI layers, API gateways) that merely let users find a staking counter-party, and (ii) purely self-directed, “solo” staking. A staking business will also trigger the new custody rules above if it can unilaterally move client keys or LSD tokens. In short, the UK is the first major common-law jurisdiction to treat liquid and delegated staking as a fully regulated investment service, closing a gap that MiCA leaves to Member State discretion.
Stablecoins – securities in all but name
HM Treasury resisted industry calls to treat sterling stablecoins as e-money or payment-instruments. Instead UK-issued stablecoins are to be regulated like securities with full prospectus-style disclosure, prudential backing rules and ongoing reporting. Non-UK fiat-coins may circulate in the UK via authorised platforms, but issuers themselves avoid UK licensing unless they have a UK establishment. The asymmetry is deliberate: Parliament wants sterling tokenisation tied to the highest standards. The economic result, however, is likely to be a temporary freeze on home-grown £-coins until the market-abuse and disclosure pieces are consulted on later this year.
Market-abuse, admissions and disclosure – still to come
Treasury’s policy note confirms that a second statutory instrument will extend the Market Abuse Regulation (UK-MAR) to qualifying cryptoassets and create an “admission and ongoing disclosure” regime mirroring the Official List. Exchanges will need surveillance tooling capable of detecting wash-trades, pump-and-dump schemes and misuse of inside information, while issuers (including, crucially, stablecoin issuers) must prepare for periodic and ongoing disclosure akin to a listed company. Consultation is expected around November.
Consumer Duty and SMCR
Once authorised, a crypto firm becomes subject to the Consumer Duty and the Senior Managers & Certification Regime (SMCR). That shifts the regulatory lens from AML registration (today’s status for most UK-facing platforms) to end-to-end client outcome and personal accountability. Boards will need to nominate a CEO SMF1, a CFO SMF2 where appropriate, heads of risk, operations and IT-security, and produce a Duty-compliant monitoring framework covering value assessments, communication fairness and product life-cycle governance. For many crypto natives this will be their first experience of FIA letters, regulatory references and annual certifications – a steep learning curve.
How far does the Draft Order move the dial?
This table traces side-by-side the delta from today’s patch-work regime to the full-scope regime under the Draft Order:
Today (pre-Draft Order) | Tomorrow (once Draft Order + FCA rulebooks in force) |
Legal perimeter – only tokens already classed as “specified investments” (e.g. tokenised shares, bonds or units in a collective investment scheme) fall inside the RAO. Everything else – Bitcoin, utility tokens, most NFTs – is unregulated for conduct purposes. | All fungible, transferable cryptoassets – “qualifying cryptoassets” and fiat-backed “qualifying stablecoins” – are added to the RAO as new specified investments. Dealing, arranging, trading-venue operation, custody and staking in relation to those assets become Part 4A-permission activities. |
AML only – exchanges and custodian-wallet providers need registration under the Money Laundering Regulations 2017. Supervision is limited to financial-crime controls; there is no prudential capital, client-asset or governance rule-set. | Full FSMA authorisation – firms must satisfy threshold-conditions on resources, effective supervision and fitness and propriety. They enter the orbit of the FCA’s entire conduct and prudential handbooks, including SMCR, Consumer Duty and (via CRYPTOPRU) hard own-funds and liquidity tests. |
No dedicated client-asset regime – the CASS sourcebook applies only if the token is already a specified investment (e.g. security tokens). For “pure” crypto the FCA has relied on guidance and good practice statements. | Crypto-CASS equivalent – the new custody activity triggers statutory segregation, daily reconciliation, acknowledgement-of-trust letters, record-keeping and audit similar to traditional CASS. Borrow/lend desks and certain MPC arrangements are drawn in by the “right of redelivery” wording. |
Financial promotions – since October 2023 “qualifying cryptoassets” are classified as RMMI. Firms may promote only via an authorised person or an FCA-approved approver, with cooling-off, positive-friction and risk-warning requirements. The promo regime is the only conduct discipline for most of the market. | Same friction-layer, plus full conduct toolkit – the RMMI rules stay, but once a firm is authorised the FCA can also deploy COBS, PROD, SYSC, the Consumer Duty and Principle 12. Mis-selling or unfair-value cases can now be tackled with the same powers the FCA wields in mainstream securities markets. |
Stablecoins – no bespoke UK framework; sterling stablecoins are notionally caught by e-money rules but, in practice, few issuers have opted in. Systemic coins are flagged for Bank of England oversight, but detailed rules remain absent. | Sterling stablecoins treated as securities – issuance within (or from) the UK requires an FCA permission and compliance with prospectus-style disclosure, redemption governance and CRYPTOPRU capital. Non-UK fiat-coins may circulate, but only via authorised trading platforms. |
Market abuse & disclosure – the UK-MAR regime does not apply to crypto. Exchanges run voluntary surveillance; issuers have no formal inside-information disclosure duty. | UK-MAR extended – Treasury’s follow-on instrument will import suspicious-transaction reporting, insider-list obligations and a continuous-disclosure regime. Issuers of exchange-traded coins (including stablecoins) face listed-company-style transparency. |
Put bluntly, firms shift from a single-topic AML check-box to the full FSMA toolkit overnight
UK vs MiCA – comparative analysis
Some commentary has labelled the Draft Order “MiCA-lite”. In reality it is MiCA-plus in four key respects:
Issue | UK post-Draft Order | EU MiCA |
Prudential and capital liquidity | New CRYPTOPRU sourcebook will import MiFID-style K-factors (client assets, matched-principal flow, market risk) plus “quarter-FOE” and permanent-minimum thresholds. | Fixed minima (€50k / €125k / €150k depending on service) or ¼ of the previous-year fixed overheads; no K-factors. |
Disclosure / admission | Prospectus-style document for exchange-traded tokens; ongoing periodic and inside-information disclosure under a crypto-tailored UK-MAR. | Mandatory crypto-asset white paper (Arts 4–15) plus limited ongoing updates; lighter than securities-style prospectus. |
Market abuse regime | Second SI will extend UK-MAR obligations (insider dealing, STORs, insider lists) to qualifying cryptoassets traded on authorised venues. | Title VII MiCA creates a cut-down abuse framework (wash trading, layering, ramping) but without full insider-list or STOR machinery. |
Stablecoins | UK-issued fiat-backed coins become “qualifying stablecoins”: issuance requires authorisation, disclosure, redemption governance and CRYPTOPRU capital; non-UK coins may circulate only via authorised platforms. | Single regime for ARTs & EMTs: issuers authorised by an EU NCA, €200 m market-cap trigger for enhanced rules, mandatory reserve and redemption tests. |
The Draft Order is lean on paper because it bolsters FSMA rather than reinventing it; once CRYPTOPRU, a crypto-CASS chapter and UK-MAR expansion are layered on, total compliance lift could likely exceed MiCA in capital, custody and disclosure.
Implementation timeline – what happens when?

HM Treasury’s policy note underlines that the FCA will accept draft applications in advance in order to smooth the curve, but authorisations will still take 6–12 months. Firms hoping to be live on “T-Day +1” therefore need to file by Q4 2025 at the latest.
Market outlook and predictions
- Authorisation queue management: The FCA will resurrect its EMI/PISP “landing-slot” playbook – expect phased submission windows by activity type, with perhaps 20–30 full licences granted before the end of 2025.
- Regulatory sandbox? Expect a limited-scope ‘crypto payments sandbox’ for licensed gambling and fintech pilots – mirroring comments in the 2024 Autumn Statement.
- Enforcement signalling: To underscore the new perimeter we anticipate one or two high-profile “unauthorised business” actions – likely against offshore derivatives exchanges marketing perpetuals to UK consumers.
- Stablecoin stasis: Absent clarity on disclosure and redemption expectations, domestic £-coin projects pause; offshore USDC-style coins dominate sterling rails via on-platform pairings. Central-bank digital pound pilots are unlikely to change this calculus before 2027.
- Consolidation wave: Sub-scale OTC brokers and custody-light wallet providers will lack capital to clear CRYPTOPRU thresholds and will seek acquisition by larger financial-services groups hunting a “crypto licence in a box”.
- Reg-tech boom: Demand for automated crypto-CASS reconciliation, real-time market-abuse analytics and Consumer Duty MI pushes UK reg-tech valuations northwards.
Expertise