FCA Authorisation Preparation: A Step-by-Step Implementation Guide

What It Is

FCA authorisation preparation is the process of assembling and documenting everything required to submit a complete, compelling application for FCA authorisation or registration. It encompasses perimeter analysis (confirming under PERG that the firm's proposed activities require authorisation under the Financial Services and Markets Act 2000 and the Regulated Activities Order 2001), identification of the correct regulatory permissions (Part 4A permissions under section 55A FSMA), preparation of the business plan and financial projections, assessment of capital adequacy under the applicable prudential regime (MIFIDPRU, MIPRU, or the Payment Services Regulations 2017), selection and vetting of key individuals who will hold Senior Management Functions, design of governance and compliance arrangements that satisfy the Threshold Conditions in Schedule 6 FSMA, and completion of the application forms on the FCA's Connect system.

The application itself is submitted through Connect, the FCA's online regulatory portal. The core application form varies by firm type — the most common are the "Authorisation" form for investment and insurance firms, the "Full Authorisation" form for payment institutions, and the "Consumer Credit" form for credit-only firms. The forms require detailed information about the firm's ownership and control structure, governance arrangements, business model, financial resources, key personnel (via Form A for each SMF holder), compliance arrangements, and the specific regulated activities and investment types for which authorisation is sought. Supporting documents — including the business plan, three-year financial projections (profit and loss, balance sheet, and cash flow), compliance monitoring programme, organisational chart, CVs and qualification certificates for key individuals, PI insurance confirmation, and AML policies — must accompany the application.

Authorisation is not a formality. The FCA's Annual Report 2023/24 shows that it refused, withdrew, or saw the voluntary withdrawal of approximately 22% of all applications in that year. Many more are abandoned by applicants after receiving challenging questions from the case officer. The most common reasons for refusal or withdrawal are inadequate financial resources (Threshold Condition 2D), unsuitable key individuals (Threshold Condition 2E), unconvincing or unviable business plans (Threshold Condition 2F), and compliance arrangements that exist on paper but would not function in practice (Threshold Condition 2C — effective supervision). Thorough preparation is the single most important factor in achieving a successful outcome — and the difference between a three-month determination and a twelve-month ordeal.

Why the FCA Cares

The FCA's authorisation function is the gateway to the UK's financial services market. The regulator has a statutory obligation under section 1B FSMA to advance its operational objectives — consumer protection, market integrity, and competition — and the authorisation process is the first opportunity to assess whether a firm is likely to support or undermine these objectives. Section 55B FSMA provides that the FCA "must ensure that [the applicant] will satisfy, and continue to satisfy" the Threshold Conditions.

The FCA has stated publicly and repeatedly that it has raised the bar for authorisation. In its 2023/24 Business Plan, the regulator described gateway scrutiny as a "key lever" for preventing harm, stating: "It is far better to prevent unsuitable firms from entering the market than to allow them in and supervise or enforce them out later — which is more expensive, slower, and causes more harm to consumers." This philosophy has translated into more detailed assessment of business models (with particular focus on viability, resilience, and the potential for consumer harm), financial resilience (including stress testing and wind-down planning), and governance arrangements (including the quality, competence, and independence of compliance functions).

The FCA's authorisation team scrutinises applications through the lens of the five Threshold Conditions (COND 2.1-2.5). These are not aspirational standards — they are minimum requirements that must be met at the point of authorisation and maintained continuously thereafter:

• COND 2.1 — Location of offices: If the firm is a body corporate incorporated in the UK, its registered office and head office must be in the UK
• COND 2.2 — Effective supervision: The FCA must be satisfied that it is capable of effectively supervising the firm, considering the firm's group structure, any overseas connections, and the transparency of its arrangements
• COND 2.3 — Appropriate resources: The firm must have resources (financial, human, and technological) that are adequate in relation to the regulated activities it seeks to carry on. This is assessed dynamically — the FCA considers whether resources will remain adequate as the business grows
• COND 2.4 — Suitability: The firm must be a fit and proper person, considering its connection with any other person, the nature of any regulated activity it carries on, and the need to ensure that its affairs are conducted soundly and prudently
• COND 2.5 — Business model: The firm's business model must be suitable for a person carrying on the regulated activities that the firm carries on or seeks to carry on. The FCA must be satisfied the business model does not pose a risk to the FCA's objectives

The regulator also assesses the fitness and propriety of every individual who will hold a Senior Management Function (SMF) or other controlled function under FIT 1 and FIT 2. This assessment covers honesty, integrity, and reputation (FIT 2.1), competence and capability (FIT 2.2), and financial soundness (FIT 2.3). Adverse findings against key individuals are the single most common reason for application refusal, and the FCA conducts checks that extend beyond the information provided by the applicant — including DBS checks, credit reference agency checks, searches of its own enforcement records and intelligence databases, and searches of overseas regulator records where the individual has worked abroad. The FCA may also interview proposed SMF holders — and poor interview performance (including inability to articulate regulatory responsibilities, unfamiliarity with the business plan, or inconsistency with the application) can stall or derail an application.

Who It Affects

Any person or entity that intends to carry on a regulated activity in the UK must be authorised by the FCA (or PRA, for dual-regulated firms), unless an exemption or exclusion applies under the FSMA 2000 (Exemption) Order 2001 or the Regulated Activities Order 2001. The general prohibition is set out in section 19 FSMA: "No person may carry on a regulated activity in the United Kingdom... unless he is an authorised person or an exempt person." Breach of this prohibition is a criminal offence under section 23 FSMA, punishable by up to two years' imprisonment and an unlimited fine, and agreements made in breach are unenforceable under section 26 FSMA (the customer can recover any money paid).

Regulated activities requiring authorisation include (among many others defined in the RAO): accepting deposits (Article 5), dealing in investments as principal or agent (Articles 14, 21), arranging deals in investments (Article 25), managing investments (Article 37), providing investment advice (Article 53), establishing or operating a collective investment scheme (Article 51ZC), providing consumer credit (Articles 60B-60H), operating payment services (as defined in the PSR 2017), issuing e-money (as defined in the EMR 2011), carrying on insurance mediation (Article 25A), and operating a mortgage broking business (Articles 25A, 53A, 61). The scope has expanded significantly in recent years, with the inclusion of claims management companies (from April 2019), cryptoasset businesses (for AML registration under the MLRs, from January 2020), and — pending legislation — buy-now-pay-later credit.

The preparation process also affects the firm's investors, shareholders, and controllers. Under section 178 FSMA, any person who decides to acquire or increase control over an FCA-authorised firm (defined as holding 10%, 20%, 30%, or 50%+ of shares or voting power) must notify the FCA and receive approval before completing the acquisition. Controllers are subject to their own fitness and propriety assessment, and the FCA can object to a proposed acquisition on grounds including the suitability of the acquirer, the financial soundness of the acquisition, and the impact on the firm's ability to meet the Threshold Conditions. Changes of control after authorisation also require FCA approval under section 178 — an obligation that catches private equity transactions, management buyouts, and sometimes even inheritance events.

Appointed representatives do not need their own authorisation, as they operate under the umbrella of their principal firm under section 39 FSMA. However, the principal firm must be authorised for the relevant activities, and the FCA has significantly tightened its scrutiny of principal-AR relationships through PS22/11 (Improving the Appointed Representatives regime). The FCA's 2023/24 data showed that ARs were responsible for a disproportionate share of supervisory complaints. Firms considering the AR model should assess carefully whether it genuinely suits their business — the FCA now expects principal firms to demonstrate the same quality of oversight of AR activity as they would of their own operations, and the regulatory burden on principals has increased substantially.

What Firms Get Wrong

The most damaging error is applying before the firm is ready. Firms submit applications with incomplete business plans, unrealistic financial projections, key individuals who have not been properly vetted, or missing supporting documents. Incomplete applications are not accepted for processing — the FCA will issue a "minded to refuse to accept" notice, and the statutory determination clock (six months for straightforward applications under section 55V FSMA) does not start until the application is deemed complete. Multiple rounds of supplementary information requests — "additional information" letters from the case officer — delay the process and signal to the FCA that the firm's preparation was inadequate, which influences the assessor's view of the firm's overall competence and readiness.

The second common mistake is treating the business plan as a marketing document rather than a regulatory submission. The FCA is not interested in aspirational language about market opportunity, competitive positioning, or growth potential. The business plan must demonstrate how the firm will meet its regulatory obligations in practice: how it will identify and manage risks relevant to its activities, maintain adequate capital through the initial growth period and beyond, handle complaints under DISP, oversee appointed representatives if applicable, produce regulatory returns on time, manage conflicts of interest, and respond to supervisory requests. The plan should be realistic, internally consistent (financial projections must align with the narrative), and supported by assumptions documentation that the FCA can interrogate. Case officers are experienced — they read hundreds of applications and can distinguish substance from padding.

Firms frequently underestimate the importance of compliance arrangements. Listing a compliance officer by name and stating that the firm will "comply with all applicable regulations" is not a compliance arrangement. The FCA expects to see a compliance monitoring programme (CMP) that identifies the key regulatory risks specific to the firm's activities, specifies how each will be monitored (including frequency, methodology, sample sizes, and responsible individuals), describes how compliance failures will be escalated and remediated, and includes a monitoring schedule for the first 12 months. The CMP should be tailored to the firm's specific activities and risk profile — not a generic template. The FCA case officer will test the CMP against the proposed activities: if the firm is seeking permission for investment advice, the CMP must address suitability file reviews; if the firm will handle client money, the CMP must address CASS reconciliation; if the firm will conduct financial promotions, the CMP must address promotions sign-off and monitoring.

Capital adequacy is another area of persistent error. Firms calculate the regulatory minimum under the applicable regime (MIFIDPRU 4, MIPRU 4, or PSR 2017 regulation 6) and assume this is sufficient. The FCA assesses whether the firm's capital is adequate for its specific business plan under Threshold Condition 2.3 — which requires consideration of the firm's wind-down costs (the capital needed to exit the market in an orderly fashion, meeting all obligations to customers, counterparties, and regulators), the time needed to become cash-flow positive (for new firms, this may be 12-24 months), and stress scenarios (including delayed revenue, key person departure, adverse market conditions, and operational incidents). A firm that meets the minimum requirement but would run out of capital within six months of authorisation if revenue targets are missed by 30% is unlikely to satisfy the appropriate resources condition. The FCA expects firms to demonstrate capital headroom above the minimum — and for firms to have a documented capital adequacy assessment (an ICARA process under MIFIDPRU, or equivalent) before authorisation.

Firms also underestimate the scrutiny applied to key individuals. The FCA expects every proposed SMF holder to have demonstrable competence and experience relevant to their specific role (FIT 2.2). A firm that proposes a CEO (SMF1) with no financial services experience, or a compliance oversight holder (SMF16) who has never worked in a compliance function, is setting itself up for challenge — and likely refusal. The FCA has specifically warned (in its 2023 Approach to Authorisation document) against "brass plate" arrangements where individuals are named in the application but will not perform the function in practice. Firms should ensure that individuals are prepared for the FCA's interview process. Case officers frequently request interviews with proposed SMF holders, particularly the CEO and compliance officer. Individuals who cannot explain the firm's business model in regulatory terms, cannot articulate the specific risks of the proposed activities, or give answers inconsistent with the application are likely to be found unsuitable.

Finally, firms fail to account for the timeline. The FCA recommends that firms begin preparation at least six months before their intended authorisation date. In practice, for complex applications (payment institutions, investment firms with multiple permissions, firms with overseas controllers), 9-12 months of preparation is realistic. Firms that underestimate the preparation timeline are forced to choose between submitting an incomplete application (which will be delayed) or delaying their market entry — neither is desirable.

What Evidence Is Expected

The FCA expects a comprehensive application pack that includes:

• Completed Connect forms — the core application form, plus Form A for each proposed SMF holder, plus controller notifications under section 178 FSMA where applicable
• Business plan — addressing target market, products and services, distribution model, pricing strategy, operational infrastructure, IT systems, outsourcing arrangements, key risks and mitigants, and regulatory obligations specific to each permission sought
• Three-year financial projections — profit and loss, balance sheet, and cash flow, accompanied by an assumptions document explaining the basis for revenue, cost, and growth projections. The FCA expects projections to include a base case, an optimistic case, and a stress case. Revenue projections should be bottom-up (derived from specific activity assumptions) rather than top-down (derived from market share assumptions)
• Regulatory capital assessment — demonstrating that the firm meets the applicable minimum requirement and has adequate headroom for its business plan. For MIFIDPRU firms, this means an initial ICARA assessment. For payment institutions, this means a safeguarding assessment demonstrating how customer funds will be protected under regulation 23 PSR 2017
• Organisational chart — showing governance and reporting lines, including the relationship between the board, senior management, compliance, and operational functions
• Compliance monitoring programme — as described above, tailored to the firm's specific activities and risk profile
• Policies and procedures — for each regulated activity the firm will conduct, including (as applicable) suitability policy, financial promotions policy, complaints handling procedure, AML/CTF policy, client money and asset procedures, conflicts of interest policy, and data protection procedures
• Key individual documentation — CV, qualification certificates, evidence of relevant experience, DBS and credit check results, and a draft Statement of Responsibilities for each proposed SMF holder
• Controller documentation — source of funds evidence for the capitalisation of the firm, personal financial statements for individual controllers, and corporate structure charts for corporate controllers

The FCA frequently challenges projections that appear optimistic or unsupported. Case officers compare the firm's assumptions against sector benchmarks and their own experience of similar firms. Projections that show rapid revenue growth with no marketing expenditure, or low cost assumptions that do not include regulatory fees, PI insurance, compliance costs, and capital maintenance buffers, are likely to be challenged.

Good Implementation Looks Like

A well-prepared authorisation application starts with thorough perimeter analysis. The firm has taken professional advice to confirm which regulated activities it intends to conduct (referring to the specific RAO articles), which Part 4A permissions it needs, and whether any exemptions or exclusions apply. This analysis is documented and forms the foundation for the rest of the preparation process. Firms that skip this step risk applying for the wrong permissions — requiring a costly variation of permission (VoP) post-authorisation — or failing to apply for permissions they need, which could mean conducting unauthorised activity (a criminal offence). Common perimeter errors include failing to recognise that arranging introductions constitutes "arranging deals in investments" under Article 25, assuming that debt collection does not require credit-related permissions, and failing to identify that operating a payment account constitutes a payment service.

The business plan is written for its audience: FCA case officers who read hundreds of applications and can distinguish substance from padding. It is specific about what the firm will do (the regulated activities, in regulatory language), how it will do it (the operational model, including technology, staffing, and outsourcing), who will do it (named individuals with specified qualifications and experience), and how much it will cost (with granular cost projections including regulatory fees, FOS levy, FSCS levy, PI insurance, compliance costs, and capital maintenance). Revenue projections are conservative — the FCA is more likely to approve a firm that projects modest initial revenue with a clear path to profitability than one that projects aggressive growth based on untested assumptions. Stress scenarios — including 50% revenue shortfall in year one, key person departure, and adverse market conditions — are addressed with credible contingency plans (including capital buffers, cost reduction levers, and an orderly wind-down plan).

Key individuals are selected, vetted, and prepared before the application is submitted. Each proposed SMF holder has relevant experience in the specific regulated activities the firm will conduct, can articulate their understanding of the role's regulatory responsibilities (including SM&CR obligations, the duty of responsibility, and the specific risks relevant to their area), and has been through the firm's own fitness and propriety assessment under FIT 1-2. The firm has conducted DBS and credit checks and addressed any issues proactively. Where an individual has a disciplinary record, adverse credit history, regulatory findings, or other potential concern, it is disclosed in the application with a clear, honest explanation — concealment is treated as a separate integrity failing under FIT 2.1 (honesty, integrity, and reputation) and is likely to result in refusal.

Compliance arrangements are operational from day one. The compliance monitoring programme is not a future commitment — it is a working document with a monitoring schedule for the first 12 months, defined methodologies for each monitoring activity, and named responsible individuals. Policies are drafted in final form (not placeholder documents), staff training is planned and costed, and the firm can demonstrate to the case officer that its regulatory infrastructure is ready to support the activities for which it is seeking authorisation. A firm that presents its compliance arrangements as something it will "build after authorisation" is telling the FCA it does not meet Threshold Condition 2C (effective supervision).

The firm engages with the FCA constructively throughout the process. When the case officer requests additional information, the firm responds promptly (ideally within 14 days), completely (addressing every question raised, not selectively), and transparently (providing documents and explanations without defensive positioning). Where concerns are raised, the firm addresses them substantively — either providing additional evidence that satisfies the concern, or modifying its proposal to remove the concern. The most successful applications are those where the firm demonstrates both competence and integrity — showing the FCA not just that it can meet regulatory requirements, but that it understands why those requirements exist and is committed to meeting them.

Related Tool

The MEMA FCA authorisation checklist tool provides a structured, step-by-step preparation framework that maps every requirement of the authorisation application process against the firm's specific permission type. It guides firms through perimeter analysis (with RAO article references), permission identification, Threshold Condition self-assessment (with specific evidence requirements for each condition), business plan preparation (with section-by-section guidance aligned to FCA expectations), capital adequacy calculation, key individual vetting (including DBS and credit check workflows), and compliance arrangements documentation.

The FCA calculator module helps firms assess their regulatory capital requirements based on the specific permissions sought, calculating minimum requirements under MIFIDPRU 4 (for investment firms, with Class 1/2/3 classification), MIPRU 4 (for insurance intermediaries and mortgage advisers), or the Payment Services Regulations 2017 regulation 6 (for payment institutions, with initial capital requirements of EUR 20,000/50,000/125,000 depending on services). The calculator also models wind-down costs — estimating the capital needed to exit the market in an orderly fashion over a 3-6 month period — and provides a capital adequacy buffer calculation that goes beyond the minimum requirement to meet the FCA's "adequate resources" assessment under Threshold Condition 2.3. The model includes stress-testing scenarios (revenue shortfall, cost overrun, operational incident) to demonstrate resilience.

The tool includes document templates aligned to FCA expectations — including business plan structures (with section headings that mirror what case officers expect), compliance monitoring programme formats (with monitoring frequency, methodology, and sample size guidance), risk assessment frameworks, and financial projection models with built-in consistency checks. Output is formatted for direct inclusion in the Connect application, reducing the administrative burden and ensuring consistency between supporting documents and form responses.

Related Service

Our FCA authorisation service provides end-to-end support from initial perimeter analysis through to authorisation determination and post-authorisation embedding. We have supported firms across the full range of regulated activities — investment management, financial advice, consumer credit, payment services (including payment initiation and account information), e-money issuance, insurance mediation, and mortgage broking — and understand the FCA's expectations for each permission type, including the specific questions case officers ask and the evidence standards they apply.

Our approach starts with a feasibility assessment: we evaluate whether the firm's proposed business model, key individuals, and capital position are likely to meet the Threshold Conditions, and we identify any issues that need to be addressed before the application is submitted. This may include strengthening the management team, securing additional capital, restructuring the business model to reduce regulatory risk, or obtaining professional qualifications for key individuals. This front-loading of preparation avoids the costly scenario of submitting an application that attracts multiple rounds of FCA challenge — or, worse, refusal followed by a reapplication.

We draft the business plan, financial projections, compliance monitoring programme, and all supporting documentation. We prepare key individuals for the FCA's interview process — conducting mock interviews based on the questions case officers actually ask, reviewing the individual's understanding of their proposed responsibilities, and ensuring consistency between interview answers and application content. We manage the relationship with the FCA case officer throughout the determination process, including responding to additional information requests promptly and constructively.

Our involvement does not end at authorisation. We provide post-authorisation support to ensure the firm's compliance arrangements are operational and embedded from the first day of trading. This includes activating the compliance monitoring programme, completing the firm's initial regulatory returns (including the first annual report under SUP 16, the first complaints return, and the first financial crime data return), and conducting a 90-day post-authorisation health check to identify any early issues before they become supervisory concerns.

Related Sectors

Payment services firms face one of the most challenging authorisation processes. The Payment Services Regulations 2017 impose specific requirements around safeguarding of customer funds (regulation 23 — firms must either segregate funds in a ring-fenced account, cover them with an insurance policy or guarantee, or invest them in specified low-risk assets), capital adequacy (with initial capital of EUR 20,000 for money remittance, EUR 50,000 for payment initiation, and EUR 125,000 for all other payment services), governance arrangements, and AML/CTF controls. The FCA has tightened scrutiny of payment institution applications following concerns about firm failures and consumer fund losses — the FCA's 2023 Dear CEO letter to payment firms noted that "safeguarding failures remain one of the most significant risks in this sector." Applicants must demonstrate robust safeguarding arrangements from day one, realistic revenue models that do not depend on float income (the FCA has challenged business models that rely on earning interest on safeguarded funds as their primary revenue source), and governance structures that can manage the operational complexity of payment processing, agent oversight, and cross-border fund movements.

Consumer credit firms must navigate a permission regime that has expanded significantly since the transfer of consumer credit regulation from the OFT to the FCA in 2014 under the Financial Services and Markets Act 2000 (Regulated Activities) (Amendment) (No.2) Order 2013. The range of consumer credit activities requiring authorisation is broad — from lending and broking to debt adjusting, debt counselling, debt collecting, and credit information services. Each activity carries specific regulatory obligations, and the FCA expects the business plan and compliance arrangements to address each permission individually. Capital requirements under MIPRU 4 apply (minimum GBP 50,000 for limited permission firms), and the FCA assesses affordability assessment processes (under CONC 5), forbearance arrangements (CONC 7), complaints handling (DISP, integrated with CONC-specific requirements), and financial promotions (CONC 3) as part of the authorisation review. The FCA has indicated that consumer credit applications are subject to particular scrutiny on business model sustainability — firms that depend on income from default charges or that lend to borrowers who cannot afford to repay are unlikely to be authorised.

Wealth management firms seeking authorisation for investment advice (Article 53 RAO), discretionary management (Article 37), or both must demonstrate suitability frameworks aligned to COBS 9 and 9A, investment governance processes, client money and asset safeguarding under CASS 6 and 7 (where applicable — this adds significant operational complexity and capital requirements), and robust financial resources under MIFIDPRU (GBP 75,000 minimum for SNI firms rising to GBP 750,000 for Class 1 firms). The FCA's assessment of wealth management applications is particularly focused on the competence and experience of key individuals — the suitability of investment advice depends directly on the quality of the people giving it. Firms must demonstrate that their proposed advisers hold appropriate qualifications (Level 4 diploma in regulated financial planning, or equivalent, for investment advice; CFA or equivalent for discretionary management is strongly preferred), have relevant market experience (the FCA looks unfavourably on individuals with no track record advising on the asset classes or client types the firm proposes to serve), and are subject to ongoing competence assessment under TC. The FCA's 2024 review noted that wealth management applications had a higher-than-average refusal rate, primarily due to concerns about key individual competence and the viability of business models relying on ongoing advice charges with limited ongoing service.