Cryptoasset Custody and Exchange Authorisation: Capital, Governance and Conduct Requirements

Regulatory Counsel · March 2026

Key Takeaways

  • Cryptoasset custody and exchange activities will be regulated activities under FSMA from October 2027, requiring FCA authorisation.
  • Capital requirements for exchanges are expected to be activity-based, with higher requirements for firms holding customer cryptoassets in custody.
  • Exchanges must implement best execution obligations, order handling rules and conflicts of interest management — mirroring requirements for traditional trading venues.
  • Custody providers must demonstrate segregation of customer cryptoassets from proprietary holdings, with robust key management and disaster recovery procedures.
  • All authorised firms must comply with the Consumer Duty, SMCR and enhanced AML requirements from the point of authorisation.

The Cryptoassets Regulations 2026 bring cryptoasset exchange and custody activities within the FSMA regulatory perimeter for the first time. Firms operating exchanges where customers buy, sell or trade qualifying cryptoassets, and firms providing custodian wallet services, will require FCA authorisation to continue operating from October 2027. This article examines the specific requirements for these two critical activity categories.

Cryptoasset Exchange Authorisation

Operating a cryptoasset exchange — whether a centralised order book, a matching engine, or a platform facilitating peer-to-peer trades — will constitute a regulated activity under the new regime. Exchange operators must apply for FSMA authorisation and comply with a range of requirements drawn from the FCA's existing framework for regulated trading venues.

Market integrity obligations. Exchange operators must implement rules and procedures to ensure fair, orderly and transparent trading. This includes pre-trade and post-trade transparency requirements, market surveillance systems to detect and report suspicious trading activity, and clear rules for listing and delisting cryptoassets.

Best execution. Exchanges must establish and implement best execution policies, ensuring that customer orders are executed on terms most favourable to the customer. This requires monitoring execution quality and reporting to customers.

Conflicts of interest. Exchanges that also trade on their own account (proprietary trading) must manage conflicts of interest between their own positions and customer orders. Firms should expect the FCA to apply standards similar to those under MiFID II.

Operational resilience. Exchange platforms must demonstrate robust technology infrastructure, business continuity planning, cyber security measures and incident response capabilities. The FCA will expect exchanges to identify important business services, set impact tolerances and test their ability to remain within those tolerances during severe disruption.

Cryptoasset Custody Authorisation

Custodian wallet providers holding cryptoassets on behalf of customers will require authorisation. The FCA will focus on:

Asset segregation. Customer cryptoassets must be segregated from the firm's own holdings at all times. This means maintaining separate wallet addresses or accounts for customer assets and proprietary assets, with clear on-chain and off-chain record-keeping demonstrating segregation.

Key management. Custody providers must implement robust private key management procedures, including multi-signature arrangements, hardware security modules, geographic distribution of key material, and staff access controls. The FCA will expect firms to demonstrate that no single point of failure could result in the loss of customer cryptoassets.

Disaster recovery. Custody providers must maintain comprehensive disaster recovery and business continuity plans, including backup key recovery procedures, and must demonstrate that customer cryptoassets can be recovered in the event of a technology failure, cyber attack or firm insolvency.

Insurance. While not a strict regulatory requirement, the FCA will expect custody providers to consider insurance coverage for customer cryptoassets against theft, loss and operational errors.

Capital Requirements

Capital requirements under the new regime will be activity-based. Firms providing exchange services only will face different capital requirements than firms combining exchange and custody activities. The FCA is expected to set initial capital minimums and ongoing own funds calculations drawing on principles from MIFIDPRU for investment firms and the PSRs 2017 for payment services.

Firms providing custody services are likely to face higher capital requirements due to the operational risk associated with holding customer assets. The FCA may also require custody providers to hold additional capital buffers based on the value of assets under custody.

Governance and SMCR

All authorised cryptoasset firms must implement the Senior Managers and Certification Regime (SMCR). This requires the allocation of specific responsibilities to named senior managers, annual certification of staff performing significant functions, and a conduct rules framework that applies to all employees. Firms must identify the individuals responsible for key functions including compliance, money laundering reporting, operations, technology and risk management.

What Firms Should Do Now

  1. Classify your activities under the new regulatory framework — determine whether you are operating an exchange, providing custody, or both.
  2. Conduct a gap analysis of your current compliance framework against the FSMA requirements.
  3. Begin capital planning to ensure you can meet the expected minimum requirements.
  4. Implement or enhance asset segregation practices and key management procedures.
  5. Prepare for SMCR by identifying senior management functions and establishing governance structures.

Regulatory Counsel advises cryptoasset exchange and custody firms on FSMA authorisation strategy and application management. Contact us for a free initial consultation.

Frequently Asked Questions

Yes — operating a cryptoasset exchange will be a regulated activity under FSMA from October 2027, requiring FCA authorisation.

Custody providers must demonstrate asset segregation, robust key management, disaster recovery capabilities, and governance standards including SMCR compliance.

Likely yes — firms providing custody services face additional operational risk from holding customer assets and are expected to face higher capital requirements.

FSMA authorisation for cryptoasset firms is expected to take 6–12 months, consistent with authorisation timelines for other regulated financial services firms.
