Perimeter Questions: When Does Your Activity Require FCA Authorisation?

What It Is

The regulatory perimeter is the boundary that separates activities requiring FCA authorisation from those that do not. Every business that provides services connected to financial products, credit, insurance, payments, or investments must determine whether its activities fall inside or outside this boundary. The perimeter is defined by statute — principally the Financial Services and Markets Act 2000 (FSMA) and the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (the RAO) — and supplemented by guidance in the FCA Handbook's Perimeter Guidance Manual (PERG).

The fundamental rule is the general prohibition: section 19 of FSMA provides that no person may carry on a regulated activity in the United Kingdom unless they are an authorised person or an exempt person. The definition of a "regulated activity" is found in section 22 of FSMA and the RAO. An activity is regulated if it is of a specified kind (Part II of the RAO), carried on in relation to a specified investment or other specified matter (Part III of the RAO), and carried on by way of business (the "by way of business" test varies depending on the activity). The RAO also contains a series of exclusions (Parts II and III) that carve out certain activities from regulation even though they would otherwise fall within the definitions.

The perimeter analysis is not a simple binary test. It requires a methodical assessment of each activity the firm carries on, the investments or products involved, whether the activity meets the "by way of business" test, whether any exclusion applies, and whether any exemption (such as the appointed representative exemption under section 39 FSMA or the professional firms exemption under Part XX FSMA) is available. The analysis must be conducted for each distinct activity — a firm may carry on some activities that are regulated and others that are not, and it must obtain authorisation only for the former.

The consequences of getting the perimeter analysis wrong are severe. Carrying on a regulated activity without authorisation is a criminal offence under section 23 FSMA. Agreements made in breach of the general prohibition may be unenforceable under section 26 FSMA. The FCA actively monitors for unauthorised activity and takes enforcement action, including prosecution, against firms and individuals that breach the general prohibition.

Why the FCA Cares

The regulatory perimeter is the foundation of the entire UK financial services regulatory system. If the perimeter is not properly maintained and enforced, the protections that FCA regulation provides — consumer redress through the Financial Ombudsman Service, compensation through the Financial Services Compensation Scheme, conduct of business standards, prudential requirements, and supervisory oversight — are undermined. Consumers dealing with unauthorised firms have none of these protections, and the harm that can result from unauthorised activity is often severe and difficult to remedy.

The FCA dedicates significant resources to perimeter enforcement. Its Unauthorised Business Department identifies and investigates firms that appear to be carrying on regulated activities without authorisation. The FCA issues consumer warnings about unauthorised firms, takes civil action to secure injunctions and restitution orders, and works with law enforcement to bring criminal prosecutions. In its 2024-25 Annual Report, the FCA reported a substantial increase in unauthorised business cases, driven in part by the growth of online financial services and crypto-related activities that operate at or beyond the regulatory perimeter.

The FCA is also concerned about what it terms the "halo effect" — the risk that consumers assume a firm is regulated when it is not, because the firm operates in a space adjacent to regulated activity or presents itself in a way that implies regulatory status. This is particularly relevant for fintech businesses, cryptocurrency platforms, and online lending platforms that may use language, branding, and marketing that suggests regulatory oversight even when the firm is not authorised. The FCA has issued guidance (including in PERG and through its Innovation Hub) to help firms in these sectors determine their perimeter position, and it has taken enforcement action against firms that mislead consumers about their regulatory status.

The perimeter is not static. As financial markets evolve, new products and business models emerge that do not fit neatly within the existing definitions in the RAO. The FCA monitors these developments and, where necessary, recommends that HM Treasury amend the RAO to bring new activities within the perimeter. Recent examples include the regulation of claims management companies (brought within the FCA's remit in 2019), the extension of the financial promotions regime to qualifying cryptoassets (implemented through the Financial Services and Markets Act 2000 (Financial Promotion) (Amendment) Order 2023), and the ongoing work to bring buy-now-pay-later credit within the consumer credit regime. Firms must keep their perimeter analysis under review as the regulatory framework evolves.

Who It Affects

The perimeter question affects every business that has any connection to financial services, credit, insurance, or payments — whether or not the business considers itself to be a financial services firm. Many businesses that do not think of themselves as operating in financial services are, in fact, carrying on regulated activities. A retailer that offers credit to customers is carrying on a consumer credit activity. A technology company that processes payments is carrying on a payment service. An estate agent that introduces buyers to mortgage brokers may be arranging deals in investments. A comparison website that recommends insurance products may be advising on contracts of insurance.

The perimeter analysis is particularly important for businesses entering the UK market for the first time, whether they are domestic startups or overseas firms. The UK's regulatory perimeter is different from that of other jurisdictions — activities that are unregulated in one country may be regulated in the UK, and vice versa. Firms cannot assume that their perimeter position in another jurisdiction translates directly to the UK.

Fintech and digital businesses face some of the most complex perimeter questions. Peer-to-peer lending platforms, cryptocurrency exchanges, robo-advisers, payment aggregators, open banking providers, and digital asset custodians all operate in areas where the regulatory boundary is nuanced and, in some cases, evolving. The FCA's Innovation Hub provides a mechanism for firms to discuss perimeter questions informally before committing to a course of action, and firms in this space should take advantage of this resource.

Professional services firms — solicitors, accountants, actuaries, and surveyors — occupy a special position in the perimeter framework. Part XX of FSMA provides an exemption for regulated activities carried on by members of designated professional bodies, provided the activities arise out of or are complementary to the provision of professional services and are not separately remunerated. This exemption has detailed conditions and limitations that must be carefully assessed — it is not a blanket exemption for all financial services activities carried on by professionals.

What Firms Get Wrong

The most fundamental error is failing to conduct a perimeter analysis at all. Many businesses assume that because they are not a bank, an insurer, or an investment firm, they are not carrying on regulated activities. This assumption ignores the breadth of the RAO, which captures activities far beyond traditional financial services. Consumer credit alone encompasses lending, credit broking, debt adjusting, debt counselling, debt collecting, debt administration, credit information services, and the provision of credit references — activities carried on by businesses across virtually every sector of the economy.

When firms do conduct a perimeter analysis, they often apply the RAO definitions too loosely. The most common analytical error is conflating the general concept of an activity with the specific statutory definition. For example, "advising on investments" under article 53 RAO has a precise meaning: it requires a personal recommendation to a specific person based on that person's circumstances. Providing generic information about investment products, publishing research, or explaining product features in general terms does not constitute advice under article 53, even though all of these activities involve talking to people about investments. The same precision is required for other activities — "arranging" under articles 25 and 25A, "dealing" under articles 14 and 21, and "managing" under article 37 all have specific statutory meanings that must be applied rigorously.

Firms also frequently misapply the exclusions. The RAO exclusions are narrowly drafted and subject to specific conditions. For example, the exclusion for introductions (article 33) is only available where the person making the introduction does not receive a pecuniary reward or other advantage from someone other than their client for making it — or where the introduction is to a firm authorised to carry on the activity in question and the introducer does not participate in the transaction. Firms that rely on exclusions without checking all the conditions may find that the exclusion does not apply, leaving them carrying on an unauthorised regulated activity.

Another pervasive error is the "substance over form" mistake. Some firms structure their activities to avoid the literal wording of the RAO definitions while, in substance, carrying on the regulated activity. The FCA and the courts look at the economic substance of the arrangement, not just its legal form. A firm that structures a lending arrangement as a "service fee" rather than "interest" is still making a loan if the economic substance is a loan. A firm that provides investment advice through an algorithm is still advising on investments if the algorithm makes personal recommendations. The FCA has taken enforcement action against firms that have attempted to use structural devices to avoid the perimeter, and the courts have consistently applied a purposive interpretation of the RAO.

What Evidence Is Expected

Firms should maintain a documented perimeter analysis that records the reasoning behind their conclusion on each activity they carry on. This analysis should identify every activity the firm undertakes that has any connection to financial services, credit, insurance, payments, or investments; assess each activity against the relevant RAO provisions, identifying the specified activity, the specified investment or matter, and whether the "by way of business" test is met; consider whether any exclusion applies, checking each condition of the exclusion and recording why it is satisfied; consider whether any exemption is available (appointed representative, professional firms exemption, etc.); and reach a conclusion on whether the activity is regulated and, if so, which FCA permissions are required.

The FCA expects this analysis to be conducted before the firm commences the activity, not retrospectively. PERG provides extensive guidance on the interpretation of the RAO provisions and the application of exclusions and exemptions — firms should reference PERG in their analysis and follow the analytical framework it sets out. For complex or borderline cases, the FCA expects firms to have obtained legal advice, and it will scrutinise the quality of that advice if questions arise about the firm's perimeter position.

For firms that have obtained authorisation, the FCA expects the permissions held to match the activities actually carried on. Firms should review their permission profile periodically — at least annually — to ensure it remains aligned with their business activities. If the firm has begun carrying on new activities that require additional permissions, it must apply for a variation of permission before conducting those activities. If the firm is no longer carrying on activities for which it holds permission, it should consider whether to surrender those permissions to avoid the associated regulatory obligations and fees.

The FCA also expects firms to maintain records that demonstrate ongoing compliance with any exclusions they rely upon. If a firm relies on an exclusion to carry on an activity without authorisation, it should be able to evidence that the conditions of the exclusion were satisfied at all relevant times. This is particularly important for exclusions that are conditional on the firm's conduct — for example, the introduction exclusion in article 33 is conditional on the nature of the introduction and the reward the introducer receives.

Good Implementation Looks Like

A firm that handles the perimeter question well embeds perimeter awareness into its business development and product governance processes. Before launching a new product, entering a new market, or changing its business model, the firm conducts a perimeter assessment to determine whether the proposed activity is regulated and, if so, what permissions are required. This assessment is conducted by someone with specialist regulatory knowledge — either in-house counsel or compliance staff with perimeter expertise, or an external regulatory adviser.

The perimeter analysis is documented, reviewed by senior management, and stored in a form that can be produced to the FCA if requested. It is not a one-off exercise — it is updated whenever the firm's activities change or when there are changes to the regulatory framework (such as amendments to the RAO or new FCA guidance) that could affect the analysis. The firm maintains a register of all its activities and the regulatory classification of each, clearly distinguishing between regulated activities (for which it holds permissions), activities that fall within an exclusion or exemption, and activities that are outside the perimeter entirely.

For activities that are borderline — where the analysis could reasonably reach either conclusion — the firm takes a cautious approach. It documents the uncertainty, considers the consequences of each possible classification, and errs on the side of seeking authorisation rather than relying on a marginal exclusion. This is not regulatory over-caution; it is pragmatic risk management. The consequences of carrying on an unauthorised regulated activity (criminal prosecution, unenforceability of contracts, regulatory sanctions) are so severe that the cost of obtaining authorisation for a borderline activity is almost always justified.

The firm also trains its staff on the regulatory perimeter as it applies to their specific roles. Client-facing staff understand which activities require authorisation and which do not, so they can identify potential perimeter issues in their day-to-day interactions with customers and escalate them to compliance. This is particularly important in businesses where the boundary between regulated and unregulated activity is encountered frequently — for example, insurance intermediaries that provide both advice (regulated) and information (not regulated), or technology companies that provide both software tools (not regulated) and automated financial advice (regulated).

Related Tool

The MEMA perimeter assessment tool provides a structured, interactive framework for conducting the perimeter analysis described in this guide. The tool walks the user through the key questions: what activities does the firm carry on? What investments or products are involved? Is the activity carried on by way of business? Does any exclusion apply? Is any exemption available? For each activity, the tool maps the relevant RAO provisions, identifies the applicable PERG guidance, and provides a preliminary classification with supporting reasoning.

The tool is designed to be used by compliance professionals, in-house counsel, and business leaders who need to assess the regulatory implications of existing or proposed activities. It does not replace legal advice for complex or borderline cases, but it provides a rigorous analytical framework that ensures no relevant consideration is overlooked and that the analysis is documented in a form that can be reviewed and defended.

The FCA calculator complements the perimeter assessment by modelling the cost implications of different authorisation options. Once the firm has identified which activities require authorisation, the calculator helps it determine the financial impact of obtaining the necessary permissions — including application fees, periodic fees, prudential capital requirements, and the cost of building and maintaining the required compliance infrastructure.

Related Service

Our FCA authorisation service begins with a comprehensive perimeter assessment. Before advising on the authorisation process, we conduct a detailed analysis of all the firm's activities — current and planned — to determine exactly which regulated activities are being carried on and which FCA permissions are required. This analysis is documented in a perimeter report that can be shared with the FCA during the application process and retained as evidence of the firm's regulatory due diligence.

For firms with complex or novel business models — particularly fintech firms, payment innovators, and businesses operating at the intersection of regulated and unregulated activities — our perimeter analysis draws on deep familiarity with the RAO, PERG, and the FCA's published guidance and enforcement practice. We identify activities that are clearly regulated, activities that clearly fall outside the perimeter, and activities that are borderline — and for the latter, we provide a reasoned recommendation with a clear explanation of the risks associated with each possible approach.

Where the firm requires authorisation, we manage the full application process from perimeter analysis through to authorisation. Where the firm does not require authorisation — because all its activities fall within exclusions or exemptions — we document the analysis in a form that provides ongoing protection against perimeter challenges, and we establish a monitoring framework to ensure the analysis remains valid as the business evolves.

Related Sectors

Consumer credit has one of the broadest regulatory perimeters in UK financial services. The range of activities caught by the consumer credit provisions of the RAO is extensive — lending, credit broking, debt adjusting, debt counselling, debt collecting, debt administration, the provision of credit information services, and the operation of electronic lending platforms. The "by way of business" test for consumer credit activities is also relatively easy to satisfy, meaning that businesses carrying on credit activities at relatively low volumes may still be within the perimeter. The FCA's CONC sourcebook and PERG 2 provide detailed guidance on the consumer credit perimeter, and firms in any sector that provides credit to consumers or businesses should conduct a thorough perimeter assessment.

The payments sector presents some of the most complex perimeter questions in current regulatory practice. The Payment Services Regulations 2017 and the Electronic Money Regulations 2011 create a separate regulatory regime that operates alongside FSMA, with its own definitions, exclusions, and authorisation requirements. Determining whether a particular payment service or e-money issuance falls within the regulated perimeter requires analysis of both the PSRs/EMRs and (in some cases) the FSMA regime, particularly where the service involves credit. The FCA's Approach Document for the PSRs and its PERG guidance on payment services provide the analytical framework, but the interaction between the regimes can be challenging to navigate.

Fintech firms face perimeter questions that often have no clear precedent. When a business model is genuinely novel, there may be no published FCA guidance directly on point, and the analysis requires extrapolation from existing provisions and principles. The FCA's Innovation Hub and Regulatory Sandbox provide mechanisms for firms to explore perimeter questions in a supported environment, and firms with innovative business models should engage with these resources early. The cost of a premature launch followed by an FCA enforcement action for unauthorised activity far exceeds the cost of engaging with the perimeter question properly before commencing business.