Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
International Desks
Helping you access overseas markets with support from our country and region-specific experts.
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS United Kingdom
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in Focus View all
Insights by type
CMS Spotlight: join our events and webinars!
CMS News
Stay up to date with our growth, evolution and our many successes.
CMS Press Office
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Legal Update

FCA publishes second paper on the forthcoming prudential regime for cryptoasset firms

13 Jan 2026 United Kingdom 18 min read

On 16 December 2025, the Financial Conduct Authority (“FCA”) published its second consultation paper on the proposed Prudential Regime for Cryptoasset Firms (CP25/42). This follows an earlier paper on the proposed prudential regime for stablecoin issuers and cryptoasset custodians in May 2025 (CP 25/15) (see our summary of the earlier paper here).

This consultation paper is part of the FCA’s push to publish its final rules for the cryptoasset industry before the new cryptoasset regulatory regime comes into force on 25 October 2027. The paper has been published alongside two others on: (i) the FCA’s approach to regulating cryptoasset activities (CP25/40) (see our summary here); and (ii) admissions, disclosures and public offers relating to qualifying cryptoassets (see our summary here) and the market abuse regime for cryptoassets (CP25/41).

Overall, we expect the proposals to have a significant impact on cryptoasset businesses, particularly those that have not previously been subject to prudential regulation and, due to the punitive capital treatment of certain exposures, drive changes in market structure. The new prudential and group disclosure requirements will also subject many cryptoasset businesses operating on an international basis to a greater level of transparency than has previously been the case.

The FCA is welcoming feedback on the consultation paper by 12 February 2026. Below, we summarise the key proposals, drawing out the practical implications and next steps for affected businesses and markets.

What does this consultation paper cover?

In this paper, the FCA outlines proposed own funds requirements for “other cryptoasset firms.” These are firms seeking permissions to operate a qualifying cryptoasset trading platform (“CATP”), conduct qualifying cryptoasset staking, arrange deals, deal as agent and/or deal as principal in qualifying cryptoassets (including lending and borrowing activities). Several of these requirements are being presented for the first time, as prior papers did not address them specifically. The paper also sets out a range of requirements that will apply to all types of cryptoasset firms, including stablecoin issuers and cryptoasset custodians.

As a reminder, the FCA will introduce two new sourcebooks: (i) COREPRU, which will be a cross-cutting prudential rulebook setting common principles and baseline requirements that will (in due course) apply to other types of regulated firms as well; and (ii) CRYPTOPRU, which will be a sector specific rulebook for cryptoasset firms that builds on COREPRU and sets detailed capital, liquidity, risk management and wind down standards tailored to cryptoasset firms. For these purposes, “qualifying cryptoassets” generally excludes specified investment cryptoassets (e.g. tokenised financial instruments), which will continue to be dealt with under the existing prudential regimes (as applicable to individual firms).

What are the key changes from CP 25/15?

The FCA is largely maintaining the approach set out in CP 25/15 in relation to stablecoin issuers and cryptoasset custodians, applying it more broadly, but has identified two notable changes. Firstly, it has replaced the term “internal capital adequacy and risk assessment process” (known as the ICARA) with an “overall risk assessment” to align with the broader nature of the risk framework, a shift that is not expected to have significant practical effects. Secondly, the FCA no longer intends to introduce a bespoke regime for groups of cryptoasset firms. Instead, firms should evaluate group related risks within their overall risk assessment and include specific group information in their public disclosures. The FCA has also indicated that it plans to consult further on additional rules and guidance for stablecoin issuers specifically.

Own funds – overview

As will be familiar to investment firms subject to the MiFID activity-related prudential rules (known as MIFIDPRU), the FCA proposes to subject other cryptoasset firms to an own funds requirement (“OFR”) that is the highest of a firm’s permanent minimum requirement, its K-factor requirement and its fixed overheads requirement. We discuss each of these limbs in more detail below.

Own funds – permanent minimum requirement (other cryptoasset firms)

In CP25/15, the FCA proposed a permanent minimum requirement (“PMR”) of £350,000 for firms issuing qualifying stablecoins and £150,000 for firms safeguarding qualifying cryptoassets. In this consultation paper, the FCA has proposed the following PMR for the remaining cryptoasset activities, noting that where a firm conducts multiple activities, the highest PMR will apply:

  • £75,000 for dealing as agent and for arranging deals in qualifying cryptoassets;
  • £150,000 for operating a CATP and for qualifying cryptoasset staking; and
  • £750,000 for dealing as principal in qualifying cryptoassets.

This is the first time the industry has seen the proposed PMR figures. Although aligned with equivalent activities in traditional finance (as set out in MIFIDPRU), which will apply to specified investment cryptoassets (e.g. tokenised financial instruments) going forwards, the CRYPTOPRU measures will have a significant impact on cryptoasset firms. Many in scope cryptoasset firms will now need to raise substantial capital on an initial and ongoing basis and/or restructure some or all of their existing capital stack to meet regulatory requirements. As such, there may be a competitive advantage for investment firms who are already well capitalised and already have appropriate systems and controls in place.

Own funds – K-factors

The FCA will require cryptoasset firms to calculate their “K‑factors”, which are activity or exposure based measures used to set capital requirements. CP 25/15 specified K‑factors for issuing qualifying stablecoins (“K‑SII”) and for safeguarding qualifying cryptoassets (“K‑QCS”). The FCA now proposes additional K‑factors for the remaining activities, divided into operational based and exposure based categories, as set out below.

Operational based

  • K‑QCS K‑QCS – The FCA proposes to broaden K‑QCS (as consulted on in CP 25/15) to cover relevant specified investment cryptoassets, as well as qualifying cryptoassets. This will lead to relevant specified investment cryptoassets potentially being caught by two regimes (CRYPTOPRU and MIFIDPRU) when a firm carries out safeguarding qualifying cryptoassets and relevant specified investment cryptoassets, as well as holding client assets in the course of MiFID business. There is some confusion in the consultation as, while the paper explains that the relevant MIFIDPRU K-factor (K-ASA) will be disapplied and K-QCS will apply instead (paragraph 3.9), the text of the draft rules provides that relevant specified investment cryptoassets already captured in the K-ASA requirement need not be included in the calculation of K-QCS (CRYPTOPRU 4.5.3 R).
  • K‑CCO (client cryptoasset orders) – K‑CCO will apply to elements of arranging deals and/or dealing as agent in qualifying cryptoassets, namely: (i) executing orders on behalf of clients; and (ii) receiving and transmitting client orders. K‑CCO is set at 0.1% of average client cryptoasset orders and must include chain orders involving more than two parties, orders executed by a CATP solely in its capacity as operator, and orders a firm executes on an external CATP (other than in its own name). This is similar to the K‑COH (client orders handled) requirement that applies under MIFIDPRU.
  • K‑CTF (cryptoasset trading flow) – K‑CTF will apply to trading conducted in the firm’s own name (irrespective of whether the order is ultimately for the benefit of a client). It is set at 0.1% of average cryptoasset orders, calculated on daily transaction value, and excludes client orders captured under K‑CCO. This is the same base concept as K‑DTF (daily trading flow) under MIFIDPRU, which also excludes orders captured under K-COH to prevent double counting.
  • K‑CCS (clients’ cryptoassets staked) – K‑CCS will apply to staking services provided on behalf of clients and is set at 0.04% of average clients’ cryptoassets staked. It covers all qualifying cryptoassets the firm has staked, including assets queued for validation or in the process of being unstaked, as well as assets staked via a third party or where the firm has been appointed by a third party. Where a firm both stakes and safeguards qualifying cryptoassets, K‑CCS may exclude assets captured in the K‑QCS, provided staking and safeguarding occur simultaneously. As this is a cryptoasset specific operational K‑factor recognising staking risks, there is no MIFIDPRU equivalent, although the closest conceptual analogue is K‑ASA (operational risk from custody/administration).

Exposure based

  • K‑NCP (net cryptoasset position – market risk)
    • K‑NCP imposes a market risk capital charge on firms’ trading book positions in qualifying cryptoassets, capturing potential value volatility. It excludes UK authorised qualifying stablecoins, positions already deducted under COREPRU 3, and positions in financial instruments, FX, or commodities that fall under MIFIDPRU’s K‑NPR or K‑CMG (as applicable). For firms subject to both CRYPTOPRU and MIFIDPRU, certain exposures (e.g. financial instruments with a qualifying cryptoasset as an underlying) may be included in a firm’s K‑NCP calculation instead of its K‑NPR/K‑CMG where appropriate to enable firms to recognise the effects of hedging (e.g. entering into a derivative instrument relating to a qualifying cryptoasset holding).
    • After netting and valuing positions in the firm’s functional currency, a position risk adjustment applies: 40% for Category A cryptoassets and 100% for Category B cryptoassets. The 40% position risk adjustment for Category A cryptoassets is comparable to the treatment of collective investment undertakings (CIUs) under the UK CRR, which are subject to an adjustment of 32%, however, it is a significantly higher charge than as applicable to single name equities (16%) and it remains to be seen how many cryptoassets it will be practicable for firms to assess as satisfying the relatively stringent Category A criteria.
  • K‑CCD (cryptoasset counterparty default – counterparty risk)
    • K‑CCD addresses potential counterparty default risk for firms that regularly enter into qualifying cryptoasset transactions creating exposures that extend beyond the standard settlement period for a spot trade. It does not apply to cryptoasset firms that only spot trade, where settlement is immediate or near immediate. This K-factor will be relevant in lending scenarios.
    • The K-CCD calculation excludes cryptoassets already deducted under COREPRU 3 and transactions already captured by K‑TCD under MIFIDPRU. K‑CCD is then calculated as 1.2 × exposure value ×  risk factor. A new risk factor for retail clients has been proposed as 83.33% (as compared to a risk factor of 1.6% for transactions involving central governments, central banks, public sector entities etc. and credit institutions and investment firms and 8% for transactions involving other counterparties, which reflects the MIFIDPRU position).
    • This approach to retail clients is intended to align with the FCA’s proposals in CP25/40 that firms must provide negative balance protection to retail clients and will have no recourse to them beyond the collateral that has been received. The impact of this risk factor is therefore that firms will have to hold capital equivalent to the full exposure value after accounting for collateral. However, the exposure value may also be subject to volatility adjustments in relation to the collateral received and the cryptoasset due from the counterparty of 0% for UK authorised qualifying stablecoins, 40% for Category A cryptoassets and 100% for Category B cryptoassets. This may make lending to retail clients uneconomic and/or is likely to discourage firms from accepting Category B cryptoassets as collateral.    
  • K‑CON (concentration – concentration risk) – K‑CON addresses concentration risk arising from significant exposures to individual clients or groups of connected clients and applies to all cryptoasset firms. The methodology broadly aligns with MIFIDPRU. CRYPTOPRU broadens the scope of the concentration risk requirements to include exposures from cryptoasset counterparty default (captured under K‑CCD) and net long positions in qualifying cryptoassets (captured under K‑NCP). Firms must calculate K‑CON only where exposure values exceed the “concentration risk soft limit.” Again, the methodology here is aligned to MIFIDPRU large exposure style measurements and soft limits. Exposures to a client or group of connected clients are calculated across both traditional financial instruments and cryptoassets.

Have there been any changes to the fixed overhead requirements (all cryptoasset firms)?

The FCA has proposed targeted adjustments to “relevant expenditure”, so the fixed overheads requirement (“FOR”) more accurately reflects true fixed costs for firms trading in qualifying cryptoassets. Specifically, it will allow:

  • a 100% deduction for fees, brokerage, and other charges paid to trading venues, intermediate brokers and central counterparties, where these amounts are directly passed through to clients;
  • an alternative 80% deduction for such fees/brokerage/charges where they are not directly passed on to clients (and have not already been deducted under the 100% pass through); and
  • a clarification that neither approach permits deductions for membership fees or loss sharing obligations owed to trading venues or central counterparties.

In addition, the draft rules introduce a deduction for losses from trading in financial instruments or qualifying cryptoassets when calculating relevant expenditure for the FOR.

The overall risk assessment (all cryptoasset firms, excluding MIFIDPRU investment firms)

The FCA has designed a bespoke ongoing prudential risk assessment for cryptoasset firms, similar to the internal capital adequacy and risk assessment (“ICARA”) for MIFIDPRU investment firms. Cryptoasset firms that are also MIFIDPRU investment firms will not be subject to the new requirements and will instead continue to apply the rules set out in MIFIDPRU 7.

The overall risk assessment is intended to be used by relevant firms to monitor compliance with the overall financial adequacy rule (“OFAR”). To achieve this, the FCA proposes to introduce an own funds threshold requirement and a liquid asset threshold requirement, both of which would be determined by firms through their overall risk assessment process. Relevant cryptoasset firms must take action if they fail to meet these requirements, and if a firm is unable to resolve any breaches, the FCA would expect the firm to begin winding down.  

The FCA proposes the overall risk assessment to operate as a continuous process by which a firm will identify and monitor risks and put in place appropriate and proportionate mitigants. The assessment is also expected to include business model assessment, capital and liquidity planning, stress testing, recovery action planning, wind down planning and financial resource adequacy considerations. The firm’s governing body must review and sign off on the overall risk assessment at least annually, and upon any material change, with records to be retained for at least three years. The FCA will consult in 2026 on non-Handbook guidance on completing the overall risk assessment.

Determining own funds threshold requirement and liquid asset threshold requirement (all cryptoasset firms, excluding MIFIDPRU investment firms)

As part of the overall risk assessment, firms will need to estimate any additional own funds for any material harms not covered by the PMR, KFR or FOR, as well as any further liquidity requirements not covered by the basic liquid assets requirement (“BLAR”) and (where applicable) issuer liquid asset requirement (“ILAR”).

 To comply with the overall financial adequacy rule (“OFAR”), a cryptoasset firm will set its own funds threshold requirement (“OFTR”) at the higher of the amount of its OFR (see above) and the total own funds necessary to fund its ongoing business operations, taking into account potential periods of financial stress during the economic cycle, or own funds as necessary for wind down without causing material harm.  

Cryptoasset firms will also be required to assess and calculate the amount of liquid assets required to fund the firm’s ongoing business operations. The firm should also produce a reasonable estimate of the amount of liquid assets required to wind down without causing material harm. This will help it to determine the overall amount of liquid assets it will need to hold to meet the OFAR.

Firms must assess the amount of liquid assets required to fund ongoing business operations by assessing liquidity needs over a rolling 90 day period and regularly review their 12 month funding profile, including liquidity needs, sources and mitigations for any gaps. In addition to core liquid assets described in CP25/15, the FCA also proposes allowing non-core liquid assets that are readily convertible to cash, subject to haircuts, so that firms can meet thresholds above the BLAR and (where applicable) ILAR with an appropriate mix of core and non-core assets. The BLAR and ILAR themselves must be met with core liquid assets.

How are firms expected to address group risks under the new proposals (all cryptoasset firms, excluding MIFIDPRU investment firms)?

The FCA proposes that group risks must be captured in the firm’s overall risk assessment, including both direct and indirect financial exposure and other risks such as shared reputation, clients, policies, or control frameworks. This applies regardless of where the members of the group are located or whether or not the group includes other UK authorised persons. Firms must, where proportionate, reduce group risks. If a firm is not able to reduce group risks that may cause material harm, it must assess whether additional own funds and liquid assets are needed to cover such risks.

Disclosure and reporting (all cryptoasset firms)

Where a cryptoasset firm is subject to other prudential regimes (e.g. MIFIDPRU), disclosure requirements must be met across both regimes. However, to avoid unnecessary duplication, firms may publish a single, consolidated set of prudential disclosures that cover all the requirements for both regimes.

Cryptoasset firms will be required to make specific disclosures at least annually, either when publishing annual financial statements or when submitting their confirmation statement to Companies House. Initially, the FCA only expects to collect returns from specific firms on an ad hoc basis, to test what works for the cryptoasset sector. The FCA will therefore not consult further on prudential regulatory returns for the time being but will consult more generally on cross-cutting reporting in Q1 2026.

How will the new regime interact with other prudential regimes (all cryptoasset firms)?

The FCA acknowledges that some firms will conduct both regulated cryptoasset activities and MiFID activities, meaning that they may fall under both COREPRU/CRYPTOPRU and MIFIDPRU. In this case, firms will only need to conduct a single overall risk assessment, encompassing both cryptoasset and MiFID businesses. While disclosure requirements may differ between the regimes, such firms will be allowed publish a single, consolidated set of prudential disclosures covering both regimes.

 When a firm subject to COREPRU/CRYPTOPRU is also subject to another FCA prudential regime, the FCA proposes that the interaction of these regimes will be in the same manner as MIFIDPRU interacts with other prudential regimes. COREPRU/CRYPTOPRU will not apply to firms that are prudentially regulated by the PRA, such as banks and the small number of designated investment firms.

How will prudential requirements apply to cryptoassets, counterparties or arrangements originating in third countries (all cryptoasset firms)?

The FCA acknowledges that it has not specifically addressed various third country issues, including the treatment of exposures to cryptoassets, counterparties or arrangements originating in third countries and states that these may be areas subject to future consideration. One example given is the fact that the exclusion from the position risk requirement for qualifying stablecoins that comply with UK requirements could potentially be extended to third country stablecoins in the future, where regulatory outcomes are broadly aligned (hinting at a potential equivalence regime). In the meantime, clearly cryptoasset firms will be incentivised to accept UK qualifying stablecoins as collateral over those from other jurisdictions, as they will be excluded from a position risk charge.

Next steps for affected firms

As discussed above, firms that will become subject to prudential regulation for the first time are likely to have the most work to do to prepare for the application of the COREPRU and CRYPTOPRU rulebook. All affected firms will need to map permissions and business lines to the applicable PMRs and K-factors, build reliable data pipelines to quantify K‑factor requirements and develop relevant policies and procedures (e.g. with regards to the categorisation of collateral for the purposes of the K-NCP charge and the calculation of the FOR).

Boards should oversee and approve a continuous overall risk assessment that sets credible own funds and liquid asset thresholds above minimums where justified by stress testing, business model analysis and wind down needs, supported by clear escalation triggers, contingency actions and documented governance. Group interdependencies, financial and operational, should be assessed and mitigated proportionately within the overall risk assessment. Firms will also need to prepare to make their first disclosures under the new rules, once they go live.

Finally, with feedback due by 12 February 2026 and final rules expected ahead of the 25 October 2027 go live, firms should engage with the consultation and provide feedback based on their specific business models, as industry feedback is crucial in designing and appropriately calibrating the prudential regime.

CMS has a market leading cryptoasset regulatory practice and is currently assisting Crypto UK and its members in responding to this consultation. Please reach out to any of the contacts listed or your usual CMS contact should you wish to discuss these developments further.

Co-authored by James Isaacs, Trainee Solicitor.

More insights
Banking & Finance Financial Services & Regulation Digital Assets & Crypto Asset Based Financing Funds FinTech TMT - Technology, Media & Telecommunications

Explore more

Publication United Kingdom

Crypto Regulation in the UK

11 Mar 2026 2 min read
Expert Guide International

CMS Expert Guide to Crypto Regulation in United Kingdom

17 min read
Event United Kingdom

IP Insights webinar series 2026

28 Apr 2026
Back to top Back to top
You will now find all Law-Now content on CMS.law
Explore more
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.