FCA CP26/4: the UK crypto rulebook is forming — a checklist for firms and advisers

CP26/4 proposes how the FCA Handbook applies to regulated cryptoasset activities. A practical checklist for firms, advisers, and compliance teams preparing now.

Introduction

Back to Insights The FCA's Consultation Paper CP26/4 sets out proposed rules and guidance for firms conducting regulated cryptoasset activities. Published in January 2026 with a consultation deadline of 12 March 2026, it covers Consumer Duty, conduct of business standards, complaints and redress, training and competence, the Senior Managers and Certification Regime (SM&CR), regulatory reporting, safeguarding, and more. As the FCA states, the aim is to "promote market integrity, protect consumers, and support innovation and competition in the UK cryptoasset market." This article translates CP26/4 into a practical checklist for professional firms — what you need to have in place, what to monitor, and where crypto estate planning and non-custodial security intersect with the evolving rulebook. This is general information, not legal advice.

Explore key topics

• What CP26/4 is and what it proposes • The permissions gateway • Consumer Duty and cryptoasset firms • Conduct of business, complaints, and redress • 10-point checklist for professional firms • Bitzo practical checklist • For professionals: what to do next • For families and executors: why this matters

What CP26/4 is and what it proposes

CP26/4 is the second part of the FCA's consultation on applying its Handbook to regulated cryptoasset activities. It builds on earlier consultations (CP25/14, CP25/15, CP25/25, CP25/40, CP25/41, CP25/42) and covers: • Consumer Duty (Principle 12 and PRIN 2A) — with supporting guidance in GC26/2 • Conduct of Business Standards (COBS) — fairness and transparency rules • Dispute Resolution (DISP) — complaints handling and access to the Financial Ombudsman • Credit for Crypto Purchases — restrictions on using credit to buy cryptoassets • Training and Competence standards • Senior Managers and Certification Regime (SM&CR) • Regulatory Reporting (SUP 16) • Cryptoasset Safeguarding requirements • Retail Collateral Treatment in Cryptoasset Borrowing • Location Policy Guidance The consultation closes on 12 March 2026. The FCA plans to open its permissions gateway for firms to apply for cryptoasset authorisation in September 2026.

The permissions gateway

The FCA has confirmed it plans to open a gateway for firms to apply for cryptoasset permissions in September 2026. This means firms intending to conduct regulated cryptoasset activities in the UK will need to apply through this gateway. For professional firms (advisers, solicitors, accountants) who do not directly conduct cryptoasset activities but advise clients who hold crypto, the gateway matters because: • Providers you recommend or introduce clients to will need to be authorised • Due diligence on crypto service providers becomes a compliance requirement, not just best practice • Client conversations about protections, redress, and Ombudsman access become more concrete Firms already registered under the Money Laundering Regulations for crypto activities will need to transition to full FCA authorisation.

Consumer Duty and cryptoasset firms

CP26/4 proposes applying the Consumer Duty to cryptoasset firms. The accompanying guidance consultation GC26/2 explains how the Duty applies in practice. The Consumer Duty requires firms to deliver good outcomes for retail customers across four areas: products and services, price and value, consumer understanding, and consumer support. For crypto, 'good outcomes' must account for the specific risk profile: irreversible transactions, self-custody complexity, scam exposure, and the operational risks of incapacity or death. The FCA's guidance is issued under section 139A of FSMA and supplements (rather than replaces) existing rules. Professional firms should consider: are the crypto providers your clients use likely to meet Consumer Duty standards? If not, that is a risk your client relationship absorbs.

Conduct of business, complaints, and redress

CP26/4 proposes extending existing Conduct of Business Standards (COBS) to cryptoasset activities, covering: • Clear, fair, and not misleading communications • Appropriate disclosure of risks • Suitability and appropriateness assessments • Best execution requirements On complaints and redress, CP26/4 discusses how DISP (the Dispute Resolution sourcebook) would apply, including access to the Financial Ombudsman Service. The extent of Ombudsman access may depend on whether activities are conducted from a UK establishment. For professional firms, this changes the conversation with clients. You can start explaining that regulated crypto providers will have formal complaints processes and, in some cases, Ombudsman access — but the details depend on the specific firm and activity.

10-point checklist for professional firms

Use this checklist to prepare your firm for the evolving crypto regulatory landscape: 1. Map your firm's crypto exposure: which clients hold crypto, and what services do you provide around it? 2. Review provider due diligence: are the platforms and custodians your clients use planning to apply for FCA authorisation? 3. Update your compliance manual: add a section on cryptoasset activities and your firm's boundaries 4. Train relevant staff: ensure advisers, paralegals, and relationship managers understand the basics of crypto custody models and risks 5. Add crypto triage to onboarding: ask new clients whether they hold cryptoassets and how access is managed 6. Document your firm's position: clarify in writing what you will and will not do regarding crypto (information only, no custody, no financial advice) 7. Review professional indemnity coverage: check whether your PI policy covers crypto-related advisory activities 8. Prepare client communications: draft a clear, plain-English note explaining how regulation is developing and what it means for their holdings 9. Establish a continuity planning workflow: partner with a non-custodial specialist like Bitzo for documentation, verification, and recovery coordination 10. Monitor the consultation timeline: respond to CP26/4 by 12 March 2026 if relevant, and track the September 2026 gateway opening

Bitzo practical checklist

Whether you are a firm preparing for the gateway or an adviser helping clients, these non-custodial actions apply now: 1. Inventory all client crypto holdings (platforms, wallets, custody models) — without ever requesting keys 2. Identify single points of failure: one person holding all knowledge with no backup 3. Verify trusted contacts through documented, identity-checked processes 4. Create continuity documentation (Policy Packs) that executors and solicitors can use 5. Schedule periodic reviews — holdings, platforms, and contacts change 6. Separate ownership from access from authority: who owns, who can access, who can authorise Bitzo provides this coordination layer without custody, without holding keys, and without financial or legal advice. Explore all our insights at /insights for more on crypto inheritance planning UK and bitcoin inheritance UK.

For professionals: what to do next

Start with the 10-point checklist above. Beyond that: • Read the CP26/4 consultation paper in full if your firm operates in the crypto space • Consider responding to the consultation by 12 March 2026 • Brief your compliance team on the permissions gateway timeline • Introduce a non-custodial continuity planning conversation with HNW clients who hold crypto • Visit our advisers page (/advisers) for Bitzo's professional workflow Related reading: our article on the HM Treasury policy note (/insights/uk-cryptoasset-activities-regime-policy-note-what-changes) covers the legislative framework behind CP26/4.

For families and executors: why this matters

You do not need to read consultation papers. But you should know: • The UK is building a formal regulatory framework for crypto — protections will improve over time • Your executor may eventually be able to access formal complaints processes if a crypto provider fails during estate administration • None of this replaces the need for your own continuity planning — regulation protects against provider failure, not against lost keys or undocumented wallets • Document what exists, who can act, and how to verify identity before it matters Bitzo helps families and executors prepare for crypto probate UK scenarios now, while the regulatory framework develops. See our executors checklist (/insights/crypto-probate-uk-executors-checklist) for practical steps. Back to Insights