FCA Launches Consultation on Crypto Regulatory Perimeter

The perimeter is not the rulebook but it decides who has to follow it

There is a moment in every regulatory build-out where the real question begins to change.

At first, the focus is on the rules themselves: what will firms have to do, what standards will apply, how strict will the regime be. But eventually, the centre of gravity moves somewhere else. The harder question becomes more fundamental: who, exactly, is inside the system?

That is the question the UK is now starting to answer.

With its latest consultation on cryptoasset perimeter guidance, the Financial Conduct Authority is not introducing new obligations or extending the scope of the law. Instead, it is doing something more precise, and in many ways more consequential. It is explaining how the new regime is meant to attach to real-world business models.

And in doing so, it is drawing a line that many firms will find closer than expected.

From registration to authorisation

The broader context matters here. For several years, crypto firms in the UK have operated in a space that felt regulated, but only partially so. Registration under the Money Laundering Regulations imposed compliance obligations, but it never amounted to full authorisation under financial services law. It was, in effect, a perimeter at the level of financial crime, not market structure.

That distinction disappears in October 2027.

At that point, the new cryptoasset regime under FSMA comes into force, and with it the full logic of UK financial regulation. Activities become regulated activities. Firms require authorisation. The general prohibition applies. Carrying on business without the appropriate permissions is no longer a compliance gap, it is a criminal offence.

What has been missing, until now, is a clear account of how that framework maps onto crypto-native activities. Not in theory, but in the messy reality of platforms, interfaces, custody models and cross-border structures.

This consultation is the FCA’s attempt to provide that account.

What will actually be regulated 

At a high level, the direction is now clear. The FCA is not creating a single, unified category of “crypto businesses”. Instead, it is bringing a set of cryptoasset activities into the existing FSMA framework. 

Those activities are defined in the legislation and form the backbone of the new regime. They include operating trading platforms, dealing in cryptoassets, arranging transactions, safeguarding assets on behalf of clients, issuing qualifying stablecoins, and arranging staking services. 

In other words, the regime is built around the key functions that make crypto markets work. Some of these will feel familiar. Trading, intermediation and custody have long been central to financial regulation. Others, such as staking, reflect more crypto-native forms of participation, but are still approached through the same underlying logic. 

How these activities are being understood

While the list of regulated activities provides the structure, the consultation gives a clearer sense of how the FCA intends to interpret them in practice.

Take trading platforms. Operating a cryptoasset trading platform is treated as one of the clearest entry points into the regime. Where a firm brings together multiple buyers and sellers and enables trading in cryptoassets, it is, in substance, performing a market function. It does not matter whether the platform is centralised or relies on more distributed infrastructure. The question is whether there is a person operating or controlling that environment in a way that constitutes a business. If there is, the activity is likely to fall squarely within the perimeter.

Dealing activities are framed in similarly broad terms. A firm that buys or sells cryptoassets on its own account, or on behalf of clients, is engaging in conduct that closely mirrors traditional principal or agency trading. The labels may differ, but the underlying function is familiar. Where a firm stands between counterparties, or acts as the counterparty itself, it is likely to be viewed as carrying on a regulated activity.

Arranging transactions extends the perimeter further. This is not limited to executing trades, but captures the act of making those trades possible. Interfaces, applications or other systems that facilitate buying and selling can fall within scope, even where the firm does not take custody of assets or directly execute the transaction. The absence of a broad “technical services” exclusion is telling here. The FCA is signalling that participation in the transaction flow, even at one remove, may be enough to bring a firm inside the regime.

Safeguarding, or custody, is another core pillar. Here, the focus is not strictly on legal ownership, but on control. Where a firm holds cryptoassets, or has the ability to control or return them on behalf of another person, it is likely to be performing a safeguarding function. This captures a wide range of custody models, including those where clients have a contractual claim rather than direct ownership of assets.

Stablecoin issuance is treated more narrowly, but also more deliberately. To fall within scope, a firm must be involved in the full lifecycle of the stablecoin: offering it, maintaining its value, and standing ready to redeem it. When those elements are present, and carried on from the UK, the activity is brought clearly within the perimeter. 

Staking sits at the edge of the regime, but is still captured where it takes on an intermediary character. Simply running infrastructure, such as operating a validator node, is unlikely to be sufficient on its own. But where a firm pools customer assets, manages participation in validation, and distributes rewards, it begins to look less like a technical service and more like a managed activity performed on behalf of others. 

Familiar tests, unfamiliar answers

At first glance, the structure will feel familiar to anyone used to FSMA. The analysis turns on a set of questions that have been part of the UK regulatory toolkit for years: are you carrying on a regulated activity, is it in the UK, is it done by way of business, and do any exclusions or exemptions apply.

But familiarity here is slightly misleading.

In traditional financial markets, those questions tend to have relatively stable answers. The location of an activity is usually clear. The identity of the intermediary is rarely ambiguous. The boundaries between infrastructure, service provision and execution are well understood.

Crypto unsettles all of that.

An exchange may be incorporated offshore, operated across multiple jurisdictions, and accessed globally through a single interface. A protocol may present itself as decentralised, while still relying on identifiable actors to maintain or control key elements of the system. A wallet provider may insist it merely provides software, even as it shapes how users interact with underlying markets.

What the FCA is doing in this guidance is, in effect, reasserting the underlying logic of the perimeter in that more fluid environment.

When “in the UK” stops being geographic

One of the clearest signals comes from the way the consultation approaches territorial scope.

Historically, there has been some comfort in structuring activities outside the UK and relying on that fact to remain outside the regulatory perimeter. That comfort is now much harder to sustain. The guidance makes clear that activities can be treated as carried on in the UK even where parts of the operation, or even most of it, sit elsewhere, particularly where services are provided to UK consumers.

Just as importantly, the usual “overseas persons” exclusion does not apply to these new cryptoasset activities. That is not an incidental detail. It removes one of the more commonly relied upon routes for avoiding UK authorisation in cross-border models.

The practical implication is that the UK is not only regulating firms established within its jurisdiction. It is asserting a claim over activity that reaches into the UK market, even when the underlying infrastructure is located elsewhere.

Substance over labels

Running alongside that is a second, equally important theme: the FCA’s insistence on substance over form.

Throughout the document, there is a clear discomfort with relying on the language that has developed within crypto markets to describe business models. Terms such as “DeFi”, “front end”, or “protocol” are treated as, at best, shorthand. They do not determine whether something is inside or outside the perimeter.

Instead, the analysis returns repeatedly to a more basic set of considerations. Who is actually operating the service? Who sets the parameters under which it functions? Who controls key aspects of the system? And ultimately, who derives a commercial benefit from the activity?

The presence of smart contracts or elements of decentralisation does not, in itself, answer those questions. Nor does it remove the possibility that there is a person carrying on a business for regulatory purposes.

In that sense, the FCA is not rejecting crypto-native architectures. It is simply refusing to treat them as determinative.

Regulating functions, not products

The structure of the new regulated activities reinforces that approach.

Rather than attempting to regulate specific products, the regime focuses on functions. Operating a trading platform, dealing as principal or agent, arranging transactions, safeguarding assets, issuing stablecoins, arranging staking: these are defined in a way that deliberately cuts across a wide range of business models.

In some cases, the breadth is striking. The concept of “arranging deals”, for example, extends beyond traditional brokerage models to include a wide variety of interfaces and facilitation mechanisms. It is capable of capturing not only those who execute transactions, but also those who play a role in making those transactions possible.

At the same time, the FCA is careful not to rely solely on labels. Whether an activity falls within scope depends on what the firm is actually doing, and how it participates in the relevant arrangements. That assessment is inherently fact-specific, and the guidance repeatedly emphasises the need for case-by-case analysis.

Absorbing new models into old concepts

Perhaps the most interesting aspect of the consultation is what it does not do.

It does not attempt to create bright lines for emerging areas such as lending or staking. Instead, it maps those activities back onto the core set of regulated functions. Lending, for example, is not treated as a standalone category. Depending on how it is structured, it may involve dealing, arranging, or safeguarding, and therefore fall within the perimeter through those routes.

This is a familiar regulatory technique. Rather than defining every new product, the framework absorbs them by reference to underlying activities. It avoids the risk of obsolescence, but at the cost of some upfront uncertainty for firms trying to map their models onto the regime.

A short runway to implementation

All of this sits against a relatively compressed transition timeline.

The FCA expects to open the application window in late 2026, with the regime going live in October 2027. Firms that are currently registered under the MLRs will be able to continue operating during the transition, but only if they apply within the relevant window and move towards full authorisation.

That creates a practical pressure point. Before a firm can apply, it needs to understand which permissions it requires. And before it can do that, it needs to understand how its activities are characterised within the perimeter.

This consultation is intended to bridge that gap.