FCA/PRA June 2026: Sanctions, Crypto Market Abuse Penalties and Basel 3.1 Updates
The FCA and PRA have released a cluster of significant regulatory updates this month. For UK accounting firms, auditors, and CFOs with cryptoasset exposure, the most immediate items are a consultation that extends the market abuse penalty framework to cryptoassets and a sanctions review that found persistent control gaps across financial services. Neither development can wait for a quarterly compliance review.
FCA Sanctions Review: Where Firms Are Still Falling Short
The FCA has published findings from its review of sanctions systems and controls across financial services. The headline is cautiously positive: firms have made meaningful progress in preventing breaches. The underlying detail is less reassuring.
The Most Common Root Causes of Breaches
The regulator identified weaknesses across three broad areas:
- Due diligence failures, particularly at onboarding and during periodic reviews
- Alert management and screening system deficiencies
- Difficulties managing frozen assets and complying with both specific and general licences
The FCA's expectation is explicit: firms must proactively identify, investigate, and mitigate suspicious activity. Reactive postures are no longer acceptable. Compliance teams should benchmark their current systems and controls against the review's findings and document that benchmarking exercise. For firms handling cryptoassets, the stakes are amplified because on-chain transactions create a much larger surface area for inadvertent sanctions exposure. Understanding how sanctions screening gaps create crypto accounting exposure has become a core operational concern, not an edge case.
FCA DEPP Consultation: Cryptoasset Market Abuse Enters the Penalty Framework
This is arguably the most consequential item for firms active in digital assets. The FCA is consulting, with responses due by 10 August, on targeted amendments to its Decision Procedure and Penalties Manual.
Two Changes That Matter for Crypto Firms
The first change is procedural: the minimum fine for individuals involved in the most serious market abuse cases rises from £100,000 to £150,000. The second change is structural, and it directly affects the digital asset sector. The consultation proposes extending the penalty framework to cover cryptoasset market abuse. Until now, the FCA's formal deterrent architecture for market manipulation sat firmly in traditional financial instruments. That boundary is being removed.
The proposal also introduces flexibility for the FCA to calibrate penalties against a person's income and assets as an additional deterrent mechanism. Firms that advise on or hold cryptoassets on behalf of clients should treat this consultation as read-and-act, not read-and-file. Responses are due by 10 August.
PRA Basel 3.1: IMA Consultation and Pillar 2A Final Policy
Two PRA publications cover capital framework refinements. Both are technically dense, but each has a clear operational implication.
CP9/26: Internal Model Approach Adjustments
The PRA is consulting, with responses due by 18 September, on targeted amendments to the internal model approach for market risk under Basel 3.1. The proposals in CP9/26 address calibration, proportionality, and operational friction that firms flagged during implementation. Key changes include extending the monitoring period for the profit and loss attribution test from one year to three years, adjustments to the risk factor eligibility test, and measures designed to make the gradual approval pathway for IMA more accessible. The relevant sections of the PRA Rulebook affected are the Trading Book, Market Risk: Internal Model Approach, and Reporting parts. IMA implementation remains on track for 1 January 2028.
PS on Pillar 2A Phase 1: Implementation Date Moves to January 2027
The PRA has published its final policy statement following consultation CP12/25 on Phase 1 of the Pillar 2A review. Several adjustments from the original consultation proposals are worth noting. On credit risk, exposures to SMEs are excluded from the systematic methodology for unconditionally cancellable commitments in the retail exposure class. Firms also gain greater flexibility in assessing idiosyncratic credit risks rather than being required to use credit scenarios as originally proposed. On operational risk, the methodology for Small Domestic Deposit Takers has been aligned with the approach for other firms, along with transparency and guidance improvements. The implementation date has shifted from 1 July 2026 to 1 January 2027, harmonising timelines across pension, market, and counterparty credit risk workstreams.
Other Regulatory Movements Worth Noting
FCA Streamlines Retail Banking Data Collections
The FCA has consolidated its previously ad hoc Retail Banking Business Models data collections into a single annual regulatory return, effective from 1 June 2026 under PS26/8. This applies to retail banks and building societies. The change removes the unpredictability of ad hoc requests and consolidates reporting via RegData.
PRA Insurance Branches and Captives
PS13/26 updates the policy framework for insurance third-country branches, including an increased subsidiarisation threshold and revised reporting requirements. Quarterly reporting is discontinued for all branches, not just smaller ones, reducing operational burden while annual reporting continues on either a full or reduced basis. Separately, the PRA is consulting in summer 2026 on a UK captive insurance regime, targeting a competitive and credible framework by 2027.
FCA Money Market Fund Reform
The FCA has updated its plans to reform the UK Money Market Fund Regulation. A proposed new rule would require all UK MMFs to hold sufficient liquidity for adequate resilience, with a modified approach to Weekly Liquid Assets thresholds. The government plans to repeal the UK MMFR by end of 2026, with the FCA making replacement rules to match that timeline.
Finfluencer Enforcement Week
The FCA led a coordinated international action involving 17 regulators to address illegal financial influencer activity, more than double the participants from the previous year. The FCA's own activity included criminal proceedings for illegal promotions, warning letters, and account takedown requests to social media platforms.
FAQs
What does the FCA's DEPP consultation mean for firms holding or advising on cryptoassets?
The consultation proposes extending the FCA's formal market abuse penalty framework to cryptoassets. If adopted, the FCA would have explicit authority to apply fines, including the proposed raised minimum of £150,000 for the most serious individual cases, to cryptoasset market abuse. Firms should review their cryptoasset trading surveillance and internal escalation procedures before the 10 August response deadline.
What gaps did the FCA's sanctions review identify?
The FCA found the most common breach drivers were weaknesses in due diligence, alert management, and screening systems, along with difficulties managing frozen assets and complying with licence conditions. The FCA expects firms to proactively review their controls against the review findings, not simply wait for a breach to occur.
When does the PRA's IMA for market risk under Basel 3.1 take effect?
The internal model approach will proceed as planned from 1 January 2028. The current consultation, CP9/26, addresses calibration and proportionality issues ahead of that date, with responses due by 18 September 2026.
Has the Pillar 2A Phase 1 implementation date changed?
Yes. The PRA moved the implementation date from 1 July 2026 to 1 January 2027 to harmonise timelines across pension, market, and counterparty credit risk workstreams. The final policy statement also introduced several adjustments to the credit risk and operational risk methodologies based on consultation feedback.
How does this month's FCA activity connect to ongoing UK AML supervision priorities?
The sanctions review findings align closely with broader UK AML supervision themes. Firms that have already reviewed their controls against HMRC economic crime supervision obligations will find many of the FCA's expectations familiar, but the FCA's focus on alert management and frozen asset handling adds granularity that AML frameworks alone may not fully address.
Source: KPMG Digital Assets
FAQ
The consultation proposes extending the FCA's formal market abuse penalty framework to cryptoassets. If adopted, the FCA would have explicit authority to apply fines, including the proposed raised minimum of £150,000 for the most serious individual cases, to cryptoasset market abuse. Firms should review their cryptoasset trading surveillance and internal escalation procedures before the 10 August response deadline.
The FCA found the most common breach drivers were weaknesses in due diligence, alert management, and screening systems, along with difficulties managing frozen assets and complying with licence conditions. The FCA expects firms to proactively review their controls against the review findings, not simply wait for a breach to occur.
The internal model approach will proceed as planned from 1 January 2028. The current consultation, CP9/26, addresses calibration and proportionality issues ahead of that date, with responses due by 18 September 2026.
Yes. The PRA moved the implementation date from 1 July 2026 to 1 January 2027 to harmonise timelines across pension, market, and counterparty credit risk workstreams. The final policy statement also introduced several adjustments to the credit risk and operational risk methodologies based on consultation feedback.
The sanctions review findings align closely with broader UK AML supervision themes. Firms that have already reviewed their controls against HMRC economic crime supervision obligations will find many of the FCA's expectations familiar, but the FCA's focus on alert management and frozen asset handling adds granularity that AML frameworks alone may not fully address.
