Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re building a startup or running an SME, it’s normal to want to move fast - ship the product, sign customers, and start generating revenue.
But if your business touches payments, lending, investments, cryptoassets, insurance, or “money handling” in any meaningful way, you may be carrying on FCA regulated activities without realising it.
That matters because in the UK, carrying on a regulated activity by way of business without the right permissions can create serious legal and commercial risk. It can also derail fundraising, partnerships, and customer trust (especially if you’re in fintech).
Below, we break down what “FCA regulated activities” actually means, the common triggers for startups and SMEs, and practical ways to reduce risk while you figure out the right structure for your business.
What Are FCA Regulated Activities (In Plain English)?
In the UK, the Financial Conduct Authority (FCA) regulates certain financial services and products. The legal framework comes mainly from:
- Financial Services and Markets Act 2000 (FSMA) (the core framework for authorisation and financial promotions), and
- The Regulated Activities Order (RAO) (which lists what counts as a “regulated activity”).
When people talk about FCA regulated activities, they’re usually referring to business activities that:
- involve specific financial products (like investments, insurance contracts, or certain credit agreements); and/or
- amount to a regulated service (like arranging, advising, dealing, or safeguarding assets).
Common Examples Of FCA Regulated Activities
The list is detailed, but these are the kinds of activities that frequently show up in startup business models:
- Advising on investments (e.g. telling customers which shares/funds to buy or sell)
- Arranging deals in investments (e.g. introducing and facilitating investments)
- Dealing in investments as agent or principal
- Insurance distribution (e.g. selling or arranging insurance)
- Consumer credit activities (e.g. lending, credit broking, debt adjusting)
- Payment services and e-money (typically regulated under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011, with the FCA as the main supervisor for authorisation/registration in this area)
- Safeguarding and administering investments (custody-like models)
- Operating an investment platform or certain types of marketplace models
Important: “We’re just a tech platform” isn’t automatically a get-out-of-jail-free card. Regulators look at what you actually do (and how customers experience it), not just what you call it in your pitch deck.
What Does “By Way Of Business” Mean?
In simple terms, if you’re doing something as part of a commercial operation (even early-stage) - charging fees, taking a margin, earning commission, or building a recurring business around it - you’re more likely to be seen as carrying on the activity “by way of business”.
This is why early MVPs can still create risk. If you test the model with real customers and real money, the legal obligations can follow.
Do UK Startups And SMEs Need FCA Authorisation?
Sometimes yes - but not always. The tricky part is that the answer depends on:
- your exact customer journey (what the customer is told, what they click, what happens next)
- where money flows (who receives it, holds it, and controls it)
- what you’re “arranging” or “advising” in practice
- the legal nature of the product (loan? investment? e-money? insurance?)
- whether any exemptions apply (and whether you can rely on them safely)
Three Common Pathways For Businesses In The FCA Perimeter
Most startups and SMEs exploring regulated models end up in one of these buckets:
- Fully authorised: you apply for FCA authorisation/registration yourself and meet ongoing compliance requirements.
- Operate via a regulated partner: a third party is authorised and you provide services under a commercial contract (careful drafting matters here).
- Appointed Representative (AR): you operate under the responsibility of an FCA-authorised “principal” (not available or appropriate in all cases, and the market has tightened).
Which route fits best is a business decision and a legal risk decision. You’ll also want to think about what investors and enterprise partners will accept.
Even if you’re not authorised, you still need to get your commercial documentation right - for example, clear Website Terms And Conditions can help align expectations about what your platform does (and doesn’t) do.
Common Startup Scenarios That Can Trigger FCA Regulated Activities
Founders often ask, “We’re not a bank - how could this be regulated?” The reality is that regulation can be triggered by the function your product performs, not the brand identity you project.
Here are scenarios where FCA regulated activities commonly pop up for startups and SMEs.
1) Marketplaces And Platforms That “Arrange” Financial Products
If your platform introduces customers to providers of loans, investments, or insurance - and you do more than a passive directory - you may be “arranging” or “making arrangements” in a regulated sense.
Common risk factors include:
- you filter or rank offers based on customer inputs
- you pre-fill application forms or pass data to the provider in a structured way
- you handle the customer journey through to application or completion
- you receive commission or a success fee
Commercially, you’ll also want your relationships with suppliers and partners locked down - a properly drafted Service Agreement often sits at the centre of these arrangements.
2) Subscription Or Membership Models With Financial “Benefits”
Some SMEs package financial tools into a paid membership (e.g. budgeting tools plus “access” to credit products, or subscription-based wealth features). The subscription model itself isn’t the issue - it’s what the subscription unlocks and what you do in the funnel.
This is also where marketing language can create risk. If you’re promoting certain financial products or services, you might be caught by the UK’s “financial promotion” rules under FSMA (even if you’re not authorised), depending on the content and who it’s communicated to.
3) Handling Customer Money (Even Temporarily)
If you collect, hold, or control customer money - even briefly - you may be moving into payment services or e-money (depending on structure). In some models, additional safeguarding requirements may also apply.
Questions to pressure-test your model:
- Does customer money ever enter your bank account?
- Do you control when money is released?
- Are you “holding funds” on behalf of customers or merchants?
- Are you issuing something that behaves like stored value?
If you’re processing personal data to deliver these services (which is very likely), make sure your Privacy Policy and internal data practices match what the product is actually doing.
4) Lead Gen And Introducer Models (Commission-Based)
Lead generation can look simple: “We’ll send leads to providers and get paid per conversion.”
But in regulated sectors, the line between “introducer” and “arranger/broker” can get thin very quickly, especially if:
- you qualify leads in a way that influences the outcome
- you recommend a product/provider (explicitly or implicitly)
- you present comparisons in a way that looks like advice
- you take steps that form part of the chain of events leading to the deal
This is one of those areas where careful wording really matters, including your website copy and customer-facing onboarding. It’s also why it’s worth understanding what makes a contract legally binding - because the promises you make in marketing and onboarding can end up shaping disputes later.
5) Cryptoasset Business Models
Crypto can touch multiple regimes. Depending on what you do, you may need to register with the FCA under the UK’s anti-money laundering rules (for example, if you carry on certain cryptoasset exchange or custodian wallet activities). Separately, if your crypto model involves specified investments or otherwise crosses into regulated activity (for example, certain token structures or investment-like services), you may also need authorisation and permissions under FSMA/RAO.
Because the perimeter evolves, it’s especially important to get tailored advice before you assume your crypto model is “unregulated”.
What Happens If You Carry On FCA Regulated Activities Without Authorisation?
This is the part founders don’t like thinking about - but dealing with it early is how you protect your business from day one.
If you carry on FCA regulated activities without the right permissions, the risk isn’t just theoretical. Potential consequences can include:
- Criminal and regulatory exposure (FSMA includes offences relating to unauthorised regulated activity)
- Contracts being unenforceable in certain circumstances (which can become a commercial nightmare if you’re trying to recover fees)
- Customer claims and complaints, especially if customers believe they were misled
- Partner and banking issues (banks and payment providers often offboard businesses they perceive as outside their risk appetite)
- Investor due diligence problems (fundraising can stall if your permissions position is unclear)
- Reputational damage that makes enterprise partnerships harder to win
Also, even if your underlying activity is unregulated, the way you market it can still cause problems. Overpromising or implying guarantees can trigger consumer protection issues, and in some financial contexts, financial promotion restrictions can apply.
This is why your legal foundations aren’t just a “later” problem - they’re part of building a scalable product.
How To Check Whether Your Business Falls Within FCA Regulated Activities
You don’t need to become a regulatory lawyer to do a sensible first-pass risk assessment. But you do need a structured approach.
Step 1: Map The Customer Journey (Not Just The Product)
Write down each step of the journey, including:
- first marketing touchpoint
- signup and onboarding
- how you collect and use information
- what the customer sees as “recommendations”
- where money moves, and who controls it
- what happens when things go wrong (refunds, complaints, chargebacks)
Often, the “regulated” part isn’t the headline feature - it’s a small operational detail like handling funds or nudging customers to pick a product.
Step 2: Identify What You Do: Advising, Arranging, Dealing, Holding?
Ask yourself:
- Are we advising, or just providing information?
- Are we arranging the deal, or just introducing parties?
- Are we handling money, or is it processed entirely by a third party?
- Are we acting as an agent for the customer or provider?
The labels in your UI (“advisor”, “broker”, “concierge”, “wealth coach”) can also create risk if they imply regulated activity.
Step 3: Check If You’re Relying On An Exemption (And Whether It Really Fits)
There are exemptions and exclusions in UK financial services law, but they can be narrow and fact-specific.
If your business model only works if an exemption applies, that’s usually a sign you should get advice early - because if you grow or tweak a feature, you might unintentionally “break” the exemption.
Step 4: Put The Right Contracts And Policies In Place
Even at MVP stage, you’ll want to document the key relationships and risk allocation properly, such as:
- partner / supplier agreements (especially where a regulated firm is involved)
- customer terms (clear scope, disclaimers, liability allocation)
- data protection terms with vendors and processors
- internal procedures (complaints, security, record-keeping)
If you share personal data with partners (for example, passing lead/customer details to providers), you may also need a Data Processing Agreement in place, depending on who is processing what and on whose instructions.
And if you have staff building or operating the platform, an Employment Contract can help protect IP ownership and confidentiality from the start.
Key Takeaways
- FCA regulated activities can be triggered by what your business does in practice - not just what you call yourself (or whether you consider yourself “a tech platform”).
- Common triggers for startups and SMEs include arranging financial products, advising customers, handling customer funds, and commission-based introducer models that go beyond a passive directory.
- Whether you need FCA authorisation depends on your customer journey, money flows, and whether any exemptions apply - it’s often a detailed, fact-specific assessment.
- Getting it wrong can lead to serious consequences, including regulatory exposure, unenforceable contracts, investor due diligence issues, and reputational damage.
- A practical way to start is to map your end-to-end customer journey, identify where you might be advising/arranging/holding funds, and get your contracts and policies aligned early.
- If your model sits anywhere near financial services, getting tailored advice early can save a lot of time (and cost) later - especially before you scale, launch paid features, or raise investment.
Note: This article is general information only and isn’t legal or financial advice. FCA perimeter questions are highly fact-specific, so you should get advice on your particular product, customer journey, and money flows.

