If your business holds other people’s crypto, the FCA is paying close attention. Custody is one of the highest-risk permission categories in the new cryptoasset regime, and the requirements go well beyond what most firms currently have in place. Whether you’re a dedicated custodian, a platform that holds assets on behalf of users, or a firm offering wallet services, this applies to you.
Why Custody Gets Extra Scrutiny
When things go wrong in crypto, custody is usually where the damage lands. FTX, Celsius, countless smaller collapses — the common thread is client assets being lost, misused or insufficiently protected. The FCA knows this, and its custody requirements reflect it. Expect the bar to be set significantly higher than for other cryptoasset permissions.
What the FCA Will Want to See
Clear asset segregation
Client assets must be identifiable and separable from the firm’s own assets at all times. This isn’t just about keeping them in different wallets — it’s about demonstrating through your records, reconciliation processes and technology that you can account for every client’s holdings at any moment.
Robust reconciliation processes
Daily reconciliation between your internal records and on-chain balances. Discrepancies need documented escalation procedures. If you can’t prove that what you say you’re holding matches what’s actually there, the application stalls.
Technology and security controls
How are private keys generated, stored and managed? What’s your split between hot and cold storage? How do you handle key recovery? What penetration testing have you done? The FCA will dig into the technical detail — vague answers about “industry-standard security” won’t be enough.
Operational resilience
What happens if your systems go down, if a key person is unavailable, or if a third-party provider fails? Custody firms need business continuity arrangements that account for the 24/7 nature of crypto markets and the irreversibility of blockchain transactions.
Wind-down planning
The FCA will ask: if your firm fails, how do client assets get returned? You need a credible wind-down plan that demonstrates assets are protected even in insolvency. This is where many firms’ applications fall short.
The Mistake Most Custodians Make
Treating custody compliance as a technology problem rather than a regulatory one. Having excellent security infrastructure is necessary but not sufficient. The FCA also wants governance around custody — who is responsible, how decisions are made, how risks are escalated, how clients are informed. If your custody framework reads like a technical whitepaper rather than a regulatory submission, it needs reworking.
Get It Right First Time
LHI Consulting has 25+ years of experience helping firms meet the FCA’s expectations. We build custody compliance frameworks that cover the full picture: asset segregation, reconciliation, technology controls, resilience and wind-down planning — all in the format the FCA expects to see.
Want to talk this through?
We offer a free 30-minute consultation to help you understand what the FCA will expect from your firm.
Email: rm@lhiconsult.com | Web: lhiconsult.com
