UK Crypto Regulation Moves Forward: Lending, Staking & DeFi - Key Takeaways from FCA CP25/40

The close of 2025 highlighted the continuing momentum for the digital asset industry, with regulatory developments accelerating rather than slowing. In December, the UK Government and the Financial Conduct Authority (FCA) released a series of draft instruments and consultation papers that are poised to play a significant role in shaping the sector’s future. On 15 December 2025, HM Treasury (HMT) published a revised draft of The Financial Services and Markets Act 2000 (Cryptoassets) Order 2025. This was followed on 16 December 2025 by the FCA’s publication of three consultation papers addressing core elements of the forthcoming cryptoasset regulatory framework: (1) CP25/40 Regulating Cryptoasset Activities, (2) CP25/41 Regulating Cryptoassets: Admissions & Disclosures and Market Abuse Regime for Cryptoassets, and (3) CP25/42 A Prudential Regime for Cryptoasset Firms. Momentum continued into the new year. On 8 January 2026, the FCA provided further detail on its proposed “gateway” the application process through which firms will seek authorisation to carry on newly regulated cryptoasset activities under the UK’s forthcoming regime.

Together, these developments underscore that the UK is not retreating from digital asset regulation but instead progressing steadily toward the establishment of a comprehensive and structured framework. Earlier this month, we offered a high‑level overview of the regulatory timeline and anticipated changes arising from these late‑2025 and early‑2026 announcements in our Client Alert, UK’s Digital Assets Regulatory Framework Takes Shape. In this piece, we build on that overview by providing a more detailed analysis of the evolving landscape, with particular focus on the FCA’s proposals relating to lending and borrowing (L&B), staking, and decentralised finance (DeFi) set out in CP25/40 (CP25/40).

CP25/40: Activities Key proposals

Lending and Borrowing

The FCA proposes to bring cryptoasset lending and borrowing squarely within the UK regulatory perimeter by designating it as a regulated cryptoasset activity. Firms would be required to obtain authorisation where their services amount to dealing as principal or agent, or to arranging, with the scope of authorisation tailored to the specific structure of the L&B model. This would capture arrangements in which firms lend cryptoassets to third parties, borrow cryptoassets from clients, or facilitate products that allow clients to earn a return through lending.

The FCA’s position represents a notable evolution from DP25/1. Rather than restricting retail participation, CP25/40 permits retail access subject to appropriate mitigants, reflecting parallels with high‑risk traditional finance products and concerns that an outright ban could drive consumers offshore or into DeFi. Firms would be required to provide clear, prominent, and appropriately tailored disclosures before a client enters into an L&B arrangement. These disclosures must cover the nature of the service and assets, transfer and return mechanics, access and eligibility criteria, restrictions, key risks, and the timing of the most recent update, with clients to be notified of any material changes.

In addition, firms must obtain the client’s express prior consent to the key terms each time the client enters an L&B agreement and retain auditable records of that consent. CP25/40 also proposes a prohibition on the use of proprietary tokens in any aspect of L&B, including as loaned or borrowed assets, collateral, yield, or as a means of offering preferential rates to token holders.

For retail borrowing, the FCA proposes mandatory over‑collateralisation, with modelled and reasonable loan‑to‑value ratios, margin call thresholds, and liquidation levels designed so that margin calls or liquidations would not be expected within the first six months. Firms would need express client consent for any automatic collateral top‑ups, subject to a hard cap of 50% of the initial collateral (net of fees and interest), with clients able to set a lower cap if they choose. Negative balance protection would also apply, limiting the client’s liability to the dedicated collateral only.

Staking

 Staking is a newly regulated cryptoasset activity and will require firms to obtain specific FCA permission. Regulation is triggered where a firm facilitates or provides staking services to clients, including custodial or pooled staking arrangements, situations in which a firm stakes clients’ cryptoassets on their behalf, and models where the firm generates and distributes staking rewards. Although staking will not be prohibited for retail clients, the FCA identifies material risk and intends to apply additional safeguards. The regulatory framework draws a clear distinction between self‑staking, which involves no intermediary service and falls outside the regulatory scope, and intermediated staking, which will be subject to the new requirements.

Firms offering staking services will be required to provide clear, comprehensive, and prominent risk disclosures. These must address, among other things, how clients’ cryptoassets and any associated rewards are transferred, held, and returned; clients’ ability to access assets and rewards during the staking period; the consequences of any transfer of ownership; and the potential for loss arising from operational or technological disruption. In addition, firms must obtain explicit and informed client consent before staking any cryptoassets. This consent must be specific to staking, rather than embedded within a general consent, and must ensure that clients fully understand both the risks involved and the status of their assets throughout the staking process. Staking services must also be marketed in a clear, fair, and non‑misleading manner. In particular, firms must avoid placing undue emphasis on potential yields.

From a governance and operational perspective, earlier proposals that would have required firms to compensate retail clients for losses caused by preventable operational or technological failures have been withdrawn following consultation. Instead, firms providing regulated staking services will be subject to the FCA’s existing requirements, including the operational resilience framework set out in CP25/25.

 DeFi Approach

CP25/40 proposes applying the same rules set out in Chapters 2–6 of DP25/1 to DeFi where there is an identifiable controlling person (or persons) carrying on one or more regulated cryptoasset activities. This approach reflects the FCA’s “same risk, same regulatory outcome” principle, aiming to ensure consistent levels of consumer protection and market integrity regardless of the underlying technology or governance structure.

Where activities are conducted on a “truly decentralised” basis, meaning that no person can be regarded as carrying on the activity by way of business, the activity would fall outside the scope of the regulated activities, in line with HM Treasury’s stated policy intent. The FCA does not propose introducing bespoke DeFi rules at this stage. Instead, it intends to apply the existing proposals to DeFi arrangements involving a controlling entity, with the objective of minimising regulatory arbitrage and delivering an appropriate and consistent level of protection for users accessing regulated services. The FCA will separately consult on dedicated DeFi guidance. This will address indicators of control and varying degrees of (de)centralisation, how Chapters 2–6 would apply in practice to DeFi firms, and examples of good practice for mitigating operational resilience and financial crime risks when authorised firms interact with highly automated or decentralised systems.

Timing and Next Steps

The consultation period for CP25/40 is open for comments and feedback until 12 February 2026, with final rules expected to be issued in policy statements in 2026.

For More Information

If you have any questions regarding this subject or related subjects, or if you need assistance, please contact Yulia Makarova (Partner), Rebecca Jack (Partner), or your Winston & Strawn relationship attorney. You can also visit our Cryptocurrencies, Digital Assets & Blockchain Technology page for more information.

Raveen Kumarasinghe, Trainee Solicitor, also co-authored this alert.