Consumer Duty for crypto: what 'good outcomes' really means for HNW clients
How Consumer Duty thinking applies to crypto clients: outcomes, documentation, scam resistance and continuity planning without custody.
Introduction
Crypto has reached the point where many professionals can no longer treat it as an edge case. Even where the regulatory perimeter is still evolving, the direction of travel is clear: stronger expectations around client outcomes, communications, and operational controls. For advisers, solicitors, accountants and compliance teams, the practical question is not 'Is crypto regulated yet?' It is: If a client's crypto is lost, stolen, or becomes inaccessible due to incapacity or death, can you evidence that you treated the risk seriously and guided them to a workable plan?
Key takeaways
• 'Good outcomes' in crypto rarely means outperformance. It means preventing avoidable loss and making assets executable when life happens.
• The biggest client harms are operational: phishing, device compromise, poor record-keeping, unclear authority, single-person knowledge, and family confusion.
• Professionals need a repeatable process that is non-custodial, documented, reviewable, and easy to explain.
• A 'crypto-ready' firm doesn't need to hold keys. It needs governance, questions, and a pathway.
The outcomes lens: what clients actually need
In traditional products, 'outcomes' often focuses on suitability, cost, and performance. In crypto, the outcome often hinges on something far more basic:
1. Discovery: do we know what exists and where it sits (exchange, wallet, multisig, custody arrangement)?
2. Control: who can act, with what authority, and using what devices/credentials?
3. Continuity: what happens if the key person is unavailable (incapacity) or gone (death)?
4. Protection: can a client resist social engineering, impersonation and recovery scams?
5. Executability: can someone else follow the steps without guesswork or panic?
A robust approach is to treat crypto like an operational asset class: inventory + access + authority + process + review.
Why 'do nothing' becomes harder to defend
Many professional firms are still 'waiting' for clarity. The problem is that client harm does not wait. If a client is self-custodying and something goes wrong, there is no complaints pathway that recreates private keys. That creates a quiet but real risk for professionals: clients and families will assume you had a view, even if your view was 'we don't touch crypto'. The practical mitigation is not taking custody. It is being able to show you:
• asked the right questions,
• identified the main failure modes,
• provided clear signposting and a repeatable readiness process,
• encouraged periodic review,
• documented what was agreed.
The five failure modes that drive most real-world losses
If you want a simple internal framework, use these five categories:
1) Single point of failure
One person holds all knowledge: seed phrase location, device PINs, exchange email access, 2FA, recovery codes.
Outcome risk: death or incapacity turns into permanent loss or family dispute.
2) Unverified recovery
Clients rely on 'I'll figure it out later', screenshots, untested backups, or a recovery plan that has never been rehearsed.
Outcome risk: 'later' becomes 'never', especially under stress.
3) Authority confusion
Families and executors don't know what they are permitted to do, who has consent, or how to avoid allegations of misuse.
Outcome risk: paralysis, conflict, delay, or actions that trigger fraud risk.
4) Social engineering
Impersonation, 'support' messages, fake compliance emails, recovery scammers, urgent requests to 'verify'.
Outcome risk: clients hand over access willingly.
5) Records gap
No clean list of platforms, wallets, devices, identifiers, and where evidence sits.
Outcome risk: assets are missed entirely, or estate admin becomes expensive and slow.
A simple adviser process that works without custody
Here is a repeatable approach most firms can adopt without building a crypto department.
Step 1: Define scope (what you do and do not do)
Be explicit internally:
• You are not giving investment advice (unless you are authorised to do so).
• You are not taking custody.
• You are providing a readiness process: inventory, continuity, risk controls, and documentation.
Step 2: Map the custody model
Ask:
• Where is the crypto held (exchange, self-custody wallet, multisig, third-party custodian)?
• Who controls email and 2FA for exchanges?
• What devices are involved?
• Who else knows anything about it?
Step 3: Build an evidence baseline
Create a structured record:
• platforms and wallet types,
• device list,
• contact points and trusted persons,
• where evidence lives,
• escalation plan if something looks wrong.
Step 4: Continuity planning from day one
This is where most firms fail. 'Continuity' includes:
• incapacity,
• death,
• 'lost device',
• 'suspected compromise'.
Step 5: Schedule reviews
Crypto setups drift: new devices, new wallets, changing exchanges, family changes. Set a review cadence (often every 4–6 months for active holders).
Where Bitzo fits
Bitzo exists because professionals need a coordination layer that is:
• non-custodial (you never hold assets),
• structured and repeatable (so every client gets the same baseline),
• documented (so families and executors have something usable),
• built for 'worst day' scenarios, not just day-to-day.
If you want 'Consumer Duty-style outcomes' in crypto, the most defensible route is to make the plan simple, explicit, and executable.
Related reading: Security, Inheritance, How It Works, and For Advisers.
Practical checklist for firms
• Do we have a standard 'crypto readiness' questionnaire?
• Do we have a firm-wide position on custody (usually: do not take custody)?
• Can we describe our process in one page?
• Do we record: inventory, access routes, authority, and escalation?
• Do we have a scam/impersonation playbook clients can follow?
• Do we have a cadence for review?
Frequently Asked Questions
What does 'good outcomes' mean for crypto clients?
Preventing avoidable loss and making assets executable when life events happen — not outperformance.
Do I need to take custody to help crypto clients?
No. The value is in process, documentation, and coordination — not holding keys.
What are the main failure modes?
Single point of failure, unverified recovery, authority confusion, social engineering, and records gaps.
How does Bitzo help?
Bitzo provides a non-custodial coordination layer with structured documentation and continuity planning.