What Happens When FCA Authorisation Expires?

If your business offers regulated financial services, your FCA status underpins everything - from your ability to trade to the contracts you sign with customers and partners.

But what actually happens when FCA authorisation “expires”, lapses or is cancelled? And what should a small business do next to protect clients, staff and the company?

In this guide, we’ll unpack what “expiry” usually means under UK law, the immediate steps to take if you’re no longer authorised, and your options to get back on track (or wind down safely) without breaching the Financial Services and Markets Act 2000 (FSMA).

Does FCA Authorisation Actually Expire?

Strictly speaking, FCA authorisation doesn’t “expire” on a set date like a driving licence. Instead, your permission can be cancelled, varied, or otherwise cease to apply if you no longer meet the regulator’s requirements.

Common triggers include:

• Failing to pay FCA periodic fees or meet reporting obligations (e.g. returns via RegData)
• No longer meeting the FCA’s threshold conditions (capital, effective supervision, appropriate resources, suitability, business model)
• Not carrying on the regulated activity for a period (the FCA can cancel dormant firms)
• Voluntary cancellation or variation of permission (VoP) by the firm
• Permissions tied to a temporary regime ending (e.g., after a transitional period)

In practice, businesses often discover “expiry” when the FCA cancels or restricts permission, or when a required approval (like an SMF role) lapses and the firm can’t legally continue core activities.

The big legal point: under FSMA’s “general prohibition” (section 19), it’s a criminal offence to carry on a regulated activity in the UK unless you’re authorised or exempt. If your authorisation is gone, you must stop regulated activities immediately until you are covered again (for example, via fresh authorisation or as an appointed representative).

What Happens The Moment You’re No Longer Authorised?

If your FCA authorisation is cancelled, restricted or otherwise no longer covers your activity, there are immediate consequences for your business. Think of it in two buckets: what must stop right now, and what must be managed urgently to protect clients and the firm.

Activities You Must Stop

• Carrying on any regulated activity in the UK (unless an exemption applies).
• Making financial promotions that invite or induce engagement in regulated activities, unless they are lawfully approved by another authorised firm.
• Holding or controlling client assets or money (if applicable) beyond what’s reasonably necessary to return them, consistent with CASS rules and any FCA direction.

Immediate Compliance Actions

• Notify the FCA and respond to any supervisory requests or directions.
• Cease onboarding new customers for regulated products/services.
• Suspend or adjust your website, app and marketing so you’re not representing the business as FCA-authorised. This usually means updating your footer, disclosures and Terms of Use to avoid misleading statements.
• Review client contracts, pipeline and live cases to determine what can be fulfilled lawfully, what must be paused, and what requires approved oversight.
• Contact customers promptly and transparently about service changes, next steps and how their funds/data will be handled.
• If you hold client money/assets, prioritise reconciliation and orderly return in line with CASS and any FCA guidance.

Risks If You Don’t Act

• Criminal liability for carrying on regulated activities without authorisation.
• Enforcement action, fines and potential prohibitions against individuals (e.g., SM&CR consequences).
• Civil consequences for contracts - certain agreements entered into in breach of the general prohibition may be unenforceable and expose your firm to restitution claims.
• Reputational damage and complaints that can attract further regulatory scrutiny.

If this feels daunting, don’t worry - with a rapid, structured response, many small firms manage the situation safely while they regroup or transition.

How To Respond: A Step-By-Step Plan

Here’s a practical sequence we recommend small businesses follow. The exact steps will depend on your permissions and business model, so take tailored advice before making big decisions.

1) Freeze Regulated Activities And Update Public Statements

Stop any regulated activity immediately. Remove claims of FCA authorisation from your site, decks and marketing, and ensure your Terms of Use and customer communications accurately describe your current status. Avoid implying you’re authorised when you’re not - that can be a separate regulatory breach.

2) Stabilise Client Money, Assets And Live Cases

If you handle client money or assets, prioritise safeguarding and return procedures in line with CASS and any FCA direction. Keep detailed logs and confirm all communications in writing. For live cases, decide what can proceed lawfully (e.g., purely administrative steps) and what must be paused.

3) Notify Customers And Partners

Be clear and factual. Explain what’s changing, how their interests are protected, and who to contact. Give timelines for returns or transfers. Maintain a consistent script across channels and log all outbound notices for your records.

4) Decide Your Pathway: Re-Authorise, Vary, Appointed Representative Or Wind Down

Your options typically include:

• Apply to re-authorise or vary permission if you can quickly meet threshold conditions (capital, governance, resources, business model) and resolve the FCA’s concerns.
• Operate as an appointed representative (AR) of an authorised principal who oversees your activities - this can be a faster way to resume certain services lawfully. The commercial oversight relationship should be captured in robust agency agreements.
• Wind down regulated activities in an orderly way, potentially continuing unregulated parts of the business if it makes commercial sense.

5) Strengthen Governance, Policies And Records

The FCA will look closely at culture, systems and controls. Use this period to uplift your documentation and training:

• Refresh your Staff Handbook and role descriptions so responsibilities for regulatory reporting, complaints and client money are crystal clear.
• Make sure you have a compliant Privacy Policy and Cookie Policy, reflecting how you handle personal data and tracking technologies.
• Document incident handling with a Data Breach Response Plan and encourage internal speaking up via a Whistleblower Policy.

6) Prepare Your Regulatory Engagement

Assemble a concise pack that addresses the FCA’s concerns head-on:

• Updated business plan and financials demonstrating sustainability
• Organisational chart, SM&CR allocation, training and competency records
• Compliance monitoring plan and remedial actions taken to date
• Client money/asset reconciliations and wind-down approach
• Evidence of systems upgrades and third-party oversight

Clear, candid engagement goes a long way. If your route is re-authorisation or AR status, be ready to show how risks will be controlled from day one.

Key Legal Issues To Watch Under UK Law

While every firm is different, several legal themes come up again and again when authorisation ceases or permissions are cut back.

FSMA General Prohibition And Unauthorised Business

The starting point is FSMA’s general prohibition: don’t carry on regulated activities in the UK unless authorised or exempt. Breach can be a criminal offence, and customers may have rights to unwind deals and seek restitution. Even well-intentioned “helpful” steps can stray into regulated territory, so sanity-check internal processes before staff act.

Consumer Duty And Fair Treatment

Even while paused, you still owe customers fair, clear and not misleading communications. The FCA’s Consumer Duty and Principles (PRIN) expectations require firms to consider customer outcomes - for example, promptly returning funds, minimising harm from service disruption, and providing practical alternatives where possible.

Complaints Handling (DISP)

You’ll still need a functioning complaints process. Make sure staff know the script and deadlines, and that you maintain logs and final responses as required by DISP. Where redress is due, calculate and pay it promptly, keeping written evidence.

Client Money And Assets (CASS)

If applicable, prioritise safeguarding, reconciliation and return of client money/assets. Keep complete audit trails. Coordinate with banks, custodians or payment providers early to avoid bottlenecks.

Senior Managers & Certification Regime (SM&CR)

Responsibility still sits with named Senior Managers. Maintain Statements of Responsibilities, attestations and training records. If roles change during a pause or wind-down, reflect this immediately in documentation and directory entries as needed.

Data Protection And Records

Pausing services doesn’t pause your data protection duties. Under the UK GDPR and Data Protection Act 2018, you must protect personal data, respect rights requests, and maintain accurate records. Ensure your Privacy Policy aligns with what you’re doing now (for instance, if you’re transferring accounts to a principal firm under an AR model, you’ll need a lawful basis and clear notices). For readiness, many firms bundle core templates in a Data Protection Pack.

Can You Continue Trading In Any Form Without FCA Authorisation?

Potentially, yes - but only for activities that are genuinely unregulated or exempt, and only if you’re not misleading customers about your status. Many firms continue non-regulated operations, such as purely administrative support, lead generation (watch the financial promotion rules), or purely educational content.

Realistically, if your core service is regulated, you’ll need one of the following to keep offering it lawfully:

• Re-authorisation or variation of permission covering your actual business model and product lines; or
• Becoming an appointed representative of an authorised principal who oversees and approves your regulated activity and financial promotions.

If you adopt an AR model, invest proper time in your principal agreement, reporting obligations and oversight mechanics. This isn’t a “light touch” arrangement - it’s a real regulatory relationship, so business terms should be captured in robust agency agreements and operational schedules.

Best Practices To Avoid A Future Lapse

Prevention is always better (and cheaper) than cure. Build these controls into your BAU so the risk of cancellation or restrictions is minimal.

• Calendar your regulatory returns, audits and fees with owner-level accountability and backup coverage.
• Resource compliance properly - under-resourcing is a common root cause of reporting and controls failures.
• Test wind-down plans annually so you can protect customers quickly if things change.
• Keep governance documentation current - statements of responsibility, committee TORs, MI packs, and staff training via a living Staff Handbook.
• Maintain clear customer touchpoints - standardised scripts, service status pages and FAQ templates reduce the chance of misleading communications during a disruption.
• Harden your data compliance with an up-to-date Privacy Policy, a tested Data Breach Response Plan, and cookie disclosures aligned to reality via a current Cookie Policy.
• Enable internal escalation - a practical Whistleblower Policy helps you spot issues early, before they become regulatory events.

Key Takeaways

• FCA authorisation doesn’t “expire” like a licence, but it can be cancelled or restricted - and you must stop regulated activities immediately if you’re no longer authorised or exempt.
• Act fast: freeze regulated activity, stabilise client money/assets, correct your public statements, and notify customers with clear next steps and timelines.
• Choose a lawful pathway forward: re-authorise or vary your permission, operate as an appointed representative with robust agency agreements, or wind down regulated services safely.
• Keep consumer protection front-of-mind: meet Consumer Duty expectations, handle complaints under DISP, and document everything.
• Don’t neglect data protection during a pause - align your Privacy Policy, test your Data Breach Response Plan, and keep your Cookie Policy accurate.
• Prevent recurrences by resourcing compliance, diarising regulatory deadlines, refreshing your Staff Handbook, and enabling early internal escalation through a Whistleblower Policy.

If you’re facing a lapse in FCA authorisation or considering the appointed representative route, it’s wise to get tailored legal advice. For help shaping your next steps and getting protected from day one, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.