Overview
Every FCA-regulated firm must monitor its own compliance. This is not optional — SYSC 6.1.3R requires firms to establish and maintain adequate policies and procedures sufficient to ensure compliance with their obligations under the regulatory system. The question is not whether to monitor, but how.
In practice, most firms fall somewhere on a spectrum between two approaches: manual monitoring using spreadsheets, email, and document folders; and structured monitoring using a defined framework with purpose-built processes, standardised evidence capture, and systematic reporting. Many firms start with spreadsheets — they are cheap, familiar, and flexible. The problems emerge gradually, and by the time they become acute, the firm has accumulated years of monitoring debt that is expensive and painful to unwind.
This comparison is not about selling software. A structured compliance framework can be built on spreadsheets if it is well-designed. The distinction we draw is between ad hoc, person-dependent monitoring and systematic, process-dependent monitoring — regardless of the technology underneath. That said, as firms grow beyond a handful of staff and a narrow set of regulated activities, the practical advantages of purpose-built tooling become difficult to ignore.
When Manual / Spreadsheet Makes Sense
Manual compliance monitoring is a reasonable starting point for newly authorised firms with limited activities and small teams. A sole trader providing independent financial advice, for example, can maintain an effective compliance monitoring programme using a well-structured spreadsheet, a document filing system, and a calendar of review dates. The volume of monitoring activity is low enough that one person can maintain oversight without the process becoming unwieldy.
Firms in their first year of operation often benefit from starting manually because it forces the compliance officer to engage directly with every monitoring activity. There is no abstraction layer between the person and the process. This hands-on approach builds deep understanding of the firm's regulatory obligations and risk profile, which is valuable regardless of what tools are adopted later.
Where the firm's regulated activities are narrow and stable — a firm that only provides mortgage advice, for example, with no plans to expand into other product areas — the monitoring programme is correspondingly limited in scope. A structured spreadsheet with clear tabs for each monitoring area, documented findings, and tracked remedial actions can meet the FCA's expectations if maintained consistently.
The key requirement for manual monitoring to succeed is discipline. The spreadsheet must be updated consistently, evidence must be filed systematically, findings must be escalated and tracked, and the compliance officer must resist the temptation to let monitoring slip when the business is busy. Manual systems fail not because they are inherently inadequate, but because they depend entirely on individual discipline and institutional memory.
When Structured Framework Makes Sense
The case for a structured compliance framework strengthens as complexity increases along any dimension: more regulated activities, more staff, more clients, more regulatory change, or more supervisory scrutiny.
Firms with multiple advisers or multiple regulated activities need monitoring that scales. When ten advisers each require file reviews, training records, CPD tracking, competence assessments, and complaint monitoring, a spreadsheet becomes a liability. Rows multiply, cross-references break, version control fails, and the compliance officer spends more time maintaining the spreadsheet than actually monitoring compliance.
Firms that have experienced or anticipate FCA supervisory engagement should treat structured monitoring as essential. When the FCA visits — whether through a scheduled supervision meeting, a thematic review, or a reactive investigation — it expects to see evidence quickly. A structured framework with organised evidence, complete audit trails, and standardised reporting can produce an evidence pack in hours. A manual system may require days or weeks of frantic assembly, during which gaps and inconsistencies become visible.
Firms subject to the Senior Managers and Certification Regime (SMCR) have specific obligations around the oversight and documentation of conduct and competence. The compliance monitoring programme must demonstrate that senior managers are discharging their prescribed responsibilities and that certified staff remain fit and proper. These obligations are difficult to track reliably in a manual system, particularly as staff numbers grow.
Post-Consumer Duty, the FCA expects firms to monitor outcomes across four specific areas and produce an annual board-level assessment. This requires consistent data collection throughout the year, not a retrospective scramble at assessment time. A structured framework embeds this data collection into ongoing operations; a manual approach typically results in incomplete data and a weaker assessment.
Key Considerations
The FCA assesses effectiveness, not tools. The regulator does not mandate any particular compliance monitoring platform or methodology. It assesses whether your monitoring is risk-based, whether it covers your regulatory obligations adequately, whether findings are actioned, and whether the programme adapts to changes in your business and the regulatory environment. A well-maintained spreadsheet can pass this test. A poorly implemented framework can fail it. Effectiveness is what matters.
Audit trails are where manual systems fail. The single most common deficiency in spreadsheet-based monitoring is the audit trail. When did this review happen? Who performed it? What evidence was examined? What was the finding? When was it escalated? Who approved the remedial action? When was it completed? A spreadsheet can record this information, but it cannot enforce its capture. Structured frameworks make evidence capture mandatory rather than optional, which is why they consistently produce better audit trails.
Key person dependency is a governance risk. If your compliance monitoring programme is understood by one person and that person leaves, you have a serious problem. Manual systems are particularly vulnerable because the logic, conventions, and institutional knowledge are often held in one person's head rather than embedded in the process. The FCA has specifically flagged key person dependency as a governance risk in smaller firms. A structured framework with documented processes and standardised workflows is inherently more resilient to staff changes.
Board reporting quality reflects monitoring quality. SYSC requires firms to provide management information to the governing body that enables effective oversight. Compliance monitoring reports that are late, inconsistent, or incomplete undermine the board's ability to discharge its governance obligations. Structured frameworks produce standardised reporting as a byproduct of the monitoring process. Manual systems require the compliance officer to build reports from scratch each period, which is time-consuming and prone to inconsistency.
The cost of remediation exceeds the cost of prevention. Firms that discover monitoring deficiencies during an FCA visit face remediation costs — both direct (engaging consultants to rebuild the framework, backfilling evidence gaps) and indirect (increased supervisory attention, potential enforcement action, reputational damage). Investing in a structured framework before problems emerge is almost always cheaper than fixing them afterwards.
Regulatory change is accelerating. The pace of regulatory change in UK financial services has increased materially in recent years: Consumer Duty, the FCA's revised approach to supervision, enhanced financial crime requirements, sustainability disclosure regulations, and ongoing SMCR evolution. A manual monitoring system requires the compliance officer to identify each change, assess its impact, update the monitoring programme, and adjust monitoring activities — all manually. Structured frameworks can incorporate regulatory change more systematically, reducing the risk that new requirements fall through the cracks.
Our Recommendation
For firms beyond the initial startup phase — broadly, any firm with more than three or four regulated individuals, multiple permission types, or aspirations for growth — a structured compliance monitoring framework is the more prudent choice. The initial investment is modest relative to the risk reduction it provides, and the operational benefits compound over time as the firm grows.
Firms that are currently operating with manual monitoring and experiencing any of the following signals should prioritise the transition: compliance monitoring reviews consistently running late, difficulty producing evidence on request, board reporting that is delayed or incomplete, anxiety about an FCA visit, or the compliance officer spending more time on administration than on substantive monitoring.
For newly authorised firms with simple permission sets, starting with a well-designed spreadsheet approach is reasonable — but build it with structure from the outset. Use a risk-based monitoring plan, standardise your evidence templates, and create processes that are documented well enough for someone else to follow. When the time comes to transition to a more structured approach, you will have a solid foundation to build on rather than a legacy of inconsistency to unpick.
How We Can Help
MEMA provides compliance monitoring framework design and implementation for firms at every stage. For firms transitioning from manual to structured monitoring, we conduct a gap analysis of your current arrangements, design a risk-based monitoring programme calibrated to your business, and support the implementation — whether that involves purpose-built tooling or a well-structured document-based framework.
Our compliance outsourcing service provides ongoing monitoring delivery for firms that prefer to delegate. We act as your outsourced compliance monitoring function, conducting reviews against your monitoring plan, documenting findings with full evidence, tracking remedial actions, and producing board-ready reports on a regular cycle. This is particularly valuable for smaller firms where hiring a dedicated compliance officer is not yet justified.
For firms that want to maintain monitoring in-house but need external assurance, we offer annual compliance monitoring programme reviews. We assess the effectiveness of your existing programme, benchmark it against FCA expectations and sector best practice, and provide a prioritised set of recommendations. This serves a similar function to an internal audit review and provides the board with independent assurance over the compliance framework.
Frequently Asked Questions
What does the FCA expect to see in a compliance monitoring programme?
The FCA expects firms to have a documented compliance monitoring programme that is risk-based, covers all relevant regulatory obligations, and produces evidence of the monitoring activities performed and their outcomes. SYSC 6.1.3R requires appropriate arrangements to ensure compliance with regulatory obligations and to counter the risk of financial crime. The FCA will examine whether monitoring is genuinely risk-based, whether findings are escalated and remediated, and whether the programme adapts to reflect changes in the business, regulatory environment, and risk profile. A spreadsheet can technically meet these requirements, but in practice the FCA's expectations around evidence quality and audit trail make this increasingly difficult.
Can a small firm justify continuing with spreadsheet-based compliance monitoring?
Yes, provided the monitoring is genuinely effective and well-documented. The FCA applies proportionality — it does not mandate specific tools or platforms. A sole trader or small firm with limited regulated activities can operate effective compliance monitoring using spreadsheets if the monitoring plan is risk-based, findings are documented with evidence, remedial actions are tracked to completion, and the compliance officer can demonstrate the programme's coverage and effectiveness to the FCA on request. The risk is that as the firm grows, the spreadsheet approach fails to scale and gaps emerge before they are recognised.
How often should compliance monitoring reviews be conducted?
Frequency should be risk-based. High-risk areas such as financial promotions, client money handling, anti-money laundering, and suitability of advice typically warrant quarterly or more frequent monitoring. Lower-risk areas may be reviewed semi-annually or annually. The monitoring plan should set out the frequency for each area with a documented rationale linked to the firm's risk assessment. The FCA expects the monitoring programme to cover all key risk areas within a twelve-month cycle at minimum.
What is the difference between compliance monitoring and internal audit?
Compliance monitoring is a first- or second-line activity that tests whether the firm is meeting its regulatory obligations on an ongoing basis. It is typically performed by the compliance function and focuses on current adherence to rules, policies, and procedures. Internal audit is a third-line activity that independently assesses the effectiveness of the compliance framework itself, including whether the monitoring programme is adequate. Smaller firms may not have a separate internal audit function, but the FCA still expects some independent assurance over the compliance framework, which can be achieved through external reviews or board-level challenge.
Need help deciding?
Our consultants can assess your specific situation and recommend the right approach for your firm.