Fintech 2026

Last Updated March 31, 2026

United Kingdom

Law and Practice

Authors



gunnercooke llp is the fastest-growing corporate law firm in the UK and has offices in the USA, Germany, CEE, Scotland and England. With more than 500 professionals, gunnercooke has a specific specialism in fintech, and has developed its offerings specifically with a view to assisting firms in this sector. This has included being the first major UK law firm to officially accept payment in crypto-assets, to facilitate clients in that sector, as well as having a strong cultural emphasis on providing predictable fixed-fee charging models, bringing certainty to firms needing to properly budget costs. gunnercooke’s offering extends beyond pure legal, for example by having an internal dedicated AI team able to develop AI solutions that clients can implement, as well as an operating partners team able to help fintech clients strategise their business models to seize new opportunities and maximise their value.

The fintech market has developed at pace in the United Kingdom, which is seeking to become a hub for fintech companies. A particular area of focus is the use of AI and crypto-assets, and in this respect it is interesting that the UK has taken a relatively slow approach to regulating AI, in line with the USA, whilst also making overtures to align its approach to blockchain and crypto with that in the USA.

The size of the United Kingdom as a financial services regulatory hub has meant that the full range of fintech firms are operating in the United Kingdom. The three largest areas of focus currently seen are:

  • blockchain and Web3;
  • artificial intelligence (AI); and
  • payment services.

In the UK there is one core regulatory regime, set out in the Financial Services and Markets Act 2000 (FSMA), as well as specific regimes for specific types of activity. 

FSMA, by reference to the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO), generally sets out which activities are regulated in the United Kingdom, as well as the powers of the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) (the two lead regulators for financial services in the UK) in respect of their oversight of firms conducting such activities.

FSMA also sets out the basis for the general prohibition on making certain communications into the UK, where these relate to invitations or inducements to buy, sell, subscribe for or underwrite qualifying crypto-assets (defined as covering a large range of unregulated crypto-assets where they are both fungible and transferable), without the appropriate approval from an FCA-authorised firm. This requirement is likely to be replaced towards the end of next year with a requirement instead to obtain a domestic UK authorisation in order to make such communications into the UK.

The main exception to this currently is the fact that certain activities in relation to crypto-assets (specifically acting as a crypto-asset exchange provider or custodian wallet provider) are specified in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). This has caused confusion as to, for example, the scope of the meaning of “making arrangements with a view to” a crypto-asset transaction. It has also caused friction in terms of the fact that the FCA generally has oversight over the conduct of business of firms within its remit, whereas the MLRs are focused solely on reducing the risk of money laundering and terrorist financing, meaning there is a lack of clarity regarding the expectations in relation to the FCA’s oversight. It is therefore helpful that towards the end of next year the MLRs regime for crypto-assets is expected to be superseded by a more traditional approach to requiring authorisation under FSMA.

For other business, generally, the Financial Conduct Authority’s expectations are as set out in the FCA’s Handbook of Rules and Guidance. That being said, there are still some specific regimes, the most notable of which are the Payment Services Regulations 2017 and the Electronic Money Regulations 2011, which generally set out the rules for firms in the payment services industry.

Compensation models and associated disclosures are highly specific to the nature of the activity in question; however, in broad terms, there is a focus on avoiding any compensation which is likely to cause a conflict with the interests of the consumer, which is a shift from previous thinking, which was more along the lines of disclosure obligations.

Firms that provide services in relation to securities are generally subject to the most onerous obligations; for example, financial advisers are not permitted to receive payments which may impact their advice. A recent focus has also been on inducements to invest, and it is notable that the FCA has prohibited these when selling in-scope crypto-assets (ie, fungible and transferable unregulated crypto-assets) to the general UK retail public.

Generally, there is no distinction drawn between fintech industry participants and legacy players, with a view to keeping a level playing field.

However, there is a recognition that new technologies may achieve the same (or better) outcomes for consumers through approaches not originally anticipated by the existing rules. Where this is the case, the general approach has been “same risk, same regulatory outcome”. In addition, the UK has pioneered the use of sandboxes, which enable interaction between the regulator and fintechs to assess how best to oversee new technologies.

The UK has a range of sandboxes, run by different regulators. These include the original sandbox, operated by the FCA, which allows firms with a genuine innovation with a UK nexus to conduct a test under its oversight.

The PRA and Bank of England also run sandboxes, and again these are generally chances for firms to be able to interact with these regulators to test new concepts which may be of relevance to them.

The use of a sandbox should be seen as a chance to explore a concept with a regulator – it is not a means to avoid regulation. Once a sandbox is successful, firms are still expected to obtain all the relevant authorisations and registrations that may be considered pertinent to the running of their business.

For financial services firms, the primary regulator is the FCA, which is responsible for both the conduct of business and prudential running of these businesses.

However, certain businesses (in particular banks, building societies, credit unions, insurers and major investment firms) are also regulated by the PRA, alongside the FCA. The general theme of these businesses is that they may pose a systemic risk to the UK financial services sector, so the PRA has a particular focus on matters such as the solvency of such institutions and mitigating the impact of any wind-down.

Another regulator that UK businesses generally have to deal with is the Information Commissioner’s Office, which is responsible for ensuring that businesses comply with their obligations with respect to processing personal data.

Firms may also have to comply with the requirements of the Advertising Standards Authority (ASA) if marketing in the United Kingdom; however, if they are regulated by the FCA/PRA, that tends to be more onerous than, and supersede, the requirements of the ASA.

Regulators in the UK do not issue “no-action” letters. However, there may be cases where they issue guidance as to the approach they will take in relation to certain business models.

Regulated firms are not able to outsource responsibility for their regulated activities. As a result, there are specific requirements for such firms to have a business continuity policy and planning in place. Further, institutions such as banks which pose a market integrity risk must ensure that they have provisions to keep key operations functioning in the event of, for example, a solvency risk.

Generally, for any product there will be a person considered to be “doing” the relevant activity. This person will have to therefore take responsibility for the activity, regardless of whether a fintech provider is leveraged in order to provide the product. As a result, they will subject the fintech provider to appropriate due diligence.

Furthermore, for certain activities (for example in relation to payments and certain activities in connection with securities), it may be possible for a fintech to leverage the licence of an existing FCA-authorised firm. Where this is the case, the FCA-authorised firm will be responsible for, and have oversight of, the fintech provider.

The FCA has taken a variety of enforcement actions in relation to firms that have breached its expectations. Whilst the FCA has taken steps to enforce all aspects of its rules, a particular focus has been on financial crime as a high priority. 

Generally, the biggest area of focus is the protection of personal data, particularly with regard to how it should be regulated post-Brexit. There is a belief that the existing requirements are relatively onerous in a way that may not be achieving the intended outcome. However, this needs to be balanced with the requirement to continue equivalence with the EU.

Banks have been taking an increasingly interventionist approach towards regulating firms, in particular in terms of not providing banking support to those firms that the bank deems high risk. This has been controversial, as it is open to accusations that banks may act in a way that is anti-competitive – particularly where a fintech concept may be considered a potential alternative to traditional banking. 

Generally, firms offering unregulated products and services in conjunction with regulated products and services are required to be very clear with consumers as to which products are/are not regulated. Furthermore, the FCA may seek to exercise oversight in respect of the unregulated aspects of the business, both in terms of:

  • any risk the unregulated activities could pose to regulated activities; and
  • the FCA’s expectation that regulated firms uphold a certain standard of conduct, even in respect of unregulated business.

Generally, AML and Sanctions Rules are well settled for most fintechs. However, there are two areas worthy of particular consideration.

Firstly, the AML and Sanctions Rules that apply to crypto-asset firms are considered some of the most onerous internationally, and historically this has meant that such firms have tended to locate outside of the United Kingdom and thereby fall outside the regime. On the other hand, further regulation of the financial promotion of certain crypto-assets may impact this trend, as it makes it harder to operate with the UK market generally without obtaining an FCA registration and complying with the full AML and Sanctions Rules.

Also, whilst the AML and Sanctions Rules for payment services firms are well established, it is suggested that there may be better ways of obtaining the outcomes of such rules, with less inconvenience to the customer, through the use of new innovations. As a result, particularly as the UK has greater freedom to amend its AML and Sanctions Rules post-Brexit, it may be that there are changes to these rules in the future as part of making the UK financial services sector more competitive.

Anti-money laundering and sanctions rules follow the standards imposed by the Financial Action Task Force.

Whilst the position is complex, in practice, reverse solicitation does not exist in the United Kingdom, and certainly cannot be used as a way of marketing regulated products into the United Kingdom. 

The restrictions on financial promotions apply to any communication that is capable of having an effect in the United Kingdom. Whilst there is an exemption to the financial promotion restriction, the exemption is very narrowly defined; for example, it can only be of relevance to corporate customers or others who are acting in the course of business. There is also a more fundamental difficulty: if no prior promotion has taken place, it is hard to see how a customer would know to enquire about a particular product in the first place. This makes it difficult to rely on the exemption with any confidence in practice, and the use of reverse solicitation is therefore generally avoided.

There is a single regulated activity of giving investment advice, which applies to certain asset classes such as securities. All in-scope assets are regulated under the same set of rules and requirements.

Giving advice in relation to unregulated crypto-assets is not regulated – only advice in relation to a security token is regulated.

Generally, legacy players are seeking to use robo-advisers to further their own businesses. This may be by making products available to robo-advisers so that customers are advised to participate in them, or it may be by making a robo-advice platform (which may be under a different brand) with a remit to sell products sold by the legacy player. In the second case, care needs to be taken to ensure that consumers are not misled into thinking that the advice they receive takes into account a broader range of products than that actually considered – and there is specific regulation to ensure that this is the case.

The United Kingdom has implemented MiFID II, and, as a result, has generally the same best execution obligations as applicable to investment firms in the EU. Firms are required to deliver best execution taking into account factors such as price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of an order.

There are substantial differences between loans to individuals and loans to corporate entities.

Where a loan falls within the definition, for example, of “credit agreement”, being defined as the provision of credit to:

  • individuals;
  • partnerships consisting of two or three persons not all of whom are bodies corporate; or
  • an unincorporated body of persons which does not consist entirely of bodies corporate and is not a partnership,

this is highly regulated, and there are prescribed obligations regarding matters such as the terms on which such agreement can be entered into, and as regards protecting vulnerable persons.

Other loans that are not with consumers/retail may be completely unregulated, and so there are no such considerations. As a result, if an agreement is not a regulated credit agreement, it is unregulated regardless of the size of the borrower.

Where lending involves providing consumer credit, the lender will need to be regulated by the FCA for this purpose and to comply with the FCA’s requirements for lenders.

There is no such obligation in relation to unregulated lending.

There is no specific regulation regarding what the source of funds should be for a loan; however, depending on how the loan is financed, this may trigger regulation. In this respect, it is noted that if money is borrowed from one person and then on-lent to another person, this may well constitute the activities of running a collective investment scheme (if there is a look-through to how the funds are on-lent) or deposit-taking (if there is no look-through to how the funds are on-lent). The issues therefore depend on the nature of the activity; for example, for a collective investment scheme there is an emphasis on ensuring that the funds are properly managed and that the fund management activity is properly overseen. On the other hand, the focus for deposit-taking tends to be on ensuring that the risk of solvency of the institution is properly managed.

Syndication of loans does take place. Outside of the scenarios set out in 4.3 Sources of Funds for Fiat Currency Loans, this is generally unregulated and, as a result, there is no specific legal practice. However, there are usually commercial norms; for example, there tends to be a lead lender who organises the syndicate and is the primary entity performing due diligence.

Generally, payment processes need to use a payment rail in order to operate.

The provision of cross-border payments and remittances from abroad is generally unregulated if there is no UK establishment.

The provision of cross-border payments and remittances from the UK to other countries is generally regulated the same way as payment services generally; however, there are some differences in terms of operational aspects, such as the allowed settlement time for payments.

The nature of the regulation of a marketplace is dependent on the way in which it is set up and the nature of the asset traded.

With respect to the trading of regulated financial instruments (which does not include crypto-assets), the most regulated markets are regulated markets, followed by multilateral trading facilities, organised trading facilities and firms “making arrangements with a view to” transactions.

Regulated markets include entities such as the London Stock Exchange, with onerous listing rules for firms wishing to trade on those exchanges.

Multilateral trading facilities have to operate in accordance with non-discretionary rules, whereas order execution must be carried out on an organised trading facility (OTF) on a discretionary basis.

The activity of “making arrangements with a view to” a transaction is the most light-touch, and generally applies to firms that connect buyers and sellers of in-scope assets. This is therefore the activity most relevant to most fintechs, and there is a focus on how the firm conducts its business with users to ensure that they are appropriately protected, and receive appropriate disclosures in respect of potential investments.

Different asset classes have different regulatory regimes. Currently, crypto-asset exchanges are generally subject to a different regime to that set out above, being one focused on stopping money laundering rather than a full conduct of business regime. Over the next year, this is expected to change as a new regime for crypto-asset businesses is being developed. Whilst the specifics are currently to be determined, it is clear that the new regime for crypto-asset exchanges will be heavily influenced by the traditional approach to securities regulation, with some differences reflecting the specifics of the crypto industry (for example, the nature and source of insider information in relation to a crypto-asset may be different to that which exists in relation to equity).

The regulation of crypto-assets has traditionally been handled differently to other asset classes, in particular by requiring registration with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. The focus of this requirement has been on prevention of money laundering, rather than, for example, conduct of business and solvency. As a result, it has represented something of an anomaly within the broader UK regulatory framework. Furthermore, given the MLRs set out a separate regulatory regime to that which applies to securities, firms seeking to trade both securities and crypto-assets need both licences, which is very rare and has hindered the development of this industry.

In the future, this is going to change as the MLRs are phased out, and the regulation of crypto-asset exchanges will deal with issues that are broader than money laundering risk; for example, there will be a focus on disclosure requirements, conduct of business and preventing market abuse.

The requirement for listing standards very much depends on the nature of the securities exchange. There may be a requirement for a prospectus when selling certain securities – and at the other end of the spectrum, listing on a regulated market requires compliance with a detailed rulebook of requirements.

In the context of crypto-assets, the FCA has published a discussion paper (DP24/4) setting out proposed requirements for disclosures when seeking to admit crypto-assets to exchanges so that they can be sold into the UK. These are currently high level; however, further detail is expected as the rules come into effect during the next year.

In relation to securities, order handling rules already exist. In broad and general terms, firms authorised to execute orders on behalf of clients must implement procedures and arrangements which provide for the prompt, fair and expeditious execution of client orders, relative to other orders or the trading interests of the firm. These procedures or arrangements must allow for the execution of otherwise comparable orders in accordance with the time of their reception by the firm.

The requirements for an undertaking for collective investment in transferable securities (UCITS) management company providing collective portfolio management services are slightly different, as it must establish and implement procedures and arrangements in respect of all client orders it carries out which provide for the prompt, fair and expeditious execution of portfolio transactions on behalf of the UCITS scheme it manages.

In relation to crypto-assets, whilst the rules do not yet exist, the direction of regulatory travel suggests that they should be formulated in the next year.

Peer-to-peer trading platforms are common in the United Kingdom, and are generally regulated (as they will involve an activity such as “making arrangements with a view to” a regulated transaction).

The regulatory challenge has been to ensure that such platforms treat customers fairly, and, for example, do not hold themselves out as having done more due diligence on the products they make available than is actually the case.

In relation to securities, whilst not necessarily prohibited outright per se, the FCA considers that payment for order flow is generally incompatible with the FCA’s rules on conflicts of interest and inducements, and risks compromising firms’ compliance with best execution. As a result, the general position is that this is effectively not permitted in the UK.

There is no prohibition in relation to exchanges for unregulated crypto-assets; however, this may change in the future as new requirements are coming into force in relation to crypto-asset exchanges generally.

The UK position on market abuse and market integrity in relation to securities generally follows a similar position to that in the EU, as the Market Abuse Regulation has been onshored to the UK post-Brexit. Preventing, detecting and punishing market abuse is a high priority for the FCA.

The FCA has powers and responsibilities for preventing and detecting market abuse, including insider dealing, unlawful disclosure, market manipulation and attempted market manipulation (which are civil offences). Furthermore, insider dealing and market manipulation are also criminal offences.

Currently, unregulated crypto-assets fall outside of the UK market abuse and market integrity rules; however, this is going to change in the near future as new requirements are being considered in relation to crypto-asset exchanges. It is worth noting that offences such as fraud exist independently of the market abuse rules, and firms should, in any event, be careful as behaviour which may technically fall outside of the market abuse rules on the basis that the assets are not securities may still be considered illegal.

There is no specific regulation of high-frequency and algorithmic trading technologies; however, they cannot be used in a way that breaches the more general requirements that all firms are subject to – for example in relation to securities, they need to comply with the rules on market abuse and market manipulation.

Dealing as principal is a regulated activity in the UK requiring FCA authorisation, and such firms need to comply with the FCA’s requirements generally. An area of particular note here is as regards capital requirements. Firms that deal as principal have a permanent minimum capital requirement of GBP750,000. This reflects the fact that such firms have a higher solvency contagion risk.

Funds and dealers are subject to very different regulatory regimes, reflecting the different nature of the activities undertaken. The activities of fund managers involve exercising discretion on behalf of investors, and so there are specific requirements in terms of ensuring that that discretion is properly defined and monitored, for example by fund administrators, custodians, accountants, etc.

Dealers do not exercise discretion – they simply execute – and the risks here are different. Considerations are more limited and focused on matters such as disclosure, best execution and avoiding conflicts of interest.

Programmers who develop and create trading algorithms and other electronic trading tools are not regulated. However, those that use such tools in connection with undertaking a regulated activity will be regulated, and will therefore have responsibilities in monitoring and overseeing the trading algorithms and other electronic trading tools they use.

The insurance industry in the UK is highly regulated, and those advising on contracts of insurance, including the underwriting thereof, need to be regulated. As a result, there are specific requirements that they need to satisfy in order to comply with their regulatory obligations.

Insurance is regulated differently depending on the nature and function of the insurance contract; for example, the FCA differentiates between investment and non-investment insurance contracts. The regulation of each depends on its specific characteristics and risks.

Regtech providers are not regulated unless they are also undertaking a regulated activity in conjunction with their business. In the experience of the authors, regtech providers are generally set up as an adjunct to a regulated business, meaning that the provider is not regulated, but its clientele is.

This often depends on the nature of the regtech provider and the solution being provided. For example, in fund management, there are regtech providers that facilitate fund distribution, and in such a case there are often stringent obligations to ensure performance and accuracy, as well as sample testing to ensure that all the requirements are being met. On the other hand, there are some AI prediction tools that only have a percentage accuracy and are used for helping firms model products. In this case, the limitations are recognised and accepted. The overall picture is that clients have an obligation to meet their regulatory obligations, and the contractual terms will depend on the latitude the clients have in this respect.

There has been a steady increase in both the acceptance of blockchain by traditional players and increasing interest regarding its utilities for such businesses. This has grown beyond simply considering crypto-assets as an investable asset class to increasing discussion as to how to deliver traditional products in a cheaper and more efficient way using blockchain technology.

The FCA has generally been supportive of the use of blockchain, and indeed a common use of the FCA sandbox has been to test new innovations using blockchain technology. More recently, the FCA has been involved in the fund industry and real-world asset initiatives to encourage the use of blockchain.

In terms of actual regulation, the FCA has generally adopted an approach of applying existing regulation to blockchain solutions on the basis that blockchain solutions should manage the risks covered by existing regulation, and there should be a level playing field between traditional and blockchain-based methods of operating. However, in providing the sandbox, the FCA is recognising that, in certain cases, assumptions regarding how risks may be mitigated may prove false for blockchain solutions, thus giving firms the ability to show the FCA where existing FCA rules may be properly adapted to take advantage of the new technology.

Whether a blockchain asset is considered a form of regulated financial instrument depends on the features of the asset, as an asset having the features of a regulated financial instrument shall be regulated as such.

Broadly, this means that the classification of crypto-assets splits into three categories.

  • Security Tokens: These are tokens, other than e-money tokens, with specific characteristics which mean they meet the definition of a “Specified Investment” under the RAO, and which are therefore within the FCA’s perimeter. This means that firms that deal in these tokens generally need to be authorised by the FCA under the FSMA to do so.
  • E-Money Tokens: These are tokens that meet the definition of e-money, in which case certain activities in relation to them, particularly those linked to payments, may be within the FCA’s perimeter.
  • Unregulated Tokens: These consist of tokens that are not e-money tokens and are not security tokens. Dealing in these tokens does not require FCA authorisation.

Regardless of the classification of crypto-assets, UK firms need to register with the FCA under the MLRs if they engage in any of the following activities:

  • exchange, or arrange or make arrangements with a view to exchanging crypto-assets for money or vice versa, or one crypto-asset for another crypto-asset;
  • operate a machine that uses automated processes to exchange money for crypto-assets or vice versa (eg, an ATM); or
  • provide custodian services for:
    1. crypto-assets on behalf of customers; and/or
    2. private cryptographic keys to hold, store and transfer crypto-assets.

Furthermore, any invitation or inducement to invest in some crypto-assets (a “financial promotion”) is subject to the “General Prohibition” set out in Section 21 of the FSMA, meaning that such activity must either be approved by an FCA-authorised firm with the requisite competence to do so, or fall within an exemption. Generally, this is most relevant to consider for:

  • security tokens; and
  • unregulated tokens that are fungible and transferable – and the exemptions are slightly broader for security tokens*.

Moving forwards, so-called “unregulated” tokens will in fact become increasingly regulated, and the new legislation is likely to be highly influenced by the existing securities regime, which may well narrow the difference between unregulated tokens and security tokens. In particular, the FCA has indicated that there will be new disclosure requirements before unregulated tokens can be sold into the UK, as well as rules designed to prevent market abuse with respect to such crypto-assets. Bespoke regimes are also being created for stablecoins, which will require in-scope firms to satisfy onerous regulatory requirements.

* It is worth noting that a firm registered with the FCA for its crypto-asset business will fall within an exemption and therefore is able to approve its own financial promotions. It is also worth noting that the requirements of the financial promotions rules are onerous – for example, they incorporate the need for an appropriateness assessment and a 24-hour cooling-off period for first-time buyers. Firms complying with this regime need to dedicate appropriate resources to complying with it.

The “issuer” of a blockchain asset is not regulated per se; however, issuance is often linked to a sale, in which case that activity is subject to the potential requirement to:

  • register with the FCA under the MLRs; and
  • comply with the financial promotion restrictions outlined in 10.3 Classification of Blockchain Assets.

In the future, as assets are listed on an exchange, even if the asset is considered an “unregulated” crypto-asset, disclosure and market abuse rules will likely apply.

With respect to real-world assets, there is no bespoke regime for crypto-assets representing assets per se, and so the general approach still applies. This means that NFTs tend to fall outside of regulation if sold into the UK on a cross-border basis (or companies may be required to register with the FCA under the MLRs if sold from the UK) or they will be treated as no different from other unregulated tokens if they do not fall within the definition of a security. A particular complexity here is as regards the definition of “collective investment scheme” (or colloquially, a “fund”) because real-world asset tokens that pay out a variable yield often run the risk of being characterised as a collective investment scheme, raising their operational costs and substantially limiting the potential investor market they can be sold to in the UK.

If trading of blockchain assets is conducted by a UK business, this is likely to trigger the requirement to register with the FCA under the MLRs. It is worth noting that the focus of this regime is on preventing money laundering, and it is going to be replaced in the near future with a broader regime that will also set out obligations in respect of matters such as conduct of business requirements and stopping market abuse and manipulation. 

For crypto-assets that are not NFTs, such firms will also likely need to comply with the financial promotion restrictions outlined in 10.3 Classification of Blockchain Assets.

In the near future, the FCA has indicated that firms will likely need to set up a local legal entity in the UK as well as become directly authorised by the UK in order to serve the UK (particularly retail) market.

Staking is not, per se, regulated in the United Kingdom; however, care does need to be taken to determine whether a particular set-up would constitute a “collective investment scheme” (ie, a fund). A particular issue in this respect has been, for example, in relation to staking models that pool crypto-assets, or where (for example, in the context of delegated or liquid staking) a particular entity is responsible for optimising the smart contracts that perform staking, in order to improve yield.

There is a move in the UK to narrow the definition of a collective investment scheme, such that staking falls outside the scope of the definition, and instead to have a specific regime in place in relation to staking that deals with the specific nuances of that activity. This includes additional obligations with respect to disclosure, operational resilience and prudential requirements.

Lending activities in relation to unregulated crypto-assets are not regulated, as they do not meet the definition of being a regulated “credit agreement”. However, this is likely to change over the next year as the FCA has indicated that a regulatory regime for lending in crypto-assets will be implemented. The new regime is going to be interesting as it recognises that lending in crypto-assets is different to consumer credit in general, and, as a result, a different approach to regulation is more appropriate. For example, instead of assessing the ability of the borrower to repay, firms may require borrowers to over-collateralise the loan – the total potential loss then being limited to the amount posted as collateral so that retail borrowers are protected from losses exceeding a pre-agreed amount.

Cryptocurrency derivatives are regulated in the United Kingdom, falling within the general securities framework. As a result, they are subject to the usual requirements to obtain FCA authorisation when performing regulated activities in relation to them, as well as the overall financial promotions restrictions.

Furthermore, the sale of derivatives in relation to certain crypto-assets, in particular unregulated crypto-assets such as bitcoin, is banned to the UK retail market, being considered too high risk.

There is no specific regulation of DeFi in the United Kingdom. Where activities are being undertaken on a “truly decentralised basis – ie, where there is no person that could be seen to be undertaking the activity by way of business”, such activities would not fall in scope of the regulated activities. Currently, the debate on what constitutes “true decentralisation” remains unresolved; however, the FCA has proposed plans to issue guidance in this regard. Despite efforts to leave true DeFi out of scope of regulations, the current regulations could inadvertently capture such software providers. For example, “making arrangements with a view to” the exchange of one crypto-asset for another (or for fiat) is a regulated activity under the MLRs that is given a wide interpretation, and, as a result, it is likely that operating a DeFi protocol would trigger a requirement to become FCA registered under the MLRs. This is, however, tricky conceptually given that the core of DeFi is that there is no centralised entity, and therefore no entity to register with the FCA. As a result, there is generally no substantive DeFi offering provided from a UK-based company (however, there are many UK companies that provide the intellectual property to offshore DeFi protocols).

A further point to consider is the restrictions on financial promotion of investment activity in certain crypto-assets into the UK. These apply to whoever is making the promotion into the United Kingdom to either limit communications to those that fall within an exemption to the restriction, or require the financial promotion to be signed off by an FCA-authorised firm. Getting signed off is a relatively high bar to selling into the UK, because the FCA-authorised firm takes some degree of responsibility in relation to the offering as a whole, and this option can be expensive. As a result, it is more common to rely on exemptions; however, this does significantly limit the persons who can be communicated to. In particular, the most commonly used exemptions are those that enable fund managers and corporates with assets over GBP5 million to receive communications.

Funds that invest in blockchain assets are regulated the same way as funds generally. However, it should be noted that currently crypto-assets are not an eligible investment for retail funds, and, as a result, crypto funds are generally restricted to professional investors. It should also be noted that, whilst the regulation of crypto funds is not distinct from funds generally, existing service providers may not feel competent to operate with crypto funds. Consequently, there has been a notable increase in new service providers specifically targeting the crypto funds sector to address this gap in the market.

There is no specific regulation of virtual currencies other than that as set out above in 10.3 Classification of Blockchain Assets.

In the future, however, there is likely to be a move to regulate stablecoins used for payment services. A core focus here is where such stablecoins may be used for payments analogous to traditional payment services. The proposed new regime will be influenced both by the existing approach to regulating payment services as well as the approach used in traditional investment management in terms of protecting backing assets. There will also be requirements in terms of the composition and location of backing assets.

Please see 10.3 Classification of Blockchain Assets regarding the regulation of crypto-assets generally. It should be noted that NFT projects are generally structured so as not to involve the selling of an unregulated token. As a result, if they are sold into the UK from a jurisdiction outside of the UK, they are generally outside of the financial promotion restriction as well as the other parts of the UK regulatory framework. It is therefore relatively uncommon for such platforms to be set up in the UK, as it is generally cheaper to sell into the UK on a cross-border basis.

Stablecoins are in the process of becoming regulated in the UK, with the regime being brought into being in various phases.

The current focus is on stablecoins that reference a fiat currency, and seek or purport to maintain a stable value in relation to that referenced fiat currency by the issuer holding, or arranging for the holding of, either fiat currency or fiat currency and other assets. The FCA has set out a proposed approach to such stablecoins in its Consultation Paper CP25/14: Stablecoin Issuance and Cryptoasset Custody.

Under the proposals, issuers of in-scope stablecoins would need FCA authorisation, and the framework is designed to ensure that stablecoins maintain their value, are backed by high‑quality liquid assets, and are redeemable at par. This marks a significant milestone in the UK’s roadmap for crypto regulation, complementing HM Treasury’s draft legislation and aligning with the Bank of England’s forthcoming systemic stablecoin regime.

For issuers, the FCA proposes stringent requirements around reserve management. Stablecoins must be fully backed by low‑risk, liquid assets such as short‑term government debt or on‑demand bank deposits. These reserves must be held in trust for the benefit of coin holders, segregated from the issuer’s own funds, and reconciled daily to ensure 1:1 parity with the reference currency. Importantly, issuers cannot pass on interest earned from reserve assets to stablecoin holders, reinforcing the stablecoin’s role as a payment instrument rather than an investment product. Consumers must also have an unconditional right to redeem their holdings at par value, ensuring confidence in the instrument’s stability.

On custody, CP25/14 outlines a framework for safeguarding qualifying crypto-assets, drawing inspiration from the FCA’s existing CASS rules but adapted to the unique nature of digital assets. Custodians must segregate client assets from their own, either through individually segregated or omnibus wallets, and hold them on trust for clients. The FCA also addresses the reuse of client assets, noting that crypto markets often involve vertically integrated firms offering services such as staking or lending alongside custody. The consultation seeks to balance innovation with consumer protection, ensuring that clients’ rights are preserved and assets can be returned swiftly in the event of insolvency.

Finally, the FCA emphasises that these proposals are part of a broader effort to create a safe, competitive, and sustainable crypto-asset sector in the UK. The consultation runs until July 2025, with feedback informing final rules expected in 2026. The regime will affect a wide range of stakeholders, including stablecoin issuers, custodians, payment service providers, auditors, and consumer groups. By embedding prudential safeguards, disclosure requirements, and operational resilience standards, CP25/14 aims to provide clarity for firms while protecting consumers, positioning the UK as a leading jurisdiction for regulated crypto innovation.

Whilst the United Kingdom is outside of the EU, the Payment Services Directive (PSD2) has been implemented in the UK. UK banks have been instructed to support open banking, and this has led to a plethora of new payment service firms operating in the UK. In this respect, it is worth noting that in the wake of PSD2 there has been a focus on attracting new account information service providers (AISPs), payment initiation service providers (PISPs) and card-based payment instrument issuers (CBPIIs) to the UK.

There are clear rules and requirements governing the protection of data privacy and data security in the UK, and these are complied with by participants in the ecosystem. This has facilitated banks and technology providers in enabling open banking, as they are clear as to their obligations.

The concept of fraud is broader than just financial services and fintech, and is a general offence in the UK.

The Fraud Act 2006 sets out the definition of fraud and defines it broadly in terms of the following.

  • Fraud by False Representation: A person commits this offence if he or she:
    1. dishonestly makes a false representation; and
    2. intends, by making the representation to make a gain for himself/herself or another, or to cause loss to another or to expose another to a risk of loss.
  • Fraud by Failing to Disclose Information: A person commits this offence if he or she:
    1. dishonestly fails to disclose to another person information which he or she is under a legal duty to disclose; and
    2. intends, by failing to disclose the information to make a gain for himself/herself or another, or to cause loss to another or to expose another to a risk of loss.
  • Fraud by Abuse of Position: A person commits this offence if he or she (by act or omission):
    1. occupies a position in which he or she is expected to safeguard, or not to act against, the financial interests of another person;
    2. dishonestly abuses that position and intends, by means of the abuse of that position to:
      1. make a gain for himself/herself or another; or
      2. cause loss to another or to expose another to a risk of loss.

The regulators in the UK are focused on stopping any type of fraud, particularly where it may affect the UK retail market. Fraud is a particular issue that has arisen in respect of firms misrepresenting the nature of the products that they sell/make available to clients, as well as where they make a secret profit at the expense of their consumers. 

In relation to authorised push-payment fraud (“APP fraud”), the UK has implemented a specific regime requiring payment service providers to put in place systems and controls to combat APP fraud. These requirements also require that, if someone is the victim of APP fraud, they can claim for the loss. These rules will apply in relation to payments made via Faster Payments or CHAPS from one UK bank account to another, and will require both sending and receiving payment services firms to split the costs of reimbursement 50:50 in the event of APP fraud.

Please see 12.2 Areas of Regulatory Focus.

gunnercooke llp

1 Cornhill
London
EC3V 3ND
United Kingdom

+44 755 737 1480

James.Burnie@gunnercooke.com www.gunnercooke.com

Trends and Developments



A New Dawn of Fintech

Fintech generally refers to a group of technologies and business models that challenge existing financial services, compelling the industry to improve or risk being displaced. Each fintech, therefore, generally has as its genesis a core development that triggers a wave of innovation, creating an ecosystem of innovation around a core theme, which traditionally has centred around areas such as insurtech, robo-advice, payments and consumer finance. That genesis is often rooted in a shortcoming of more established financial services, and in that sense fintech is very much the child of the industry it seeks to disrupt. As successive waves of fintech mature, they tend to be absorbed into the financial services mainstream.

As older fintechs have effectively graduated into the realm of traditional financial services, new technologies take their place. In this respect, two new technologies, once the domain of a select cognoscenti, have been rapidly gaining pace and credibility, steadily becoming the mainstream drivers of current fintech developments: AI and blockchain. These technologies, whilst both young, are at different stages of growth.

Blockchain and crypto, which have somewhat of a Dr Jekyll and Mr Hyde reputation, are effectively coming to the end of their rebellious teenage years. New regulatory frameworks seek to curb the worst excesses of crypto, with the aim of enabling consumers to benefit from the advantages of the new innovation. This technology has often had a difficult relationship with existing businesses, not helped by its purported potential to replace them. As a technology, therefore, it has often been driven by consumer demand – in particular in terms of its perceived ability to generate wealth, often through creating (artificial) scarcity.

AI can in some ways be characterised as the newborn of fintech. Unregulated in many jurisdictions, its potential is still relatively unknown; however, it is likely to be significant. In some ways the antithesis of crypto, the value in AI is often in its ability to reduce resource cost, speeding up and automating traditionally labour-intensive tasks. In this respect, many businesses are keen on utilising AI.

What is particularly exciting about both new technologies is their ability to completely reshape the playing field. Previous fintech innovations were generally tweaking an existing world into improvement; however, the new technologies do not fit neatly within an existing framework. Therefore, how law makers and regulators react to them has the ability to make a huge difference to their adoption and to their knock-on effects on different economies in general.

David or Goliath?

As a general rule, rule-makers globally seem to agree that innovation is to be encouraged whilst consumers (and the financial system generally) are to be protected. What they do not seem to be able to agree on is what that actually means, and so, whilst different jurisdictions wish to be an economic Goliath, they have very different approaches as to achieving this outcome.

In the EU, the general approach could be characterised as “regulate to innovate”. The logic is that there is a first-mover advantage in regulating industry quickly, so that firms quickly have a solid framework within which to operate. The argument is that firms are encouraged by the legal certainty of having a regulatory framework in place, and consumers are encouraged to work with fintechs when they feel that there is a framework of rights backing the firms operating in the EU.

The USA has taken almost the exact opposite approach, the idea being that regulation restricts innovation and makes it more expensive, and, in any event, constructive regulation is impossible while the real potential issues within an industry are still unknown. As a result, the argument is made that it is better to allow companies to operate in a low- or no-regulation environment, and then step in with regulation only if and to the extent that things go wrong. The result is two very different approaches to growth, demonstrated clearly by the fact that, for example, the EU has implemented the EU AI Act, an attempt to introduce a comprehensive regime for regulating AI, whereas the USA has not followed suit.

The United Kingdom’s approach incorporates elements of both philosophies. Historically, the UK was part of the EU, and, notwithstanding Brexit, has in many areas chosen to remain broadly aligned with the European regulatory regime subject to some British idiosyncrasies. In AI, for instance, the UK has adopted a set of overarching AI principles which include transparency, explainability and fairness. These principles line up closely with those underpinning the EU AI Act; however, rather than forming the basis of a genuine statutory framework, they sit at the top of a unique sectoral approach whereby the FCA and other regulators are empowered to guide the industries they regulate. Similarly, with data protection and privacy, the UK operates under the UK GDPR, a regime almost identical to the EU equivalent but with some areas of derogation, including under the recent Data Use and Access Act 2025. The reasons for this continued closeness to Europe include the desire to maintain the UK’s prized status with the European Commission as an “adequate” jurisdiction. In addition, the practical reality in areas such as data protection, and increasingly artificial intelligence, is that businesses seeking to offer data-related services or operate AI platforms within the EU without demonstrable compliance with these regulatory frameworks may place themselves at a significant, and potentially damaging, commercial disadvantage.

This same dual approach can be seen with the original moves in terms of regulating the crypto-asset industry, as both the UK and the EU started by taking an approach heavily influenced by stopping money laundering before seeking to develop a more comprehensive regime that generally builds on existing approaches to securities. More recently, however, the UK has shown greater alignment with the United States, opting not to introduce bespoke AI legislation and instead pursuing an approach to crypto-asset regulation more in line with that in the United States. In this way, being more of a David than a Goliath, the UK is effectively seeking to leverage the position of these other jurisdictions. And whilst that might not sound as exciting as being the Goliath in the relationship, David did end up doing well.

From the Theory of Macro Politics to the Reality on the Ground: The Good, the Bad and the Ugly

So, given the general movement, what is the practical impact for those actually in the market?

The good

Indeed, from a United Kingdom perspective, we are seeing a lot of positives that are attracting businesses into the UK market.

Firstly, it should be acknowledged that the UK is already well established as a fundraising hub for innovative businesses. In this respect, we have seen momentum continue, with the UK being an attractive place for equity raises. This continues to be the case even for firms that (for example) sell tokens alongside equity, and it is a common model for investment to be split into the equity of a UK entity alongside crypto-assets sold by a legal entity set up in another jurisdiction. Although there has been some pressure from US investors to relocate entities to the USA, the fact that the UK is generally a cheaper and culturally less litigious jurisdiction to operate from has served to protect the UK market.

Secondly, the UK is increasingly emerging as possibly the premier litigation hub, particularly given that other rival jurisdictions for litigation work have in some cases become increasingly politicised, in contrast to the relative independence associated with the UK courts. We are, therefore, seeing a rise in non-UK entities agreeing to contractually bind themselves to UK law contracts in order to benefit from the certainty that this provides. This development has been further supported by recent work led by the UK Law Commission regarding the formal legal recognition of crypto-assets as a form of property, in contrast to the view that purely digital data cannot constitute property. This shift has strengthened market confidence in the UK as a stable and predictable jurisdiction in which to operate, reflecting a move towards treating crypto-assets in a manner consistent with established legal and societal principles.

The bad

While the UK has positioned itself as a hub of innovation, it is worth noting that it is equally capable of employing the stick rather than the carrot in pursuit of that goal. This is particularly demonstrated by the extension of the so-called general prohibition, set out in Section 21 of the Financial Services and Markets Act 2000, to include unregulated crypto-assets that are fungible and transferable (noting that securities tokens are already generally in-scope). The impact of this has been to prohibit an invitation or inducement to engage in investment activity (a “financial promotion”) in relation to in-scope crypto-assets unless either (i) such financial promotion has been approved by an FCA-authorised firm with the competence to sign off the financial promotion; or (ii) the financial promotion is made in accordance with one or more of the clearly defined exemptions from the general prohibition. The exemptions to the restriction on in-scope unregulated tokens are narrow, and the two most used are those in relation to fund managers and corporates of a certain size.

A breach of the general prohibition is a criminal offence in the UK, and the FCA has flagged that banks and payment service providers that support firms in breach are handling the proceeds of crime, which in itself is a criminal offence if the appropriate steps are not taken. The consequence of this is that, even if a crypto-asset firm locates itself outside of the UK, in an attempt to make it practically harder to take action against the project directly, the banking providers will cease to support the firm in breach, meaning that, in practice, it cannot operate.

The financial sector has been familiar with KYC (know your customer) for many years. More recently, it has been getting to grips with KYT – “know your transaction”. A response to the explosion of increasingly sophisticated payment fraud, this principle has driven a strong focus on robust due diligence on payment transactions. Favoured techniques for implementing KYT include AI-driven transaction monitoring and enhanced analysis of transactional behaviours.

An alternative interpretation of this acronym could be “KYT” (know-your-tech). Rather than focusing on detecting external bad actors, this principle is inward-looking and requires firms to ensure that they handle innovation with due care and consideration of the risks involved. This concept aligns closely with the GDPR principle of Privacy by Design as well as Article 10 of the EU AI Act, both of which require firms to bake data and privacy risk considerations into tech initiatives at the design phase – not as an afterthought. Whether we call it KYT, Privacy by Design or just good old-fashioned common sense, this issue is moving up the agenda for boardroom decision-makers in financial services, especially in the context of AI.

When deployed in a targeted, strategic manner, AI undoubtedly drives business efficiency. Nonetheless, its use presents several major potential pitfalls in terms of privacy, human rights, IP and accuracy. These challenges apply to all sectors but involve an additional layer of risk for regulated financial services entities.

One key risk factor relates to accuracy. AI-driven processes often give the impression of 100% accuracy but are prone in certain circumstances to significant errors through hallucination or bias. This means that, even if AI has a better statistical outcome rate than humans, the use of AI may also involve the acceptance that mistakes can be made. In the retail space in particular, this is driving risk controls aimed at mitigating the potential impact of AI errors. For example, in the context of developing retail insurance products, kill switches and other forms of human intervention are being inserted into the relevant processes to protect against inaccuracy, bias and violation of the GDPR prohibition on fully automated decision-making producing significant effects for individuals.

More fundamentally, firms are aware that delegating a process to AI generally does not mean that the firm delegates out of responsibility for the AI’s activity. As a result, it is becoming increasingly common for firms to nominate a particular director as having responsibility for AI (as well as technology in general), and that person is tasked therefore with understanding the risks involved in using such technology as well as taking appropriate steps to mitigate them. We are therefore seeing an increasing need for firms to have AI policies in place to govern the use of AI within the firm, as well as increasing requirements for employees to abide by the requirements of those policies. This can also include requirements not to pass certain sensitive information into (for example) LLMs (large language models), in order to prevent such information, such as sensitive intellectual property, from accidentally entering the public domain.

Things could get ugly…

Lastly, it is worth noting that the above generally assumes a linear pattern towards the evolution of fintech, steadily moving from discovering the unknowns in using new technologies, to creating an approach to governing its use. However, as the original Bitcoin showed, developments are not always predictable. In this respect, it is worth keeping a watchful eye on the development of quantum computing. Quantum computing is the use of quantum mechanics to potentially massively boost processing power. The overall effect is that it effectively supercharges the ability of the computer to solve complex problems as well as, for example, to provide better AI solutions.

The problem with this is its ability to undermine traditional mechanisms to preserve security in financial services, such as that used by banks. Quantum computing, therefore, has the ability to render ineffective many of the existing approaches used to ensure security of financial services infrastructure. Whilst countermeasures are possible – for example, lattice-based cryptography, which grounds security in the mathematics of crystalline structures and is considerably harder to compromise than existing measures – the extent to which these will prove effective remains uncertain. Also, while the general consensus is that quantum computing will arrive, there is no real consensus as to the timing of the innovation, and indeed various global hubs are in competition to be the first, in some respects encouraged by government backing given the potential huge advantages that a government would have in being at the forefront of this innovation.

Growing Up or Just Growing Old?

The only long-term certainty, given all of the above, is that innovation itself remains uncertain. From a purely legal and regulatory perspective, regulators have traditionally sought to grapple with new technology by extrapolating from existing frameworks – referred to in the UK as the “same risk, same outcome” approach. However, for entirely new innovations, this is not always feasible and, as a result, we are increasingly seeing legislation having to be tweaked for new ideas. In the UK, therefore, we can expect an approach heavily influenced by our regulatory history; however, law makers perhaps underestimate the level of inadvertent change which is happening. This is given particular momentum by the UK re-establishing its global position – perhaps more closely aligned with the United States – meaning that it is not only adapting to new innovation, but doing so whilst simultaneously recalibrating its broader regulatory approach to reflect prevailing political currents. The implication is that volatile times lie ahead; though, of course, where there is volatility, there is also opportunity.
