DP25/1: Staking as a Service, Affordability Checks and Decentralisation Audits

The UK’s Financial Conduct Authority (FCA) took a decisive step towards shaping the future of digital asset regulation with the release of Discussion Paper DP25/1. For professionals operating in the digital asset and web3 sector – whether in DeFi, custody, trading, or the wider ecosystem – DP25/1 signals a shift from fragmented oversight to a coherent, activity-based regime.

New to digital assets? Definitions of key terminology used in this article can be found at the end. 

What DP25/1 Covers

DP25/1 proposes to regulate a wide range of cryptoasset activities, including:

• Cryptoasset trading platforms (CATPs)
• Custody and safekeeping
• Lending and borrowing
• Staking
• Stablecoin issuance and redemption
• Decentralised finance (DeFi)
• Use of credit for crypto purchases

The FCA’s approach is grounded in the principle of “same risk, same regulatory outcome”, aiming to apply traditional financial safeguards to the web3 and digital assets ecosystem while acknowledging its unique features.

In this article we will be covering the proposals for Staking, Credit in Crypto Purchases, and DeFi.

Staking

The FCA has drawn a distinction between staking via a third party (“Staking as a Service”) and staking completed directly by the user with no use of an intermediary. It is proposed that Staking as a Service be brought within the regulatory perimeter, encompassing those operating as validators, custodial staking (where a platform or intermediary pools and staked users’ assets in proof-of-stake networks), and liquid staking tokens.

The FCA concerns centre around:

• information asymmetries, where users may not fully understand the risks or mechanics of staking;
• operational risks, such as slashing penalties or validator mismanagement; and
• liquidity risks, especially where assets are locked for a period.

Key proposals to address these risks include holding firms financially liable for retail consumer losses resulting from inadequate assessments of their technological and operational resilience, including third-party dependencies, and requiring firms to maintain sufficient capital to absorb losses such as those caused by slashing. To improve consumer understanding, firms will need to obtain explicit consent from retail consumers regarding the amount staked, terms of payment, repayment, return, and fees, and must also provide a key features document outlining staking product details and associated risks. To mitigate safeguarding risks, firms must keep consumers’ staked cryptoassets in separate wallets from their own and those of other consumers, maintain accurate records at all times, and conduct regular reconciliations to ensure asset integrity.

By bringing Staking as a Service within the regulatory perimeter, the FCA aims to enhance consumer protection, promote transparency, and ensure the resilience of cryptoasset markets as they continue to evolve.

Use of Credit for Crypto Purchases

The FCA is also considering restricting or banning the use of credit cards and other forms of credit for purchasing cryptoassets, raising concerns over:

• consumer over-indebtedness;
• speculative investment behaviour; and
• a lack of affordability checks.

Exceptions may be made for regulated stablecoins, and the FCA is seeking feedback on whether firms should be required to assess affordability before enabling credit-based purchases.

With stablecoins being pivotal to DeFi and Web3 development, the proposed exemption for regulated stablecoins seems to have had a positive reception. However, concerns remain over whether a blanket ban on credit would unfairly limit access to crypto markets and it is noted this is not implemented in traditional financial markets. Alternatively, affordability checks or another method for assessing and distinguishing user profiles and cryptoassets could be introduced. However, it should be noted that exchanges will likely bear the burden of such measures and real-time implementation could be challenging. 

DeFi

DeFi is one of the most complex areas addressed in DP25/1. Ultimately, the FCA expects DeFi platforms to manage risks in the way traditional financial services do. If a DeFi activity is deemed “by way of business” and not sufficiently decentralised, the operator may need FCA authorisation. Thus, protocols with identifiable persons or governance structures (such as core teams or the use of multisig wallets), could find their activities regulated under current proposals.

The FCA however acknowledges that truly decentralised protocols may fall outside the regulatory perimeter and is exploring how to define “sufficient decentralisation”, a concept still evolving globally. The aim is to capture CeDeFi projects (DeFi protocols with centralised control). The proposed test for “sufficient decentralisation” assesses whether:

1. there is an identifiable controlling party;
2. the operation is autonomous (i.e. no human intervention or discretionary decision-making);
3. governance is conducted through a DAO with decisions made transparently and collectively by tokenholders; 
4. user engagement is direct or facilitated by a centralised platform; and
5. an identifiable party profits from the protocol’s operation or otherwise has a commercial interest.

This nuanced approach suggests that DeFi projects will need to assess their current governance, transparency, and compliance strategies to ensure they remain viable in the UK market. As such, DeFi projects may wish to consider conducting a decentralisation audit to assess governance, control over smart contracts, and treasury management. The absence of a controlling party or presence of a DAO with distributed governance should be documented or alternatively third-party verification or certification of decentralisation could be employed. 

How the UK Compares with the EU and US Regimes

What Web3 Firms Should Do Now

Assess your exposure: 

Are your activities likely to fall within the new regulated perimeter?

DeFi projects with identifiable teams or treasury control may need to consider compliance pathways.

Prepare for authorisation: 

Firms involved in custody, trading, or lending may need to seek FCA approval under the new regime.

• Map your activities to the proposed regulated activities (e.g., lending, custody, staking).
• Consider your existing operations and customer engagement arrangements; are there identified gaps or weaknesses to address?
• Engage with legal counsel to assess whether your protocol or DAO needs a UK-regulated entity and how best to build your business for success in a regulated context.

Implement Risk and Compliance Controls:

• Integrate on-chain AML, sanctions and other analytics tools to monitor for illicit activity and ensure regulatory compliance.
• Establish smart contract audit protocols and publish results.
• Provide disclosures on risks, fees, and protocol mechanics to users.
• Consider the robustness of your compliance and risk oversight functions.

Clarify Governance Structures:

• Define and disclose the roles and responsibilities of DAO members or contributors.
• Implement transparent voting mechanisms and publish governance decisions.
• Consider legal wrappers (e.g. foundations or DAOs with UK-compliant structures) to manage liability and interface with regulators.

Please note, this article is provided for general information purposes only and should not be relied upon as legal advice for any specific transaction or situation.

If you would like to discuss the FCA proposals or your organisation’s next steps, please speak to your usual Burges Salmon contact, Martin Cook (Partner, Fintech & Technology) or Eleanor Furlong (Associate, Corporate and M&A). 

Key Terminology