The rule.
COBS 4.12A.22R requires a firm to give a personalised risk warning before communicating a direct-offer financial promotion to a retail client, and to assess the client’s knowledge and experience under the appropriateness regime.
“Before communicating a direct offer financial promotion for a qualifying cryptoasset to a retail client, a firm must give the client a personalised risk warning, including the client’s name. The personalised risk warning must contain the prescribed wording in COBS 4.12A.25R and must be given separately from any other financial promotion.”
“A firm must assess whether a qualifying cryptoasset is appropriate for the retail client, taking into account the client’s knowledge and experience in the investment field relevant to that cryptoasset.”
The two requirements operate together: personalised warning + appropriateness assessment + 24-hour cooling-off form the three-step gate every UK-facing first-time investor flow has to pass through.
What it requires.
Four operational obligations.
Use the consumer’s name. “Personalised” is literal: the warning must address the consumer by name. A generic warning displayed to all visitors fails the personalisation requirement.
Separate surface. The personalised warning must be delivered on its own screen, not bundled with other onboarding content. The FCA explicitly wants this to be a moment of reflection, not a scroll past.
Appropriateness questionnaire. A short knowledge-and-experience assessment with substantive questions. “Do you understand crypto can lose value?” (yes/no) is not enough. The FCA expects questions that genuinely test understanding.
Negative-outcome path. If the consumer fails appropriateness, the firm must either decline the relationship or proceed with a documented warning and enhanced friction. “Pass everyone” assessments fail FCA review.
Common violations.
Warning screen: “Investing in crypto is high-risk. Click to continue.” No name.
Not personalised. Fails 4.12A.22R. Common pattern when the same warning component is used for both the general prescribed warning and the personalised one.
Question 1: “I understand crypto can go down in value.” [Tick to confirm]
Question 2: “I have read the risks.” [Tick to confirm]
Self-attestation, not knowledge testing. Two boxes to tick is not an appropriateness assessment in the FCA’s sense. The 2024 FCA Dear CEO letter explicitly criticises this pattern.
Appropriateness assessment data: 99.7% pass rate over 12 months.
An assessment that everyone passes is, by definition, not assessing anything. FCA examiners look at distribution. A pass rate above ~85% triggers scrutiny.
Onboarding screen: KYC fields + appropriateness questions + risk warning all on one page.
The personalised risk warning has to be a separate surface. Bundling defeats the purpose. Fails 4.12A.22R’s “given separately” requirement.
How to comply.
After KYC, render the personalised warning screen with the consumer’s legal first name interpolated into the warning. Store the timestamp of view and click-acknowledge.
Build a question bank that tests actual concepts: volatility, irreversibility of on-chain transactions, custodial risk, smart-contract risk, regulatory risk, capital loss. Free-response or multiple-choice with distractors, not self-attest tickboxes.
Target a fail rate of 10–20% on first attempt for the right reason: the questions are testing something. Consumers who fail get a learning module and can retry, but the data shows the assessment is doing work.
The personalised warning is its own page with one CTA: “I have read this” with active click required. No other onboarding content, no other CTAs, no nav distractions.
Log: warning displayed at timestamp, consumer’s assessment answers, acknowledgement click timestamp. This is the evidentiary record the FCA will ask for in a Section 165 information request.
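An added example, not taken from the rule or from any firm's code base: a check that one consumer's stored record contains the evidence listed above, plus the first-attempt pass rate the examiners look at. The record fields and screen component names are hypothetical, the prescribed wording is a placeholder, and the 0.85 level is this page's approximate figure.

```python
from datetime import datetime, timedelta

PRESCRIBED = "<prescribed wording from COBS 4.12A.25R>"  # placeholder, not the real text
REVIEW_PASS_RATE = 0.85  # approximate scrutiny level quoted on this page

def render_warning(first_name):
    """Build the personalised warning; a blank name is refused, not defaulted."""
    name = (first_name or "").strip()
    if not name:
        raise ValueError("personalised warning requires the consumer's name")
    return f"{name}, {PRESCRIBED}"

def record_gaps(rec):
    """List what is missing from one consumer's evidentiary record."""
    gaps = []
    w = rec.get("warning") or {}
    name = (rec.get("first_name") or "").strip()
    if not name or name not in w.get("text", ""):
        gaps.append("warning not personalised")
    if w.get("screen_components") != ["personalised_warning"]:
        gaps.append("warning bundled with other content")
    shown, acked = w.get("displayed_at"), w.get("acknowledged_at")
    if shown is None:
        gaps.append("no display timestamp")
    if acked is None or (shown is not None and acked < shown):
        gaps.append("no valid acknowledgement timestamp")
    if not (rec.get("assessment") or {}).get("answers"):
        gaps.append("no assessment answers stored")
    return gaps

def first_attempt_pass_rate(records):
    """Share of first attempts that passed; None when there are none."""
    firsts = [r["assessment"] for r in records
              if r.get("assessment", {}).get("attempt") == 1]
    return sum(a["passed"] for a in firsts) / len(firsts) if firsts else None

# Constructed sample records (not real data).
T0 = datetime(2025, 1, 6, 10, 0, 0)
GOOD = {"first_name": "Asha",
        "warning": {"text": render_warning("Asha"),
                    "screen_components": ["personalised_warning"],
                    "displayed_at": T0,
                    "acknowledged_at": T0 + timedelta(seconds=40)},
        "assessment": {"attempt": 1, "passed": False,
                       "answers": {"q_volatility": "b", "q_irreversibility": "d"}}}
BAD = {"first_name": "Ben",
       "warning": {"text": "Investing in crypto is high-risk. Click to continue.",
                   "screen_components": ["kyc_form", "personalised_warning"],
                   "displayed_at": T0, "acknowledged_at": None},
       "assessment": {"attempt": 1, "passed": True, "answers": {}}}
```

Running record_gaps over every onboarding record before an information request arrives shows which consumers lack the view and acknowledgement timestamps, and comparing first_attempt_pass_rate with REVIEW_PASS_RATE flags an assessment that is passing nearly everyone.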
Related rules.
- The first layer. Universal warning on every promotional surface.
- The third layer. Clock starts at personalised-warning acknowledgement.
- The fourth layer. No incentives to take the appropriateness assessment in a particular way.