Crypto Financial Promotion Checklist: The UK FCA Compliance Guide

TL;DR — Since 8 October 2023, qualifying cryptoasset promotions in the UK have sat inside the FCA's financial promotions regime. This checklist walks through the four communication routes, the standardised risk warning, the 24-hour cooling-off period, personalised risk and appropriateness assessments, prominence rules, and the social media and influencer traps that drive most of the FCA's enforcement activity. Use it before you publish, not after.

Table of contents

• What the regulation actually says
• Why it matters now
• The four communication routes
• Risk warning, prominence and the cooling-off period
• Personalised risk and appropriateness assessments
• Social media, influencers and finfluencers
• Three recent enforcement examples
• The 12-item crypto financial promotion checklist
• How leading firms automate this with Sedric
• FAQ

What the regulation actually says

The UK regime brings qualifying cryptoassets into the scope of section 21 of the Financial Services and Markets Act 2000 (FSMA). Unless an exemption applies, a person must not communicate an invitation or inducement to engage in cryptoasset investment activity in the course of business unless the content is approved by, or originates from, an authorised firm.

The detail sits in two places. PERG 8 explains what counts as a financial promotion and which exemptions apply. COBS 4.12A and 4.12B of the FCA Handbook set out the conduct rules for direct offer financial promotions (DOFPs) of restricted mass market investments (RMMIs), which is the category most qualifying cryptoassets fall into. The non-Handbook guidance FG23/3, "Financial promotions on social media", remains the FCA's reference document for digital channels.

In plain English: if you are pushing a token, an exchange account, an earn product, or a wallet to UK consumers, you almost certainly need a compliant risk warning, a 24-hour cooling-off period for first-time investors with that firm, a positive frictions journey, and a documented appropriateness assessment for every consumer who proceeds. You also need an audit trail proving each retail customer saw and acknowledged each step.

Why it matters now

The FCA has been unusually public about its enforcement intent. In the first 12 months of the regime it issued more than 1,700 alerts about unauthorised crypto promotions and worked with social media platforms to take content down. It has also opened multiple investigations into authorised approvers, the so-called "section 21 approver" gateway, after concerns that some firms were waving promotions through without the substantive judgement the rules require.

Three pressures are converging. The dedicated gateway for section 21 approvers (in force since February 2024) means approver firms must hold explicit FCA permission. The Consumer Duty applies in parallel, so a technically compliant promotion can still breach the consumer understanding outcome if a reasonable retail investor would not actually grasp the risks. And in 2026 the FCA's new cryptoasset authorisation regime under FSMA 2023 begins to bite — firms applying for authorisation will be expected to demonstrate a clean promotions track record.

For an MLRO or Head of Compliance at a UK crypto exchange, broker, or wallet provider, the practical consequence is that promotion sign-off has become one of the highest-risk control points in the business.

The four communication routes

Every crypto promotion in the UK must use exactly one of four legal routes. Get the route wrong and the promotion is unlawful regardless of how good the content is.

1. Communicated by an FCA-authorised person. The communicator itself holds the relevant permissions. This is the cleanest route but only available to firms with an authorisation that covers cryptoasset activities, which until 2026 is a narrow group.

2. Approved by an authorised person with section 21 approver permission. A separate authorised firm with the FCA's specific approver permission reviews and signs off the promotion. The approver is on the hook for the content.

3. Communicated by, or on behalf of, a cryptoasset business registered with the FCA under the Money Laundering Regulations. This is the route most non-bank exchanges have used since October 2023. Note the FCA has been explicit that MLR registration is not authorisation, and the firm still has to comply with the conduct rules in COBS 4.

4. Reliance on an exemption in the Financial Promotion Order. Examples include promotions to investment professionals, high-net-worth individuals (with the new self-certified statement) or certified sophisticated investors. These exemptions have been tightened since 2024 and are not a safe harbour for mass-market promotions.

Document the route for every campaign. The first audit question any FCA supervisor will ask is "under which limb of section 21 did you communicate this?"

Risk warning, prominence and the cooling-off period

COBS 4.12A.21R and 4.12A.22R prescribe the standardised risk warning, which must read substantially as:

"Don't invest unless you're prepared to lose all the money you invest. This is a high-risk investment and you are unlikely to be protected if something goes wrong. Take 2 mins to learn more."

The link in "Take 2 mins to learn more" must point to the FCA's standardised risk summary, customised lightly with information about the specific cryptoasset and the firm.

Prominence requirements are unambiguous. The risk warning must be: - The first thing a consumer sees on a landing page or in an email. - In a clearly demarcated box, with the heading "Risk warning". - In a font size at least equal to the largest font used elsewhere in the promotion. - Not obscured by cookie banners, pop-ups or autoplay video.

The 24-hour cooling-off period (COBS 4.12A.27R to 4.12A.29R) applies to first-time investors with the firm. After the consumer has read the risk warning and indicated intent to proceed, the firm must wait 24 hours before allowing the customer to invest. The customer must reaffirm their intent after the cooling-off period. The clock starts from the moment the customer requests to proceed, not from sign-up.

Common failure modes we see in marketing audits: - Risk warning embedded below the fold in a long mobile scroll. - Cooling-off period waived for "VIP" or "professional" tiers without an exemption analysis. - Reaffirmation collected through a pre-ticked box (prohibited). - Re-marketing emails sent during the 24-hour window that effectively pressurise the consumer.

Personalised risk and appropriateness assessments

Two consumer journeys sit between the cooling-off period and the first trade.

The personalised risk assessment (PRA) (COBS 4.12A.23R to 4.12A.26R) asks the customer to confirm in their own words that they understand the risks of the specific cryptoasset class. The PRA cannot be a generic tickbox. The FCA has been clear that drop-downs with pre-populated answers are not compliant. Free-text or randomised-option formats with a meaningful refusal pathway are expected.

The appropriateness assessment (COBS 10A) asks whether the customer has the knowledge and experience to understand the risks involved in the specific cryptoasset product. It needs to: - Cover the product type, not just cryptoassets generally. - Be re-run if the customer attempts to invest in a materially different product (e.g. moving from spot trades to a staking earn product). - Result in a documented warning where the assessment is failed. - Capture the customer's response to the warning (proceed despite warning, or stop).

A common audit gap is treating the appropriateness assessment as a one-off onboarding step. Where a firm later offers a different product category — perpetuals, structured products, lending — a fresh assessment is required.

The records must be retrievable for at least five years and must reconstruct, for any individual customer, the exact content of each warning shown, the responses given, and the timestamps.

Social media, influencers and finfluencers

FG23/3 is the operating manual for any crypto firm with a social presence.

Each standalone post is a financial promotion. A retweet, a story, an Instagram reel, a TikTok video, a YouTube short and an X post are all separate communications. Each must, on its face, be capable of standing as a compliant promotion. You cannot rely on a risk warning on the linked landing page to cure a non-compliant social post.

The risk warning on social. FG23/3 specifies how the warning must be displayed where the platform's character or display limits make the full text impractical. The FCA's expectation is the abbreviated risk warning — "Don't invest unless you're prepared to lose all the money you invest. This is a high-risk investment. You should not expect to be protected if something goes wrong." — plus a link to the full warning, with no design hierarchy that buries it.

Influencers and "finfluencers" are inside scope. If you pay, gift, or otherwise incentivise a third party to promote your cryptoasset and they communicate in the course of their own business, they are communicating a financial promotion. They need either to be authorised or to have their content approved by a section 21 approver. The FCA brought criminal proceedings against several finfluencers in 2024 and 2025 and has been escalating cases involving paid promotion of unregulated cryptoassets.

Three practical controls firms underestimate: - A signed influencer contract is not enough. The promotional content itself, in its final form, must be reviewed and approved before publication. - Affiliate codes and referral links count as inducements. Affiliates need the same diligence as paid influencers. - Organic UGC reposted by the firm's account becomes the firm's promotion. Re-sharing a customer's "I made 500% on token X" post is communicating a promotion.

For more on the broader UK FinProms regime, see our financial promotions rules 2026 guide.

Three recent enforcement examples

Cryptoasset exchange, FCA alert, 2024. The FCA issued a public warning naming an offshore exchange targeting UK consumers without registration or approval. The platform's UK landing page lacked the standardised risk warning and the cooling-off journey. Within a month, advertising spend on UK keywords had been blocked at platform level.

Section 21 approver, supervisory action, 2025. The FCA imposed restrictions on a small authorised firm acting as a high-volume approver of cryptoasset promotions after concluding that the firm had not undertaken substantive assessments of underlying products. The firm was required to withdraw its approvals and notify all affected customers.

Finfluencer criminal case, 2024–2025. Several individuals were charged with offences under section 21 FSMA in connection with paid promotion of unregistered cryptoasset trading platforms to their UK social media audiences. The case underlined that liability follows the communicator personally, not just the brand they promote.

The 12-item crypto financial promotion checklist

Use this on every promotion before sign-off.

1. Communication route documented. Which limb of section 21 applies? Recorded with sign-off reference.
2. Standardised risk warning present. Exact wording, in the prescribed format, with the heading "Risk warning".
3. Prominence verified. First content visible above the fold on the target device. Font size at least equal to the largest used. Not obscured by overlays.
4. Abbreviated risk warning for social. Used where format constraints apply, plus link to full warning.
5. Cooling-off period. 24 hours enforced for first-time investors. No promotional re-marketing during the window.
6. Personalised risk assessment. Not a pre-populated tickbox. Free-text or randomised options. Documented refusal pathway.
7. Appropriateness assessment. Specific to the product type. Re-run on material product change. Warnings logged with customer responses.
8. No misleading claims. No past-performance dominance, no implied capital protection, no "regulated by the FCA" where only MLR-registered.
9. Influencer content pre-approved. Final form approved in writing before publication. Affiliate links treated equivalently.
10. Inducements and incentives. Cashback, sign-up bonuses and refer-a-friend assessed for inducement risk under the broader Consumer Duty.
11. Record retention. Promotion, approvals, customer interactions and timestamps retained for at least five years and retrievable in a usable format.
12. Withdrawal trigger documented. A defined process for withdrawing the promotion if the underlying product, the firm's permissions, or the market context changes materially.

How leading firms automate this with Sedric

Manual sign-off does not scale once a crypto firm runs dozens of campaigns across paid social, organic, affiliates, in-app banners and email. The failure modes that show up in FCA reviews are mostly volume failures — one influencer post out of a hundred that omits the risk warning, one DOFP page with a risk warning beneath an autoplay video, one re-marketing email sent inside the cooling-off window.

Sedric's Marketing Comms platform applies the COBS 4.12A and FG23/3 ruleset to every piece of content before it goes live. Each flag is linked to the underlying rule reference (COBS 4.12A.21R prominence, FG23/3 §4 social risk warning, COBS 10A.4 appropriateness warning) and reviewers see why the system raised the issue, not just that it did. Overrides are logged with the reviewer's reasoning. The result is an audit pack that reconstructs, for any promotion, who approved what and on which regulatory basis. This is what we mean by audit-ready by design — the work product the FCA wants to see is generated automatically as part of normal sign-off.

For firms that have not run a baseline yet, the Sedric Marketing Comms Audit ingests up to 10 recent promotions and returns a scored report against the FCA crypto FinProms ruleset, flagged by rule reference. It is a useful before-and-after benchmark.

FAQ

Is MLR registration enough to communicate crypto financial promotions in the UK? MLR registration is a route to communicate promotions under section 21(2)(d) FSMA, but registered firms must still comply with COBS 4.12A and 4.12B in full. MLR registration is not authorisation and does not extend to other regulated activities.

Does the cooling-off period apply every time a customer trades? No. The 24-hour cooling-off period applies to first-time investors with the firm. It does not re-trigger for subsequent trades, although the appropriateness assessment may need to be re-run if the customer enters a materially different product.

Can I rely on the high-net-worth investor exemption for crypto promotions? You can, but the FCA tightened the financial thresholds and the self-certification process in 2024. Mass-market promotions that simply ask consumers to self-certify HNW status will not survive supervisory scrutiny.

What is the difference between the FCA crypto FinProms regime and MiCA marketing rules? The UK regime sits inside FSMA section 21 and the FCA Handbook, with the standardised risk warning and cooling-off period at its core. The EU's MiCA marketing communications rules (Article 7 MiCA) apply to crypto-asset service providers in the EU and focus on fairness, clarity and non-misleadingness rather than a prescribed warning. See our MiCA marketing communication rules guide.

Are decentralised protocols and DeFi inside scope? The FCA's view is that whether DeFi promotions fall in scope depends on the underlying activity, not the wrapper. Where there is a clear inducement to acquire a qualifying cryptoasset in the course of business, the regime applies.

How long must I keep records of promotions and customer interactions? At least five years. Records must reconstruct the promotion as displayed to the customer, the customer's responses (PRA, appropriateness, cooling-off reaffirmation), and approval evidence.

Does the Consumer Duty add anything on top of COBS 4.12A? Yes. The Consumer Duty's consumer understanding outcome means a promotion can be technically COBS-compliant and still fail if a reasonable retail investor would not understand the risks. Cross-check with our FCA Consumer Duty examples for typical failure modes.

Run a free crypto FinProms audit

If you would like a baseline before your next quarterly campaign review, upload up to 10 promotions to Sedric's free Marketing Comms Audit. The output is a scored report against the FCA crypto FinProms ruleset — prominence, risk warning, cooling-off journey, PRA, appropriateness, social variants — with each finding linked to the rule reference. It takes ten minutes to upload and two business days to receive. Start the audit at sedric.ai.