CP26/13: The FCA sharpens the cryptoasset regulatory perimeter

From 25 October 2027, the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026 (the “Cryptoasset Regulations”) will introduce new regulated activities for cryptoassets into the FCA's regulatory perimeter. Persons carrying on those activities by way of business in the UK will need to hold FCA authorisation. In advance of that date, firms intending to undertake regulated cryptoasset activities must apply during the authorisation application window, which will run from 30 September 2026 to 28 February 2027.

To help firms navigate this transition, the FCA is proposing amendments to the Perimeter Guidance Manual (PERG) within the FCA Handbook, setting out how the perimeter and associated permissions should be interpreted in practice. These proposals are contained in CP26/13, with feedback invited by 3 June 2026. This article highlights the key points arising from CP26/13 and considers their practical implications for firms preparing for the new regime.

Setting the scene: Key concepts and definitions

Who needs authorisation?

The Cryptoasset Regulations extend the FCA's regulatory perimeter to certain cryptoasset activities and determine when persons carrying on certain activities need to be authorised and what permissions they require.

Whether authorisation is required depends on a combination of factors that must be assessed together. A practical way to approach this analysis is through the following questions:

• Is the person carrying on a regulated activity?
• Is the activity carried on, or deemed to be carried on, in the UK?
• Is it carried on by way of business?
• Does an exclusion, or exemption, apply?

In applying these questions, the focus must remain on the substance of the activity and the role performed, rather than its form. Perimeter analysis is inherently fact specific, and outcomes can turn on relatively small differences in business models.

The FCA’s decision to publish detailed PERG guidance at this stage is also instructive. It signals an expectation that firms should already be undertaking detailed perimeter analysis ahead of the authorisation gateway opening in September 2026. In our experience, perimeter uncertainty is increasingly treated by regulators as a governance and risk‑management issue, rather than a neutral legal grey area.

The Cryptoasset Regulations expand the FSMA framework by introducing new categories of investments, including ‘qualifying cryptoassets’ and ‘qualifying stablecoins’. The regulated activities^[1] consist of:

• Issuing qualifying stablecoins in the UK
• Safeguarding, and arranging safeguarding, of qualifying cryptoassets and relevant specified investment cryptoassets
• Operating a qualifying cryptoasset trading platform (“QCATP”)
• Dealing, and arranging deals in, qualifying cryptoassets as principal or agent
• Arranging qualifying cryptoasset staking

A consistent message throughout CP26/13 is that firms cannot rely on the labels or terminology^[2] they use to describe their services. In crypto markets, terminology is often used interchangeably and does not necessarily map onto traditional financial services concepts. What matters is the substance of the activity and the role performed. This focus reflects the FCA’s broader supervisory and enforcement approach, which has repeatedly challenged perimeter positions based on technical distinctions or market conventions.

Nor does the use of smart contracts, public blockchains, or features of decentralisation, in itself, place an arrangement outside of the regulatory perimeter. The key question remains whether there is an identifiable person whose business includes carrying on the relevant activity in the UK. It will be important to monitor how the FCA interprets the concept of an “identifiable person” in the context of decentralised protocols as the regime matures.

What is a qualifying cryptoasset?

A qualifying cryptoasset is a cryptoasset that meets the definition in section 417 of FSMA being a cryptographically secured digital representation of value or contractual rights that can be transferred, stored, or traded electronically and that uses technology supporting the recording or storage of data (including distributed ledger technology).

In addition, to be a qualifying cryptoasset the asset must also be fungible^[3] and transferable, and not solely a record of value or contractual rights. Certain categories of asset are expressly excluded from the definition of qualifying cryptoasset.

What is a qualifying stablecoin?

A qualifying stablecoin is a subset of qualifying cryptoasset. It is a qualifying cryptoasset that seeks, or purports, to maintain a stable value by reference to a single fiat currency and involves the holding of fiat currency and/or other assets (often referred to as ‘backing assets’) for the purpose of maintaining that stable value.

Cryptoassets that seek to maintain value through algorithmic methods or other means without underlying backing assets do not constitute qualifying stablecoin.

The UK nexus and overseas firms

The activity of issuing qualifying stablecoin requires the issuer to:

• offer the qualifying stablecoin for sale or subscription from a UK establishment;
• undertake redemption of the stablecoin from a UK establishment; and
• hold backing assets from a UK establishment for the purpose of maintaining the stablecoin's stable value.

These three limbs are applicable where this is done on behalf of another entity and all must be satisfied for the activity to constitute issuing. Where a person’s role is limited to providing technology, software, infrastructure, or minting capabilities, this will not normally amount to issuing, although such persons should consider whether they are carrying on any other regulated cryptoasset activity.

Where all elements of the issuing activity are being carried out in the UK on behalf of an overseas person, that overseas person will be treated as carrying on the activity in the UK and will require FCA authorisation. This has particular relevance for cross-border structures and M&A transactions in the stablecoin space.

key considerations by activity

Operating a QCATP

A QCATP is a system which brings together, or facilitates the bringing together of, multiple third party buying and selling interests in qualifying cryptoassets, resulting in contracts for the exchange of those assets for money (including electronic money) or other qualifying cryptoassets.

Firms operating exchanges should note that the QCATP activity does not extend to safeguarding cryptoassets before or after a transaction. As such, firms typically require separate permissions for operating a QCATP and for safeguarding cryptoassets.

Safeguarding

Safeguarding cryptoassets may be carried on regardless of whether the cryptoasset is owned by the client or the firm, provided the activity is carried out on behalf of another person and the firm has the requisite degree of control.

Requisite control exists where a firm has the ability, by any means, to bring about the transfer of the benefit of a cryptoasset to another person, including to itself. Ownership is therefore not determinative of whether safeguarding activity is being carried on.

Staking

Arranging qualifying cryptoasset staking involves making arrangements on behalf of another person (as principal or agent) for blockchain validation using qualifying cryptoassets. The focus is on intermediation that enables staking, rather than simple introductions or basic communications.

In-scope activities may include managing the staking lifecycle, pooling customer assets to meet validator thresholds, and distributing staking rewards. Purely technical services are generally out of the perimeter^[4].

Dealing and Arranging

The dealing and arranging perimeter for qualifying cryptoassets perimeter is broad. Dealing as principal or agent covers a broad range of buying and selling activities, regardless of how the transactions are described.

Arranging deals includes both bringing about specific transactions and making ongoing arrangements that facilitate trading, including through trading apps and platforms. The perimeter may apply even where a firm provides only part of the facilities for a transaction.

The ‘by way of business’ test

For the new regulated cryptoasset activities, the Cryptoasset Regulations apply a narrower concept of what ‘by way of business’ means. A person will only be treated as carrying on a regulated activity by way of business if they are carrying on the business of engaging in one or more such activities.

In the FCA's view, this is a deliberately narrower test reflects the particular characteristics of cryptoasset markets and the profile of many participants, including retail investors. It is intended to focus the regulatory perimeter on persons whose business model involves providing, performing, operating, or otherwise being engaging in the relevant activity as a service to paying customers, rather than capturing incidental or isolated activity.

Territorial scope capturing overseas firms

The Cryptoasset Regulations are designed to bring within scope persons offering services to UK consumers regardless of whether they are based in the UK or overseas. Critically, the overseas persons exclusion (“OPE”) does not apply to the new regulated cryptoasset activities. Overseas firms therefore cannot rely on the OPE to avoid authorisation where they carry on regulated cryptoasset activities with a UK nexus.

However, the position is nuanced for dealing and platform activities. Where an overseas person is only involved in the sale or purchase of qualifying cryptoassets with UK consumers through an authorised firm dealing as principal or to operate a qualifying CATP, that overseas person is not itself brought within the perimeter.

The FCA has also confirmed that its baseline expectation is for firms requiring FCA authorisation to conduct their regulated cryptoasset activities from a UK legal entity. Taken together, these provisions reinforce a recurring message across the UK’s crypto reform programme: direct FCA supervision and authorisation are becoming the price of entry for firms seeking to service the UK market, regardless of where they are headquartered or where elements of their technology stack are located.

Money laundering regulations (“MLR”) Transition

At present, cryptoasset businesses are required to register with the FCA solely for anti-money laundering purposes, and this does not constitute authorisation under FSMA. With the introduction of the new regulated cryptoasset activities, UK firms with a MLR registration will now be required to obtain a permission under the FSMA regime, if they are within scope of the Cryptoasset Regulations.

Firms registered under the MLR as a cryptoasset exchange provider or custodian wallet provider should consider the guidance to determine which permissions they require, apply for authorisation under Part 4A of FSMA, and notify the FCA within 30 days of the regime commencing if they intends to continue those activities.

Firms should begin perimeter analysis and, where appropriate, pre-application engagement with the FCA without delay. For many firms, this transition will also require a recalibration of systems and controls that have been designed primarily for AML compliance rather than full FSMA authorisation. As we have explored elsewhere in the Emerging Themes series, regulators are increasingly scrutinising gaps between formal regulatory status and the substance of how firms operate in fast‑moving digital markets.

key reflections

CP26/13 highlights a broader forecast for 2026 and beyond: as crypto markets normalise, regulators are placing less weight on novelty or technical complexity and more weight on accountability, control and consumer impact.

The FCA's guidance is deliberately wide. Firms that may not previously have considered themselves to be conducting regulated activity – whether due to their business structure, use of technology, or the terminology they adopt – should revisit that assumption considering CP26/13. This analysis should extend to overseas group structures and arrangements.

Finally, the wider legislative context continues to evolve. Ongoing work to modernise payments law, including in relation to tokenised payments and stablecoins, underscores the need for firms to assess the perimeter position by reference to the law as it stands at the relevant time, and not assume that today’s analysis will remain static.

Firms that act early will be best placed. Those that do not risk being left behind or, worse, finding themselves on the wrong side of the general prohibition when the regime comes into force in October 2027.

---

[1] Although not a separate new regulated cryptoasset activity, cryptoasset lending and borrowing is another activity popular in cryptoasset markets, which the FCA discusses in CP26/13.

[2] Cryptoasset sector terminology (e.g. exchange, custody, broker, wallet, issuer or platform) may be used inconsistently and may not map neatly onto statutory concepts.

[3] Fungibility means that a cryptoasset is freely replaceable by another cryptoasset of a similar nature or kind, such that one unit can be substituted for another. Fungibility is a question of fact rather than how a cryptoasset is labelled or marketed. Therefore, the fact that a cryptoasset might be described as a Non-Fungible Token will not, on its own, necessarily determine whether it is a qualifying cryptoasset.

[4] Operating a validator node (a specialised computer server that acts like a digital referee on the blockchain for verifying transactions, proposing new blocks or securing the network) or offering solo staking tools without further involvement is unlikely, on its own, to amount to arranging qualifying cryptoasset staking.