Governance, Systems and Controls: The Three Pillars the FCA Will Assess in Your Crypto Application

March 25, 2026 by LHI Consulting

When the FCA says it expects firms to “prepare early” for the cryptoasset authorisation gateway, what does that actually mean in practice? It means building evidence across the three areas that the FCA weights most heavily in any authorisation assessment: governance, systems and controls. These are not separate boxes to tick — they are interconnected, and weakness in one undermines the credibility of the other two.

 

Pillar 1: Governance

Governance is where the FCA starts. Before it reads your policies, it assesses who is running the firm and whether they are capable of doing so responsibly.

Board structure and accountability. The FCA expects a clear organisational chart showing who is responsible for what. Board terms of reference, committee structures (risk, audit, compliance) and documented reporting lines are not optional extras — they are baseline requirements.

Senior management competence. Individuals holding senior management functions must be fit and proper. For crypto firms, this means demonstrating understanding of both the regulatory framework and the technology. The FCA will interview key individuals as part of the application — they need to articulate the firm’s risk profile, not just its revenue model.

Culture and oversight. The FCA looks for evidence that compliance is embedded in decision-making, not bolted on afterwards. Board minutes showing regular discussion of regulatory risk, compliance MI and customer outcomes carry real weight.

 

Pillar 2: Systems

Systems covers the technology, infrastructure and operational arrangements that support the firm’s regulated activities.

Operational resilience. Crypto markets run 24/7. Your business continuity, disaster recovery and incident management arrangements need to reflect that. The FCA expects documented impact tolerances for important business services and evidence that you have tested your resilience arrangements.

IT security and data protection. Custody solutions, wallet infrastructure, blockchain node dependencies, API integrations — the FCA will want to understand your technology stack and how it is secured. Penetration testing, access controls and data encryption are expected, not aspirational.

Outsourcing oversight. If critical functions are outsourced (and in crypto they often are — custody, blockchain analytics, KYC providers), you need a formal outsourcing register, risk assessments for each provider and contractual provisions that give the FCA audit access.

 

Pillar 3: Controls

Controls are the policies, procedures and monitoring mechanisms that ensure the firm operates within regulatory requirements on an ongoing basis.

Financial crime controls. AML/KYC policies, transaction monitoring (covering both on-chain and off-chain activity), sanctions screening and suspicious activity reporting. This is the single area where the FCA rejects or delays the most crypto applications. Generic templates will not pass scrutiny.

Conduct and complaints. Conduct of business policies, conflicts of interest management, complaints handling procedures and record keeping. These must be tailored to your operating model and client base.

Financial promotions. An internal approval process for all UK-facing marketing, with documented sign-off, appropriate risk warnings and compliance review before publication. The FCA checks your marketing as part of the application assessment.

Ongoing monitoring. The FCA wants to see that your controls are not just documented but actively monitored. Compliance monitoring plans, regular testing, breach reporting and board-level MI demonstrate that controls are living arrangements, not shelf documents.

 

How LHI Consulting Can Help

We build all three pillars for firms preparing for the FCA gateway: governance frameworks, operational resilience arrangements and comprehensive control suites. Every deliverable is tailored to your firm and designed to withstand FCA scrutiny.

 

Need help preparing? Contact us for a free 30-minute consultation to assess your readiness.

Email: info@lhiconsult.com  |  Phone: +44 203 319 5147  |  Web: lhiconsult.com

 

This article is for general information purposes only and does not constitute legal or regulatory advice. LHI Consulting is a trading style of LHI Holdings Ltd, registered in England and Wales, No. 11496647.

 


LHI Consulting
LHI Consulting is a trading style of LHI Holdings Ltd which is a company registered in England and Wales registered number: 11496647.
GET IN TOUCH

Registered Address
Spectrum House,

2b Sutton Lane,

Hornchurch,

Essex, United Kingdom,

RM12 6RJ
Correspondence Address
LHI Holdings Ltd

4th Floor Silverstream House

45 Fitzroy Street

London

W1T 6EB
©2022 LHI Consulting. All rights reserved