CP25/14: Regulating the Custody of Cryptoassets

A summary of the FCA's proposals to regulate the custody of cryptoassets under CP25/14.

17 July 2025

Publication


Background

On 28 May 2025, the FCA published CP25/14: Stablecoin issuance and cryptoasset custody. This includes the FCA's current thinking on how it intends to regulate the safeguarding of cryptoassets (or their means of access). In line with the Draft SI, the consultation does not cover 'self-custody', which sits outside the proposed regulatory perimeter of safeguarding qualifying cryptoassets.

There are a variety of business models emerging for cryptoasset custody, and the FCA states that its intention is to develop a suitable framework which accounts for different business models now and in the future. The key objective is to ensure adequate protection of clients' cryptoassets where a custodian is responsible for them, and that those assets are returned as quickly and wholly as possible to clients if a qualifying cryptoasset custodian enters an insolvency process.

The approach closely mirrors that taken in relation to custodians in traditional finance, though the FCA does diverge from this where necessary due to the differences in the nature of the assets held by cryptoasset custodians.

Four Pillars 

The FCA proposes to continue with the approach it outlined in DP23/4, where it suggested utilising the existing CASS framework as a basis to design bespoke requirements for the safeguarding of qualifying cryptoassets. It breaks down its proposals into four core components.

1. Safeguarding clients' rights to their qualifying cryptoassets 

Segregation of client assets: Where a firm is only providing custody, they must ensure that clients' qualifying cryptoassets remain segregated from the firm's own assets at all times. The FCA is proposing to permit both individually segregated and omnibus wallets to safeguard clients' qualifying cryptoassets. Further, these assets must be held on trust, with the firm acting as a bare trustee, on behalf of the clients (at this stage the FCA is proposing a non-statutory trust).

Reuse of client qualifying cryptoassets: The FCA notes the difference between custodians in traditional finance markets and in cryptoasset markets when it comes to their reuse of client assets. The former are generally prohibited from using client assets held in custody for their own, or another client's, benefit, unless the client has given express prior consent. However, the FCA notes that in the cryptoasset market, firms such as exchanges are often vertically integrated, providing multiple services to their clients in addition to custody. These include staking, holding cryptoassets as collateral, or in some instances lending cryptoassets to other clients. The FCA is going to consider its approach to the reuse of client qualifying cryptoassets separately.

2. Recording clients' qualifying cryptoasset holdings  

Accurate books and records: Firms will need to maintain accurate and up-to-date client-specific qualifying cryptoasset records. For each client, firms will need to be able to identify the type, quantity, and blockchain address of each cryptoasset held, as well as the nature of an individual client's claim to the qualifying cryptoasset. The records must be maintained independently from the relevant DLT used by the firm and not be supplemented by records kept by third parties or on the blockchain.

Reconciliations: The FCA proposes that custodians carry out a qualifying cryptoasset reconciliation each business day. Firms will be required to check the total amount of each cryptoasset recorded in their client specific records against the content of the wallet addresses controlled by the firm and (where relevant) against any qualifying cryptoassets held by third parties.

3. Minimising the risk of loss or diminution of clients' qualifying cryptoassets  

Adequate organisational arrangements: The FCA proposes to proceed with the approach outlined in DP23/4 to require qualifying cryptoasset custodians to have adequate organisational arrangements to minimise risk of loss or diminution of clients' qualifying cryptoassets due to misuse, fraud, poor administration, inadequate record-keeping, or negligence.

Private key management and security: The CP suggests that firms will need to have adequate organisational controls and arrangements to make sure:

  • private keys and the means of access to qualifying cryptoassets are generated, stored, and controlled securely throughout their lifecycle. 
  • firms maintain accurate and verifiable 'key-mapping' records which detail the qualifying cryptoassets safeguarded, the relevant wallets in which those qualifying cryptoassets are held, the means of access to those qualifying cryptoassets, and how they correspond to the relevant clients.
  • firms implement strategies to mitigate loss or compromise of the means of access to qualifying cryptoassets, including arrangements for secure back-ups.
  • firms maintain accurate and up-to-date records of their policies and procedures for wallet/means of access management.

Liability for loss of cryptoassets: The FCA notes that the standard of liability is generally set out in legislation rather than FCA rules. The Draft SI includes the government's proposal to not impose full, uncapped liability on the qualifying cryptoasset custodian. With that being the case, the qualifying cryptoasset custodian may still be held liable for loss of qualifying cryptoassets due to negligence or breach of contract or breaches of FCA rules, depending on the circumstances.

4. Governance and control over safeguarding arrangements of clients' qualifying cryptoasset holdings

Use of third parties: The FCA proposes that cryptoasset custodians must satisfy themselves of the following when appointing third parties to safeguard cryptoassets:

  • The appointment is in the best interests of the client, and necessary for safeguarding, which firms must evidence in a written policy.
  • Due diligence has been undertaken in the selection of the third party, and periodic reviews of the third party will be undertaken.
  • The expertise and market reputation of the third party have been considered, including security, market infrastructure and any legal requirements related to holding qualifying cryptoassets which could negatively impact clients' rights.
  • Any cryptoassets held by a third party must be identifiable separately from the assets belonging to the custodian and qualifying cryptoassets belonging to the third party.

Client disclosures and statements: In DP23/4 the FCA considered whether to require custodians to provide clients with a statement of account, which could include a Proof of Reserves (PoR) (a cryptographically proved, independent audit process that cryptoasset custodians can use to verify that the amount of client cryptoassets held in custody matches the assets they are holding in reserve on behalf of those clients). The FCA does not propose to mandate PoR at this point, but is considering whether to require firms to provide clients with access to an online system where up-to-date statements can be found, reflective of deposits and withdrawals, or at a minimum, provide a statement of account to each client at least once a year in a durable medium. It is further considering whether to require firms to disclose the wallet structures they have chosen to hold their clients' cryptoassets and why, and any changes in how their clients' qualifying cryptoassets are being held since the last disclosure the custodian made.

CASS oversight officer: The FCA proposes to mirror the requirement imposed on custodians in traditional finance to appoint an individual responsible for the operation and oversight of CASS compliance. This officer would review processes and controls and oversee third-party providers.

Client assets audit: While the FCA seems to have confirmed that it will require something akin to the CASS audits that custodians in traditional finance are required to undertake, it is going to consult further on proposed rules relating to this requirement in the 'Conduct and Firm Standards' CP.  

Regulatory reporting: While in traditional finance only CASS medium and large firms are required to submit a monthly Client Money and Assets Return (CMAR) to the FCA, the FCA proposes that for cryptoasset custodians, firms of all sizes would be required to report this information. The FCA is of the view that the CMAR gives an important overview of a firm's client asset arrangements and industry trends, which are used to assess risks, develop policy, and help it set supervisory priorities. It is going to consult further on proposed rules relating to this requirement in the 'Trading platforms, intermediation, lending and staking' CP.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.