Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your small business touches financial services - even in a limited way - there’s a good chance you’ll need permission from the Financial Conduct Authority (FCA) before you can trade legally.
That permission comes through an FCA application. It’s a detailed process, but with the right preparation, you can put forward a strong, complete application that gives the regulator confidence in your business from day one.
In this guide, we’ll walk you through when you need authorisation, how to choose the right permissions, what to prepare, realistic timelines and costs, and what happens after you’re approved. We’ll keep things practical and focused on what small firms actually need to do.
What Is An FCA Application And Do You Need One?
An FCA application is the formal process for getting permission to carry on regulated activities in the UK. You submit it via the FCA’s online “Connect” system with evidence that your business, people and controls meet regulatory standards.
You’ll need to apply if you plan to undertake one or more “regulated activities” in the UK. Common examples for small businesses include:
- Consumer credit (e.g. credit broking, debt counselling, debt adjusting, lending under CONC)
- Payment services or e‑money (e.g. operating a payments app, providing account information or payment initiation under PSRs 2017/EMRs 2011)
- Investment services (e.g. arranging or advising on investments under MiFID, now in the FCA’s MIFIDPRU regime for prudential rules)
- Insurance distribution (e.g. introducing customers to insurers or assisting with policies under IDD rules)
Not every fintech or finance-adjacent business needs its own authorisation. Alternatives include:
- Becoming an Appointed Representative (AR) of a principal firm (the principal holds the permission and oversees you).
- Relying on exemptions (limited and activity-specific; you should assess carefully).
- Using third-party providers for the regulated piece while you remain unregulated (e.g. white-labelling a payments service provider).
As a rule of thumb: if you directly hold client money, make credit decisions, arrange or advise on investments, distribute insurance, or execute payments, you should expect FCA oversight. If you’re unsure, get tailored advice before you start marketing or onboarding customers.
Choosing The Right Permissions For Your Business
Picking the correct scope of permission is where many small firms stumble. Ask for too little and you’ll be back for a variation later; ask for too much and you’ll face tougher scrutiny and higher costs. Map your business model to the FCA’s activity list and be precise.
Match Activities To Permissions
- Consumer credit: decide if you need full or “limited permission” (e.g. for certain broking or introduction activities). Check if your activities include debt counselling/adjusting (higher bar).
- Payments/e‑money: pick the right category (small payment institution, authorised payment institution, small e‑money, or authorised e‑money). Each has specific capital and safeguarding rules.
- Investments: define whether you will arrange deals, advise, or manage investments; identify retail vs professional client exposure; and whether you’ll hold client assets (CASS applies).
- Insurance distribution: be clear if you’ll just introduce (lower complexity) or assist with arranging/claims (more controls required).
Consider The Appointed Representative (AR) Route
The AR model can be faster than a full authorisation, as you operate under a principal firm’s permissions. It still comes with oversight, training and reporting obligations. The FCA has tightened the AR regime, so principals must conduct more due diligence and ongoing monitoring. Expect to provide the same quality of information you would in a direct authorisation - just to your principal as well as the FCA.
Plan For Consumer Duty
For retail-facing activities, the Consumer Duty now sets a higher bar for customer outcomes and governance. Build this into your permissions scoping, your product design and your compliance framework from the outset. It’s not just a policy - it affects board oversight, MI, testing and how you evidence “good outcomes”.
Preparing Your FCA Application: A Practical Step-By-Step
The FCA wants to see that you understand your risks and have proportionate controls. A thorough, well-structured application signals exactly that. Here’s a practical sequence that works for small firms.
1) Define Your Business Model And Regulatory Map
- Document your products, target customers, distribution channels and any outsourcing.
- Map each process step to a regulatory requirement (e.g. onboarding = KYC/AML; charging fees = disclosures/CONC or PSRs; handling complaints = DISP).
- Identify client money/safeguarding touchpoints, financial promotions, vulnerable customer scenarios, and data protection implications.
2) Choose Your Structure And Controllers
The FCA assesses controllers and governance. If you’re incorporating, finalise your company before you apply so the details align. If you still need to set up, you can register a company and get your core corporate basics in place first.
3) Appoint Senior Managers (SMCR) And Key Function Holders
- Identify Senior Management Functions (SMFs) such as SMF1 (CEO), SMF16/17 (Compliance/Internal Audit, where applicable), and the MLRO/SMF17 equivalent for AML in relevant firms.
- Draft Statements of Responsibilities for each SMF and an overall Management Responsibilities Map (even for small firms).
- Plan Conduct Rules training for all staff and SMFs.
4) Build Your Compliance Framework
Prepare core policies and procedures tailored to your model. At minimum, expect to provide (and later implement):
- Compliance Monitoring Programme and risk register
- Financial crime (AML/CTF) policy and customer risk assessment, including onboarding/KYC
- Safeguarding or CASS procedures, if applicable
- Complaints handling (DISP) and vulnerable customer policy
- Outsourcing/vendor risk management, including due diligence and ongoing oversight
- Security and data protection policies (see below)
5) Get Your Data Protection House In Order
If you handle personal data (you almost certainly will), the FCA expects robust GDPR compliance. Make sure you have a public-facing Privacy Policy, a website/app Cookie Policy with appropriate consent controls, and a proper Data Processing Agreement with any processors. For a joined-up approach to policies and training, many small firms opt for a tailored GDPR package to implement before launch.
Don’t forget ICO registration (unless exempt). The FCA may ask how you’ve assessed the position; this is where understanding ICO fee exemptions (and why most regulated firms still register) becomes relevant.
6) Draft Your Regulatory Business Plan And Financials
- Explain your market, customer journey and risks in plain English. Tie each risk to a control.
- Provide realistic financial projections (12–36 months), including capital buffers and stress testing.
- Set out your wind-down plan: how you’d exit the market safely while protecting customers.
7) Prepare Application Forms And Fit & Proper Evidence
- Complete the relevant “Connect” forms and annexes for your permissions.
- Gather ID, CVs, references and regulatory history for SMFs and controllers, showing they’re “fit and proper”.
- Collate contracts and operational evidence (bank letters for safeguarding, service/outsourcing agreements, IT architecture, training materials).
8) Sense-Check Financial Promotions And Customer Documents
If you’ll market online, the FCA expects promotions to be fair, clear and not misleading. Ensure your website terms and onboarding journeys reflect your disclosures and permissions, and that your cookie and privacy notices align with your actual data use. If you’re hiring early staff to support compliance or operations, put in place clear agreements such as an Employment Contract and a proportionate Staff Handbook that covers conduct and regulatory policies.
What The FCA Will Assess: Capital, Governance And Controls
The FCA’s job is to ensure your firm is ready, willing and organised to meet its obligations. Here’s what they’ll focus on (and what you should evidence clearly in your pack).
Financial Resources And Prudential Rules
- Minimum capital: varies by regime (e.g. fixed capital for payment institutions/e‑money; activity-based for investment firms under MIFIDPRU; prudential consolidation for groups).
- Liquidity and runway: show cash headroom, realistic revenue assumptions and contingency plans.
- Safeguarding or CASS: if applicable, provide bank acknowledgements, reconciliations, and operational walkthroughs.
Governance And SMCR
- Competent SMFs with clear, non-overlapping responsibilities.
- Board/management information, decision records and escalation paths.
- Conduct Rules training plan and disciplinary processes for breaches.
Risk Management And Compliance Monitoring
- A live risk register linked to your business model (not a generic template).
- Compliance testing plan with frequencies and owners - and how findings will be tracked to closure.
- Outsourcing oversight: meaningful KPIs, SLAs, audit rights and exit arrangements.
Customer Outcomes And Consumer Duty
- Product design for target markets, with testing for foreseeable harms.
- Fair value assessments and MI to evidence outcomes (e.g. complaints trends, approval/decline analysis).
- Vulnerable customer strategy and staff training.
Data Protection And Security
- GDPR compliance by design: data minimisation, purpose limitation and DPIAs for higher-risk processing.
- Technical and organisational security measures; incident response and breach notification processes.
- Customer-facing notices that match reality (your Privacy Policy and Cookie Policy should reflect actual data flows).
It’s important to keep everything proportionate. The FCA doesn’t expect a startup to look like a bank, but it does expect controls that match your risks - and for you to be able to explain them clearly.
After Approval: Your Ongoing FCA Compliance Duties
Authorisation isn’t the finish line. From day one, you’ll need to keep up with reporting, notifications and day‑to‑day controls. Build these rhythms into your business plan now to avoid scrambling later.
Regulatory Reporting And Notifications
- Submit periodic returns via RegData (prudential, conduct, client assets/safeguarding, complaints).
- Notify material events under SUP 15 (e.g. changes to controllers, breaches, cyber incidents, financial stress).
- Renew fees/levies and maintain up-to-date Firm Details and Directory Persons entries.
SMCR And People Management
- Annual fit & proper assessments for SMFs and Certification Staff, with training records for Conduct Rules.
- Onboarding/offboarding workflows that cover regulatory attestations and access controls.
- Periodic board reviews of the Responsibilities Map and Consumer Duty oversight.
Complaints, Financial Promotions And Customer Docs
- Handle complaints per DISP, record root causes and respond within time limits; consider FOS implications.
- Pre‑approve financial promotions and keep audit trails; use clear, balanced risk wording.
- Review customer contracts and website journeys regularly so disclosures stay accurate as you iterate products.
Risk, Audit And Continuous Improvement
- Run your Compliance Monitoring Programme and present MI to the board.
- Test business continuity and wind‑down triggers annually.
- Review outsourcing and IT risks - especially if you scale quickly or add new vendors.
As you grow, you’ll likely revisit your permissions. A variation of permission (VoP) can be straightforward if you’ve maintained solid controls and have good change-management evidence.
Key Takeaways
- Start with scope: map your exact activities to the right FCA permissions, and consider whether the Appointed Representative route is a better first step for your model.
- Demonstrate readiness: a strong application shows capable people (SMCR), adequate capital, clear governance and proportionate controls that fit your risks.
- Prepare the pack: regulatory business plan, financials and wind‑down, policies (AML/CTF, complaints, safeguarding/CASS), and GDPR compliance with a robust Privacy Policy, Cookie Policy and Data Processing Agreement.
- Expect realistic timelines: complete applications are typically decided within six months (incomplete can take up to 12). Budget for application fees and capital runway.
- Plan for life after authorisation: build in reporting, SUP 15 notifications, SMCR cycles, Consumer Duty oversight and change-management from day one.
- Get help where it counts: decisions around permissions, governance structure, data protection and customer documentation benefit from tailored legal advice.
If you’d like help scoping your FCA application, preparing your compliance documents or aligning your website and customer contracts with regulatory requirements, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.


