June 2026

      In September 2025, the FCA published CP25/25 ‘Application of FCA Handbook for Regulated Cryptoasset Activities’. This was one of a series of consultations setting out the proposed regulatory regime for cryptoasset activities in the UK, which is due to go live in October 2027. CP25/25 covers broad regulatory themes including whistleblowing and the responsibilities of senior management, as well as providing specific guidance on operational resilience.

      In May 2026, the FCA held a webinar on operational resilience, reinforcing the key messages in CP25/25 and clarifying what the regulator expects to see in applications for authorisation.

      In this article, KPMG in the UK summarises what this means for cryptoasset firms and highlights key actions these firms should take to drive compliance.

      At a glance, firms should:

      • Implement operational resilience processes now

        Cryptoasset firms seeking FSMA Part 4A authorisation are expected to have begun designing and embedding their operational resilience framework prior to applying.

      • Demonstrate that arrangements work in practice

        The FCA is likely to expect more than paper-based policies. Firms should be able to demonstrate that their resilience framework is operationally effective through testing, analysis and governance.

      • Focus on crypto-specific vulnerabilities

        Firms should give particular attention to private key security, validator and smart contract risks, third-party dependencies, system availability and data integrity.

      • Treat disruptions as inevitable

        Adopt a ‘not if, but when’ mindset and design resilience arrangements on the basis that disruptions will occur.

      • Make use of regulatory support and guidance

        As the opening of the gateway approaches, firms should monitor FCA authorisations guidance and consider engaging with the pre-application support service.


      Operational resilience is defined by the FCA as ‘the ability of firms and the market as a whole to prevent, adapt and respond to, and learn and recover from, operational disruptions’. Although operational resilience considerations have long been the norm for traditional finance firms, for cryptoasset firms, which have until now been subject to few regulatory obligations, they represent a step change in expectations.

      The FCA’s proposals will require a fundamental shift in behaviour to thinking about ‘when’ not ‘if’ operational disruptions will occur and how they will respond. In this article we consider the proposals in CP25/25, the unique risks which cryptoasset firms should focus on and key considerations as they prepare to seek FSMA Part 4A authorisation.

      Extending FCA SYSC 15A to cryptoasset firms

      The FCA has taken a ‘same risk, same regulation’ stance in the development of the UK regulatory regime for cryptoassets. Therefore, rather than developing a new, separate framework, it proposes to extend the existing operational resilience framework for regulated firms (set out in SYSC 15A) to cover all cryptoasset firms, except UK branches of overseas firms.

      SYSC 15A requires firms to:

      • Identify important business services (IBS)

        These are services provided by or on behalf of the firm to one or more clients which if disrupted could cause intolerable levels of harm to any one or more clients of the firm, or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets. 

      • Set impact tolerances for IBS

        Impact tolerances reflect the maximum level of disruption a firm judges to be acceptable before harm occurs to consumers, market integrity or financial stability.

      • Remain within impact tolerances

        Be able to demonstrate the ability to operate within impact tolerances for each IBS in the event of a ‘severe but plausible’ operational disruption.

      • Perform a mapping exercise

        Identify and document the people, processes, technology, facilities and information necessary to deliver each IBS, to support effective testing and help understand their vulnerabilities.

      • Plan and perform scenario testing

        Develop a clear, detailed and regularly updated testing plan that demonstrates how they will gain assurance that they are able to remain within impact tolerances for each IBS. Testing should include a diverse range of adverse scenarios varying in nature, severity and duration, relevant to cryptoasset business models.

      • Have a communications plan in place

        Maintain internal and external communication strategies to enable rapid responses in the event of disruption – including disruptions which are outside of the firm’s control. 

      • Continuous review

        Following each test, and any actual operational disruption, firms should conduct a ‘lessons learned’ exercise to identify any weaknesses exposed and inform improvements to their ability to respond to and recover from future incidents.


      Given the same operational resilience requirements have applied to traditional firms in full since 31 March 2025, there are already some best practices that can be adopted by crypto firms as they develop their thinking and processes. These include:

      • Conducting regular assessments to identify potential security vulnerabilities in IT infrastructure and carrying out appropriate remediation.
      • Using strong encryption and security protocols to protect data and code.
      • Implementing preventive and detective controls such as firewalls and intrusion detection systems, with the detection output actually monitored and acted on.
      • Patching and updating software in a timely way. For smart contracts this applies only where the contract was deployed with an upgrade mechanism; contracts that are immutable once deployed need a documented migration or pause plan instead, since a vulnerability cannot simply be patched in place.
      • Ensuring that information is backed up regularly, and disaster recovery and business continuity plans are in place and embedded.
      • Creating effective incident management plans that could minimise the potential impacts of disruption and openly sharing information with authorities on request.
      • Running staff training programmes for cyber and other security risks. 

      SYSC 8

      Continuing the ‘same risk, same regulation’ approach, the FCA also proposes to apply SYSC 8 to cryptoasset firms. This would mean that a firm using outsourced and other third-party service providers retains responsibility for managing risks arising from these arrangements.

      However, the FCA recognises that when using a permissionless DLT, cryptoasset firms will not have a direct contractual relationship with those who operate the network. Therefore, it proposes that the use of permissionless DLTs should not be treated as an outsourcing arrangement. This does not remove the underlying dependency: a firm whose IBS relies on a public chain still needs to understand and test for network-level disruptions (e.g. congestion, forks or validator outages) under SYSC 15A, even though SYSC 8 outsourcing rules do not apply.

      Where a firm relies on a third party for the delivery of an IBS, the FCA expects it to have sufficient understanding of the people, processes, technology, facilities and information that support the services being provided to be able to comply with obligations under SYSC 15A. It follows that increased dependency on such providers would require increased levels of third-party risk management. 

      Crypto-specific considerations

      While there are common operational risks in both traditional financial firms and cryptoasset firms, the FCA notes that the unique characteristics of cryptoassets introduce specific technological risk challenges such as private key security risks, validator risks, code vulnerabilities and service disruptions. CP25/25 outlines key areas of risk that cryptoasset firms should focus on and what the regulator will expect.

      Cyber and technology resilience

      Firms should maintain robust and proportionate cyber and IT controls to ensure that systems which support cryptoasset related services are resilient. This includes managing risks to system availability, data integrity, third-party dependencies and using recognised international cyber security standards and relevant best practices.

      Safeguarding cryptographic keys and infrastructure

        Where firms hold or store the means of access to cryptoassets (e.g. private keys), including any supporting infrastructure used to provide this service (e.g. smart contracts or validator nodes), they should establish secure and well-defined processes. These processes should address private key loss, unauthorised system access and general service disruptions. The FCA expects firms to adopt and maintain high technical standards to safeguard both private keys and the resilience of the underlying infrastructure.

      Continuity and disruption planning

      Firms should develop, test and regularly update plans to maintain or restore important business services during disruptions. Scenarios should reflect cryptoasset activities carried out by the firm and the underlying infrastructure to support services (e.g. smart contract failure, failure in the technology to support stablecoin reconciliation processes and validator outages). Targeted vulnerability scans and penetration tests should be carried out to identify and address risks.

      Preparing for authorisation

      CP25/25 includes guidance on how the FCA expects firms to apply the operational resilience requirements, with relevant examples for cryptoasset business models.

      Where services are still in development but are likely to become important business services, the FCA expects firms to take a forward-looking approach e.g. by defining preliminary impact tolerances and completing early mapping. In practice this means including future and developing services within the scope of operational resilience planning.

      As the date for applications approaches, firms should check the FCA’s Authorisations and Cryptoasset webpages regularly for further guidance on application processes. Firms may also wish to make use of the regulator’s pre-application support service (PASS), which opened to cryptoasset firms on 11 May. 

      Further policy developments

      In CP25/25, the FCA notes specific policy areas that are still developing. Guidance on the use of DLTs, expected from the ICO in autumn 2026, should provide greater clarity on the implications for operational resilience. The FCA will also consult further on operational incident reporting requirements for cryptoasset firms.


      How KPMG in the UK can help

      KPMG has extensive experience supporting financial services firms including traditional finance firms and fintechs with:

      • Applications for regulatory authorisations and variations of permissions.
      • The design, review and implementation of operational resilience processes and controls, including operational resilience framework definition, target operating model (TOM) design, identifying business services, resource mapping, defining impact tolerances, resilience control assessments and scenario testing.

      Please reach out to the team to discuss your requirements in more detail.

