The Regulatory Context

The Financial Services and Markets Act 2000 (FSMA) Part 4A gateway for cryptoasset businesses is expected to open in September 2026. This will require all firms currently registered under the temporary cryptoasset regime, and any new market entrants, to apply for full FCA authorisation with a specific permission set covering their regulated cryptoasset activities.

The FCA has been explicit about what it expects to find in applications. It has published consultation papers, review reports, and Dear CEO letters setting out where the current market falls short. In our experience working with firms preparing applications, the same gaps appear repeatedly, and most of them are avoidable.

What we are seeing

The majority of firms in preparation are underestimating the gap between their current operational state and what the FCA expects to find. A compliant business that is operating well still needs to demonstrate that compliance in a specific format, with specific evidence, structured to the FCA's assessment criteria. That work takes longer than most boards anticipate.

The Regulatory Business Plan, Where Most Applications Fail

The single most common cause of FCA application rejection, or, more precisely, the most common cause of an application being returned with a request for significant additional information, is the regulatory business plan (RBP).

This is distinct from a commercial business plan. The FCA is not assessing whether your business is a good idea. It is assessing whether your firm will operate within its regulatory obligations, manage its risks, protect customers, and meet its financial requirements. These are different questions that require a different document.

What a regulatory business plan must cover

The FCA expects the RBP to address, in sufficient depth, each of the following areas:

  • Business model and regulatory perimeter analysis: a precise description of each regulated activity, the basis on which it falls within the relevant permission set, and an explanation of any activities that are deliberately excluded
  • Customer base and target market: who you serve, how you will categorise them (retail / professional), and how your product and service design reflects their needs and characteristics
  • Governance structure: board composition, senior manager functions, committee structure, and reporting lines between the board and operational functions
  • Financial projections: three-year P&L, balance sheet, and capital adequacy projections with identified assumptions and stress scenarios, including a wind-down scenario
  • Risk framework: the firm's risk appetite statement, key risk categories, mitigation measures, and the governance of risk oversight
  • Regulatory obligations map: a structured reference to each applicable FCA sourcebook, handbook module, or rule set, with a description of how the firm will comply
  • Compliance monitoring programme: an annual compliance monitoring plan covering all regulated activities, with escalation procedures and board reporting commitments

The most common failure mode

The most common failure mode is a document that is detailed on the business proposition and thin on regulatory substance. Boards that are close to their product tend to produce documents that explain what they do at length and address regulatory obligations at summary level. The FCA reads these in reverse order of priority. A twenty-page product description with two pages on governance and compliance will not pass.

The three things the FCA checks first

Based on the pattern of FCA queries and application return letters, the three areas that receive the heaviest scrutiny at initial review are: the governance section (specifically SMCR), the financial projections (specifically capital adequacy and wind-down), and Consumer Duty implementation. Each is addressed below.

SMCR Mapping, Common Gaps the FCA Flags on First Review

All FCA-authorised firms are subject to the Senior Managers and Certification Regime (SMCR). For cryptoasset firms applying under Part 4A, this means identifying the applicable senior management functions (SMFs), completing Form A applications for each proposed SMF holder, drafting Statements of Responsibilities (SoRs), and, for enhanced scope firms, preparing a Responsibilities Map.

The SMFs most applicants underestimate

The minimum expected SMF set for a cryptoasset firm will typically include Chief Executive (SMF1), Chairman (SMF9), Compliance Oversight (SMF16), Money Laundering Reporting Officer (SMF17), and Chief Risk Officer (SMF4, where applicable). For firms with significant retail exposure, an additional Senior Manager for customer outcomes may be expected.

The FCA does not accept token appointments. Each proposed SMF holder must demonstrate genuine authority, appropriate experience, and the practical capacity to discharge their function. A compliance officer with a full-time operational role who has also been designated as Chief Risk Officer and MLRO will receive a query.

Statements of Responsibilities, the granularity the FCA requires

Statements of Responsibilities are returned more frequently than any other SMCR document. The FCA considers a SoR insufficient if it is written at a high level of abstraction. Phrases like "responsible for compliance" or "oversees risk management" do not describe responsibility; they describe a job title.

A compliant SoR describes specific decisions the SMF holder is responsible for, specific matters they are required to escalate, specific reports they receive and act on, and the limits of their authority relative to the board and other SMFs. This level of specificity requires the SoR to be written by someone who understands the firm's operating model, not drafted generically and adapted.

Consumer Duty, What the FCA Actually Expects in a Cryptoasset Context

FCA PS22/9 Consumer Duty applies to all firms serving retail customers. For cryptoasset firms, this is one of the most misunderstood requirements in the authorisation process. Most applicants address it as a policy compliance exercise. The FCA treats it as an outcomes question.

The four outcome areas (products and services, price and value, consumer understanding, and consumer support) each require specific evidence of implementation, not a statement of intent. The FCA will ask what you have done, not what you plan to do.

The evidence the FCA expects to find

  • A product approval process that explicitly assesses whether the product delivers good outcomes for the target market, with documented sign-off
  • A fair value assessment for each product or service, demonstrating the fee structure is proportionate to the value delivered and the risk transferred to the customer
  • Customer testing or evidence of communication review demonstrating that retail customers can understand the product, its risks, and the fees before making a decision
  • A vulnerable customer identification and support process, with specific accommodations for customers who may be financially vulnerable or inexperienced with cryptoassets
  • A Consumer Duty implementation plan with named responsible individuals, action completion dates, and a monitoring programme

Practical note

The FCA specifically notes that cryptoassets are high-risk products with a history of significant retail customer harm. Applicants in this sector will face a higher bar of Consumer Duty evidence than applicants in lower-risk segments. A generic Consumer Duty policy that is not specifically adapted to the risks of the firm's cryptoasset products will not satisfy the FCA's review.

Wind-Down Planning, Why Applicants Consistently Underestimate It

Every FCA-authorised firm must demonstrate the ability to wind down in an orderly manner. For cryptoasset firms, this is operationally more complex than it appears, particularly where the firm holds or transfers customer cryptoassets on behalf of clients.

The wind-down plan must address: the minimum capital required to operate the wind-down, the mechanism for returning customer assets (including on-chain assets), the regulatory notifications required, the timeline from trigger event to completion, and who within the firm has authority to initiate the wind-down process.

The financial projections must include a wind-down scenario that demonstrates the firm holds sufficient capital to complete an orderly wind-down at any point in the three-year projection period, not just at the point of application. This is a stress test, not an optimistic case.

Pre-Application Engagement, Whether It Still Helps

The FCA's Innovation Pathways programme and direct pre-application engagement with supervisory teams have historically provided value for applicants with genuinely novel business models. The question of whether they still provide equivalent value for Part 4A cryptoasset applications is less clear.

The FCA has signalled that the Part 4A gateway will process a high volume of applications. Pre-application engagement may help firms confirm the scope of their required permissions and avoid obvious structural errors. It is unlikely to create a meaningful advantage in the queue or provide substantive feedback on application quality before submission.

Our view is that pre-application engagement is worth pursuing for firms with genuinely novel business models, particularly those operating at the edge of the regulatory perimeter or with cross-border structures that require clarification. For firms with standard business models applying for standard permissions, the time is better spent on application quality.

Timeline Planning, Working Backwards from September 2026

Working backwards from a September 2026 gateway opening and assuming a twelve-month FCA determination period for a well-prepared application, a firm that wants to operate under full authorisation by late 2027 needs to be in a submission-ready state by approximately Q4 2026. That means the preparation work needs to begin now.

The key preparation milestones, in order, are: perimeter analysis and permission set confirmation, governance review and SMCR mapping, RBP drafting, policy and procedure suite, financial modelling, SMCR Form A preparation, Consumer Duty implementation evidence, and wind-down plan. Each of these is a multi-week workstream. They are not sequential (several run in parallel), but they are interdependent, and gaps in early stages create compounding problems in later ones.

The timeline firms most often get wrong

The most common timeline error is treating the RBP drafting as the starting point rather than the output. The RBP can only be written once the governance structure, permission set, financial model, and compliance framework are substantially complete. Attempting to draft the RBP before these foundations are in place produces a document that describes aspiration rather than reality, which the FCA will identify immediately.

Pre-Submission Checklist

FCA Cryptoasset Authorisation, Key Pre-Submission Items

  • Regulatory perimeter analysis documented, each regulated activity identified with the relevant permission set [Required]
  • Regulatory business plan drafted, not a commercial plan repurposed. Specific to FCA assessment criteria. [Required]
  • 3-year financial projections with stress scenarios and wind-down scenario [Required]
  • SMF holders identified, Form A applications prepared for each [Required]
  • Statements of Responsibilities drafted: granular, function-specific, not generic [Required]
  • Consumer Duty implementation plan with evidence, not a statement of intent [Required]
  • AML/KYC programme documented and approved: BWRA, CDD policy, MLRO designation [Required]
  • Compliance monitoring programme drafted: annual plan, escalation procedures, board reporting [Required]
  • Wind-down plan: mechanism, capital requirement, timeline, authority [Required]
  • Complaints handling procedure, DISP-compliant timeframes built in [Required]
  • Operational resilience assessment: important business services identified, impact tolerances set [Recommended]
  • Pre-application engagement with FCA Innovation Pathways (if genuinely novel model) [Optional]

How Arca Compliance Can Help

Arca Compliance advises fintech and digital asset businesses through the FCA authorisation process, from initial perimeter analysis and permission set design through to regulatory business plan drafting, SMCR mapping, Consumer Duty implementation, and application submission support.

We work on defined engagements with clear scope and deliverables. We do not offer a template-based service; every regulatory business plan we produce is written specifically for the firm's business model, governance structure, and customer profile, to the FCA's assessment criteria.

Engagements are taken by introduction. If you have been referred by a counterpart or have a specific matter you would like to discuss, the right next step is a direct introduction through Galore.club.
