Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business touches money, investments, consumer credit or payments, chances are you’ve bumped into the Financial Conduct Authority (FCA). It’s common for growing startups and SMEs to move into “regulated” territory without realising how strict the rules are.
Here’s the bottom line: if a firm undertaking regulated activities is not FCA authorised (and no exemption applies), that’s a serious breach of UK law with criminal and civil consequences. The good news is that with the right checks, you can quickly work out whether you need authorisation, rely on an exemption, or adjust your model.
This guide breaks down what “regulated activities” are, the risks of operating without approval, and the practical steps to get compliant and protect your business as it scales.
What Counts As A “Regulated Activity” In The UK?
In the UK, the Financial Services and Markets Act 2000 (FSMA) sets the framework. The “general prohibition” in section 19 FSMA makes it an offence to carry on a regulated activity in the UK unless you’re authorised or exempt. Whether something is “regulated” is largely defined by the Regulated Activities Order (RAO).
Common examples that catch small businesses include:
- Arranging deals in investments, investment advice, or managing investments (e.g. introducing clients to investors and being paid per deal, providing tailored investment recommendations).
- Consumer credit activities under the FCA’s CONC rules, such as credit broking, debt counselling, debt adjusting or debt administration.
- Payment services under the Payment Services Regulations 2017 (PSRs), including operating a payment account, acquiring transactions or money remittance.
- E-money issuance and distribution under the Electronic Money Regulations 2011 (EMRs).
- Insurance distribution (e.g. selling or arranging insurance, or assisting in the administration and performance of insurance contracts).
It’s also easy to overlook that “arranging” can include seemingly light-touch activity like making introductions, forwarding applications or putting parties in touch, if those steps have more than a minimal effect on the transaction.
Two other traps we see regularly:
- Financial promotions (FSMA s21): You must not communicate an invitation or inducement to engage in investment activity unless you’re authorised or the content is approved by an authorised firm, or an exemption applies. This applies to websites, emails and social media as well as adverts.
- Cross‑border services: If you’re targeting UK customers (or carrying out activities in the UK), UK rules can apply even if you’re based overseas.
If you’re unsure whether your model includes a regulated activity, the FCA Perimeter Guidance (PERG) is a helpful starting point, but it’s still wise to get tailored advice before you launch promotions or onboard customers.
Do You Need FCA Authorisation Or An Exemption?
You need to be authorised by the FCA (or by the PRA for certain firms) unless an exemption applies. Here are the common routes businesses consider:
1) Full Authorisation Or Registration
If your core service is regulated (e.g. payment services, consumer credit, insurance distribution, investment services), you typically need authorisation or registration before going live. The application is made through the FCA’s Connect system and must show you meet the FCA’s Threshold Conditions (e.g. suitable business model, adequate resources, fit and proper management).
2) Appointed Representative (AR) Model
Under section 39 FSMA, a firm can act as an Appointed Representative of an authorised “principal” firm for certain activities. The principal takes regulatory responsibility and must oversee the AR. For startups, this can be a quicker way to market, but it comes with close supervision and contractual controls by the principal. You’ll still need solid onboarding documentation and oversight arrangements.
3) Relying On Exclusions Or Limited Permission
The RAO and FCA rules include specific exclusions: for example, certain introducer activities, group company exemptions, or limited permission consumer credit for businesses where credit activity is genuinely ancillary. These carve-outs are technical and narrow, so don’t rely on them without checking the precise conditions.
4) Adjusting The Business Model
Sometimes the quickest solution is to change how you operate so you no longer perform a regulated activity (e.g. reframing a service as pure software without touching client money, or removing tailored investment recommendations). You’ll still need strong customer contracts like clear Terms of Sale and website terms, but you may stay outside the regulated perimeter.
5) Sector-Specific Regimes
Don’t forget sector rules: PSRs for payments, EMRs for e-money, insurance distribution rules, and CONC for consumer credit. Each regime has its own permissions, capital and conduct requirements.
What Are The Risks If You Operate Without FCA Authorisation?
If a firm undertaking regulated activities is not FCA authorised (and no exemption applies), the risks are significant:
- Criminal offence: Breaching FSMA’s general prohibition (s19) is a criminal offence. Penalties can include imprisonment (up to two years) and/or an unlimited fine.
- Unenforceable agreements: Under FSMA s26–s27, agreements made by unauthorised persons in the course of a breach can be unenforceable against the customer. You may have to return any money or property received, with customers able to unwind the deal.
- Restitution and redress: The FCA and courts have powers to order restitution (e.g. under s382 and s384 FSMA). You could face section 384 disgorgement of profits and customer remediation.
- Financial promotions breaches: Communicating an unlawful financial promotion (s21 FSMA) is a separate breach. With tighter rules on approvers introduced recently, this area is under active FCA scrutiny.
- Regulatory action: The FCA can seek injunctions, publicity notices, and apply to court for orders. There’s also reputational damage with banks, partners and customers.
- Director and senior manager risk: Individuals can face prohibition orders and, in serious cases, director disqualification.
Even if your core service is unregulated, you must still follow general UK law on customers, data and marketing. Make sure you have a compliant Privacy Policy, clear Website Terms and Conditions and a proper Cookie Policy, and that your messaging aligns with UK consumer protection laws.
Immediate Steps To Take If You’ve Been Operating Unauthorised
If you suspect you’ve been within the perimeter without approval, act quickly and constructively. The FCA expects firms to take remediation seriously and engage openly.
1) Stop The Regulated Activity
Cease any activities that might be regulated. This could mean pausing onboarding, disabling certain website journeys, or suspending financial promotions until you’ve clarified your status.
2) Conduct A Perimeter Assessment
Map each activity against the RAO, PSRs, EMRs or CONC definitions. Identify whether you’ve been “arranging,” “advising,” “operating a payment account,” “issuing e‑money,” or broking credit. Document your rationale, including any exclusions or exemptions you think apply.
3) Triage Customer Agreements And Money Flows
Identify impacted contracts and whether section 26–27 FSMA unenforceability might bite. Consider escrow and safeguarding arrangements, and whether any client money rules (CASS) should have applied.
4) Communications And Remediation Plan
Prepare a plan for customer communications, refunds or unwinding transactions if required. You may also need to notify partners, banks and payment providers. Robust internal reporting and a proportionate Whistleblower Policy can help you surface issues early and show the FCA your governance is improving.
5) Consider The Best Route To Compliance
Decide whether to apply for authorisation, become an Appointed Representative, alter the product so it falls outside the perimeter, or wind down the activity. Document why the chosen route is appropriate and how you’ll manage interim risks.
6) Update Your Customer-Facing Materials
Check your website, app and marketing for financial promotions issues. If you continue offering unregulated services, ensure your legal content is tight: clear Terms of Sale, enforceable website terms, and accurate disclosures. If you handle personal data, ensure your Data Processing Agreement with processors is up to date.
Getting Authorised: How The FCA Application Process Works
If you need to be authorised, a well-prepared application will save weeks (or months) of back‑and‑forth. The FCA is focused on business models, consumer outcomes and culture, especially under the Consumer Duty (PRIN 12).
1) Clarify Your Permissions
Pin down the exact permissions you need (e.g. credit broking vs debt counselling; payment initiation vs account information; insurance distribution vs dealing in investments as agent). Aim for a precise scope to avoid unnecessary capital and compliance burdens.
2) Build A Documentation Pack
Typical application artefacts include:
- Regulatory Business Plan detailing your model, risks and controls.
- Governance: Board terms of reference, organisation chart, and SMCR mapping of Senior Management Functions and Certified roles.
- Policies: Compliance Monitoring Plan, Risk Framework, Financial Crime & AML (MLRs 2017), Complaints (DISP), Conduct/Risk Appetite, Conflicts of Interest, Outsourcing, Vulnerable Customers, and CASS (if applicable).
- Capital and liquidity forecasts, client assets plans (if relevant), and wind‑down plan.
- Financial promotions strategy (including approvals if you’re not yet authorised) and website controls.
You should also ensure customer-facing paperwork (e.g. onboarding terms, pricing, disclosures) is aligned and fair. Strong online terms, like clear Website Terms and Conditions and robust product-specific terms, help demonstrate Consumer Duty outcomes and reduce friction once live.
3) Fit And Proper People
Senior managers must satisfy the “fit and proper” test (honesty, integrity and reputation; competence and capability; and financial soundness). Expect detailed CVs, references and background checks, and be ready to explain relevant experience.
4) Operational Readiness
The FCA will want to see you can operate compliantly on day one. Evidence matters: system screenshots, process maps, training records, third‑party contracts, safeguarding accounts for payments, and call monitoring arrangements for credit or insurance.
5) Engage Early And Be Transparent
If you’ve previously operated in the perimeter without authorisation, disclose the issue, show what you’ve done to fix it, and outline how your new controls prevent recurrence. A candid approach is generally better received than minimising the issue.
Ongoing Compliance Once You’re Authorised
Authorisation isn’t the finish line; it’s the start. The FCA expects proportionate but effective systems and controls tailored to your risk profile. Here are the core areas to keep on top of:
Consumer Duty And Principles
The FCA’s Principles for Businesses (PRIN) and the Consumer Duty require firms to deliver good outcomes for retail customers. In practice: clear communications, fair value, suitable products and strong customer support. Keep your disclosures, pricing and website journeys aligned with these obligations, and make sure your customer content is consistent with your consumer protection law obligations too.
Financial Promotions
All promotions must be fair, clear and not misleading, and approved by an authorised firm where required. Maintain a promotions register, approval workflow and periodic review of your site and social posts. If your site includes legal notices and disclaimers, ensure they are consistent with your Website Terms and Conditions and properly incorporated.
Data Protection And Confidentiality
Handling customer data engages the UK GDPR and Data Protection Act 2018. Maintain an accurate Privacy Policy, processor contracts via a Data Processing Agreement, and aligned cookie consent via your Cookie Policy. Data minimisation, security and retention policies are essential in regulated environments.
Complaints And Redress
Follow DISP rules for complaint handling, with clear timeframes and referrals to the Financial Ombudsman Service where relevant. Track root causes and feed them into product and journey improvements.
Financial Crime And AML
Under the MLRs 2017, have a risk‑based AML/CTF framework, customer due diligence, ongoing monitoring and suspicious activity reporting. Staff training and independent testing are key; document everything.
Outsourcing And Third Parties
For material outsourcing, ensure robust due diligence, contracts, SLAs, exit plans and oversight. Keep written records of risk assessments and performance reviews; these will be requested in supervisory interactions.
Governance, SMCR And Culture
Allocate Senior Management Functions clearly, define responsibilities through Statements of Responsibilities, and maintain a healthy compliance culture. Regular board reporting, MI dashboards and actionable compliance plans show you’re in control as you grow.
FAQs We Hear From Small Businesses
Can Disclaimers Or “Information Only” Labels Keep Us Outside Regulation?
Not if the substance of your service is regulated. The FCA looks at what you actually do. If you give tailored investment recommendations or arrange credit, a disclaimer won’t convert a regulated activity into an unregulated one.
We Only “Introduce” Clients: Is That Regulated?
Introductions can be regulated “arranging” if they’re more than merely incidental and have a meaningful effect on the transaction. The RAO has narrow exclusions; get advice before assuming they apply.
Can We Start Trading And Apply Later?
No. If you need authorisation or registration, you must have it before you start. Operating first and applying later risks criminal liability, unenforceable contracts and forced remediation.
Does This Apply If We’re Based Outside The UK?
If you carry on activities in the UK or target UK customers, UK rules are likely to apply. Cross‑border firms often need authorisation or a local presence, depending on the model.
Key Takeaways
- If a firm undertaking regulated activities is not FCA authorised (and no exemption applies), it breaches FSMA’s general prohibition; this can be a criminal offence and can render your customer agreements unenforceable.
- Common regulated areas for SMEs include consumer credit, insurance distribution, payments and e‑money, and investment intermediation; check the RAO, PSRs and EMRs, and consider PERG guidance.
- Consider routes to compliance: full authorisation, becoming an Appointed Representative, relying on a narrow exclusion, or adjusting your model to sit outside the perimeter.
- If you’ve been operating without permission, stop the activity, assess the perimeter, plan remediation and choose a compliant path forward, and be open with the FCA.
- Once authorised, focus on Consumer Duty outcomes, financial promotions controls, AML, complaints, governance and data protection, with clear terms like your Website Terms and Conditions, Terms of Sale and Privacy Policy aligned.
- Set up your legal foundations early: strong contracts, compliant customer journeys and proportionate controls will protect your business from day one and support growth.
If you need help assessing whether your activities require FCA authorisation, or putting the right documents and controls in place, our team can help you map the perimeter and get compliant quickly. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.