From September, FSMA-authorised firms will be able to apply for cryptoasset permissions through a variation of permission.
The FCA has been clear that firms will need to show they can meet higher standards than those set under the Money Laundering Regulations (MLRs). For many firms, this will mean reworking existing frameworks, controls and oversight arrangements before they submit their applications.
Based on our work with FSMA forms and current MLR-registered businesses, we've outlined some key areas where we see the biggest gaps:
Business Plans
Business plans will need to be updated to reflect how the firm will use cryptoassets in its investment proposition.
SMCR
Any Certification Staff carrying out cryptoasset-related regulatory activities must be competent and duly certified to do so.
Marketing
Any cryptoasset-related financial promotions must follow the rules for the promotion of restricted mass market investments.
Consumer Duty
Firms need to set clear cryptoasset target markets, price and value assessments, test consumer understanding, and establish appropriate consumer support requirements.
Custody
Arrangements around segregation, recording and reconciliation, as well as due diligence and oversight, must meet requirements.
Risk Management Frameworks
Frameworks will need to be updated to reflect cryptoasset-specific risks, and the mitigations put in place to manage them.
Prudential and Capital Requirements
Firms must assess whether their current capital requirements are still sufficient given the minimum requirements for each cryptoasset regulated activity and the cryptoasset k-factors.
ICARAs
ICARAs will need to be updated to include cryptoasset-specific risks and stress testing scenarios.
Operational Resilience
Frameworks will need to update their operational resilience requirements to include cryptoassets, to reflect new processes and dependencies.
Market Abuse
The introduction of the market abuse regime for cryptoassets (MARC) will require firms to expand their existing market abuse frameworks to include cryptoassets and update their monitoring tools to capture any potential market abuse taking place on-chain.
A Step Up in Expectations
The shift from MLR registration to full FSMA permissions represents a significant step up in regulatory expectations. Firms that start planning early, understand where their biggest gaps are, and take a structured approach to uplift will be in a far stronger position when the application window opens.
The FCA has been clear that it expects well-evidenced frameworks, not just intent, so preparation now will make a material difference to the success of an application later in the year.
If you want a deeper look at what this means in practice, our webinar Understanding Your FSMA Gap Assessment, on 21 April, will walk through the changes in more detail, and you’ll find out how you need to prepare for cryptoasset FCA applications.
How Thistle Initiatives Can Help
We help FSMA firms and crypto businesses understand where their frameworks need strengthening and what good looks like under the new regime.
Whether you need a focused review or wider support ahead of submitting an application, our team can guide you through the requirements in a practical and proportionate way.
Elizabeth Burns, Senior Manager 
Elizabeth is a Senior Manager in our Investments and Wealth team, where she draws on her extensive hands on experience from Compliance Advisory roles within the investment management sector. She also contributes to our crypto services and M&A services teams, advising clients on cryptoasset requirements, custody and prudential considerations, regulatory due diligence and broader readiness work. Lizzie’s combined experience across investments, emerging crypto regulation and transactional projects means she brings a clear, practical perspective to firms navigating complex regulatory expectations.