Daily Crypto News UK
regulation

The FCA's 24-Hour Rule: When Holding Client Crypto Makes You a Regulated Custodian

A quiet line in the FCA's new crypto rulebook could catch out wallets, payment apps and exchanges: hold a customer's crypto for more than 24 hours, or be able to move it without them, and you're a regulated custodian needing a full safeguarding licence.

Daily Crypto News UK Newsroom

Important Risk Warning

This is not financial advice. Cryptocurrency investments are highly volatile. The value of your investment can go down as well as up, and you could lose all the money you invest. Don't invest unless you're prepared to lose all the money you put in.

There's a sentence buried in the FCA's new crypto rules that's keeping compliance officers up at night. Put plainly: if your business holds a customer's crypto for more than 24 hours, or you can move their assets without their say-so, you're treated as a regulated custodian — and that means a full safeguarding licence, capital requirements and the heavy obligations that come with looking after other people's money.

It sounds technical. It isn't, really. It's the difference between "we pass your crypto straight through" and "we hold it" — and a lot of firms that thought they were the first turn out to be the second.

What exactly is the 24-hour custody rule?

The FCA's draft framework defines crypto custody around two triggers: time and control. Hold a client's cryptoassets for longer than 24 hours, or have the technical ability to override the client's authority and move those assets yourself, and the activity counts as safeguarding and administering cryptoassets — a regulated activity needing authorisation.

Either trigger is enough on its own. A firm that returns assets within the day but holds the private keys in a way that lets it move funds unilaterally is still caught, because it fails the control test even if it passes the time test. The rule is trying to capture the substance — who can actually move the money — rather than the marketing label a firm puts on itself.

The 24-hour window is the part that surprises people. It's short. A weekend delay, a stuck transaction, a manual review that drags past a day — and a firm that designed itself to avoid custody can find it has drifted into it by accident.

Why is the FCA drawing the line so tightly?

Because custody is where customers actually lose money. The whole history of crypto blow-ups — FTX being the obvious one — runs through firms that held client assets, mixed them with their own, and couldn't give them back. The FCA's instinct is that anyone with the practical power to lose your coins should be regulated as if they're holding your coins, regardless of how briefly.

There's logic in being strict here. The 24-hour line removes a loophole. Without it, a firm could claim "we never really custody anything" while sitting on client balances for days. By putting a hard clock on it, the FCA forces a choice: either genuinely pass assets through fast, or get authorised as a custodian and accept the responsibilities.

The cost of that strictness lands on smaller players. A full safeguarding authorisation isn't a form you fill in over a weekend. It means systems for segregating client assets, reconciliation, governance, capital buffers and ongoing reporting. For a lean startup, that's the difference between a viable business and a regulatory project that eats the runway.

Who gets caught that didn't expect to?

The interesting victims aren't the big exchanges — they always knew they'd need a custody licence. It's the firms at the edges:

  • Payment and remittance apps that briefly hold crypto while converting it to fiat. If conversion takes longer than a day, or a payout queue backs up, they may slip into custody territory.
  • Non-custodial wallet providers whose architecture, on close reading, gives the company some ability to access or recover funds. "Non-custodial" is a claim about control — and the FCA will judge the control, not the claim.
  • DeFi front-ends and bridges routed through a UK entity that touches assets in transit.
  • Reward and cashback platforms that accrue crypto to user balances and settle on a schedule slower than 24 hours.

If any of that describes a firm, the safe assumption is that it needs to map every point in its flow where it could hold or move a client's assets, then time each one against the clock.

What should affected firms do before authorisation opens?

The clock that matters most isn't the 24-hour one — it's the calendar. The application window for the new regime runs from 30 September 2026 to 28 February 2027, with the regime expected to come fully into force around 25 October 2027. Firms that need a custody licence have to be in the queue during that window, not scrambling afterwards.

Practically, that means three jobs now. First, an honest custody audit: where, technically, can the firm touch client assets, and for how long? Second, a decision — redesign the flow to genuinely avoid custody, or commit to authorisation. Third, if authorisation is the path, getting the safeguarding systems, capital and governance into shape, because the FCA will test them, not take them on trust.

The firms most at risk are the ones telling themselves "the 24-hour rule won't apply to us" without actually timing their own flows. That confidence is exactly what the rule is designed to puncture.

FAQ

What triggers the FCA's crypto custody rule?

Two things, either on its own: holding a client's cryptoassets for more than 24 hours, or having the technical ability to move a client's assets without their authority. Meet either condition and the activity is regulated custody requiring FCA authorisation.

Does the 24-hour clock reset if I return assets quickly?

The time test is about whether you hold assets beyond 24 hours in a given flow. But even fast-returning firms are caught if they fail the control test — that is, if they could move client assets unilaterally at any point.

Are non-custodial wallets exempt?

Only if they're genuinely non-custodial in substance. The FCA looks at whether the provider has any practical ability to access or move user funds. A wallet marketed as non-custodial that retains recovery powers may still be treated as custody.

When do I need to apply for authorisation?

The application window runs from 30 September 2026 to 28 February 2027. The wider cryptoasset regime is expected to take full effect around 25 October 2027. Firms needing a custody licence should apply within that window.

What happens if a firm ignores the rule?

Carrying out a regulated activity without authorisation is a serious matter in the UK and can amount to a criminal offence, alongside FCA enforcement action. Firms unsure of their status should take legal advice rather than assume they fall outside the rule.


This article is general information about UK crypto regulation, not legal or financial advice. Firms should seek qualified legal counsel on their specific authorisation obligations.
