Cryptoassets – Exchange tokens, utility tokens and security tokens: What are they? How do they work? Are they safe? How do I know they are safe? Are consumers protected? Are the firms creating them, dealing in them, holding them and advising on them regulated? Do they need to be regulated? How do I know if they are regulated? It's probably fair to say that if you don't know the answer to the first two questions, then you probably shouldn't be thinking about getting involved in the market. However, as you move further down this road of enquiry, you get to questions that even the UK financial regulator itself has had to grapple with.

FCA Guidance on Cryptoassets

In January 2019, the FCA issued a consultation on the regulation of cryptoassets. The aim of that consultation was to provide clarity on which cryptoassets, and what activity relating to them, were regulated and, just as importantly, what was not regulated. It was also aimed at helping consumers better understand the cryptoasset market.

On 31 July 2019, the FCA published its formal Guidance on Cryptoassets. The Guidance is aimed at providing as much clarity as possible on which types of cryptoassets and which types of activities relating to cryptoassets are regulated by the FCA.

You might imagine that this Guidance is a massively complicated tome which makes provision for a whole new regulatory regime; it isn't. What sits behind the morass of new language is in fact an existing regulatory regime that applies equally to investment media such as shares, debt instruments, warrants and Collective Investment Schemes.

The problem the FCA has been grappling with is how to define and categorise the ever-growing range of cryptoassets in order to provide clarity on what is and what is not regulated. The FCA itself recognises this is not straightforward, and that view reflects the emerging and fluid nature of the market. However, it has not created a whole new raft of rules and regulations in order to do so. What it has been doing is working out how cryptoassets are to be defined in accordance with the range of existing rules and regulations. This means assessing their nature and characteristics under:

  • The Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 – The RAO
  • The Markets in Financial Instruments Directive II – MiFID II
  • The E-Money Regulations – EMRs
  • The Payment Services Directive – PSD

What the Guidance is fundamentally helping market participants understand is when cryptoassets are specified investments under the RAO, financial instruments under MiFID II, E-Money under the EMRs and where their use is captured by the PSDs. Carrying on a specified activity in the UK involving a cryptoasset which is a specified investment is more likely than not going to require authorisation and the granting of permission by the FCA. So who is involved and how are they affected?

  • Issuers of tokens: Issuing tokens per se is not a regulated activity, but where tokens are issued through Initial Coin Offerings, FCA regulation is engaged, i.e. Prospectus Regulations, Market Abuse Regulations, Disclosure Guidance and Transparency Rules, Anti-Money Laundering;
  • Financial intermediaries: Regulated activities such as advising on investments, dealing in investments as principal and agent and arranging deals;
  • Exchanges and trading platforms: Regulated activities include dealing in investments as principal and agent, arranging deals, managing investments and safeguarding and administering investments;
  • Payment and merchant service providers: EMR and PSD are engaged;
  • Wallet and custody service providers: Regulated activities include managing investments and safeguarding and administering investments.

Importance of the Guidance for Firms

Regulation matters, of course, and to a large extent the Guidance is aimed at enabling firms dealing with cryptoassets to ensure they are authorised and have the requisite permissions. This matters because carrying out regulated activity without permission is a criminal offence punishable by up to 2 years' imprisonment and/or an unlimited fine.

Importance of the Guidance for Consumers

When making any investment, understanding risk is important. Investing in regulated assets or through regulated firms helps mitigate risk through the increased recourse that is available. Transferring, buying and selling cryptocurrencies are not themselves regulated activities. It is only those cryptoassets that have the characteristics of an investment product akin to traditional investment instruments such as shares, debentures or units in Collective Investment Schemes that fall within the regulatory perimeter – which means security tokens and some activity in relation to utility tokens.

Firms must ensure they are clear about whether their activities are or are not regulated. Where a firm undertakes both regulated and unregulated activity, this must be made crystal clear to the consumer.

Fraud – the Human Element

In an electronic world not restrained by physical borders, fraud remains the biggest risk, but the way in which people are defrauded is, essentially, as old as the hills: theft, identity theft and confidence tricksters. The difference is that it's all happening in the ether and assets can be dissipated very quickly. There are bewilderingly sophisticated ways that fraudsters can seek to intercept money in the system, but even in this increasingly electronic and automated world, human error plays a significant role.

Take, for example, the role passwords play in accessing cryptoassets. Passwords are the keys to the electronic safes. We have passwords to access all storage platforms. Passwords can extend to 40 characters comprising letters, numbers and symbols. You can't possibly remember that password and all the different passwords you have for different platforms. Where and how do you store them? They can be held in e-safes and made accessible using biometric means. Quite commonly, they are stored as emails in an email folder. Worryingly, they can also still be written down or printed out and put in a "safe place".

Of course, access to electronically stored passwords will be password protected, as will access to any device you access them from – PC, laptop or phone. In this layering of password protection, human error is inescapable. Fall victim to a phishing scam and malware and spyware can harvest data from your device. Access your device using an unsecured Wi-Fi connection and login information can be intercepted. Access your device in public – in a café or on the train – and someone can be looking over your shoulder or taking a video or screenshot of your screen. There is nothing new about this sort of fraud except the medium it is committed through. The fact is that the vast majority of fraud still has a human element.


It is, of course, a move in the right direction for the FCA to issue Guidance about the regulation of cryptoassets. Increasing knowledge and seeking to demystify the language are all important steps in the process of managing risk. Understanding that it is the character of cryptoassets that determines whether or not they are, or the activity around them is, regulated is crucial. Knowing those determinations are based on a long-established regulatory regime ought to provide a level of comfort. Realising that human interaction and error still play a large part in this electronic world is vital to recognising and preventing fraud.

Plus ça change – the more things change, the more they stay the same. This adage applies without doubt to cryptoassets, their use and inevitable abuse.
