Consumer Duty for crypto: what 'good outcomes' really means for HNW clients

By Simon Bumford, Founder · · 9 min read

How Consumer Duty thinking applies to crypto clients: outcomes, documentation, scam resistance and continuity planning without custody.

Introduction

Back to Insights Crypto has reached the point where many professionals can no longer treat it as an edge case. Even where the regulatory perimeter is still evolving, the direction of travel is clear: stronger expectations around client outcomes, communications, and operational controls. For advisers, solicitors, accountants and compliance teams, the practical question is not 'Is crypto regulated yet?' It is: If a client's crypto is lost, stolen, or becomes inaccessible due to incapacity or death, can you evidence that you treated the risk seriously and guided them to a workable plan?

Key takeaways

• 'Good outcomes' in crypto rarely means outperformance. It means preventing avoidable loss and making assets executable when life happens. • The biggest client harms are operational: phishing, device compromise, poor record-keeping, unclear authority, single-person knowledge, and family confusion. • Professionals need a repeatable process that is non-custodial, documented, reviewable, and easy to explain. • A 'crypto-ready' firm doesn't need to hold keys. It needs governance, questions, and a pathway.

The outcomes lens: what clients actually need

In traditional products, 'outcomes' often focuses on suitability, cost, and performance. In crypto, the outcome often hinges on something far more basic: 1. Discovery: do we know what exists and where it sits (exchange, wallet, multisig, custody arrangement)? 2. Control: who can act, with what authority, and using what devices/credentials? 3. Continuity: what happens if the key person is unavailable (incapacity) or gone (death)? 4. Protection: can a client resist social engineering, impersonation and recovery scams? 5. Executability: can someone else follow the steps without guesswork or panic? A robust approach is to treat crypto like an operational asset class: inventory + access + authority + process + review.

Why 'do nothing' becomes harder to defend

Many professional firms are still 'waiting' for clarity. The problem is that client harm does not wait. If a client is self-custodying and something goes wrong, there is no complaints pathway that recreates private keys. That creates a quiet but real risk for professionals: clients and families will assume you had a view, even if your view was 'we don't touch crypto'. The practical mitigation is not taking custody. It is being able to show you: • asked the right questions, • identified the main failure modes, • provided clear signposting and a repeatable readiness process, • encouraged periodic review, • documented what was agreed.

The five failure modes that drive most real-world losses

If you want a simple internal framework, use these five categories: 1) Single point of failure One person holds all knowledge: seed phrase location, device PINs, exchange email access, 2FA, recovery codes. Outcome risk: death or incapacity turns into permanent loss or family dispute. 2) Unverified recovery Clients rely on 'I'll figure it out later', screenshots, untested backups, or a recovery plan that has never been rehearsed. Outcome risk: 'later' becomes 'never', especially under stress. 3) Authority confusion Families and executors don't know what they are permitted to do, who has consent, or how to avoid allegations of misuse. Outcome risk: paralysis, conflict, delay, or actions that trigger fraud risk. 4) Social engineering Impersonation, 'support' messages, fake compliance emails, recovery scammers, urgent requests to 'verify'. Outcome risk: clients hand over access willingly. 5) Records gap No clean list of platforms, wallets, devices, identifiers, and where evidence sits. Outcome risk: assets are missed entirely, or estate admin becomes expensive and slow.

A simple adviser process that works without custody

Here is a repeatable approach most firms can adopt without building a crypto department. Step 1: Define scope (what you do and do not do) Be explicit internally: • You are not giving investment advice (unless you are authorised to do so). • You are not taking custody. • You are providing a readiness process: inventory, continuity, risk controls, and documentation. Step 2: Map the custody model Ask: • Where is the crypto held (exchange, self-custody wallet, multisig, third-party custodian)? • Who controls email and 2FA for exchanges? • What devices are involved? • Who else knows anything about it? Step 3: Build an evidence baseline Create a structured record: • platforms and wallet types, • device list, • contact points and trusted persons, • where evidence lives, • escalation plan if something looks wrong. Step 4: Continuity planning from day one This is where most firms fail. 'Continuity' includes: • incapacity, • death, • 'lost device', • 'suspected compromise'. Step 5: Schedule reviews Crypto setups drift: new devices, new wallets, changing exchanges, family changes. Set a review cadence (often every 4–6 months for active holders).

Where Bitzo fits

Bitzo exists because professionals need a coordination layer that is: • non-custodial (you never hold assets), • structured and repeatable (so every client gets the same baseline), • documented (so families and executors have something usable), • built for 'worst day' scenarios, not just day-to-day. If you want 'Consumer Duty-style outcomes' in crypto, the most defensible route is to make the plan simple, explicit, and executable. Related reading: Security, Inheritance, How It Works, and For Advisers.

Practical checklist for firms

• Do we have a standard 'crypto readiness' questionnaire? • Do we have a firm-wide position on custody (usually: do not take custody)? • Can we describe our process in one page? • Do we record: inventory, access routes, authority, and escalation? • Do we have a scam/impersonation playbook clients can follow? • Do we have a cadence for review? For further reference, see: FCA Consumer Duty, FCA Cryptoassets Consultation CP25/41.

What GC26/2 is and how it relates to Consumer Duty

GC26/2 is the FCA's guidance consultation on applying the Consumer Duty (Principle 12 and PRIN 2A) to cryptoasset firms. It supplements — rather than replaces — existing Consumer Duty rules, providing crypto-specific guidance across the four Consumer Duty outcomes: 1. Products and services: are they designed to meet the needs of the target market? 2. Price and value: is the relationship between price and benefit fair and transparent? 3. Consumer understanding: do customers receive clear, timely, and relevant information? 4. Consumer support: can customers get help when things go wrong, and is that help effective? For crypto, each of these outcomes has a distinctive operational dimension. Products involve custody models that most consumers do not fully understand. Price includes hidden fees, spread, and staking risks. Understanding requires explaining irreversibility and self-custody consequences. Support must account for the fact that some losses are permanent. The consultation is open until 12 March 2026.

Scam-resilience playbook

Scams are the single largest cause of involuntary crypto loss. A scam-resilience playbook should address these attack patterns: Deepfake impersonation: AI-generated video or audio mimicking a trusted person (adviser, family member, exchange support). Defence: verify identity through a pre-agreed secondary channel; never act on a single communication. Urgent pressure: messages claiming your account is compromised and demanding immediate action. Defence: pause and verify independently. Legitimate organisations will not pressure you to move funds within minutes. Off-platform communications: scammers redirect conversations to WhatsApp, Telegram, or personal email to bypass platform safeguards. Defence: conduct all official business on the platform's own channels; verify any request to move off-platform. Fake support agents: someone contacts you claiming to be from your exchange or wallet provider, requesting your seed phrase or remote access. Defence: no legitimate provider will ever ask for your seed phrase. Full stop. Recovery scams: after an initial loss, a second scammer contacts you claiming to be a 'recovery specialist' who can retrieve your funds for a fee. Defence: there is no legitimate service that can recover crypto from a scammer. Report to Action Fraud. The NCSC's guidance on defending against phishing attacks recommends a multi-layered approach: "make it difficult for attackers to reach your users, help users identify and report suspected phishing, and protect your organisation from the effects of undetected phishing emails." This layered thinking applies directly to personal crypto security.

Practical scam spotting tips (NCSC guidance)

The National Cyber Security Centre provides practical guidance for identifying scam communications. Applied to crypto: 1. Check the sender: does the email address match the organisation it claims to be from? Scammers use lookalike domains (e.g. 'bltzo.net' instead of 'bitzo.net') 2. Look for urgency: legitimate organisations rarely demand immediate action. If you feel panicked, pause 3. Verify links before clicking: hover over links to check the actual destination. Do not click links in unexpected messages 4. Be suspicious of unsolicited contact: if someone contacts you about your crypto holdings and you did not initiate the conversation, treat it as suspicious 5. Use two-factor authentication: enable 2FA on all crypto accounts, preferably using a hardware key or authenticator app rather than SMS 6. Report suspicious messages: forward suspicious emails to report@phishing.gov.uk and report scam texts by forwarding to 7726 These steps apply to everyone — holders, family members, executors, and professional advisers. Scam risk increases during high-stress periods like bereavement, exactly when crypto inheritance planning is most critical.

For families and executors: how to stay safe

Consumer Duty is about firms delivering good outcomes. But families and executors need their own operational safeguards: • Never share seed phrases, private keys, or recovery codes with anyone who contacts you — no matter who they claim to be • Be especially cautious during bereavement: scammers monitor obituaries and social media for targets • Verify the identity of anyone claiming to be an adviser, solicitor, or recovery specialist through independent channels • If in doubt, pause. Legitimate requests can wait for proper verification • Ensure a continuity plan exists before it is needed — documented, verified, and accessible to the right people Bitzo helps families prepare for bitcoin inheritance UK and non-custodial crypto security UK by coordinating documentation and verification in advance, so that when the time comes, the process is clear and the risks are managed. Back to Insights

Frequently Asked Questions

What does 'good outcomes' mean for crypto clients?

Preventing avoidable loss and making assets executable when life events happen — not outperformance.

Do I need to take custody to help crypto clients?

No. The value is in process, documentation, and coordination — not holding keys.

What are the main failure modes?

Single point of failure, unverified recovery, authority confusion, social engineering, and records gaps.

What is GC26/2?

It is the FCA's guidance consultation explaining how the Consumer Duty applies to cryptoasset firms. It supplements existing Consumer Duty rules with crypto-specific guidance.

Does Consumer Duty protect me from losing my crypto?

Not directly. Consumer Duty requires firms to deliver good outcomes — clear communications, fair products, effective support. But it does not guarantee against loss, especially with self-custody.

What is the biggest scam risk for crypto holders?

Social engineering — scammers impersonating support staff, advisers, or family members to extract keys or authorise transfers. Deepfake technology is making this harder to detect.

How does Bitzo help with Consumer Duty compliance?

Bitzo provides non-custodial operational planning — documentation, verification, and coordination — that delivers the continuity and scam-resilience outcomes Consumer Duty thinking demands.

Where do I report a crypto scam in the UK?

Report to Action Fraud (actionfraud.police.uk). Forward suspicious emails to report@phishing.gov.uk and scam texts to 7726.

Sources

Ready to plan your crypto inheritance?

Speak to our UK-based team about your situation. No obligation, no pressure.

Speak to us