The Financial Conduct Authority (FCA) is consulting on proposals to regulate firms that are authorised to safeguard qualifying cryptoassets on behalf of their clients (so called ‘cryptoasset custodians’). The consultation is part of a wider consultation which includes proposals in relation to stablecoins (which we discussed here).

The fundamental purpose of the proposed requirements is to ensure that cryptoassets custodians do not fail, thereby exposing customers to the risk of losing all their assets. The FCA notes that it will consult separately on rules that would apply once a firm has failed.

The consultation proposes rules on what the FCA identifies as four ‘core components’, which impose requirements on cryptoasset custodians beyond the existing FCA Consumer Duty:

1. Safeguarding clients’ rights to their qualifying cryptoassets

The FCA points out that “the legal uncertainty around the ownership rights of cryptoassets has resulted in different outcomes for clients in court, following cryptoasset custodian failures”. As a result, it aims to impose requirements on custodians to “adequately safeguard client’s ownership rights to their qualifying cryptoassets” by segregating assets held on behalf of clients in a non-statutory trust.

2. Recording clients’ qualifying cryptoasset holdings

Custodians will be required to maintain records for each client that sets out, among other things, the type and quantity of qualifying cryptoassets held, which blockchain address each cryptoasset is held in, and the nature of an individual’s claim to the cryptoasset. Custodians will also have to carry out a qualifying cryptoassets reconciliation each business day.

3. Minimising the risk of loss or diminution of clients’ qualifying cryptoassets

Custodians will be expected to have “adequate organisational controls and arrangements” to ensure that, among other things, private keys and means of access to cryptoassets are generated, stored, and controlled securely throughout their lifecycle. Furthermore, while custodians will not be exposed to full, uncapped liability in the event of a malfunction, hack, or loss that was not within their control, they will be expected to set out  their safeguarding controls and liability if at fault explicitly in client agreements, and the FCA will consult shortly on these requirements.

4. Governance and control over safeguarding arrangements of clients’ qualifying cryptoassets holdings

Finally, when using third parties to improve the security and efficiency of their services, custodians will be required to satisfy themselves of a range of matters that the FCA sets out in detail. The FCA will also consult on proposed rules regarding what information ought to be disclosed to clients, as well as audit and regulatory reporting requirements.

The consultation closes on 31 July 2025, and can be read in full here.