Consumer Duty and crypto: defining "good outcomes" when loss is irreversible

GC26/2 explains how Consumer Duty applies to cryptoasset firms. Here's what 'good outcomes' means operationally — and a scam-resilience playbook for holders and advisers.

Introduction

The FCA's guidance consultation GC26/2 explains how the Consumer Duty applies to cryptoasset firms. Published alongside CP26/4, it sets out how firms should deliver good outcomes for retail customers in a market where transactions are irreversible, custody is often self-managed, and scam exposure is high. The FCA describes its aim as ensuring firms "deliver good outcomes for retail customers" through guidance issued under section 139A of the Financial Services and Markets Act.

For anyone involved in crypto inheritance planning or non-custodial crypto security in the UK, this guidance matters because it defines what 'good' looks like — and the failure modes it expects firms to address are exactly the ones that destroy families' access to digital assets: scams, social engineering, loss of access, incapacity, and death.

Explore key topics

• What GC26/2 is and how it relates to Consumer Duty
• Defining 'good outcomes' in operational terms
• The failure modes Consumer Duty must address
• Scam-resilience playbook
• Practical scam spotting tips (NCSC guidance)
• Bitzo practical checklist
• For professionals: what to do next
• For families and executors: how to stay safe

What GC26/2 is and how it relates to Consumer Duty

GC26/2 is the FCA's guidance consultation on applying the Consumer Duty (Principle 12 and PRIN 2A) to cryptoasset firms. It supplements — rather than replaces — existing Consumer Duty rules, providing crypto-specific guidance across the four Consumer Duty outcomes:

1. Products and services: are they designed to meet the needs of the target market?
2. Price and value: is the relationship between price and benefit fair and transparent?
3. Consumer understanding: do customers receive clear, timely, and relevant information?
4. Consumer support: can customers get help when things go wrong, and is that help effective?

For crypto, each of these outcomes has a distinctive operational dimension. Products involve custody models that most consumers do not fully understand. Price includes hidden fees, spread, and staking risks. Understanding requires explaining irreversibility and self-custody consequences. Support must account for the fact that some losses are permanent.

The consultation is open until 12 March 2026.

Defining 'good outcomes' in operational terms

Consumer Duty language can feel abstract. In crypto, 'good outcomes' translate to concrete operational standards:

• Good outcome: a customer understands that if they lose their seed phrase, no one — not the firm, not the FCA, not anyone — can recover their assets
• Good outcome: a customer is warned about common scam patterns before they become a victim, not after
• Good outcome: a customer's family can access a formal complaints process if a custodial provider fails during estate administration
• Good outcome: a customer with a non-custodial wallet has been guided to document access and verify trusted contacts

Bad outcomes — the ones Consumer Duty exists to prevent — include:

• a customer losing everything to a social engineering attack because no one explained the risk
• a family discovering after death that assets are permanently inaccessible because no continuity plan existed
• a customer being unable to complain because the provider has no UK establishment

Bitzo's non-custodial approach is designed around preventing these bad outcomes: documentation, verification, and coordination — without ever holding custody.

The failure modes Consumer Duty must address

Crypto has specific failure modes that Consumer Duty guidance must account for:

1. Scams and social engineering: deepfakes, impersonation of support staff, urgent-pressure phishing, and off-platform communications designed to extract keys or authorise transfers
2. Loss of access: lost seed phrases, destroyed hardware wallets, forgotten PINs, locked exchange accounts after 2FA device loss
3. Incapacity: a holder becomes unable to act, with no documented process for a trusted contact to step in
4. Death: assets become permanently inaccessible because no executor knows they exist, where they are, or how to recover them
5. Provider failure: a platform or custodian ceases operations, and the customer has no redress route

Traditional financial products have backstops for most of these: FSCS protection, bank account recovery, beneficiary designations. Crypto, especially self-custody crypto, has none of these by default. That is why operational planning — non-custodial crypto security — is the real safety net.

Scam-resilience playbook

Scams are the single largest cause of involuntary crypto loss. A scam-resilience playbook should address these attack patterns:

• Deepfake impersonation: AI-generated video or audio mimicking a trusted person (adviser, family member, exchange support). Defence: verify identity through a pre-agreed secondary channel; never act on a single communication.
• Urgent pressure: messages claiming your account is compromised and demanding immediate action. Defence: pause and verify independently. Legitimate organisations will not pressure you to move funds within minutes.
• Off-platform communications: scammers redirect conversations to WhatsApp, Telegram, or personal email to bypass platform safeguards. Defence: conduct all official business on the platform's own channels; verify any request to move off-platform.
• Fake support agents: someone contacts you claiming to be from your exchange or wallet provider, requesting your seed phrase or remote access. Defence: no legitimate provider will ever ask for your seed phrase. Full stop.
• Recovery scams: after an initial loss, a second scammer contacts you claiming to be a 'recovery specialist' who can retrieve your funds for a fee. Defence: there is no legitimate service that can recover crypto from a scammer. Report to Action Fraud.

The NCSC's guidance on defending against phishing attacks recommends a multi-layered approach: "make it difficult for attackers to reach your users, help users identify and report suspected phishing, and protect your organisation from the effects of undetected phishing emails." This layered thinking applies directly to personal crypto security.

Practical scam spotting tips (NCSC guidance)

The National Cyber Security Centre provides practical guidance for identifying scam communications. Applied to crypto:

1. Check the sender: does the email address match the organisation it claims to be from? Scammers use lookalike domains (e.g. 'bltzo.net' instead of 'bitzo.net')
2. Look for urgency: legitimate organisations rarely demand immediate action. If you feel panicked, pause
3. Verify links before clicking: hover over links to check the actual destination. Do not click links in unexpected messages
4. Be suspicious of unsolicited contact: if someone contacts you about your crypto holdings and you did not initiate the conversation, treat it as suspicious
5. Use two-factor authentication: enable 2FA on all crypto accounts, preferably using a hardware key or authenticator app rather than SMS
6. Report suspicious messages: forward suspicious emails to report@phishing.gov.uk and report scam texts by forwarding to 7726

These steps apply to everyone — holders, family members, executors, and professional advisers. Scam risk increases during high-stress periods like bereavement, exactly when crypto inheritance planning is most critical.
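The sender and link checks in tips 1 and 3 can be partly automated in a mail filter or triage script. The Python below is an added example, not code from this article, Bitzo or the NCSC: it classifies a sender address or link against a trusted-domain list and flags near misses such as 'bltzo.net'. The `TRUSTED` list, the confusable-character map and the distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of domains the holder really deals with (constructed).
TRUSTED = {"bitzo.net", "actionfraud.police.uk"}

# Small illustrative map of visually confusable characters (not exhaustive).
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(value: str) -> str:
    """Extract the lower-cased host from a URL or an email address."""
    if "://" in value:
        # urlsplit ignores any 'user@' part, so the real host is returned.
        host = urlsplit(value).hostname or ""
    else:
        host = value.rsplit("@", 1)[-1]
    return host.lower().rstrip(".")

def classify(value: str) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown'."""
    host = domain_of(value)
    if any(host == good or host.endswith("." + good) for good in TRUSTED):
        return "trusted"
    for good in sorted(TRUSTED):
        # Same shape once confusable characters are normalised (l vs i).
        same_shape = host.translate(CONFUSABLE) == good.translate(CONFUSABLE)
        # Within two single-character edits (assumed threshold).
        near_miss = edit_distance(host, good) <= 2
        # Trusted name used as a prefix label of some other domain.
        embedded = host.startswith(good + ".")
        if same_shape or near_miss or embedded:
            return f"lookalike:{good}"
    return "unknown"

if __name__ == "__main__":
    for sample in ("support@bltzo.net", "https://bitzo.net/insights",
                   "https://bitzo.net.example.com/login", "alice@example.org"):
        print(sample, "->", classify(sample))
```

An 'unknown' result means only that the domain resembles nothing on the list, so unsolicited messages from such senders still warrant the other checks above.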

Bitzo practical checklist

A Consumer Duty-aligned approach to non-custodial crypto security:

1. Document all wallets and platforms — without exposing keys or seed phrases
2. Verify trusted contacts through identity-checked, recorded processes with rotating codes
3. Create a continuity plan (Policy Pack) that executors and solicitors can follow
4. Brief all trusted contacts on scam patterns — especially deepfakes and impersonation
5. Establish a verification protocol: how will you confirm identity during a recovery event?
6. Review periodically: contacts, platforms, devices, and recovery arrangements change
7. Keep audit trails: every verification attempt, every contact change, every review

Bitzo coordinates this entire process without holding custody, without requesting keys, and without providing financial or legal advice. We focus on the operational outcomes that Consumer Duty thinking demands. Browse our full library at /insights for more on digital asset estate planning UK and crypto inheritance planning UK.

For professionals: what to do next

Advisers, solicitors, and accountants should consider how Consumer Duty thinking applies to their client relationships around crypto:

• Understand the four Consumer Duty outcomes and how they translate to crypto risk
• Ask providers you introduce clients to: 'How do you ensure clients understand risks, and how do you support them when things go wrong?'
• Integrate scam-awareness into client education — especially for HNW clients with significant crypto holdings
• Offer non-custodial continuity planning as part of your service proposition
• Visit our advisers page (/advisers) for a structured professional workflow

Related reading: our CP26/4 checklist (/insights/fca-cp26-4-handbook-crypto-activities-permissions-gateway) covers the broader regulatory framework, and our social engineering playbook (/insights/crypto-security-threat-persuasion-social-engineering-playbook) goes deeper on attack patterns.

For families and executors: how to stay safe

Consumer Duty is about firms delivering good outcomes. But families and executors need their own operational safeguards:

• Never share seed phrases, private keys, or recovery codes with anyone who contacts you — no matter who they claim to be
• Be especially cautious during bereavement: scammers monitor obituaries and social media for targets
• Verify the identity of anyone claiming to be an adviser, solicitor, or recovery specialist through independent channels
• If in doubt, pause. Legitimate requests can wait for proper verification
• Ensure a continuity plan exists before it is needed — documented, verified, and accessible to the right people

Bitzo helps families prepare for bitcoin inheritance UK and non-custodial crypto security UK by coordinating documentation and verification in advance, so that when the time comes, the process is clear and the risks are managed.

Frequently Asked Questions

What is GC26/2?

It is the FCA's guidance consultation explaining how the Consumer Duty applies to cryptoasset firms. It supplements existing Consumer Duty rules with crypto-specific guidance.

Does Consumer Duty protect me from losing my crypto?

Not directly. Consumer Duty requires firms to deliver good outcomes — clear communications, fair products, effective support. But it does not guarantee against loss, especially with self-custody.

What is the biggest scam risk for crypto holders?

Social engineering — scammers impersonating support staff, advisers, or family members to extract keys or authorise transfers. Deepfake technology is making this harder to detect.

How does Bitzo help with Consumer Duty compliance?

Bitzo provides non-custodial operational planning — documentation, verification, and coordination — that delivers the continuity and scam-resilience outcomes Consumer Duty thinking demands.

Where do I report a crypto scam in the UK?

Report to Action Fraud (actionfraud.police.uk). Forward suspicious emails to report@phishing.gov.uk and scam texts to 7726.
