Financial Services and Markets Act 2023: Key Changes for UK Startups and SMEs

If you’re building a startup or running an SME in the UK, the Financial Services and Markets Act 2023 (often shortened to FSMA 2023) is a law worth having on your radar.

Even if you don’t think of your business as “financial services”, FSMA 2023 matters because it helps reshape how UK financial regulation works post-Brexit - and it supports a wave of changes delivered through regulator rules and secondary legislation (including stricter expectations around marketing and consumer outcomes, and a clearer pathway towards regulating fast-moving areas like cryptoassets).

This article breaks down what FSMA 2023 is, who it may affect, and practical steps you can take to reduce risk as you grow.

Note: This guide is general information, not tailored legal advice. Whether you are “regulated” (or need FCA authorisation) depends on your specific activities, how your product works, your customers, and whether any exemptions apply. If you’re unsure, it’s worth getting specific advice early - a quick decision now can save you expensive rebuilds later.

What Is The Financial Services And Markets Act 2023?

The Financial Services and Markets Act 2023 is a major piece of UK legislation that updates the UK’s financial services regulatory framework. One of the headline reasons it exists is to help the UK operate a more independent regulatory model post-Brexit, rather than relying on retained EU rules.

In plain English, FSMA 2023 is about:

• Changing how financial services rules are made (moving more detailed requirements into UK regulators’ rulebooks, with less reliance on EU-derived legislation).
• Giving regulators new powers and clarifying how they should use them.
• Creating mechanisms to extend regulation into new areas over time (particularly relevant for fintech and digital assets, but often dependent on secondary legislation and FCA rules).
• Strengthening consumer protection and improving market integrity.

For startups and SMEs, the key point is this: FSMA 2023 can affect you even if you’re not an FCA-authorised firm today, because it influences areas like financial promotions, market conduct, and how the perimeter of regulation may develop.

Does FSMA 2023 Apply To Your Startup Or SME?

A good rule of thumb is: if your business touches money, payments, investments, lending, crypto, or financial marketing, you should assume FSMA 2023 is relevant and do a proper check.

Here are common scenarios where FSMA 2023 is likely to matter.

You’re A Fintech Or You Enable Financial Services

You might not be a bank - but if your product helps people pay, invest, borrow, insure, or manage assets, you may be operating within (or close to) the UK regulatory perimeter.

This can include:

• payments and e-money products
• investment platforms and “fractional investing” tools
• robo-advice or automated portfolio tools
• embedded finance features (even where financial services are “bolted on” to a non-financial product)

You Advertise Or Promote Financial Products

Even if you’re not authorised, FSMA’s financial promotions regime can apply if you communicate an invitation or inducement to engage in investment activity (and the rules and expectations in this area can tighten over time through FCA rulemaking).

This is where many small businesses accidentally step into risk, especially when:

• running paid social media campaigns
• using affiliates or influencers
• publishing “returns” messaging or customer testimonials
• offering referral rewards linked to investments

If your business relies heavily on online marketing, your legal foundations should include clear Website Terms and Conditions and a compliant Privacy Policy. FSMA 2023 doesn’t specifically require these documents, but firms operating in regulated (or near-regulated) spaces are generally expected to be transparent, accurate, and consistent in consumer communications.

You Build In Crypto Or Digital Asset Features

FSMA 2023 is particularly relevant to cryptoasset businesses and fintechs that are “crypto-adjacent”. It supports the UK’s move towards a more comprehensive regulatory approach to certain cryptoasset activities - but the detail (including timing and scope) is typically delivered through secondary legislation and FCA rules.

If your product roadmap includes:

• token issuance
• custody or wallets
• exchange or brokerage features
• staking-like products or yield features
• crypto payments

…then you should treat FSMA 2023 as part of your compliance planning, not an afterthought.

Key Changes In FSMA 2023 That Matter Most For Small Businesses

FSMA 2023 is broad. You don’t need to memorise it, but you do want to understand the “pressure points” where it tends to affect founders, directors, and operators.

1) A More UK-Centred Rulebook (And A Faster Pace Of Change)

One practical impact of FSMA 2023 is that the UK is moving towards a model where regulators set more of the detailed requirements through their rules and guidance.

For startups and SMEs, this can mean:

• more frequent regulatory updates (and a need to monitor changes as you scale)
• less “set and forget” compliance, especially if you’re in fintech
• greater importance of having someone accountable internally for compliance and risk

This is also why it’s worth setting up your business governance properly early, including founder arrangements and decision-making processes. If you’re early-stage and raising money or bringing on co-founders, a Founders Agreement can help you avoid disputes later about who owns what, who controls what, and who is responsible for regulatory workstreams.

2) Financial Promotions: Marketing Risk Is A Legal Risk

FSMA 2023 sits alongside (and enables) a broader direction of travel in the UK: financial promotions are being taken more seriously, and regulators are focused on how products are marketed to consumers.

If your business communicates about investment-like opportunities (or anything that could reasonably be interpreted that way), you’ll want to be careful with:

• “guaranteed returns” language
• time-limited offers that pressure consumers
• unclear risk warnings
• promoting to the wrong audience (for example, retail consumers when the product is not appropriate)

Practical tip: treat marketing sign-off like a legal process, not just a growth process. Build a workflow where promotions are reviewed for accuracy and fairness before they go live. If you use affiliates, make sure you have written terms controlling what they can and can’t say.

3) Cryptoasset Regulation Is Moving Towards A More Structured Framework

Historically, crypto regulation in the UK has involved a mix of:

• anti-money laundering registration requirements for certain cryptoasset businesses
• financial promotions restrictions for cryptoasset promotions
• consumer law, advertising standards, and fraud enforcement

FSMA 2023 helps lay the groundwork for a more structured UK regime for cryptoassets - with the specifics typically coming through subsequent regulations and FCA rules.

For startups, the risk is not just “are we regulated today?” but also “could we become regulated as the UK brings more cryptoasset activities into scope?”

This can affect your:

• product design (for example, custody vs non-custodial structures)
• go-to-market plans (who you market to and what you say)
• fundraising plans (investor diligence questions come early now)
• commercial contracts (who holds liability if something goes wrong)

4) Regulators’ Focus On Consumer Outcomes (Not Just Technical Compliance)

Across UK financial regulation, there’s a strong direction towards making firms accountable for real-world consumer outcomes - not just ticking boxes.

So even for smaller firms, it’s wise to ask:

• Are we being clear and transparent about pricing, risks, and limitations?
• Could a typical customer misunderstand what we’re offering?
• Do we make it easy for customers to complain, cancel, or get support?
• Are our terms fair and easy to understand?

This isn’t just about regulator expectations. It’s also good business - disputes and reputational damage can be brutal for early-stage brands.

5) Increased Attention On Operational Resilience And Third Parties

FSMA 2023 also supports greater regulatory oversight of critical third parties to the financial sector (think major technology and infrastructure providers).

Even if your business isn’t a “critical third party”, the broader message is clear: regulators care about outages, security incidents, and dependency risk.

If you’re building a platform that handles sensitive user data or payment flows, your legal and operational setup should cover:

• security and access controls
• vendor due diligence
• incident response planning
• appropriate customer communications if something goes wrong

On the legal side, it’s worth ensuring your internal policies and external documents align - for example, your Acceptable Use Policy should match how your platform actually works, and your privacy documentation should reflect your data flows. Many startups choose to put this together as part of a broader Data Protection Pack so the documents are consistent from day one.

What Should Startups And SMEs Do Now? A Practical Compliance Checklist

Reading about the Financial Services and Markets Act 2023 is one thing - turning that into a practical plan is what actually protects your business.

Here’s a straightforward checklist you can work through.

1) Map Your Regulatory Perimeter Early

Before you spend months building (or worse, scaling), get clear on:

• what your product does today
• what you plan to launch in the next 6–18 months
• how money moves through your system
• who your customers are (consumer, business, sophisticated investors)
• how you market the product

At this stage, a targeted legal review can help identify whether you need authorisation, whether an exemption might apply, and what your marketing can safely say. If you’re moving quickly, it can be efficient to book a Legal Consultation to sense-check the structure and your growth plans before you lock them in.

2) Tighten Your Contracts And Customer Terms

Startups often leave contracts until later - but in regulated or high-risk sectors, contracts are part of compliance.

Depending on your model, you may need:

• customer/platform terms
• supplier and technology agreements
• affiliate/referral terms
• data processing terms (especially if you’re using third-party processors)

If you’re onboarding business customers (B2B), you’ll also want clear limitations of liability and defined responsibilities around data, security, and customer support. And if you’re collecting personal data (almost every online business does), you’ll want your Website Terms and Conditions and Privacy Policy to be accurate, not generic.

3) Build A Marketing Approval Process (Even If You’re Small)

FSMA 2023 sits in a world where regulators increasingly look at the substance of promotions - not just whether you included a disclaimer in tiny text.

Consider implementing:

• a pre-launch checklist for each campaign (claims, risks, audience, substantiation)
• controls for influencer/affiliate wording
• a record-keeping approach (so you can show why you believed a claim was true)

This doesn’t need to be bureaucratic. It just needs to be consistent.

4) Get Your Corporate House In Order (Because Investors Will Ask)

If you’re fundraising (seed through Series A and beyond), investors will often ask whether you’re exposed to regulatory risk and whether you have the governance to handle it.

From a legal foundations perspective, it’s smart to ensure you have:

• clear founder roles and vesting (where relevant)
• board and decision-making clarity
• shareholder rights documented properly

For many startups and growing SMEs, a Shareholders Agreement helps set out control, voting, transfer restrictions, and what happens if someone leaves - which becomes even more important when the business is operating in a regulated (or potentially regulated) market.

5) Don’t Treat Data Protection As Separate From Financial Compliance

Even where FSMA 2023 is your headline concern, most fintech and online financial-style businesses are also handling significant personal data, identity data, and behavioural data.

That means you should be thinking about UK GDPR and the Data Protection Act 2018 alongside financial regulation. In practice, that looks like:

• knowing what personal data you collect and why
• having a lawful basis for processing
• appropriate retention and deletion practices
• tight security controls and vendor management

Putting the right documentation in place early (often via a Data Protection Pack) can make your business more credible with partners, enterprise customers, and investors - and it’s often far easier to do before your systems become complicated.

Key Takeaways

• The Financial Services and Markets Act 2023 reshapes the UK’s financial regulation post-Brexit and gives regulators clearer powers - with many practical obligations and changes flowing through FCA rules and secondary legislation.
• FSMA 2023 can affect startups and SMEs even if you’re not authorised today, particularly if you market financial products, enable financial services, or build cryptoasset functionality.
• Financial promotions are a major risk area - if your marketing could be seen as an invitation or inducement to engage in investment activity, you need to be careful with wording, audience targeting, and substantiation.
• Cryptoasset regulation is moving towards a more formal framework, so “not regulated yet” doesn’t necessarily mean “low risk” (and the position can change as new rules come in).
• Consumer outcomes, transparency, and operational resilience matter in practice - your contracts, customer terms, and internal processes should support those expectations.
• Strong legal foundations (governance documents, customer terms, and privacy documentation) help reduce regulatory risk and make fundraising and partnerships smoother.

If you’d like help assessing how FSMA 2023 might affect your startup or SME - or you want support tightening your contracts and compliance foundations - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.