After years of industry questions regarding crypto’s place in the financial sphere, and how and when the new technologies might be regulated, the Financial Conduct Authority (FCA) has become the latest official body to take a step toward bringing crypto into the regulatory fold.
A decent proposal
The FCA has launched CP25/25: Application of FCA Handbook for Regulated Cryptoasset Activities, “seeking feedback on proposals on the minimum standards crypto firms will need to comply with.” Many of the proposals would bring crypto firms in line with “traditional financial firms” on matters including operational resilience and financial crime, as well as elements of the Consumer Duty and the Senior Managers and Certification Regime (SM&CR).
The consultation is open until 15 October 2025, with the FCA intending to publish final rules in 2026. David Geale, FCA executive director of payments and digital finance, said of the proposals:
“We want to develop a sustainable and competitive crypto sector – balancing innovation, market integrity and trust. Our proposals won’t remove the risks of investing in crypto, but they will help firms meet common standards so consumers have a better idea of what to expect. We are working now on what those standards should look like, ahead of legislation to bring it within our regulation.”
By the (hand)book – What rules could apply to cryptocurrency firms?
The FCA’s consultation aims to establish how existing FCA Handbook rules could apply to cryptocurrency firms. A range of potential applications is discussed, including the Senior Management Arrangements, Systems and Controls sourcebook (SYSC) and the Handbook’s Business Standards.
The stated goals of the proposals are to put in place regulation that protects consumers and market integrity while still encouraging innovation and growth. Two areas stand out where the FCA’s existing rules would be extended to cover the most pressing risks crypto firms currently face: operational resilience, and conduct and culture.
Operational resilience
Should the FCA expand its current set of rules and expectations to cover crypto firms, they would be expected to “have … robust arrangements, controls and policies to prevent, respond to, and recover from operational and technical disruptions such as cyber-attacks or third-party failures.”
The FCA’s consultation deems it “essential” for cryptoasset firms to have strong cyber resilience measures in place to “give consumers the highest levels of protection against potential cyber attacks,” and suggests that firms “consider internationally recognised risk management frameworks for cyber resilience”.
Proposed rules that would apply here include SYSC 15A, the operational resilience rules, which require firms to identify their “important business services” and set impact tolerances for the maximum disruption each can withstand before harm is caused to consumers or markets. Also mentioned are SYSC 7 (risk control: identifying, managing and reporting risk) and SYSC 8 (outsourcing and reliance on third parties). The FCA believes that these rules will “help firms to better prevent, adapt, respond to, recover and learn from operational disruptions,” while also reducing harm to consumers and markets.
It is unsurprising that the regulator would seek to hold crypto firms to high standards of operational resilience. In recent years we have seen a sharp increase in hugely disruptive cyber attacks and outages, from the far-reaching impact of the CrowdStrike outage to regulators themselves falling victim. In May this year, Coinbase Global disclosed a data breach in which bribed overseas customer-support contractors leaked customer data, with the company estimating remediation and customer reimbursement costs of up to $400 million. The incident underscores the FCA’s point on two fronts: crypto firms are increasingly tempting targets, and a firm’s resilience is only as strong as the third parties it relies on.
Conduct
Conduct and culture have been a focus area for the FCA, with the regulator intending to extend its non-financial misconduct rules to around 37,000 non-bank firms from September 2026. In the wake of high-profile bans related to misconduct, it will come as little surprise that the FCA will expect crypto firms to meet conduct-related expectations going forward.
The FCA proposes that crypto firms would be subject to conduct rules set out in both the FCA Handbook and the SM&CR. This would include the FCA’s Conduct Rules, which set out “minimum standards of behaviour” for individuals, requiring that they:
- act with integrity
- act with “due skill, care, and diligence”
- observe proper standards of market conduct
- pay due regard to the interests of customers and treat them fairly
The regulator believes crypto firms adhering to these rules would ensure that they “have clear accountability” and promote personal responsibility and improved conduct, as the FCA has found that “poor governance and conduct can make it less likely that firms will act in consumers’ best interests.”
As well as implementing “robust personal accountability frameworks for senior personnel,” the FCA’s proposals would require crypto firms “to notify the FCA when an individual has breached the Conduct Rules and has been subject to disciplinary action as a result.”
While the FCA has recently committed to reducing some of the “regulatory burdens” of the SM&CR, we have also seen several recent enforcement actions against individuals that contained a substantial conduct element. Crypto firms would do well to take note that the regulator will expect them to exhibit high standards of conduct and compliance-forward cultures.
“Same risk, same regulatory outcome”
The FCA’s proposals acknowledge that cryptoasset firms face distinct risks due to “the novel features and business models of the technology used.” However, the regulator’s proposals are based on the principle of “same risk, same regulatory outcome” – meaning crypto firms would be held to the same standards as other regulated firms in areas including conduct and operational resilience.
Recently, the Securities and Exchange Commission (SEC) set out a range of proposals to expand current rules and regulations to encompass crypto firms. This included modifying recordkeeping rules so they could be applied to cryptoassets, which would mean such firms would need to maintain records related to business operations and communications.
While the FCA, SEC, and other regulators have begun to streamline and scale back regulation in more traditional areas of financial services, the same cannot be said for crypto. The space may represent untapped potential, but it also presents new avenues of risk. While regulators settle the minimum standards that crypto firms will have to meet, crypto firms need to be preparing on their own account – ensuring they have the tactics, the talent, and the tools in place to make their compliance posture comprehensive and to be regulator-ready.
With regulators beginning to set out which rules might be expanded to cover crypto firms, getting out ahead of new expectations will be key for firms looking to stay on the right side of regulators. Ensuring that business data is being captured and compliantly archived is the first step to identifying – and mitigating – conduct and recordkeeping risk.