Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business touches money, credit or investments in any way, you’ve probably heard the phrase “FCA authorisations”. It can feel daunting at first - but understanding what the Financial Conduct Authority (FCA) requires, and how to approach the process, will set you up for success.
In this guide, we’ll walk through when FCA authorisation is needed, what permissions exist, the application steps, the key documents and policies you’ll need, and what to expect after approval. We’ll also cover sensible alternatives if full authorisation isn’t the right fit right now.
The aim here is simple: help you make informed decisions, avoid common pitfalls and get your business legally protected from day one.
FCA Authorisations: What They Are And Whether You Need One
The FCA regulates certain “regulated activities” in the UK under the Financial Services and Markets Act 2000 (FSMA) and the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO). If your business carries on a regulated activity “by way of business” in the UK, you generally must be authorised or exempt.
In plain English: if you’re advising on, arranging, dealing in or managing certain financial products - or providing payment services or issuing e‑money - you may need FCA authorisation (or registration, in specific regimes). The exact permission(s) you need depend on what you actually do for customers.
Common Activities That Often Require Permission
- Consumer credit (e.g. broking, credit lending, debt counselling or debt collecting)
- Insurance distribution (introducing, advising, arranging administration)
- Investment activities (advising on or arranging deals in investments, portfolio management, operating a platform)
- Payment services (e.g. operating as an Authorised Payment Institution or Small Payment Institution) and e‑money issuance
- Operating a crowdfunding or peer‑to‑peer platform
Cryptoasset firms currently require FCA registration for anti‑money laundering purposes rather than full FSMA authorisation for most activities, but this is a fast‑moving area - check the FCA’s latest position.
Key Concepts You’ll Hear
- Permissions (or “Part 4A permission”): The specific activities your firm is authorised to carry out.
- Threshold conditions: Core requirements every authorised firm must meet (e.g. appropriate resources, effective supervision, suitability, business model).
- SMCR: The Senior Managers and Certification Regime sets accountability and conduct standards for key individuals in your firm.
- Consumer Duty: If you deal with retail customers, you must act to deliver good outcomes across the product lifecycle.
Not every money‑related business needs authorisation. For example, pure invoicing software that never “touches” customer funds or executes payment orders may not be regulated. Conversely, a marketplace that holds client money or provides regulated credit introductions may need permission.
If you’re unsure, map your exact customer journey and cash flows, then compare them to the FCA’s Perimeter (PERG) guidance. When in doubt, get tailored advice - perimeter mistakes can be costly.
How To Apply For FCA Authorisation: A Step‑By‑Step Overview
The FCA uses its online “Connect” system for applications. Timeframes vary by application complexity and completeness, but a realistic window is several months. The FCA’s statutory clock is up to six months once your application is complete (and up to 12 months if it’s initially incomplete).
Step 1: Define Your Regulated Activities And Business Model
Be precise about what you’ll do, who your customers are, how you’ll get paid, and how money moves. This informs the exact permission set you request and the rules you must follow (e.g. client money, prudential rules, safeguarding, Consumer Duty).
Step 2: Choose The Right Permissions (And Prudential Category)
Permissions must reflect your services and revenue model. For investment firms, the Investment Firms Prudential Regime (IFPR/MIFIDPRU) may apply. For payment firms, the Payment Services Regulations 2017 and Electronic Money Regulations 2011 set prudential and safeguarding requirements.
Step 3: Build Your Governance And SMCR Framework
Identify Senior Management Functions (SMFs), allocate responsibilities, prepare Statements of Responsibilities and an overall responsibilities map. You’ll also set up independent compliance and (where appropriate) risk and audit functions proportionate to your size and complexity.
Step 4: Prepare Core Policies And Your Regulatory Business Plan
The FCA expects a regulatory business plan with robust financial forecasts, a wind‑down plan, risk assessment, compliance monitoring plan and detailed operational controls. Build policy suites covering AML/CTF, information security, complaints, conflicts, financial crime, safeguarding/client money and outsourcing.
Step 5: Submit Via Connect And Engage With FCA Queries
Upload forms, controllers’ information, fit and proper evidence for key individuals, financials and policies. Expect follow‑up questions - quick, clear responses help keep momentum. If your model evolves, you may need to refine permissions or conditions.
Step 6: Prepare Operational Readiness For Day One
Before launch, confirm customer‑facing documents, disclosures, client money or safeguarding arrangements, reporting systems, staff training and incident response plans. Consider internal sign‑off using formal board resolutions to document readiness.
Essential Policies, Contracts And Governance
Authorised firms must be able to demonstrate they’re organised and well‑controlled. The FCA focuses on substance over form - policies are only credible if you actually embed them.
Customer‑Facing Terms And Disclosures
- Clear, fair and not misleading product information and risk warnings
- Transparent pricing and fees, including how and when you charge
- Terms covering services scope, liability caps and dispute resolution
If you deliver services online, have legally robust Website Terms and Conditions and, for platforms or apps, tailored SaaS Terms aligned with FCA disclosure requirements.
Privacy And Data Protection
Financial services firms handle sensitive data. You’ll need a compliant Privacy Policy, appropriate lawful bases, data minimisation, security controls and retention rules under the UK GDPR and Data Protection Act 2018. Where you rely on vendors to process personal data, put a Data Processing Agreement in place with each processor.
Internal Policies The FCA Typically Expects
- Governance and SMCR (including fit and proper assessments and training)
- Compliance Monitoring Plan and Regulatory Change procedures
- Risk Management Framework, including operational resilience and outsourcing
- Financial Crime and AML/CTF (aligned to the Money Laundering Regulations 2017)
- Conflicts of Interest and inducements/benefits registers
- Client Assets (CASS) or Safeguarding procedures (as applicable)
- Complaints (DISP) with root cause analysis and reporting
- Incident and breach management, plus business continuity
- Wind‑down planning with realistic triggers and actions
- Whistleblowing framework - a documented Whistleblower Policy is strongly recommended
Third‑Party And Commercial Contracts
Outsourcing and critical suppliers (e.g. cloud, KYC vendors, payment processors) should be governed by robust contracts that allocate risk, ensure access to data and audit rights, and support your regulatory obligations. During pre‑launch discussions with potential principals or vendors, use a Non-Disclosure Agreement to protect your confidential information.
It’s important your legal documents are tailored to your regulated model - avoid generic templates. The FCA will look for alignment between your written policies, your contracts and your actual systems and controls.
Ongoing Duties After You’re Authorised
Getting authorised is the start, not the finish line. From day one, you must maintain the threshold conditions and comply with the FCA Handbook rules relevant to your permissions.
Conduct And Customer Outcomes
- Follow the FCA’s Principles for Businesses and, where applicable, the Consumer Duty (act to deliver good outcomes for retail customers).
- Ensure financial promotions are fair, clear and not misleading, and (where required) approved by an authorised firm.
- Handle complaints in line with DISP and report as required.
Prudential, Reporting And Notifications
- Meet capital and liquidity requirements appropriate to your firm type (e.g. MIFIDPRU for investment firms, PSRs/EMRs for payment/e‑money firms).
- Submit regulatory returns via RegData on time, and maintain accurate regulatory data.
- Notify the FCA of changes (e.g. controllers, SMF changes, material outsourcing) and apply for a Variation of Permission if your business expands into new activities.
Operational Resilience And Outsourcing
Identify important business services, set impact tolerances and test continuity. Outsourcing must be managed so you remain responsible for compliance at all times - this includes due diligence, contractual rights, oversight and exit planning.
Data Protection And Security
Keep your privacy compliance current as you add features, integrate third parties or expand to new markets. Regularly review your data map and ensure customer‑facing materials (including your Privacy Policy) stay accurate as your processing evolves.
It can feel like a lot, but you don’t have to tackle everything at once. Build a compliance calendar, set clear owners for each obligation and embed checks into BAU processes so compliance becomes routine.
Alternatives To Full FCA Authorisation (And When They Make Sense)
Full authorisation isn’t always the quickest or most efficient route, especially for early‑stage ventures testing product‑market fit. Consider these options:
Appointed Representative (AR) Model
Operate under a principal firm’s permissions while you validate your proposition. The principal accepts regulatory responsibility and must oversee you. You’ll still need solid governance, MI reporting and customer‑facing documentation consistent with the principal’s framework.
Agent Of A Payment Institution Or E‑Money Distributor
For payment or e‑money propositions, you may be able to act as an agent or distributor of an already authorised firm. This can be faster to market, with an on‑boarding and oversight process rather than a full application.
Unregulated Model With Careful Perimeter Design
Sometimes you can structure services to avoid regulated activities (for example, providing technology only, without touching funds or arranging transactions). You’ll still need robust commercial contracts (such as clear platform terms or Terms of Use) and consumer and privacy compliance - but no FCA permission. Take advice to ensure you genuinely remain outside the perimeter.
These routes can be stepping stones. As you grow, you can reassess and apply for your own permissions when it makes strategic sense.
Key Takeaways
- Work out exactly what you do for customers, how money flows and who you serve - this drives whether you need FCA authorisation and which permissions apply.
- A successful application rests on credible governance, SMCR arrangements, financials and policies that match your real‑world operations and risks.
- Customer‑facing contracts matter: align your Website Terms and Conditions or SaaS Terms, disclosures and complaints process with FCA conduct rules.
- Protect data from day one with a compliant Privacy Policy and appropriate processor clauses via a Data Processing Agreement.
- After approval, keep meeting threshold conditions, report on time, manage outsourcing properly and embed Consumer Duty or other conduct rules into BAU.
- If you’re not ready for full permissions, consider the AR model or operating as an agent/distributor - and document decisions with clear board resolutions.
- Get tailored advice early - addressing the perimeter and compliance foundations upfront will save time, cost and rework as you scale.
If you’d like help scoping your permissions, preparing the right documents or pressure‑testing your application, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.


