FCA Authorisation Preparation: A Step-by-Step Implementation Guide

What It Is

FCA authorisation preparation is the process of assembling and documenting everything required to submit a complete, compelling application for FCA authorisation or registration. It encompasses perimeter analysis (confirming that the firm's proposed activities require authorisation), identification of the correct regulatory permissions, preparation of the business plan and financial projections, assessment of capital adequacy, selection and vetting of key individuals, design of governance and compliance arrangements, and completion of the application forms on the FCA's Connect system.

The application itself is submitted through Connect, the FCA's online regulatory portal. The forms require detailed information about the firm's ownership, governance, business model, financial resources, key personnel, compliance arrangements, and the specific regulated activities and investment types for which authorisation is sought. Supporting documents — including the business plan, financial projections, compliance monitoring programme, organisational chart, and CVs of key individuals — must accompany the application.

Authorisation is not a formality. The FCA refuses or withdraws a material proportion of applications each year, and many more are abandoned by applicants after receiving challenging questions from the case officer. The most common reasons for refusal or withdrawal are inadequate financial resources, unsuitable key individuals, unconvincing business plans, and compliance arrangements that exist on paper but would not function in practice. Thorough preparation is the single most important factor in achieving a successful outcome.

Why the FCA Cares

The FCA's authorisation function is the gateway to the UK's financial services market. The regulator has a statutory obligation under section 1B FSMA to advance its operational objectives — consumer protection, market integrity, and competition — and the authorisation process is the first opportunity to assess whether a firm is likely to support or undermine these objectives.

The FCA has stated publicly that it has raised the bar for authorisation. In its annual reports and business plans, the regulator has emphasised a more assertive approach to gateway scrutiny, with more detailed assessment of business models, financial resilience, and governance arrangements. The FCA's strategy is that preventing unsuitable firms from entering the market is more efficient and less harmful than allowing them in and supervising or enforcing them out later.

The FCA's authorisation team scrutinises applications through the lens of the Threshold Conditions (COND). These are not aspirational standards — they are minimum requirements that must be met at the point of authorisation and maintained continuously thereafter. The FCA assesses whether the firm has appropriate resources (not just financial — human, technological, and operational resources), whether it can be effectively supervised (including its regulatory reporting capability and governance structure), and whether its business model is viable and not likely to cause consumer harm.

The regulator also assesses the fitness and propriety of every individual who will hold a Senior Management Function (SMF) or other controlled function. This assessment covers honesty, integrity, reputation, competence, capability, and financial soundness. Adverse findings against key individuals are the single most common reason for application refusal, and the FCA conducts checks that extend beyond the information provided by the applicant — including DBS checks, credit checks, and searches of its own enforcement records and intelligence databases.

Who It Affects

Any person or entity that intends to carry on a regulated activity in the UK must be authorised by the FCA (or PRA, for dual-regulated firms), unless an exemption or exclusion applies. This includes firms providing investment advice, managing investments, arranging deals in investments, providing consumer credit, operating payment services, issuing e-money, carrying on insurance mediation, and operating a mortgage broking business, among many other activities defined in the Regulated Activities Order 2001.

The authorisation requirement applies regardless of where the firm is incorporated. UK-based firms, overseas firms establishing a UK branch, and newly formed entities all require authorisation if they intend to carry on regulated activities in the UK. The scope of activities that require authorisation has expanded significantly in recent years, with the inclusion of claims management companies, cryptoasset businesses (for AML registration), and buy-now-pay-later credit.

The preparation process also affects the firm's investors, shareholders, and controllers. The FCA assesses the suitability of every person who will hold 10% or more of the firm's shares or voting power (a "controller"). Controllers must notify the FCA and may be subject to their own fitness and propriety assessment. Changes of control after authorisation also require FCA approval under section 178 FSMA.

Appointed representatives do not need their own authorisation, as they operate under the umbrella of their principal firm. However, the principal firm must be authorised for the relevant activities, and the FCA has significantly tightened its scrutiny of principal-AR relationships. Firms seeking to operate as an AR rather than obtaining their own authorisation should consider whether this model genuinely suits their business or whether it introduces dependency and governance risks.

What Firms Get Wrong

The most damaging error is applying before the firm is ready. Firms submit applications with incomplete business plans, unrealistic financial projections, or key individuals who have not been properly vetted. Incomplete applications are returned, and the statutory determination clock does not start until the application is complete. Multiple rounds of supplementary information requests — "additional information" letters from the case officer — delay the process and signal to the FCA that the firm's preparation was inadequate.

The second common mistake is treating the business plan as a marketing document rather than a regulatory submission. The FCA is not interested in aspirational language about market opportunity and competitive positioning. The business plan must demonstrate how the firm will meet its regulatory obligations in practice: how it will identify and manage risks, maintain adequate capital, handle complaints, oversee appointed representatives (if applicable), produce regulatory returns, and respond to supervisory requests. The plan should be realistic, internally consistent, and supported by financial projections that show the firm can sustain itself through the initial period when revenue may be limited.

Firms frequently underestimate the importance of compliance arrangements. Listing a compliance officer by name and stating that the firm will "comply with all applicable regulations" is not a compliance arrangement. The FCA expects to see a compliance monitoring programme that identifies the key regulatory risks, specifies how each will be monitored (including frequency, methodology, and responsible individuals), and describes how compliance failures will be escalated and remediated. The monitoring programme should be tailored to the firm's specific activities and risks, not a generic template.

Capital adequacy is another area of persistent error. Firms calculate the regulatory minimum and assume this is sufficient. The FCA assesses whether the firm's capital is adequate for its business plan — which requires consideration of the firm's wind-down costs, the time needed to become cash-flow positive, and stress scenarios. A firm that meets the minimum requirement but would run out of capital within six months of authorisation if revenue targets are not met is unlikely to satisfy the appropriate resources Threshold Condition.

Finally, firms underestimate the scrutiny applied to key individuals. The FCA expects every proposed SMF holder to have demonstrable competence and experience relevant to their role. A firm that proposes a CEO with no financial services experience, or a compliance oversight holder who has never worked in a compliance function, is setting itself up for challenge. Firms should also ensure that individuals are prepared for the FCA's interview process — case officers frequently request interviews with proposed SMF holders, and poor interview performance can stall or derail an application.

What Evidence Is Expected

The FCA expects a comprehensive application pack that includes completed Connect forms, a detailed business plan, three-year financial projections (profit and loss, balance sheet, and cash flow), a regulatory capital assessment, an organisational chart showing governance and reporting lines, a compliance monitoring programme, policies and procedures for the regulated activities to be conducted, and CVs and supporting documentation for all proposed SMF holders and controllers.

The business plan must address the firm's target market, products and services, distribution model, pricing strategy, operational infrastructure, IT systems, outsourcing arrangements, key risks and mitigants, and regulatory obligations. Financial projections must be realistic, internally consistent with the business plan narrative, and accompanied by assumptions documentation that explains the basis for revenue, cost, and growth projections. The FCA frequently challenges projections that appear optimistic or unsupported.

For key individuals, the FCA requires the SMF application form (Form A) for each proposed Senior Management Function holder, a current CV, a statement of responsibilities, evidence of relevant qualifications and experience, and the results of DBS and credit checks. For controllers, a controller notification (section 178 FSMA) is required, with evidence of the source of funds used to capitalise the firm.

Compliance arrangements documentation must include the compliance monitoring programme, the firm's risk assessment methodology, policies for the specific regulatory obligations relevant to its permissions (e.g., suitability, financial promotions, complaints handling, AML/CTF, data protection), and evidence that the proposed compliance resources — whether internal or outsourced — are adequate for the firm's size and complexity. Where compliance is outsourced, the FCA expects a documented outsourcing arrangement with clear accountability retained by the firm.

Good Implementation Looks Like

A well-prepared authorisation application starts with thorough perimeter analysis. The firm has taken professional advice to confirm which regulated activities it intends to conduct, which permissions it needs, and whether any exemptions or exclusions apply. This analysis is documented and forms the foundation for the rest of the preparation process. Firms that skip this step risk applying for the wrong permissions — requiring a variation of permission post-authorisation — or failing to apply for permissions they need.

The business plan is written for its audience: FCA case officers who read hundreds of applications and can distinguish substance from padding. It is specific about what the firm will do, how it will do it, who will do it, and how much it will cost. Revenue projections are conservative, cost projections are comprehensive (including regulatory fees, PI insurance, compliance costs, and capital maintenance), and the plan demonstrates that the firm can operate for at least twelve months before reaching break-even. Stress scenarios — including delayed revenue, key person departure, and adverse market conditions — are addressed with credible contingency plans.

Key individuals are selected, vetted, and prepared before the application is submitted. Each proposed SMF holder has relevant experience, can articulate their understanding of the role's regulatory responsibilities, and has been through the firm's own fitness and propriety assessment. The firm has conducted DBS and credit checks and addressed any issues proactively. Where an individual has a disciplinary record, adverse credit history, or other potential concern, it is disclosed in the application with a clear, honest explanation — concealment is treated as a separate integrity failing.

Compliance arrangements are operational from day one. The compliance monitoring programme is not a future commitment — it is a working document with a monitoring schedule, defined methodologies, and named responsible individuals. Policies are drafted, staff training is planned, and the firm can demonstrate to the case officer that its regulatory infrastructure is ready to support the activities for which it is seeking authorisation. A firm that presents its compliance arrangements as something it will "build after authorisation" is telling the FCA it is not ready.

The firm engages with the FCA constructively throughout the process. When the case officer requests additional information, the firm responds promptly, completely, and transparently. Where concerns are raised, the firm addresses them substantively rather than defensively. The most successful applications are those where the firm demonstrates both competence and integrity — showing the FCA not just that it can meet regulatory requirements, but that it understands why those requirements exist and is committed to meeting them.

Related Tool

The MEMA FCA authorisation checklist tool provides a structured, step-by-step preparation framework that maps every requirement of the authorisation application process. It guides firms through perimeter analysis, permission identification, Threshold Condition self-assessment, business plan preparation, capital adequacy calculation, key individual vetting, and compliance arrangements documentation.

The FCA calculator module helps firms assess their regulatory capital requirements based on the specific permissions sought, calculating minimum requirements under MIFIDPRU, MIPRU, or the Payment Services Regulations as applicable. It also models wind-down costs and provides a capital adequacy buffer calculation that goes beyond the minimum requirement to meet the FCA's "adequate resources" assessment.

The tool includes document templates aligned to FCA expectations — including business plan structures, compliance monitoring programme formats, and risk assessment frameworks — that firms can customise to their specific activities. Output is formatted for direct inclusion in the Connect application, reducing the administrative burden and ensuring consistency between supporting documents and form responses.

Related Service

Our FCA authorisation service provides end-to-end support from initial perimeter analysis through to authorisation determination and post-authorisation embedding. We have supported firms across the full range of regulated activities — investment management, financial advice, consumer credit, payment services, insurance mediation, and mortgage broking — and understand the FCA's expectations for each permission type.

Our approach starts with a feasibility assessment: we evaluate whether the firm's proposed business model, key individuals, and capital position are likely to meet the Threshold Conditions, and we identify any issues that need to be addressed before the application is submitted. This front-loading of preparation avoids the costly scenario of submitting an application that attracts multiple rounds of FCA challenge.

We draft the business plan, financial projections, compliance monitoring programme, and all supporting documentation. We prepare key individuals for the FCA's interview process, conduct pre-submission fitness and propriety assessments, and manage the relationship with the FCA case officer throughout the determination process. Our involvement does not end at authorisation — we provide post-authorisation support to ensure the firm's compliance arrangements are operational and embedded from the first day of trading.

Related Sectors

Payment services firms face one of the most challenging authorisation processes. The Payment Services Regulations 2017 impose specific requirements around safeguarding of customer funds, capital adequacy, governance arrangements, and AML/CTF controls. The FCA has tightened scrutiny of payment institution applications following concerns about firm failures and consumer fund losses in the sector. Applicants must demonstrate robust safeguarding arrangements, realistic revenue models that do not depend on float income, and governance structures that can manage the operational complexity of payment processing.

Consumer credit firms must navigate a permission regime that has expanded significantly since the transfer of consumer credit regulation from the OFT to the FCA in 2014. The range of consumer credit activities requiring authorisation is broad — from lending and broking to debt adjusting, debt counselling, and credit information services. Each activity carries specific regulatory obligations, and the FCA expects the business plan and compliance arrangements to address each permission individually. Capital requirements under MIPRU apply, and the FCA assesses affordability assessment processes, forbearance arrangements, and complaints handling as part of the authorisation review.

Wealth management firms seeking authorisation for investment advice, discretionary management, or both must demonstrate suitability frameworks, investment governance processes, client money and asset safeguarding (where applicable under CASS), and robust financial resources. The FCA's assessment of wealth management applications is particularly focused on the competence and experience of key individuals — the suitability of investment advice depends directly on the quality of the people giving it. Firms must demonstrate that their proposed advisers hold appropriate qualifications (such as Level 4 diplomas or Chartered status) and have relevant market experience.