The UK government’s long promised overhaul of crypto regulation has arrived. On 29 April 2025, HM Treasury published the draft Financial Services and Markets Act 2000 (Regulated Activities and Miscellaneous Provisions) (Cryptoassets) Order 2025 (the Draft Order) and an extensive policy note. Together they drag cryptoassets into the Financial Services and Markets Act (FSMA) perimeter and set the FCA and PRA the formidable task of writing a brand-new rulebook – including the much-trailed CRYPTOPRU prudential sourcebook – inside the next twelve months.

For industry the Draft Order is a watershed.

It does not graft a light-touch, “MiCA-style” wrapper on to an unregulated sector. Instead it applies the panoply of UK securities regulation – capital, conduct, market-abuse, disclosure, governance and senior-manager accountability – squarely on to crypto exchanges, custodians, brokers, staking providers and stablecoin issuers.

The result is a regime that is heavier, costlier and – crucially – more due-diligence-ready for institutional money than MiCA, but which will reward only those firms prepared to professionalise at speed.

This article examines the Draft Order in depth, identifies the pressure-points likely to cause the greatest implementation pain and sets out our predictions for the next eight quarters.

• UK has chosen depth over breadth – a lean statute riding on heavy secondary rules. The UK is weaving cryptoassets into the fabric of mainstream securities law rather than stitching a lighter path alongside. Much of the detail (market-abuse, disclosure, capital) is postponed to FCA handbooks, not embedded in the statutory text—hence the surface lean-ness compared to MiCA. The upside is regulatory certainty, institutional credibility and – ultimately – cheaper capital for compliant firms. The cost is complexity, capital and cultural upheaval.
• Six new regulated activities introduced. New regulated activities include running crypto trading platforms, custody services, dealing, and arranging cryptoasset transactions — with bespoke definitions tailored to crypto markets.
• Territorial reach expands. Non-UK firms serving UK retail clients (even indirectly) will need UK permissions. The overseas persons exemption will apply only to certain B2B relationships.
• Sterling stablecoins treated like securities. UK-issued fiat-backed stablecoins will be regulated as if they were securities — requiring prospectus-style disclosure, prudential backing, and redemption governance.
• Implementation will be staggered but fast. Firms can begin applying from late 2025. The regime may go live as early as Q2 2026. Those not authorised by “T-Day” must wind down or exit the UK retail market.

Bringing crypto into the Regulated Activities Order

At the heart of the Draft Order lies a rewrite of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (the RAO). A new Chapter 2B is inserted creating three key asset definitions:

• “Qualifying cryptoasset” – a fungible, transferable digital asset meeting the broad FSMA crypto definition but excluding tokenised e-money or tokenised deposits;
• “Qualifying stablecoin” – a fiat-referenced cryptoasset backed by fiat (or fiat plus other assets) designed to maintain a stable value; and
• “Specified-investment cryptoasset” – a token that is already a specified investment in its own right, e.g. a tokenised equity or bond.

Both qualifying cryptoassets and qualifying stablecoins are declared “specified investments”, meaning that any person who deals, arranges, operates a trading platform, safeguards, issues (in the case of stablecoins) or stakes those assets “by way of business” now carries on a regulated activity and must hold FCA permission.

New regulated activities

Chapter 2B formulates six new activities tailored to crypto-markets:

1. Operating a qualifying cryptoasset trading platform – this captures any venue that matches third-party buy and sell orders in cryptoassets, whether order-book, RFQ or AMM. The draft language is technology-neutral, so a DeFi DEX with algorithmic pools is in scope just as surely as a central-limit-order-book CEX.
2. Dealing in qualifying cryptoassets as principal – a firm that makes a market, runs an OTC desk or borrows/lends tokens for its own book moves inside the perimeter. The text makes clear that crypto lending and borrowing for yield, even without an order-book, is principal dealing.
3. Dealing as agent – broking, matched principal (back-to-back) execution and voice-broker OTC matching will be captured here.
4. Arranging deals – the catch-all for introducers, white-label front ends and online matching rooms that facilitate a transaction but never touch the asset. The communication-only safe harbour carves out pure software conduits (e.g. wallet SDKs, RPC nodes) provided they do not negotiate or arrange the terms.
5. Safeguarding or controlling qualifying cryptoassets (custody) – holding private keys, having unilateral transfer rights, or possessing the right of redelivery (e.g. a borrower under a crypto-loan) triggers full CASS-style segregation, daily reconciliation and acknowledgement-of-trust letters. Multi-party computation (MPC) set-ups are caught if any one signatory can move the asset; conversely, true self-custody – where only the user controls the key – remains out of scope.
6. Qualifying cryptoasset staking – covers delegated, pooled and liquid staking services where the provider arranges the locking or re-hypothecation of clients’ tokens to earn protocol rewards. Solo home validators are excluded, as are firms that only supply the communication interface by which stakers find each other..

For stablecoins, the Draft Order creates a dedicated activity of issuing qualifying stablecoins in or from the UK, with a carve-out ensuring issuers are not inadvertently deemed to be accepting deposits. The Draft Order also carves-out pure ‘communication-only’ roles: a firm that merely supplies the software, interface or protocol by which parties find each other to stake or lend will not itself be arranging staking.

Territorial reach

Part 3 of the Draft Order rewrites FSMA section 418 to hard-wire a UK-consumer focus. Overseas exchanges, brokers or market-makers dealing directly or indirectly with UK retail customers must obtain UK authorisation; the familiar overseas persons exemption will survive only for B2B flows with institutions that are not acting as an intermediary. For trading venues this could present a binary choice: ring-fence a UK order book, or interpose a UK entity on every trade. The overseas person exemption will still be available where an overseas firm interacts solely with a UK broker-dealer that meets the directly related gateway conditions.

Financial promotions

The Draft Order amends the Financial Promotion Order 2005 to align the definition of qualifying cryptoassets and to add the new activities as controlled functions, but crucially does not water down the FCA’s “Restricted Mass-Market Investment” (RMMI) regime introduced in 2023. The friction-laden COBS 4.12A (client risk warnings, cooling-off periods and positive-friction questionnaires) therefore remains, at least until Treasury undertakes the promised post-implementation review. HMT has not yet signalled when the transitional relief for “qualifying cryptoasset” promotions (s.55DA) will expire.

Transitional arrangements

Part 6 legislates for an early-application window. Firms conducting in-scope business on “T-Day” will have a short period (expected six months) to submit a full Part 4A application. Those who apply but ultimately fail to secure permission will be allowed to run-off existing business for up to two years under FCA direction but barred from taking on new UK clients. Firms that miss the window face an immediate prohibition.

Prudential requirements – CRYPTOPRU

The FCA signalled that crypto firms will face a bespoke prudential sourcebook, CRYPTOPRU, built on MiFIDPRU’s K-factor methodology but with “appropriate guidance for cryptoasset activities”. Expect own-funds to be whichever is highest of (i) a permanent minimum; (ii) one quarter of fixed overheads; or (iii) activity-based K-factors that capture client assets under custody, daily matched principal flow and potential market risk on staking or liquidity pools. The consultation is pencilled for Q3 2025, but boards should be running indicative capital models now.

Custody – broader than you think

The new custody activity covers any arrangement in which a person safeguards or controls a qualifying cryptoasset for another, referencing the ability to initiate a unilateral transfer. That deliberately sweeps in borrowers under crypto lending arrangements (because the lender retains a right of redelivery) and some multi-party computation (MPC) set-ups where one of the signatories can move coins. Self-custody, where a user alone holds the private keys, is explicitly carved out, but only if no one else can effect a transfer. The CASS-style obligations that follow – segregation, daily reconciliation, acknowledgment letters, firm-level and client-level resource requirements – could be transformative for DeFi-adjacent products. For example, a London-based DeFi protocol pools user ETH in a smart contract, with a five-of-nine MPC signer group; because any five signatories can transfer the pool, each is potentially a custodian under the Draft Order.

Staking – bringing yield products inside the perimeter

The Draft Order designates “qualifying cryptoasset staking” as a stand-alone regulated activity. Any firm that pools, delegates or otherwise “arranges for” customers’ tokens to be staked – whether on a native PoS chain or via a liquid-staking derivative (LSD) – will need FCA authorisation. The scope is intentionally broad: commercial staking-as-a-service, validator pools, and loan desks that rehypothecate staked coins are all caught. Two carve-outs temper that reach: (i) communication-only providers (wallets, UI layers, API gateways) that merely let users find a staking counter-party, and (ii) purely self-directed, “solo” staking. A staking business will also trigger the new custody rules above if it can unilaterally move client keys or LSD tokens. In short, the UK is the first major common-law jurisdiction to treat liquid and delegated staking as a fully regulated investment service, closing a gap that MiCA leaves to Member State discretion.

Stablecoins – securities in all but name

HM Treasury resisted industry calls to treat sterling stablecoins as e-money or payment-instruments. Instead UK-issued stablecoins are to be regulated like securities with full prospectus-style disclosure, prudential backing rules and ongoing reporting. Non-UK fiat-coins may circulate in the UK via authorised platforms, but issuers themselves avoid UK licensing unless they have a UK establishment. The asymmetry is deliberate: Parliament wants sterling tokenisation tied to the highest standards. The economic result, however, is likely to be a temporary freeze on home-grown £-coins until the market-abuse and disclosure pieces are consulted on later this year.

Market-abuse, admissions and disclosure – still to come

Treasury’s policy note confirms that a second statutory instrument will extend the Market Abuse Regulation (UK-MAR) to qualifying cryptoassets and create an “admission and ongoing disclosure” regime mirroring the Official List. Exchanges will need surveillance tooling capable of detecting wash-trades, pump-and-dump schemes and misuse of inside information, while issuers (including, crucially, stablecoin issuers) must prepare for periodic and ongoing disclosure akin to a listed company. Consultation is expected around November.

Consumer Duty and SMCR

Once authorised, a crypto firm becomes subject to the Consumer Duty and the Senior Managers & Certification Regime (SMCR). That shifts the regulatory lens from AML registration (today’s status for most UK-facing platforms) to end-to-end client outcome and personal accountability. Boards will need to nominate a CEO SMF1, a CFO SMF2 where appropriate, heads of risk, operations and IT-security, and produce a Duty-compliant monitoring framework covering value assessments, communication fairness and product life-cycle governance. For many crypto natives this will be their first experience of FIA letters, regulatory references and annual certifications – a steep learning curve.

This table traces side-by-side the delta from today’s patch-work regime to the full-scope regime under the Draft Order:

Put bluntly, firms shift from a single-topic AML check-box to the full FSMA toolkit overnight

Some commentary has labelled the Draft Order “MiCA-lite”. In reality it is MiCA-plus in four key respects:

The Draft Order is lean on paper because it bolsters FSMA rather than reinventing it; once CRYPTOPRU, a crypto-CASS chapter and UK-MAR expansion are layered on, total compliance lift could likely exceed MiCA in capital, custody and disclosure.

HM Treasury’s policy note underlines that the FCA will accept draft applications in advance in order to smooth the curve, but authorisations will still take 6–12 months. Firms hoping to be live on “T-Day +1” therefore need to file by Q4 2025 at the latest.

• Authorisation queue management: The FCA will resurrect its EMI/PISP “landing-slot” playbook – expect phased submission windows by activity type, with perhaps 20–30 full licences granted before the end of 2025.
• Regulatory sandbox? Expect a limited-scope ‘crypto payments sandbox’ for licensed gambling and fintech pilots – mirroring comments in the 2024 Autumn Statement.
• Enforcement signalling: To underscore the new perimeter we anticipate one or two high-profile “unauthorised business” actions – likely against offshore derivatives exchanges marketing perpetuals to UK consumers.
• Stablecoin stasis: Absent clarity on disclosure and redemption expectations, domestic £-coin projects pause; offshore USDC-style coins dominate sterling rails via on-platform pairings. Central-bank digital pound pilots are unlikely to change this calculus before 2027.
• Consolidation wave: Sub-scale OTC brokers and custody-light wallet providers will lack capital to clear CRYPTOPRU thresholds and will seek acquisition by larger financial-services groups hunting a “crypto licence in a box”.
• Reg-tech boom: Demand for automated crypto-CASS reconciliation, real-time market-abuse analytics and Consumer Duty MI pushes UK reg-tech valuations northwards.