The primary audience for the Exec Capital guides is boards and chairs appointing at board level. But several of the guides are directly and practically relevant to the CFOs, Finance Directors and senior finance function leaders who work in FCA-regulated environments — and whose own regulatory position, under the SMF2 designation, places them squarely within the governance framework these guides address. We have written this post to identify the guides most useful to FD Capital’s audience and to explain why the content matters to finance leaders operating in regulated firms, not just to the boards who appoint them.

Why the Regulatory Governance Landscape Matters More Now

The intensity of FCA supervision has increased considerably over the past three years. Consumer Duty came into force in 2023 and placed specific board-level governance obligations on all firms serving retail clients. The FCA’s supervisory approach to the Senior Managers Regime has become more granular — the regulator now pays closer attention to the quality of individual Statements of Responsibilities, the robustness of firms’ certification processes, and the adequacy of succession planning for senior management functions. And the expansion of SMCR to cover a broader range of firm types has brought a new population of regulated businesses into the personal accountability framework for the first time.

For CFOs and Finance Directors at regulated firms, this intensification has practical consequences. The expectations attached to the SMF2 designation have not changed formally, but the FCA’s willingness to scrutinise whether individual SMF holders are genuinely meeting those expectations has increased. An FD who treats their SMCR obligations as administrative compliance rather than genuine personal accountability is increasingly out of step with the regulator’s supervisory approach — and the Exec Capital guides provide a useful reference point for understanding what the framework actually requires at the individual level.

The SMF2 Dimension: Why CFOs and Finance Directors Need to Understand This Framework

The Chief Finance function — SMF2 — is one of the core senior management functions under SMCR. The FD or CFO at an FCA-regulated firm is not simply a financial professional in a regulated environment. They are a designated senior manager who has been personally approved by the FCA, who holds their own Statement of Responsibilities defining what they are personally accountable for, and who is subject to the Duty of Responsibility — meaning that if a regulatory failure occurs within their area of accountability, they must demonstrate they took reasonable steps to prevent it.

This is a fundamentally different accountability model from working as a finance leader at an unregulated business. The personal dimension is real, and the consequences of regulatory action against an individual SMF holder — fines, prohibition from working in regulated financial services, public censure — are career-defining. Understanding the framework within which you operate is not a compliance exercise for someone else to manage; it is a professional obligation for every SMF2 holder.

The Exec Capital guides address this framework from the board’s perspective, but the substance is directly applicable to any individual holding an SMF designation. The guides on Form A, Statements of Responsibilities, succession planning and dual SMF arrangements are equally relevant to the SMF2 holder as to the chair or CEO. We strongly encourage FD Capital clients and candidates who hold or are likely to hold SMF designations to use these guides as a reference.

FCA Form A: What Boards Need to Know

The FCA Form A guide is the most practically immediately useful of the Knowledge Centre pieces for any finance leader preparing to move into a new role at a regulated firm. The Form A application is the mechanism by which the FCA approves an individual for an SMF designation — including SMF2 for the CFO or FD function. The guide covers what the application requires, what regulatory references must contain, what material disclosures the individual is required to make, and how the FCA’s assessment of fitness and propriety works in practice.

For CFOs and FDs who are new to regulated environments — moving from a professional services, technology or industrial background into a regulated financial services business for the first time — the Form A process is often the first detailed encounter with the personal accountability framework, and it can be a significant source of uncertainty. The guide demystifies the process, sets realistic expectations for the timeline (typically six to twelve weeks for a standard application), and addresses the regulatory reference requirements that many candidates underestimate in terms of both their scope and their practical significance.

The guide also covers the regulatory interview — the FCA’s mechanism for directly assessing a proposed SMF holder’s understanding of their role and the regulatory environment. For a CFO moving into a complex or higher-risk regulated firm for the first time, the regulatory interview is a real possibility, and preparation for it should begin well before the Form A is submitted. The guide is a useful starting point for that preparation.

Statements of Responsibilities: Best Practice

The Statements of Responsibilities guide addresses the document that sits at the centre of every SMF holder’s personal accountability — including the SMF2 holder’s accountability for the firm’s finance function. The guide sets out what the FCA expects a Statement of Responsibilities to contain, what the common drafting mistakes are, and how to maintain and update the document as the individual’s responsibilities change over time.

For CFOs and FDs, the Statement of Responsibilities is not simply a regulatory submission produced by the compliance department at the point of appointment and filed away. It is a live document that defines the scope of their personal regulatory accountability — and if the document does not accurately reflect their actual current responsibilities, it creates a governance risk both for them personally and for the firm. An FD whose SoR was drafted on appointment and has never been updated to reflect changes in the firm’s structure, the individual’s scope, or the regulatory framework will find, in the event of supervisory scrutiny, that the gap between the document and reality is both visible and difficult to explain.

The guide’s discussion of how to draft SoRs that are specific rather than generic is particularly useful for finance leaders. The instinct to produce a broad, comprehensive SoR that captures everything the CFO is involved in frequently results in a document that is too vague to be meaningful — stating that the CFO “is responsible for the financial management of the firm” rather than identifying the specific regulatory obligations, committees, and governance processes for which they are personally accountable. The Exec Capital guide explains how to strike the right balance.

SMCR and Board Succession Planning

The SMCR succession planning guide is relevant to finance leaders in two distinct ways. First, as SMF2 holders, CFOs and FDs are subject to the succession planning obligations that apply to all senior management functions — the firm must have a plan for managing an FD departure, and the FD themselves has an interest in understanding how their own succession is being managed. Second, finance function leaders at regulated firms are frequently involved in the governance processes that underpin succession planning — preparing the financial projections for a period of leadership transition, managing the cost implications of interim coverage arrangements, or supporting the board’s assessment of the firm’s capacity to absorb the cost of a retained search for the replacement.

The guide addresses the realistic timeline for SMF succession — five to six months from initiating a search to an approved replacement being in post under favourable conditions, seven to nine months at more complex firms. For finance function leaders who are responsible for planning the cost and operational impact of a senior departure, this timeline reality is directly relevant. An unplanned FD departure that is managed without adequate successor planning can create both regulatory exposure (an extended SMF2 vacancy without compliant coverage) and significant unbudgeted cost. The guide helps boards and their finance leaders plan for this more effectively.

The Dual SMF Holder at Smaller Regulated Firms

The Dual SMF Holder guide is particularly relevant to FD Capital’s client base among smaller regulated firms — the growth-stage fintechs, payment institutions, boutique asset managers and newly authorised businesses where a single senior individual frequently covers multiple SMF designations. At many of the firms FD Capital works with in this segment, the fractional or part-time FD who holds the SMF2 designation may also hold other designated functions — making them a dual or multiple SMF holder whose regulatory position is more complex than that of a full-time FD at a larger firm.

The guide sets out which SMF combinations are permitted, what the FCA assesses in a dual SMF application, the governance risks of overloading an individual with designations they cannot genuinely fulfil, and how to identify the point at which a combined arrangement should be separated as the firm grows. For fractional and part-time FDs at regulated firms — a significant part of FD Capital’s specialist market — this is directly applicable guidance. An FD who holds SMF2 and additional designations on a fractional basis should understand both the regulatory permissions that make that arrangement possible and the governance expectations that make it sustainable.

Consumer Duty Annual Board Report

The Consumer Duty Annual Board Report guide addresses a governance requirement that has a specific and often underappreciated finance function dimension. The fair value assessment — one of the four Consumer Duty outcome areas — requires retail-facing regulated firms to demonstrate that the total cost of their products and services represents genuine value for the outcomes delivered to retail clients. This is an analytically demanding assessment that requires the CFO and finance function to produce the cost and revenue data on which the board’s fair value conclusions rest.

A board that produces a Consumer Duty annual report without robust financial analysis supporting the fair value section — or whose CFO has not been directly involved in the fair value assessment methodology — is producing a report that will not withstand FCA scrutiny. The guide explains what the board report must contain, what the FCA expects the board’s oversight role to involve, and what the fair value and other outcome assessments should look like. For CFOs at retail-facing wealth managers, insurers, consumer credit businesses and retail investment firms, this is governance content that directly affects their role in the annual reporting cycle.

The Broader Suite — Blog Posts Worth Reading

Alongside the Knowledge Centre guides, Exec Capital has published a series of blog posts directly addressing appointment and governance challenges at regulated firms. Several are particularly relevant to FD Capital’s audience:

Certification Regime vs Senior Managers Regime: Who Gets Approved, Who Gets Certified — a clear explanation of which employees fall into which regulatory tier. For CFOs responsible for overseeing their firm’s SMCR compliance, understanding the full population of staff subject to the regime — not just the SMF holders — is a governance requirement. This post sets out the distinction clearly.

CEO Succession at Regulated Firms: Timelines, FCA Engagement and Contingency Planning — highly relevant for FDs who are involved in governance discussions about CEO succession. The financial and operational planning that a CEO transition requires is the finance function’s domain, and the regulatory timeline realities in this post are directly relevant to that planning work.

First-Time SMF1: Hiring a CEO Who Has Never Held an SMF Role Before — relevant to any regulated firm considering a CEO search that might bring in a candidate from outside the regulated sector. The finance function’s perspective on this decision — understanding the regulatory risk implications of a first-time SMF1 appointment — is a legitimate board input.

How FD Capital and Exec Capital Work Together for Regulated Firm Clients

FD Capital and Exec Capital are sister practices with complementary but clearly defined positioning. FD Capital’s focus is the finance function — fractional CFO and Finance Director appointments, interim finance leadership, and permanent senior finance hires, including for FCA-regulated firms where the finance leader carries the SMF2 designation. Exec Capital’s focus is the broader C-suite and board — CEO, COO, CMO, CTO and NED appointments, with a particularly strong specialism in FCA-regulated firm executive and board-level search.

Where a regulated firm needs both a finance function leader and a senior executive or board appointment, both practices contribute their specialist knowledge to ensure the regulatory and governance dimensions of each appointment are properly integrated. The FD’s SMF2 designation and the CEO’s SMF1 designation interact directly in the firm’s governance structure — the Statement of Responsibilities for each must be drafted consistently, the Form A applications must be managed with awareness of each other’s timelines, and the interim coverage arrangements for both must be coordinated if transitions overlap.

The Exec Capital Knowledge Centre guides provide the regulatory governance reference material that underpins both practices’ work with regulated firm clients. We are pleased to share them with the FD Capital community and to encourage any finance leader who works in or is moving into an FCA-regulated firm to use them as a practical resource. The full suite is available at Exec Capital’s FCA regulated firm practice page.

If you are a CFO, Finance Director or fractional finance leader working in or considering a move to an FCA-regulated firm — or if you are a regulated firm seeking a senior finance leader — speak to FD Capital about the finance function appointment. And if the board-level search at that firm requires a specialist in regulated firm executive appointments, the team at Exec Capital is the right conversation to have alongside it.

The SUP sourcebook is the FCA’s supervisory framework — the rules and guidance governing how regulated firms interact with the FCA on an ongoing basis. SUP 15 deals specifically with notifications: the events, changes and circumstances that firms must report to the FCA as they occur. Understanding SUP 15 fully is an essential compliance competency for any SMF16 (compliance oversight function) holder, but it is also relevant to every senior manager who has accountability for areas of the firm’s activities that generate notification obligations.

The Structure of SUP 15

SUP 15 is organised into sections covering: general notification obligations; notifications required in specific circumstances; material changes that must be notified; and the procedures for making notifications. The general notification obligation in SUP 15.3 sits alongside and reinforces the Principle 11 disclosure obligation: firms must notify the FCA promptly if they become aware of anything that could materially affect the FCA’s view of the firm’s fitness and propriety, or that could have a significant adverse impact on the firm’s customers or the financial system. This general obligation is supplemented by the specific notification requirements in SUP 15.4, 15.5 and 15.8, which identify particular events that require notification regardless of whether they also trigger the general standard.

Category One: Significant Events

SUP 15.3.1R requires firms to notify the FCA immediately if they become aware of a series of specific categories of event. These are the most serious notification obligations — events so significant that the FCA needs to know about them without delay, without waiting for regular reporting cycles.

Insolvency proceedings. If any corporate entity within the firm’s group enters administration, receivership, liquidation or any equivalent insolvency proceeding in any jurisdiction, the firm must notify immediately. The FCA needs this information because insolvency events in connected entities can affect the regulated firm’s financial position, its ability to meet its regulatory capital requirements, and its operational continuity. Early notification allows the FCA to assess the impact and, where necessary, to exercise its supervisory powers before harm reaches customers.

Regulatory action by other authorities. Where a firm or a connected entity is subject to significant regulatory action by an overseas regulator — including a formal investigation, a suspension, a fine or a restriction — notification to the FCA is required. The FCA’s interest is in whether the overseas action is indicative of conduct or governance issues that are also present in the UK-regulated entity, and whether the action affects the firm’s fitness and propriety. Firms that receive overseas regulatory correspondence should assess its notification implications immediately rather than treating it as a purely local matter.

Material litigation. Civil proceedings or arbitration that could have a material impact on the firm — either financially or in terms of its ability to carry on regulated activities — must be notified. The financial materiality threshold is relative to the firm’s size and regulatory capital: a claim that would represent a significant proportion of the firm’s capital resources triggers the notification requirement even if it is small in absolute terms. Firms that receive letters before action or claim forms should therefore consider their SUP 15.3.1R implications as part of their initial response process.

Loss of key personnel. Where the loss of a key individual could affect the firm’s ability to carry on its regulated activities or its compliance with threshold conditions, notification is required. The most obvious category is the unexpected loss of an SMF holder, particularly where the firm has no immediate replacement — the FCA must be informed so that it can assess whether the firm continues to meet its governance and management requirements. But the obligation can also extend to non-SMF personnel whose loss creates a material operational or compliance risk.

Category Two: Material Changes

SUP 15.3.8G and the associated rules require firms to notify the FCA of significant changes to their business, activities or circumstances that are not covered by the specific SUP 15.3.1R obligations but that the FCA would reasonably want to know about.

Changes to business activities. Material changes to the nature, scope or scale of the firm’s regulated activities must be notified. This overlaps with the Variation of Permission obligation for changes that take the firm outside its current permission, but it is broader: changes that remain within the current permission but that significantly alter the risk profile of the firm’s activities may still require notification even if no formal VoP application is needed. A firm that significantly expands its consumer credit lending by moving into a higher-risk product segment, or that shifts its investment management focus to a materially riskier asset class, should consider its SUP 15 notification obligations even if the existing permission technically covers the new activities.

Changes to ownership or control. Changes in the ownership or control of the firm — including the acquisition of a qualifying holding, a change in the identity of the firm’s controller, or a change in group structure that affects the firm — trigger specific notification requirements under SUP 11. SUP 15 reinforces these obligations by requiring notification where any change in the firm’s circumstances is such that the FCA would reasonably expect notice. Firms planning mergers, acquisitions, management buyouts or significant investor changes should map their notification obligations across both SUP 11 and SUP 15 as part of the transaction planning process.

Financial position deterioration. Where the firm’s financial position deteriorates materially — including where it falls below or is at risk of falling below its regulatory capital requirements — prompt notification is required. The FCA does not want to discover a firm’s financial difficulties through the firm’s prudential reporting alone: where the firm’s management becomes aware of a material emerging financial problem, the notification obligation crystallises at that point, not when the problem has progressed to the point of formal threshold breach. Firms should build explicit financial monitoring triggers into their capital adequacy governance — alerting the compliance function and the SMF holder when capital levels reach defined early-warning levels — so that the SUP 15 obligation is recognised and discharged in good time.

Significant systems or operational failures. Major operational incidents — IT outages, data breaches, third-party failures — that have caused or could cause material harm to customers or operational disruption to the firm’s regulated activities must be notified. The FCA’s operational resilience framework, introduced in 2021, requires firms to identify their important business services and to set impact tolerances for their maximum acceptable downtime. Where an incident breaches or threatens to breach an impact tolerance, this is a clear indicator that a SUP 15 notification is required. Firms that have implemented the operational resilience framework should build their SUP 15 notification assessment into their incident response process rather than treating it as a separate consideration.

Category Three: SMF-Specific Notifications

SUP 15 contains specific notification requirements related to Senior Manager Functions. These include: notification where an SMF holder ceases to perform their function; notification of any matter that may affect the fitness and propriety of an approved person; and notification of the appointment of a new individual to perform a required SMF function where that individual has not yet been approved by the FCA.

The cessation notification is one of the most time-sensitive in the SMF context. Where an SMF holder leaves their role unexpectedly — whether through resignation, illness, dismissal or any other reason — the firm must notify the FCA promptly. If the function is a required function (one that the firm must have a holder for under the applicable rules), the firm must also have arrangements in place for how the function will be covered in the interim. The FCA’s expectations around interim coverage are set out in the SMCR rules, but the SUP 15 notification obligation runs from the moment the SMF holder ceases — which may be before any interim arrangement has been confirmed.

The fitness and propriety notification is broader and more judgmental. Where the firm becomes aware of any matter that may affect an approved person’s fitness and propriety — including a criminal caution or conviction, an adverse finding in civil proceedings, a disciplinary matter, a significant financial difficulty, or a concern raised by another regulator — it must assess whether the matter is significant enough to require notification. The test is again what the FCA would reasonably expect to be told: a minor historical matter with no current relevance may not require notification; a serious recent matter with direct bearing on the individual’s conduct in their SMF role almost certainly does.

Timing: When Must Notifications Be Made?

SUP 15 specifies different timing requirements for different categories of notification. The general principle is that notifications should be made as soon as practicable after the relevant event or awareness arises. For the most serious events — imminent insolvency, significant operational failures causing material customer harm — “as soon as practicable” means within hours, not days. For other notifications, the standard is typically one business day to ten business days depending on the specific obligation.

The compliance function must therefore have clear internal processes for identifying when a SUP 15 notification obligation has crystallised and for ensuring the notification is made within the applicable time limit. This means the compliance function needs access to information about events that trigger notification obligations across the firm’s business — which requires the compliance function to be embedded in the firm’s operational and incident management processes rather than receiving information through downstream reporting channels. A compliance function that learns about a major IT outage from a press enquiry rather than from the operations team has a process failure that will likely result in a late notification to the FCA.

How to Make Notifications: The Connect System

Most SUP 15 notifications are made through the FCA’s Connect system. Firms should designate one or more named users with Connect access who are responsible for making notifications. The notification form should include: a clear description of the event or change being notified; the date on which the event occurred or the firm became aware of it; an assessment of the significance and impact of the event; and the steps the firm has taken or is taking in response. The FCA does not require a perfectly formatted notification at the initial stage of an urgent event — a brief but accurate notification promptly made is preferable to a comprehensive account provided too late.

For certain specific notifications — changes to control, passporting applications, appointed representative notifications — SUP requires the use of specific forms rather than general Connect notifications. The compliance function should maintain a current register of the specific forms applicable to each notification category, and should test its Connect access and notification processes periodically rather than discovering connectivity or access issues at the point when an urgent notification needs to be made.

Consequences of Failure to Notify

The FCA consistently identifies failures to notify on time — or at all — as one of the most frequently encountered compliance deficiencies in its supervisory work. The consequences range from formal regulatory censure and financial penalties, through increased supervisory intensity, to use of the notification failure as evidence of broader governance and compliance culture failures that justify a more comprehensive regulatory response.

Late notification is often more seriously received by the FCA than the underlying event itself. A firm that experiences a significant operational failure, manages it competently and notifies the FCA promptly is in a very different regulatory position from one that experiences the same failure and notifies three months later after the FCA has already become aware of the incident through other channels. The FCA has stated publicly that it places particular weight on timeliness and transparency in its supervisory relationships, and notification failures are treated as evidence of a deficit in both.

Building an Effective SUP 15 Notification Framework

Effective SUP 15 compliance requires a notification framework that is embedded in the firm’s operational processes rather than administered as a standalone compliance function responsibility. The framework should include: a notification trigger register identifying the events and circumstances that generate SUP 15 obligations and the applicable timing requirement for each; clear ownership for the notification assessment, typically at SMF16 level with escalation to the CEO for significant events; designated Connect access for one or more compliance team members; an internal escalation process that ensures relevant developments are flagged to the compliance function promptly; and a notification log documenting all notifications made, the basis for each, and the timeline from event to notification.

The notification trigger register should be reviewed at least annually against any changes to SUP 15 and against the firm’s own business development — new activities, new products or new risk exposures may create notification obligations that did not previously apply. The register should also be reviewed following each notification to assess whether the event could have been identified and escalated faster, and whether the internal processes supported the timely discharge of the obligation.

Key References

• FCA Handbook SUP 15 — Notifications to the FCA
• FCA Connect — Notification portal
• FCA PRIN 2.1 — Principle 11

The general prohibition in Section 19 of FSMA 2000 provides that no person may carry on a regulated activity in the United Kingdom unless they are either FCA-authorised or exempt. Breach of the general prohibition is a criminal offence, punishable by up to two years’ imprisonment and an unlimited fine. The FCA also has civil enforcement powers to take action against unlawful activities, and can seek injunctions, restitution orders and other remedies against individuals and businesses that carry on regulated activities without authorisation. Understanding where the perimeter falls — and what the consequences are of inadvertently crossing it — is not just a compliance matter. It is fundamental to the legal operation of any business in or adjacent to the financial services sector.

What Is a Regulated Activity?

A regulated activity is an activity of a specified kind carried on by way of business in relation to an investment, specified product or specified service of a specified kind. This sounds circular and it is — the substance is in the specification. The Regulated Activities Order 2001 (the RAO) sets out the activities that are regulated and the investments, products and services to which the regulation applies. The principal regulated activities include: accepting deposits; effecting and carrying out contracts of insurance; dealing in investments as principal or agent; arranging deals in investments; managing investments; providing investment advice; acting as a custodian; establishing collective investment schemes; and a number of activities in consumer credit, payment services and consumer hire.

The RAO also defines the scope of each activity precisely. “Dealing in investments as principal” means buying, selling, subscribing for or underwriting investments as principal — but only if the investment falls within the specified investment categories listed in the RAO. A business that buys and sells interests in property companies may or may not be dealing in investments as principal, depending on whether those interests fall within the specified investment definition. A software company that provides a marketplace connecting investors with opportunities may or may not be arranging deals in investments, depending on how its platform functions and what role it plays in the transaction. The analysis is always fact-specific, and the fact-specific nature of the RAO definitions is precisely what creates perimeter uncertainty for new and innovative business models.

Exclusions and Exemptions: The Other Side of the Perimeter

The RAO not only specifies regulated activities — it also provides exclusions from those activities that effectively move businesses back outside the perimeter. The exclusions are critically important because many businesses that would otherwise carry on regulated activities fall within them. Common exclusions include: the own account exclusion (which excludes certain dealing activities carried on by businesses that are dealing only for themselves); the group exclusion (which excludes certain activities between companies in the same group); the professional firm exclusion (which allows certain firms like law firms and accountants to carry on limited regulated activities without FCA authorisation); and various other exclusions specific to particular activity types.

Exemptions operate differently from exclusions. Exemptions are granted to specific categories of person — the Bank of England, Lloyd’s of London, certain government bodies, Appointed Representatives of authorised firms — and remove those persons from the FCA authorisation requirement entirely. The Appointed Representative regime is the most commercially significant exemption: it allows businesses to carry on regulated activities under the umbrella of an authorised principal firm, without themselves being directly authorised, provided the principal accepts responsibility for the AR’s regulated activities.

The practical consequence of the exclusions and exemptions regime is that perimeter analysis is never simply a question of whether an activity is regulated. The question is always whether the activity is regulated and whether an exclusion or exemption applies. Many businesses that appear to be carrying on regulated activities are in fact excluded or exempt. Equally, many businesses that believe they fall within an exclusion or exemption do not — because they have not analysed their activities precisely against the relevant RAO provisions, or because their business model has evolved beyond the scope of the exclusion they relied on.

The Financial Promotions Perimeter: A Separate but Connected Issue

The general prohibition operates alongside — but is separate from — the financial promotions restriction in Section 21 of FSMA. Section 21 restricts communications that invite or induce the making of investments or agreements to make investments unless the communication is made by or approved by an FCA-authorised person. The financial promotions perimeter is conceptually related to but legally distinct from the regulated activities perimeter.

A business that is not carrying on any regulated activity may nonetheless be restricted under Section 21 if it is communicating a financial promotion — for example, a marketing campaign for a property investment scheme or a crowdfunding opportunity. Equally, a business may be carrying on regulated activities without communicating any financial promotion. Understanding both perimeters — the regulated activities perimeter and the financial promotions perimeter — is necessary for a complete analysis of a business’s regulatory position.

The FCA’s enforcement approach to financial promotions perimeter breaches has become increasingly rigorous, particularly in relation to cryptoasset and high-risk investment promotions. The introduction of the Financial Promotions Gateway in 2024 created a new gateway requirement for authorised firms approving financial promotions — and the FCA has signalled clearly that it will pursue both unauthorised promotions and authorised firms that approve promotions without adequate due diligence on the promotion’s compliance with applicable rules.

How the FCA Identifies Perimeter Issues

The FCA has several mechanisms through which it identifies potential perimeter breaches. Consumer complaints are a primary source: where consumers report being sold financial products or services by unlicensed entities, the FCA will investigate whether the selling firm was required to be authorised. The FCA’s ScamSmart and InvestSmart campaigns actively encourage consumers to check the FCA Register before engaging with financial services providers — and the complaints data generated by consumers who did not check, or who were deceived by unregistered clones of legitimate firms, feeds directly into the FCA’s perimeter enforcement activity.

Market intelligence is a second major source. The FCA monitors financial markets, online platforms, social media and financial press for activity by firms that appear to be carrying on regulated activities without authorisation. The rapid growth of investment promotion activity on social media — particularly through influencer marketing of high-risk investments — has significantly increased the FCA’s monitoring activity in this space. The FCA’s Consumer Investments team specifically focuses on investment fraud and unregulated activity, and it has demonstrated a willingness to use its enforcement powers aggressively against identified perimeter breaches.

Industry reporting is a third mechanism. Authorised firms have an obligation under Principle 11 and SUP 15 to report to the FCA where they become aware of activities by other parties that may constitute unauthorised regulated activities. Law firms, accountants, and other professional advisers who identify potential perimeter issues in their clients’ activities similarly have professional obligations that may lead to regulatory reporting. The FCA has therefore created a network of institutional sensors that can identify potential perimeter breaches through normal commercial activity, without requiring direct consumer complaints.

Self-referrals represent a fourth category that is underappreciated but important. Some businesses that identify potential perimeter issues in their activities proactively approach the FCA through its pre-application services or through a formal FCA contact. The FCA generally treats proactive self-referral more favourably than perimeter breaches that are identified through enforcement activity — which is a strong practical argument for seeking regulatory clarity at the outset rather than hoping the question never arises.

Common Perimeter Issues by Business Type

Fintech and payment platforms. Payment and money services businesses frequently encounter perimeter questions around the boundary between payment services (regulated under the Payment Services Regulations 2017) and non-regulated activities. E-wallets, stored value products and payment facilitation services can trigger PSR authorisation requirements depending on how the platform is structured and what happens to funds in transit. Businesses that begin as technology platforms providing payment infrastructure can cross the regulated activities perimeter as their functionality expands.

Crowdfunding and peer-to-peer platforms. Online investment platforms — including loan-based crowdfunding, equity crowdfunding and property investment platforms — sit in a complex regulatory position. Loan-based platforms operating under FCA authorisation must manage the perimeter carefully as they expand their product range. Property investment platforms that structure their products as unregulated collective investments may find that changes to their structure bring them inside the collective investment scheme regime, triggering authorisation requirements they had not anticipated.

Introducers and referral arrangements. Businesses that introduce clients to financial services providers operate on the perimeter of the “arranging deals” regulated activity. An introducer that simply passes names and contact details to an authorised firm, without providing any advice or information about the products on offer, can typically rely on the introduction exclusion. An introducer that discusses the firm’s products, provides product information, or assists in completing applications has likely moved into arranging — and the RAO exclusion no longer applies.

Restructured professional services firms. Law firms, accountants and management consultants that provide advice on transactions, investments or corporate structures frequently encounter the perimeter of investment advice and corporate finance activity. The professional firm exemption allows these firms to carry on limited regulated activities without FCA authorisation, but the exemption has specific conditions — including that the regulated activity must be incidental to the professional services being provided — and many firms that rely on it do not analyse their activities carefully enough against those conditions.

Using PERG: The Perimeter Guidance Manual

The FCA publishes the Perimeter Guidance Manual (PERG) as part of the FCA Handbook. PERG provides the FCA’s interpretation of the regulated activities framework, including guidance on specific activities and their regulated status, explanations of the exclusions and exemptions, and Q&A-style analysis of common perimeter questions. PERG is not legally binding — it represents the FCA’s view of how the legislation applies — but it is the most authoritative public source of perimeter analysis available and is widely used by legal advisers and businesses navigating perimeter questions.

Businesses that are uncertain about their regulatory position should start with PERG before seeking specialist legal advice. In many cases, PERG provides sufficient clarity to answer the perimeter question without further analysis. Where PERG does not resolve the question — typically because the business model is sufficiently novel that the guidance does not address it directly — specialist legal advice and potentially a formal FCA pre-application engagement are the appropriate next steps.

What to Do if You Think You May Be Outside the Perimeter

The most important step for any business that suspects it may be carrying on regulated activities without authorisation is to take specialist legal advice immediately. The general prohibition creates criminal liability that cannot be managed through self-assessment alone, and the consequences of continuing to operate outside the perimeter while the position is being analysed can include aggravated enforcement action and personal criminal liability for the firm’s directors.

Subject to legal advice, the options typically available to a business that identifies a potential perimeter breach include: applying for FCA authorisation to regularise the position on a prospective basis; restructuring the business model to bring it within an available exclusion or exemption; appointing an Appointed Representative of an existing authorised firm to operate under its umbrella while the business’s own authorisation is in process; seeking a voluntary requirement from the FCA to cease the regulated activity pending authorisation; and in some cases, making a voluntary disclosure to the FCA while simultaneously implementing remediation measures.

The FCA’s approach to firms that self-disclose perimeter breaches and take prompt remedial action is meaningfully different from its approach to those where the breach is identified through enforcement activity. While a self-disclosure does not guarantee leniency, and the criminal consequences of the general prohibition breach cannot be waived by the FCA alone, the regulator’s consistent messaging is that firms that identify issues and come to it proactively are treated more favourably than those that continue unauthorised activities until they are caught.

Key References

• FSMA 2000, Section 19 — The general prohibition
• FCA Handbook PERG — Perimeter Guidance Manual
• The Financial Services and Markets Act 2000 (Regulated Activities) Order 2001

Principle 11 of the FCA’s eleven Principles for Business states: “A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice.” It is one of the shortest principles and one of the most consequential. The FCA has repeatedly used Principle 11 as the basis for enforcement action against firms that failed to tell it about significant developments in their business — not because those firms were hiding information, but because they did not properly understand the scope of what they were required to disclose and when.

The Two Limbs of Principle 11

Principle 11 contains two distinct obligations that operate simultaneously. The first is the cooperation obligation: firms must deal with the FCA in an open and cooperative manner. This covers not just what firms say to the FCA, but how they engage with it — whether they respond promptly to information requests, whether they provide complete and accurate information rather than technically accurate but misleading responses, and whether they approach the supervisory relationship as a genuine engagement rather than as a process to be managed at arm’s length.

The second is the disclosure obligation: firms must proactively disclose anything of which the FCA would reasonably expect notice. This is the more complex of the two because it requires firms to make a judgment — not just about what they are required to report under specific SUP rules, but about what the FCA would want to know even if no specific rule requires the notification. The disclosure obligation is therefore open-ended by design: the FCA has deliberately not defined exhaustively what must be disclosed, because to do so would allow firms to treat disclosure as a checklist exercise while withholding information that falls outside the enumerated categories.

The Relationship with SUP 15

The Principle 11 disclosure obligation is broader than the specific notification obligations in SUP 15. SUP 15 sets out specific categories of event that must be notified to the FCA, with specific timelines. Complying with SUP 15 is a necessary but not sufficient condition for meeting the Principle 11 disclosure obligation.

A firm that complies precisely with its SUP 15 notification obligations but fails to disclose a significant development that falls outside the specific SUP 15 categories has nonetheless breached Principle 11 if the FCA would reasonably have expected to be notified. This is not a hypothetical distinction — the FCA has taken enforcement action against firms that met all their specific notification requirements while failing to disclose broader developments that the FCA considered it should have known about. The Principle 11 obligation requires firms to ask a wider question than “does this trigger a SUP 15 notification?” — it requires asking whether the FCA would reasonably want to know about this, and disclosing where the answer is yes.

What the FCA Would Reasonably Expect Notice Of

The standard is what the FCA would “reasonably expect notice of” — which is a deliberately objective test. It does not ask whether the firm thought the development was significant, but whether the FCA would have considered it significant from its regulatory perspective. Firms therefore need to adopt the FCA’s perspective, not their own, when assessing whether a disclosure obligation is triggered.

The FCA’s perspective on what matters is guided by its statutory objectives: consumer protection, market integrity, promoting effective competition, and the financial stability objective for PRA-regulated firms. Developments that are relevant to any of these objectives are likely to fall within the Principle 11 disclosure scope. In practice, the categories that most frequently generate Principle 11 obligations include:

Material adverse developments in the firm’s financial position. Where the firm’s capital, liquidity or financial condition deteriorates materially — including where it falls below or is at risk of falling below regulatory minimums — the FCA expects prompt disclosure. This applies even before any formal threshold is breached: the FCA expects to be informed of significant emerging financial stress, not just of completed breaches of capital requirements.

Significant changes to the firm’s business or business model. Where the firm materially changes the nature of its activities, its target market, its product range or its business model, the FCA expects to be informed — particularly where the change affects the regulatory risk profile of the firm’s activities or its compliance with its existing permission. This obligation overlaps with the Variation of Permission process: where a business model change takes the firm outside its current permission, both a formal VoP application and a Principle 11 disclosure may be required.

Significant compliance failures. Where the firm discovers a material breach of FCA rules — particularly where customers may have suffered harm — the FCA expects prompt disclosure. The threshold for what counts as material is not defined precisely, but the FCA has consistently treated failures affecting significant numbers of customers, involving significant financial amounts, or involving systematic rather than isolated rule breaches as Principle 11 disclosable events. A single isolated compliance failure may not require Principle 11 disclosure; a pattern of the same failure repeated across the customer base almost certainly does.

Matters affecting the fitness of approved persons. Where the firm becomes aware of information that may affect the fitness and propriety of an approved person — including disciplinary proceedings, criminal proceedings, significant financial difficulties or regulatory concerns raised by another regulator — it has a Principle 11 obligation to disclose this promptly. The SMCR Senior Manager Conduct Rule 4 creates a parallel obligation on the individual, but the firm has its own Principle 11 obligation that runs independently.

Significant operational incidents. Cybersecurity incidents, IT failures, third-party outages or other operational events that have caused or may cause material disruption to the firm’s services or harm to its customers fall within the Principle 11 scope. The FCA’s interest in operational resilience has increased significantly in recent years, and firms should treat major operational incidents as potential Principle 11 disclosable events even where no specific rule requires notification.

Regulatory actions by other authorities. Where the firm or its affiliates receive significant regulatory attention from other domestic or overseas regulators — enforcement actions, supervisory directions, requirements, or formal investigations — the FCA expects to be informed. A firm that is being investigated by a foreign regulator and fails to disclose this to the FCA may have breached Principle 11 even if the overseas investigation relates to activities outside the FCA’s jurisdiction.

Material litigation and legal proceedings. Civil proceedings, arbitration, regulatory investigations, or significant threatened claims that could have a material impact on the firm’s financial position or its ability to meet its regulatory obligations fall within the Principle 11 scope. The threshold is materiality relative to the firm’s size and resources — a £50,000 claim against a large bank requires no Principle 11 consideration; the same claim against a small investment manager with limited capital may be a disclosable event.

The Timing Obligation: What Does “Appropriate” Mean?

Principle 11 requires disclosure “appropriately” — which includes a timing dimension. Disclosure that is technically made but unreasonably delayed does not meet the Principle 11 standard. What constitutes appropriate timing depends on the nature and urgency of the event: a major IT outage affecting thousands of customers in real time requires much more immediate disclosure than a gradual deterioration in capital adequacy that has not yet reached a critical threshold.

The FCA’s general expectation is that firms should disclose material developments as soon as they become aware of them, or as soon as they should reasonably have become aware of them. The “should reasonably have become aware” element is important: a firm cannot avoid its Principle 11 obligation by maintaining governance arrangements that prevent information about significant events from reaching the management team or compliance function. The FCA will assess whether the information existed within the firm, and whether an appropriately governed firm would have known about it and disclosed it, regardless of whether the specific individuals responsible for disclosure were actually aware.

For compliance functions, this creates a specific responsibility: ensuring that the firm has adequate processes to identify Principle 11 disclosable events and escalate them promptly. This means the compliance function must be integrated into the firm’s incident management, litigation management, financial monitoring and operational risk processes — not as a downstream recipient of information, but as an active participant in identifying when the disclosure threshold has been reached.

The SMCR Dimension: Senior Manager Conduct Rule 4

Senior Manager Conduct Rule 4 in COCON places a parallel disclosure obligation directly on individual SMF holders: they must disclose to the FCA, the PRA or other relevant regulatory bodies any information of which those bodies would reasonably expect notice. This creates a dual obligation — the firm has a Principle 11 obligation and each SMF holder has a personal Conduct Rule 4 obligation — that run independently of each other.

The significance of the dual obligation is that the FCA can take action against both the firm (for Principle 11 breach) and the individual SMF holder (for Conduct Rule 4 breach) arising from the same failure to disclose. Where a firm fails to disclose a material compliance failure, the firm may face a financial penalty under Principle 11, and the SMF holder with compliance oversight accountability may face personal enforcement action under Conduct Rule 4 — even if the SMF holder was not personally responsible for the underlying failure, if they were aware of it and failed to ensure it was disclosed.

For SMF holders, the practical implication is that they cannot rely on the compliance function to manage the Principle 11 disclosure process as a purely operational matter. Each SMF holder has a personal obligation to consider, within their area of accountability, whether there are matters that should be disclosed to the FCA — and to act on that obligation independently of what the compliance function may or may not be doing.

Consequences of Failure

The FCA has used Principle 11 consistently as an enforcement lever — both as a standalone basis for action and as an aggravating factor in enforcement proceedings where the underlying conduct could have been managed had the FCA been informed earlier. The consequences of Principle 11 failure range from financial penalties for the firm and the relevant SMF holders, to a more difficult ongoing supervisory relationship, to an increased risk of further enforcement action where the FCA concludes that the non-disclosure was part of a pattern of misleading engagement.

Crucially, Principle 11 failures rarely occur in isolation. A firm that fails to disclose a significant compliance problem typically also has underlying governance and compliance culture issues that the FCA will examine once it becomes aware of the non-disclosure. The Principle 11 failure therefore often becomes the entry point for a much broader supervisory or enforcement engagement. Prompt and transparent disclosure — even of uncomfortable developments — is consistently the more favourable path, both from a regulatory relationship perspective and from the perspective of managing the scope and duration of the FCA’s engagement.

Building Effective Principle 11 Processes

Effective Principle 11 compliance cannot be achieved through a policy document alone. It requires the firm to embed the disclosure standard into its incident management, governance and escalation processes in a way that ensures potential Principle 11 events are identified, assessed and escalated to decision-makers promptly.

The most effective Principle 11 frameworks share several characteristics. First, they define the disclosure assessment as a formal step in the firm’s incident and issue management process — not an afterthought, but a structured question asked each time a significant incident or issue is identified: would the FCA reasonably want to know about this? Second, they assign clear ownership for the Principle 11 assessment, typically to the SMF16 (compliance oversight function) with explicit escalation obligations where the assessment is uncertain. Third, they create a simple and fast escalation path to the CEO and Chair so that disclosure decisions — which often need to be made quickly — can be taken at the right level without bureaucratic delay. Fourth, they maintain a disclosure log that records all Principle 11 assessments made, whether they resulted in disclosure or a decision not to disclose, and the rationale for each decision. This log is itself evidence of compliance: it demonstrates that the firm is actively applying the Principle 11 standard rather than treating the obligation as notional.

Key References

• FCA Handbook PRIN 2.1 — The Principles
• FCA Handbook COCON — Senior Manager Conduct Rule 4
• FCA Handbook SUP 15 — Notifications to the FCA

For many regulated firms, SYSC 4 operates largely in the background — referenced in governance policies, cited in training materials, but rarely examined in depth. This is a mistake. SYSC 4 sets the governance standard against which the FCA assesses whether a firm’s management body is capable of overseeing the firm effectively, whether its organisational structure is clear and appropriate, and whether its decision-making processes are consistent with the expectations of a well-governed regulated entity. Getting SYSC 4 right is not just a compliance matter — it is the foundation for the SMCR’s accountability framework, the threshold conditions assessment at authorisation, and the FCA’s supervisory view of whether the firm’s senior management is fit for purpose.

The Scope and Structure of SYSC 4

SYSC 4 applies to all FCA-regulated firms with a Part 4A permission, though its specific requirements vary by firm type. For most investment firms, the requirements are set out in SYSC 4.1, which implements the governance provisions of MiFID II. For banks and building societies, PRA requirements run alongside SYSC 4 and are typically more prescriptive. For smaller consumer credit or payment institution firms, the SYSC 4 requirements are somewhat lighter in their formal structure but the underlying governance principles remain the same.

The sourcebook is organised around four interconnected obligations: the management body requirement, the organisational structure requirement, the four-eyes principle, and the record-keeping and delegation framework. Understanding each in depth, and understanding how they interact in practice, is the starting point for building a governance framework that genuinely satisfies the FCA’s expectations.

The Management Body: Composition and Capability

SYSC 4.3A requires firms to have a management body that is collectively responsible for the firm’s strategy, governance and oversight. The management body must collectively possess adequate knowledge, skills and experience to understand the firm’s activities, including its principal risks. Individual members must be of sufficiently good repute, act with integrity and independence of mind, commit sufficient time to their functions, and avoid conflicts of interest that could compromise their independent judgment.

In practice, the FCA assesses management body composition primarily through the SMF approval process. Each proposed member of the management body who holds an SMF must demonstrate individual fitness and propriety through the Form A application process. But the SYSC 4.3A collective assessment goes further: the FCA expects the firm to have assessed whether the management body as a whole — not just individual members — has the range of experience and expertise needed to govern the firm’s specific business.

For a payment institution with a technical founder as CEO, the management body collective capability assessment might identify a gap in regulatory expertise that needs to be filled by an independent non-executive director with a compliance or regulatory background. For a wealth management firm, the collective assessment might identify a gap in investment expertise at board level that requires either a new board appointment or a restructuring of the committee framework to bring that expertise into the governance structure through a sub-committee. The SYSC 4.3A assessment is therefore both a diagnostic tool and a governance design exercise.

The time commitment requirement in SYSC 4.3A is more significant than it might appear. The FCA expects management body members to commit sufficient time to perform their functions effectively — which means not holding so many directorships that their ability to engage with the firm’s business is impaired. For non-executive directors, the FCA has been explicit in its guidance that the time commitment to each board role must be assessed at the point of appointment and monitored thereafter. A non-executive director who holds eight board roles cannot realistically meet the time commitment standard for each of them, and a firm that appoints such an individual has not met its SYSC 4.3A obligation.

The Four-Eyes Principle in Practice

SYSC 4.1.1R requires that the firm’s business is managed by at least two persons — the four-eyes principle. The rationale is straightforward: sole decision-making at the most senior level of a regulated firm creates unacceptable concentration risk. Where a single individual controls all significant decisions, there is no internal check on that individual’s judgment, conduct or potential for misconduct.

The four-eyes principle does not simply require two individuals to hold SMF titles. It requires that the firm’s business is genuinely managed by at least two individuals — meaning both must have real decision-making authority over the firm’s principal activities, not one as a principal and another as a nominal requirement. The FCA looks at the substance of the arrangement: do both individuals attend key governance meetings? Do both have access to management information? Do both take decisions and exercise judgment on significant matters? Where one individual is clearly dominant and the second is present in name only, the four-eyes principle is not satisfied regardless of what the governance documents say.

For early-stage firms, the four-eyes principle creates a practical challenge when the founding management team is small. A founder who is sole CEO must find a genuine counterpart — whether a co-founder, a non-executive chair, or an independent director — who has real authority and engagement with the business. This is often the first governance design challenge that firms face in the FCA authorisation process, and it is one where getting the right person matters more than getting the right title.

Organisational Structure: Clarity and Appropriateness

SYSC 4.1.1R also requires firms to have a clear and appropriate organisational structure with well-defined, transparent and consistent lines of responsibility. In practice, this means the firm must be able to demonstrate — on paper and in reality — who is responsible for each significant area of the firm’s activities, how that responsibility is exercised, and how information flows between the different parts of the organisation to support effective oversight.

The organisational structure requirement has two dimensions. The first is the internal structure: how the firm’s management layers, business lines and support functions relate to each other, and how authority is distributed across them. The second is the SMCR dimension: how the firm’s management responsibilities map against the SMF holders who bear accountability for each area. SYSC 4’s organisational structure requirement and the SMCR’s Management Responsibilities Map are two expressions of the same underlying obligation — that the firm’s governance structure is coherent and that accountability is clearly allocated.

Firms with matrix structures, dotted-line reporting relationships, or shared service arrangements with group entities face particular challenges in meeting the SYSC 4 organisational clarity standard. The FCA expects to be able to trace accountability from each regulated activity to a named individual with clear responsibility for it. Where dotted-line reporting creates ambiguity about whether a compliance function’s primary accountability is to a local managing director or to a group head of compliance in another jurisdiction, the firm must resolve that ambiguity — typically through clear documented governance arrangements that specify which lines carry accountability rather than simply information-sharing.

The Three Lines of Defence and SYSC 4

SYSC 4 does not prescribe the three lines of defence model, but it is the dominant framework through which FCA-regulated firms operationalise the SYSC 4 governance requirements. The first line — operational management — owns the risks within its business area and is the primary control environment. The second line — risk and compliance — provides independent oversight and challenge of the first line’s risk management. The third line — internal audit — provides independent assurance to the board on the effectiveness of the first and second lines.

The FCA’s SYSC 4 expectations interact with the three lines in specific ways. For the compliance function, SYSC 6 (which sits alongside SYSC 4) requires firms to have a permanent, effective and independent compliance function. For the risk function, SYSC 4.3A requires that the risk function has appropriate stature within the firm — including direct access to the management body and, in the most significant firms, a dedicated Chief Risk Officer (SMF4) who reports directly to the board. For internal audit, SYSC 4.3A and the separately designated SMF5 function require that the head of internal audit has the authority and independence to provide genuine assurance rather than management-directed review.

Where firms cannot sustain all three lines on a standalone basis — as is typically the case for smaller regulated firms — the FCA accepts proportionate arrangements. A small payment institution may not have a dedicated internal audit function, but it must be able to demonstrate how independent assurance is obtained — whether through outsourced audit, periodic independent review by external experts, or audit committee oversight by non-executives with the relevant expertise. The key is proportionality combined with genuine independence: the arrangement must provide real assurance, not just the appearance of it.

Delegation Under SYSC 4

SYSC 4.1.1R requires firms to have adequate internal control mechanisms, including sound administrative and accounting procedures, and arrangements for managing risks. One of the most practically significant aspects of this is the delegation framework — how the management body delegates specific functions to individuals and sub-committees, while retaining ultimate responsibility for the outcomes.

Under SYSC 4, delegation does not transfer accountability. A board that delegates the oversight of the compliance framework to the audit committee retains accountability for ensuring the audit committee is properly constituted, adequately informed and effectively performing its delegated function. An SMF holder who delegates specific tasks to a team retains the SMCR reasonable steps obligation to oversee the delegate’s performance. This is a fundamental principle that firms with complex governance structures must embed in their governance design: delegation is a management technique, not an accountability transfer mechanism.

The delegation framework must be documented. The FCA expects firms to be able to produce a clear record of what has been delegated, to whom, with what authority limits, and with what monitoring and reporting obligations. In practice, this means maintaining a delegation register or equivalent document that links the management body’s responsibilities to the individuals and sub-committees that exercise them. Board terms of reference, committee charters and individual job descriptions should all be consistent with the delegation framework and should be reviewed and updated when organisational changes affect the allocation of responsibilities.

SYSC 4 and the SMCR: The Accountability Interface

SYSC 4 and the SMCR are deeply interconnected, and understanding how they interact is essential for firms that want to build a coherent governance framework rather than two parallel systems that run alongside each other without genuine integration.

The SMCR’s Statement of Responsibilities maps directly onto the SYSC 4 organisational clarity requirement: the SoR is the individual-level expression of what the Management Responsibilities Map describes at the firm level. A firm with a clear SYSC 4 governance structure will find the SoR drafting exercise straightforward, because the accountability it documents in the SoR should be a direct reflection of the governance structure that SYSC 4 requires. A firm that struggles to draft clear SoRs typically has an underlying governance clarity problem that SYSC 4 is designed to address.

The SMCR’s reasonable steps obligation — the mechanism through which SMF holders avoid personal liability for failures within their area — also operates through the governance framework that SYSC 4 requires. An SMF holder who can point to a governance structure that provides them with adequate information, through clear reporting lines, from appropriately resourced functions, is in a much stronger position to demonstrate reasonable steps than one operating in an ad hoc governance environment where information flows are informal and accountability is unclear.

Common SYSC 4 Failures Identified in FCA Supervision

The FCA’s supervisory and enforcement work consistently identifies the same categories of SYSC 4 failure. The most common are: management bodies that lack genuine collective expertise across the firm’s principal risk areas; organisational structures with unclear lines of responsibility particularly at the boundary between business lines and control functions; governance documents that describe an aspirational structure rather than the one actually in operation; delegation frameworks that exist on paper but are not reflected in how the firm actually makes decisions; and compliance and risk functions that lack the independence, stature and resource to provide genuine second-line challenge rather than documentation of first-line decisions.

Each of these failures has two dimensions: the technical breach of SYSC 4’s requirements, and the more significant practical consequence that the firm’s governance does not actually provide the oversight and control that SYSC 4 is designed to require. The FCA’s supervisory approach has consistently been to look through governance documentation to assess whether the firm’s governance actually operates as described — and where it does not, to treat the gap between documented and actual governance as the primary concern.

Building a SYSC 4-Compliant Governance Framework in Practice

For a firm building its governance framework from scratch — typically in the context of an FCA authorisation application or a significant governance restructuring — the starting point is a gap analysis against the SYSC 4 requirements. This covers: the management body’s collective competence across the firm’s principal activities and risks; the four-eyes principle and whether the two most senior individuals have genuine joint accountability; the organisational structure and whether lines of responsibility are clear, documented and consistent with the SMCR allocations; the three lines of defence and whether each line has appropriate independence and resource; and the delegation framework and whether the board’s delegated functions are properly documented and monitored.

The governance framework that results from this analysis should be documented in a set of core governance documents: board terms of reference; committee charters for each sub-committee; a delegation register; the Management Responsibilities Map; and individual Statements of Responsibilities for each SMF holder. These documents should be consistent with each other, reviewed at least annually, and updated when material organisational changes occur. The consistency between these documents and the firm’s actual governance practice is the standard the FCA will assess — and it is the standard that SMF holders should hold themselves to, not simply as a regulatory compliance matter but as the foundation of the individual accountability that the SMCR requires them to exercise.

Key References

• FCA Handbook SYSC 4 — General organisational requirements
• FCA Handbook SYSC — Senior management arrangements, systems and controls
• FCA — SMCR guidance

As part of the FCA authorisation process and the gateway assessment for certain regulated activities, the CEO (SMF1) and Chair (SMF9) of the applicant firm are required to provide statements that describe their understanding of the firm’s business, its regulatory obligations, its governance framework and their personal accountability under the SMCR. These statements are assessed by the FCA as evidence of leadership competence and regulatory understanding — not as a formality to be signed off at the end of the application process.

What the FCA Is Assessing

The FCA uses the CEO and Chair Statements to assess three things: whether the individual understands the regulatory framework applicable to the firm’s proposed activities; whether they understand their personal accountability under SMCR and what the Statement of Responsibilities means in practice; and whether the firm’s governance arrangements — as described by the CEO and Chair — are credible and proportionate to the firm’s activities and risk profile.

A statement that reads as if it has been drafted by a solicitor or compliance consultant and signed without genuine engagement from the individual will typically generate FCA queries — or, in the worst case, an invitation to an FCA interview to assess whether the signatory actually understands the content. The FCA’s interviewers are experienced at identifying the difference between a statement drafted by the individual and one drafted on their behalf.

The CEO Statement: Structure and Content

Business and strategy. The CEO statement should open with a concise description of the firm’s proposed business — what it does, who its clients are, and what regulated activities it will carry on. This should be specific to the firm, not a restatement of the generic regulatory business plan. The CEO’s description of the business should reflect their direct involvement in defining the strategy and their understanding of how the firm will compete and generate revenue in its chosen market.

Regulatory framework. The CEO must demonstrate that they understand which regulatory framework applies to each aspect of the firm’s proposed activities — which FCA rules govern the client-facing activities, what the capital requirements are and why, and how the firm’s compliance arrangements are designed to address those requirements. This section should be specific to the firm’s actual permission rather than a generic description of FCA regulation. A CEO who can articulate why the firm’s specific business model requires specific compliance controls has demonstrated a level of engagement that the FCA will find reassuring.

Personal accountability. The CEO’s statement must address their understanding of their SMCR obligations — the functions they will hold, the responsibilities allocated to them in their Statement of Responsibilities, and what “reasonable steps” will look like in practice in their role. This should go beyond a description of the SMF1 function to describe how the CEO will actually discharge their oversight responsibilities: what MI they will receive, what decisions they will take, how they will interact with the compliance and risk functions.

Risk and governance. The statement should address the firm’s key risks — the risks inherent in its business model, client base and regulatory activities — and describe how the governance framework is designed to identify, manage and escalate those risks. The CEO should be able to describe the firm’s governance structure in their own terms, not in the formal language of the regulatory business plan. A CEO who can explain why the firm’s committee structure is designed the way it is has demonstrated genuine ownership of the governance framework.

The Chair Statement: A Different Focus

The Chair’s statement covers different ground from the CEO’s. The FCA expects the Chair to demonstrate their understanding of their role as an independent oversight function — how they will challenge the executive, how the board will be constituted and governed, and how they will ensure that the firm’s governance framework operates effectively in practice rather than just on paper.

Independence and challenge. The Chair must be able to articulate what genuine independence looks like in the context of this specific firm. For a new or small firm where the Chair may know the executive team personally or have been involved in founding the business, the question of independence is particularly important. The FCA will look for evidence that the Chair understands the potential conflicts and has a credible approach to managing them.

Board constitution and effectiveness. The statement should describe how the board is constituted, what the relevant skills and experience of board members are, and how the Chair will ensure that the board operates as an effective governance body rather than as a rubber stamp for executive decisions. The FCA expects the Chair to describe the processes for board evaluation, skills assessment and succession planning — even for early-stage firms.

SMF9 accountability. The Chair holds SMF9 — the Chair of the Governing Body function — and must demonstrate their understanding of what that accountability means. The Chair’s statement should describe how they will discharge their reasonable steps obligations as SMF9: what information they will receive, what their role is in relation to the SMF1 CEO, and how they will manage situations where they have concerns about executive conduct or governance failures.

Common Weaknesses the FCA Identifies

Generic language is the most consistent weakness. A statement that describes the firm’s governance framework in terms that could apply to any regulated firm — “the board will meet quarterly to review performance against strategic objectives and ensure regulatory compliance” — tells the FCA nothing about this specific firm. The statement should be specific enough that the FCA can tell it was written for this application, not repurposed from a template.

Regulatory framework descriptions that are too high-level or inaccurate. CEOs and Chairs who describe their regulatory obligations in terms that do not match the firm’s actual permission — or who confuse the regulatory requirements applicable to different types of firm — signal that the individual has not engaged closely with the regulatory framework. The FCA will query or escalate any statement that suggests a material misunderstanding of the applicable rules.

SMCR accountability described in passive terms. A CEO who describes their SMCR accountability as “overseeing the compliance function” or “taking responsibility for regulatory compliance generally” has not described the active, specific oversight obligation the SMCR creates. The statement should describe what the CEO will do — not what the compliance function will do on the CEO’s behalf.

Tone and Length

The statements should be in the first person, written in the individual’s own voice, and should reflect genuine engagement rather than technical drafting. They do not need to be long — a focused two to three pages for a CEO and one to two pages for a Chair is typically sufficient for a non-bank regulated firm. Length does not substitute for specificity: a concise statement that addresses each of the FCA’s assessment criteria specifically is significantly more effective than a lengthy one that covers each in general terms.

Key References

• FCA — Authorisation application guidance
• FCA Handbook FIT — fit and proper requirements

A Variation of Permission (VoP) allows an FCA-authorised firm to modify its existing Part 4A permission — adding or removing regulated activities, changing the scope or conditions on existing activities, or removing limitations that were imposed at authorisation. VoPs are regulated under Section 55I of FSMA and are assessed by the FCA using the same threshold conditions framework as the original authorisation.

When Does a Firm Need a VoP?

A firm needs a VoP whenever it wishes to carry on a regulated activity not currently covered by its permission, or to remove a limitation or condition that is preventing it from operating as it wishes. Common triggers include: adding a new product or service that involves a regulated activity (for example, a payment firm adding consumer credit); expanding into a new regulated business area (for example, a wealth manager adding discretionary management to an advisory-only permission); removing the client or counterparty limitations that were imposed at the time of original authorisation; and upgrading from a limited to a full permission in areas such as consumer credit.

A common mistake is to assume that if an activity is within the general scope of the firm’s existing permission, no VoP is needed. In practice, FCA permissions are often more narrowly defined than firms realise — the regulated activity description, client categorisation limits and geographic limitations in the original permission may exclude activities the firm now wants to conduct. Firms should check their permission on the FCA Register against the proposed new activity before proceeding, and obtain legal advice if the position is unclear.

What the VoP Application Involves

The VoP application is submitted through FCA Connect and follows a similar structure to the original authorisation application — but scoped to the new or varied activities. The key components are: a description of the proposed new or varied activities and the regulated activity category they fall within; an updated or supplementary regulatory business plan addressing the new activities specifically; evidence of financial resources adequate to support the expanded activities; confirmation of the SMF holders who will be accountable for the new activities; and, where the new activities create new regulatory risks, an explanation of the controls the firm has in place to manage them.

Where the VoP involves adding a significantly different category of regulated activity — for example, a payment firm adding consumer credit, or an investment firm adding insurance distribution — the FCA will assess the new activities against the full threshold conditions framework. This means the VoP application for a materially new activity is almost as comprehensive as a fresh authorisation application for that activity in isolation.

VoP Timelines

The statutory framework for VoPs mirrors the authorisation framework: the FCA has six months from receipt of a complete application to determine it. In practice, straightforward VoPs — adding a related activity to an existing permission for a firm with a clean supervisory history — are typically determined in six to ten weeks. VoPs involving a new category of activity, a change in the firm’s business model, or submission by a firm currently under FCA supervisory attention take considerably longer and should be planned for on a three to five month timeline.

One underappreciated timing issue: the FCA cannot process a VoP application while the firm has an outstanding information request or is the subject of an ongoing supervisory action. Firms in active supervisory engagement should resolve that engagement before submitting a VoP, or should disclose the supervisory context in the application and discuss the timing with their FCA supervisory contact.

FCA-Imposed VoPs: The Other Direction

VoPs are not only firm-initiated. The FCA has the power under Section 55J to impose a variation of permission on its own initiative — restricting or removing regulated activities from the firm’s permission as a supervisory or enforcement measure. These own-initiative VoPs (OIREQs) are a less severe alternative to full cancellation, used where the FCA wants to constrain the firm’s activities without removing its authorisation entirely.

Firms subject to an own-initiative VoP receive a Warning Notice in the same way as firms subject to cancellation proceedings, and have the same rights to make representations and to refer to the Upper Tribunal. The same considerations on the Warning Notice stage apply: it is the most productive point at which to engage with the FCA’s concerns and, where possible, to agree a voluntary variation rather than waiting for the imposed one.

SMF Implications of a VoP

Where a VoP adds new regulated activities that fall within an existing SMF holder’s accountability, the firm must consider whether the SMF holder’s Statement of Responsibilities should be updated — and whether the FCA expects notification of that change. Where the new activities fall outside the existing SMF holders’ accountabilities and a new SMF appointment is required, the Form A application for the new SMF holder must be processed in parallel with the VoP. The FCA will not approve new regulated activities under a VoP while the required SMF approvals are outstanding.

The interaction between VoP timelines and SMF approval timelines is one of the most common planning failures in permission expansion projects. Firms that submit the VoP application before identifying the SMF holder responsible for the new activities — or that identify the holder but fail to submit the Form A simultaneously — create a dependency that extends the overall project timeline by the full duration of the Form A process.

Key References

• FSMA 2000, Section 55I — Variation of permission on application
• FCA — Varying your permission

Section 55J of FSMA gives the FCA the power to cancel a firm’s Part 4A permission — its authorisation to carry on regulated activities. The power can be exercised on the FCA’s own initiative (known as OIREQ, or Own Initiative Requirement) or in response to specific triggers identified in the FCA’s supervisory process. This post covers the main triggers, the procedural framework the FCA must follow, and how firms should respond.

The Grounds for Cancellation

The FCA can cancel a firm’s permission under Section 55J on several grounds. The most commonly invoked are: the firm is failing or likely to fail to satisfy one or more of the threshold conditions (particularly the appropriate resources and suitability conditions); the firm has not carried on a regulated activity for which it has permission for 12 months; the firm has provided false or misleading information in its application or in subsequent regulatory submissions; the firm has seriously or persistently failed to comply with FCA rules; or cancellation is necessary to protect consumers or the integrity of the financial system.

Of these, the threshold conditions ground is the most frequently used in practice. A firm that has allowed its financial resources to fall below the minimum required, that has lost its key personnel and has no adequate replacements, or that has engaged in conduct that calls its suitability into question will typically find the FCA invoking the appropriate resources or suitability threshold condition as the basis for cancellation proceedings.

The Warning Notice Process

Before cancelling a permission, the FCA must (in all but emergency cases) issue a Warning Notice to the firm. The Warning Notice sets out the proposed action, the FCA’s reasons and the evidence on which it relies. The firm then has a specified period — typically 28 days — to make written representations and, if it requests, an oral hearing before the Regulatory Decisions Committee (RDC).

The Warning Notice stage is critical and frequently underused by firms. Many firms treat the Warning Notice as the beginning of the end rather than as a genuine opportunity to respond. In practice, well-prepared representations — addressing each of the FCA’s stated grounds specifically, providing remediation evidence, and demonstrating that the concerns have been or are being addressed — can and do result in the FCA withdrawing the proposed cancellation or agreeing to a lesser action such as a Requirement or Variation of Permission instead.

Emergency Cancellation: The Urgent Cases Power

Where the FCA considers it necessary to act immediately to protect consumers or the financial system, it can cancel a firm’s permission without issuing a Warning Notice first, under the urgent cases provisions in FSMA. In these circumstances, the FCA issues a Decision Notice cancelling the permission and the firm’s right to challenge runs from that point — through the Upper Tribunal if the firm disagrees with the decision.

Emergency cancellations are relatively rare — the FCA uses them where it has evidence of ongoing harm that requires immediate action. They are most commonly seen in response to Ponzi scheme activity, misappropriation of client assets, or firms that have made fraudulent representations to clients or to the FCA itself.

The Decision Notice and Upper Tribunal

If the firm’s representations do not persuade the FCA to withdraw the Warning Notice, the RDC considers the matter and the FCA issues a Decision Notice. The firm then has 28 days to refer the matter to the Upper Tribunal (Tax and Chancery Chamber), which conducts a full merits review of the FCA’s decision — not merely a judicial review of whether the FCA followed its process correctly.

Upper Tribunal proceedings are full hearings with evidence and legal argument. They are expensive, time-consuming, and uncertain in outcome. Firms considering a Tribunal challenge should take legal advice at the Warning Notice stage rather than at the Decision Notice stage — by the time the Decision Notice is issued, the time available for preparation is significantly shorter. The Tribunal has the power to uphold the FCA’s decision, substitute a different decision, or remit the matter back to the FCA for reconsideration.

Voluntary Cancellation vs FCA-Initiated

Firms that are planning to wind down, cease regulated activities, or restructure their permissions can apply for a voluntary cancellation of permission under Section 55H. This is a fundamentally different process from Section 55J cancellation — it is initiated by the firm, not the FCA, and does not carry the reputational and regulatory consequences of a forced cancellation.

Where a firm is facing potential FCA-initiated cancellation proceedings, voluntary cancellation is sometimes considered as a way of controlling the process. This approach requires careful legal advice: voluntary cancellation does not preclude the FCA from subsequently investigating the firm’s former activities or taking action against individuals under the SMCR. In some circumstances, voluntary cancellation can demonstrate cooperation with the FCA’s concerns and reduce the risk of further enforcement action; in others it has no such effect.

How Firms Should Respond to Early Supervisory Warning Signs

Section 55J proceedings rarely arise without prior supervisory warning signals. A firm facing an FCA visit, a Section 166 review, an information request under Section 165, or a proposed requirement under its supervisory powers is at an earlier stage of a process that can — if not well managed — culminate in cancellation proceedings. The most effective point at which to address the FCA’s concerns is always the earliest — before formal cancellation proceedings are triggered.

Firms receiving any FCA supervisory communication that suggests dissatisfaction with their compliance, governance or financial position should immediately ensure that: their SMF16 (compliance oversight function) holder is actively engaged; their legal advisers are briefed; and their board is made aware of the supervisory interaction and its potential implications. The SMCR obligation on SMF holders to disclose matters the FCA would reasonably expect to be informed of applies throughout — a firm that receives a Warning Notice and does not disclose this to the FCA in the context of related applications or dealings has compounded its regulatory exposure.

Key References

• FSMA 2000, Section 55J — Cancellation of permission
• FCA — Enforcement and supervisory powers

New firms approaching the FCA authorisation process consistently underestimate how long it will take and what it requires. This post covers realistic timelines for 2026 based on current FCA processing patterns, the specific factors that create delay, and how firms can manage the process to avoid the most common bottlenecks.

The Statutory Framework

Under FSMA, the FCA has six months to determine a complete application, or 12 months for an incomplete one. These are hard statutory deadlines — the FCA cannot exceed them. In practice, the FCA aims to assess applications significantly faster than these maximums. The six-month clock starts from when the FCA receives a complete application, not from first submission — which means that applications with gaps, missing information or unanswered queries effectively have their clock paused or extended until the deficiency is remedied.

Realistic 2026 Timelines by Firm Type

Standard investment firm or payment institution (straightforward): A clean application — complete regulatory business plan, appropriate capital, clear SMF holders with adequate experience, no novel business model — typically receives acknowledgement within two to four weeks and determination within 10 to 16 weeks of that acknowledgement. Total elapsed time from submission: three to four months.

Investment firm or payment institution (with queries): Where the FCA has specific questions — about the regulatory business plan, a proposed SMF holder’s experience, the adequacy of the firm’s financial resources, or the business model’s fit with the regulatory framework — each query round adds four to eight weeks. A single query round takes a well-prepared application from three to four months to four to six months. Multiple rounds push timelines to five to seven months.

Bank or building society (PRA dual-regulated): Dual-regulated applications are processed jointly by the FCA and PRA, and are consistently more time-intensive. Timelines of 12 to 18 months are normal, with some complex banking applications exceeding two years. The PRA’s capital assessment and resolution planning requirements add layers of analysis that the FCA-only process does not require.

Consumer credit firm: Consumer credit authorisation (as distinct from full FSMA authorisation) has historically been faster — three to five months for straightforward applications — but FCA supervisory priorities in 2025 and 2026 have meant more detailed scrutiny of credit business models, particularly those involving BNPL-adjacent products and high-cost credit features.

Cryptoasset firm (registration): The FCA’s cryptoasset registration regime has been significantly more challenging than most applicants anticipate. Rejection rates are high and the FCA has been explicit about the standards it expects — particularly on AML controls, MLRO capability, and sanctions screening. Timelines for crypto registration are highly variable and firms should plan for 9 to 18 months from submission to determination.

The Five Biggest Sources of Delay

1. The regulatory business plan. The RBP is the document on which the FCA’s assessment turns most heavily — it describes the firm’s proposed business, regulatory framework, governance structure, risk management approach and financial projections. RBPs that are generic, that fail to address the specific regulatory requirements applicable to the proposed activities, or that contain inconsistencies with other parts of the application generate significant FCA queries. Investing in a well-drafted RBP before submission saves multiples of that time in query management.

2. SMF regulatory references. The most common single cause of timeline extension is delay in obtaining regulatory references for proposed SMF holders. References must cover the preceding five years and must be obtained before the FCA can complete its assessment. Firms that initiate reference requests after submitting the application rather than before routinely add four to six weeks to the timeline purely because of the reference chase.

3. Financial resources adequacy. The FCA requires firms to demonstrate adequate financial resources — not just minimum capital, but a realistic projection of what the firm needs to operate through its first 12 months. Applications that submit minimum capital without a credible financial model showing resource adequacy against projected operations attract queries that require additional financial analysis and modelling to resolve.

4. Novel or complex business models. Applications involving activities the FCA has not frequently assessed — new payment models, hybrid regulatory perimeters, unusual distribution structures — take longer because the FCA must develop its own understanding of the risks before it can assess the adequacy of the firm’s proposed controls. The FCA’s Innovation Hub can provide pre-application engagement for genuinely novel business models, which is worth pursuing if the firm’s activities are unusual.

5. FCA resourcing fluctuations. The FCA’s authorisation team processes a high volume of applications and its effective throughput varies. Peaks in application volumes — often in Q4 following pre-deadline submission rushes — can add four to six weeks to processing times independently of the individual application’s quality.

Planning Around the Timeline

The most important practical step is to plan the authorisation timeline into the firm’s business plan and funding model. A firm that raises seed investment on the assumption of a three-month FCA process and then encounters a six-month timeline faces a cash and operational problem alongside a regulatory one. Modelling for five to six months as a base case — with contingency for seven to eight months — is prudent for most non-bank applications.

Pre-application engagement with the FCA is available and underused. The FCA’s Connect platform supports pre-application meetings for firms with complex or novel authorisation requirements. These meetings do not accelerate the formal timeline, but they allow the FCA to flag concerns with the proposed business model before the formal clock starts — which is significantly more efficient than discovering those concerns in a query letter eight weeks into the assessment.

Key References

• FCA — Applying for authorisation
• FCA Connect — authorisation portal

Treating Customers Fairly was the dominant conduct framework for FCA-regulated retail firms for nearly two decades. When Consumer Duty came into force in July 2023, it did not replace TCF — Principle 6 and the TCF obligations remain live. But Consumer Duty raised the standard materially, changed how firms must evidence compliance, and shifted the FCA’s enforcement posture. This post explains what actually changed and where firms most commonly misunderstand the transition.

TCF: A Principles-Based Framework With Process Focus

TCF, operationalised through Principle 6 (“a firm must pay due regard to the interests of its customers and treat them fairly”), was a high-level obligation. The FCA articulated six consumer outcomes it expected firms to achieve, but the mechanism was largely principles-based: firms had to demonstrate that treating customers fairly was embedded in their culture, and that their processes were designed to produce fair outcomes.

In practice, TCF compliance was evidenced through management information — reports showing complaints data, mystery shopping, product performance monitoring, staff training records. The obligation was predominantly backward-looking: the question was whether the firm had processes in place and whether those processes had produced fair outcomes in aggregate. It was also predominantly passive in its governance requirements — boards received MI on TCF outcomes but there was no prescribed format for how that oversight should be structured or how frequently it needed to occur.

Consumer Duty: A Prescriptive Outcomes Framework

Consumer Duty operates through Principle 12 — “a firm must act to deliver good outcomes for retail customers” — supported by four prescribed outcome areas and three cross-cutting rules. The shift from TCF is in three dimensions: specificity, proactivity and governance intensity.

Specificity. Where TCF required firms to treat customers fairly in general terms, Consumer Duty specifies four outcome areas that firms must actively deliver: products and services that are fit for purpose, fair value, consumer understanding, and consumer support. Each outcome area has supporting rules in PRIN and COBS that define in practical terms what “delivering good outcomes” means. Firms cannot satisfy Consumer Duty with a general statement that they treat customers fairly — they must demonstrate performance against each outcome area specifically.

Proactivity. TCF focused materially on whether harm had occurred — whether the firm’s products and processes had produced fair outcomes in practice. Consumer Duty adds a forward-looking obligation: firms must act to avoid foreseeable harm, not merely respond to harm after it occurs. A firm that identifies a product feature that is likely to cause poor outcomes for a segment of its customer base must act to remediate it, even if no customer has yet complained. This is a fundamentally different compliance posture from TCF.

Governance intensity. Consumer Duty requires a documented annual board report assessing whether the firm is delivering good outcomes across all four areas. This is a prescribed governance obligation — not a management information package, but a formal board-level assessment that must be signed off by the appropriate senior manager. Under TCF, the board received MI; under Consumer Duty, the board owns the outcome assessment and is accountable for remedial action where outcomes are falling short.

The Fair Value Obligation: TCF Had No Equivalent

The Consumer Duty price and value outcome is probably the most significant new obligation — it has no meaningful equivalent in TCF. Firms must assess and be able to demonstrate that the price customers pay for a product or service is reasonable relative to the benefits they receive. This requires a structured fair value assessment covering: the costs of the product, the benefits delivered to the target market, the value relative to comparable products in the market, and whether different segments of the customer base receive materially different value for the same price.

For wealth management firms, the fair value obligation has direct implications for charging structures — particularly trail commissions, adviser charges and platform fees applied to legacy products where ongoing service levels may not justify the ongoing charge. The FCA has been explicit that fair value assessments must be genuinely analytical, not a narrative explanation of why the firm believes its pricing is reasonable.

Distribution Chain Obligations: No TCF Equivalent

Consumer Duty imposes obligations across the entire distribution chain in a way TCF did not. Manufacturers — firms that create or significantly adapt products — must define a target market, conduct fair value assessments, and share the information distributors need to sell the product appropriately. Distributors must act consistently with the manufacturer’s target market and fair value assessment and must share outcome data with manufacturers.

Under TCF, a firm could discharge its obligations primarily by reference to its own processes. Under Consumer Duty, a distributor cannot claim good consumer outcomes if it is distributing a product to customers outside its intended target market, even if the distributor’s own processes are sound. The obligation runs through the chain.

The Evidencing Shift: From Process to Outcomes

Under TCF, firms typically evidenced compliance through process documentation — training records, policy documents, MI packs. The FCA’s supervisory approach was largely to check that the processes were in place and that MI showed broadly acceptable outcomes. A firm with well-documented TCF processes could generally satisfy supervisory scrutiny even where individual customer outcomes were suboptimal, provided the process failures were not systemic.

Consumer Duty changes the evidencing standard. Firms must demonstrate actual outcomes, not just sound processes. MI under Consumer Duty should show: the proportion of the target market receiving the intended product outcomes; fair value assessment results; consumer understanding testing (for communications); consumer support resolution rates and accessibility metrics; and the outcomes for vulnerable customers compared to the general customer population. Process documentation remains important as evidence of how the firm intends to produce good outcomes — but it cannot substitute for evidence that good outcomes are actually being achieved.

What TCF Compliance Does — and Does Not — Cover Under the New Regime

TCF remains live under Principle 6. A firm cannot satisfy Principle 6 by reference to Consumer Duty compliance alone — the two obligations are parallel, not substitutes. In practice, however, a firm with a mature Consumer Duty framework will typically satisfy its TCF obligations as a consequence, because Consumer Duty sets a higher standard in almost every area.

The areas where firms with legacy TCF frameworks most commonly fall short of Consumer Duty are: the fair value assessment (TCF had no equivalent); the annual board report (TCF had no prescribed governance format); consumer understanding testing (TCF focused on clear communication but did not require testing comprehension); and the forward-looking harm prevention obligation (TCF was primarily backward-looking). Firms migrating from a TCF compliance mindset need to address each of these gaps specifically — they cannot be filled by more of the same TCF-style MI.

Key References

• FCA — Consumer Duty guidance and resources
• FCA Handbook PRIN 2A — The Consumer Duty