What It Is
A Variation of Permission (VoP) is the process by which an already-authorised firm changes its Part 4A permission — the precise scope of what the FCA allows it to do. A firm's permission is not a single on/off status; it is a detailed specification of the regulated activities it may carry on, the investment or product types those activities cover, the customer types it may serve, and any limitations or requirements the FCA has attached.
Under sections 55H and 55I of the Financial Services and Markets Act 2000 (FSMA), an authorised firm may apply to vary its permission in several ways: by adding a regulated activity it does not currently hold, by removing a regulated activity it no longer needs, by widening or narrowing the scope of an existing activity (for example, extending to a new customer type or investment type), or by having a limitation or requirement varied or removed. A related mechanism, the imposition or variation of requirements under section 55L, allows the FCA to attach or change conditions on a firm's permission, sometimes on the firm's own initiative (an OIREQ or VREQ).
The VoP is the counterpart to first-time authorisation. Authorisation is how a firm enters the regulatory perimeter; a VoP is how an authorised firm changes its position within it. Firms use VoPs to grow into new activities, to rationalise permissions they no longer use, to respond to changes in their business model, and to lift restrictions that were imposed at authorisation or subsequently.
Why the FCA Cares
A firm's permission defines the boundary of what it is lawfully allowed to do. Carrying on a regulated activity outside the scope of your permission is a breach of the general prohibition in the same way as operating without any authorisation at all — it can be a criminal offence and can render agreements unenforceable. The permission is therefore not an administrative label but the legal foundation of the firm's business.
The FCA cares about VoPs because a variation, particularly the addition of a new regulated activity, changes the firm's risk profile and the harm it could cause. A firm authorised only to advise may want to add arranging or dealing; a consumer credit broker may want to add lending; a payments firm may want to add new services. Each addition brings new conduct obligations, and often new prudential and financial crime requirements. The FCA assesses whether the firm has the resources, systems, governance, and competent people to carry on the new activity safely, and whether it continues to meet the Threshold Conditions across its whole business.
The regulator also uses the VoP process to keep the register accurate. Firms that hold permissions they no longer use create risk — a dormant permission can be misused, misunderstood by customers, or exploited if the firm is sold. The FCA expects firms to remove permissions they no longer need, and increasingly takes its own action to cancel unused permissions through the "use it or lose it" approach.
Who It Affects
Any authorised firm that wants to change what it does is potentially affected. Growing firms are the most common applicants: a firm that started with a narrow permission and now wants to expand its regulated activities must vary its permission before carrying on the new activity. A wealth manager adding discretionary management, a broker adding a new product line, a lender extending into a new form of credit, or a payments firm adding a new payment service all need a VoP.
Firms restructuring or rationalising also use VoPs — to remove regulated activities they have exited, to narrow permissions to match their actual business, or to simplify a permission that has become unwieldy after years of incremental change. Firms preparing for sale or acquisition often vary permissions as part of the transaction.
Firms subject to restrictions use the VoP and requirement-variation process to have limitations or requirements removed once the underlying concern has been addressed — for example, a firm that agreed a requirement not to take on new business while it remediated an issue may apply to have that requirement lifted once remediation is complete and evidenced.
Firms that hold permissions they no longer use are affected in a different way: the FCA expects them to apply to remove those permissions, and may cancel them if the firm does not. Leaving unused permissions in place is not a neutral choice.
What Firms Get Wrong
The most common failure is treating a VoP as a light-touch administrative step. Firms assume that because they are already authorised, adding a new activity is a formality. For a material addition, it is not — the FCA assesses the new activity much as it would a new authorisation, and expects the firm to demonstrate that it meets the Threshold Conditions for that activity, with the appropriate resources, systems, and competent people in place before, not after, approval.
The second failure is applying to carry on an activity the firm is not actually ready to conduct. Firms sometimes seek a permission speculatively, or before they have built the systems and controls the activity requires. The FCA expects the firm to be ready to carry on the new activity in a compliant way from the point the variation takes effect, and will probe the firm's preparedness during the assessment.
Third, firms under-scope or mis-scope the variation. A firm may apply to add a headline activity without appreciating the related permissions, customer types, or investment types it also needs — or it may apply for more than it needs, adding cost and assessment complexity. Getting the exact scope right, mapped to the firm's real business model, is a frequent stumbling block.
Fourth, firms neglect the knock-on obligations. Adding a regulated activity often brings new prudential requirements (higher capital), new conduct rules (a different sourcebook), and new financial crime exposure. Firms that focus only on the permission itself and overlook these consequential obligations find themselves non-compliant the moment the variation takes effect.
Finally, firms leave unused permissions in place. A permission that is never exercised is a liability, not an asset — it can confuse customers, create supervisory questions, and expose the firm if the entity changes hands. Firms that do not proactively remove redundant permissions increasingly find the FCA doing it for them.
What Evidence the FCA Expects
For a variation that adds a regulated activity, the FCA expects much of the evidence base of a new authorisation, focused on the new activity. This includes an updated regulatory business plan explaining why the firm wants the activity, how it will carry it on, the target market, and the expected volumes; evidence that the firm has, or will have in place before the variation takes effect, the systems, controls, and competent staff the activity requires; and financial information demonstrating that the firm meets any new prudential requirements the activity brings.
Where the new activity brings new conduct obligations, the FCA expects the relevant policies and procedures — for example, a firm adding a consumer credit activity should evidence CONC-compliant processes, and a firm adding an insurance activity should evidence ICOBS and product governance arrangements. Where financial crime exposure increases, the business-wide risk assessment and AML framework must be updated to reflect it.
For a variation that removes a permission or lifts a limitation or requirement, the FCA expects evidence that the concern underlying the restriction has been addressed and that removing it will not create risk. Where a requirement was imposed to manage a specific issue, the firm must demonstrate that the issue is resolved and evidenced, not merely asserted.
Across all variations, the FCA expects the firm to demonstrate that it continues to meet the Threshold Conditions as a whole — effective supervision, appropriate resources, suitability, a viable business model, and UK location of offices — taking account of the varied permission.
Good Implementation
A well-run variation starts with precise scoping. The firm maps the change it wants against the regulated activities, investment types, and customer types in the FCA's permissions framework, so that it applies for exactly what its business model needs — no more and no less. It uses the FCA's Perimeter Guidance to confirm that the activities it is adding are correctly identified and that it is not missing a related permission.
The firm builds readiness before it applies. Systems, controls, policies, and competent people for the new activity are in place or clearly evidenced as ready, so that the firm can carry on the activity compliantly from the moment the variation takes effect. The firm identifies and prepares for the consequential obligations — prudential, conduct, and financial crime — that the new activity brings, rather than discovering them afterwards.
The application is complete and well-evidenced. The regulatory business plan explains the rationale and operation of the new activity clearly, the supporting evidence is organised and responsive to the Threshold Conditions, and the firm anticipates the questions the case handler will ask. This is what keeps a variation within the statutory timescale rather than drifting toward the incomplete-application maximum.
The firm manages the case-handler relationship actively, responding to requisitions promptly and completely and maintaining momentum through the assessment. Where the variation removes permissions or lifts requirements, the firm presents clear, evidenced proof that the underlying concern is resolved.
Finally, the firm keeps its permission current as a matter of ongoing governance — reviewing it periodically, removing activities it no longer carries on, and treating the register entry as an accurate description of its business rather than a historical accretion.
How Our Tool Helps
MEMA's free Regulatory Perimeter Assessment tool helps firms scope a variation accurately before they apply. It maps business activities to the regulated activities, permissions, and sourcebooks that apply, drawing on PERG and the Regulated Activities Order, so a firm considering a variation can see which permissions a new activity actually requires and which consequential obligations — conduct sourcebooks, prudential requirements — it will bring.
For a firm planning to add an activity, the tool provides a structured way to identify the full scope of the change and avoid the common pitfalls of under-scoping or overlooking related permissions. For a firm rationalising its permission, it helps identify activities that are no longer needed and can be removed. The output is a useful starting point for the regulatory business plan and the variation application itself.
How Our Service Helps
MEMA's Variation of Permissions service supports authorised firms through the full VoP process. We scope the variation precisely against your business model, prepare the updated regulatory business plan and supporting evidence, ensure the systems, controls, and consequential obligations for any new activity are ready, and manage the FCA case-handler dialogue through to determination. Our team includes ex-FCA regulators who understand how variations are assessed from the inside.
For firms adding significant new activities, we treat the variation with the rigour of a new authorisation — because the FCA does — building an evidence base that meets the Threshold Conditions for the new activity and anticipates the case handler's questions. For firms seeking to remove permissions or have limitations and requirements lifted, we help present the evidence that the underlying concern is resolved.
We also help firms keep their permissions accurate over time, identifying and removing redundant activities before they become a supervisory liability, and advising on the interaction between a variation and the firm's wider prudential, conduct, and financial crime obligations.
Relevant Sectors
Consumer credit firms are frequent VoP applicants, often moving between limited and full permission, adding activities such as lending or debt administration, or extending into new forms of credit as their business grows. The interaction between the added activity and CONC obligations is a common focus.
Payment and e-money firms vary permissions to add new payment services, extend into e-money issuance, or adjust the scope of their authorisation as their product set evolves. Because these firms operate under the Payment Services Regulations and Electronic Money Regulations as well as FSMA, the scoping of a variation requires care.
Investment firms and wealth managers vary permissions to add activities such as discretionary management, dealing, or new investment or customer types, each of which brings COBS and prudential consequences that must be prepared for.
Insurance intermediaries and other conduct-focused firms use variations to add or adjust the activities and customer types they serve, bringing new ICOBS, product governance, and Consumer Duty obligations into scope. Across all sectors, firms that hold permissions they no longer use should apply to remove them before the FCA does so under its "use it or lose it" approach.
Frequently Asked Questions
What is a Variation of Permission?
A Variation of Permission (VoP) is an application by a firm that is already authorised to change its Part 4A permission — the specific set of regulated activities, investment types, customer types, and any limitations or requirements the FCA has granted it. Under sections 55H and 55I of FSMA, an authorised firm applies to add or remove regulated activities, widen or narrow the scope of what it can do, or have a limitation or requirement varied or removed. It is the mechanism for changing your permissions once you hold them, as opposed to a new authorisation application, which is for firms that are not yet authorised.
How long does a Variation of Permission take?
The FCA has a statutory maximum of six months to determine a complete VoP application and twelve months for an incomplete one, under FSMA. In practice, straightforward variations — such as removing a permission or a minor limitation — can be determined more quickly, while a variation that adds significant new regulated activities is assessed much like a new authorisation and can take several months. The timeline depends heavily on the complexity of the change and the quality of the application. Incomplete or poorly evidenced submissions are the main cause of delay.
Do I need a VoP or a new authorisation?
If your firm is already authorised and you want to change what your existing permission covers — add a regulated activity, remove one, or vary a limitation or requirement — you need a Variation of Permission. If your firm is not yet authorised, you need a new authorisation application. A VoP builds on your existing authorisation, so the FCA already holds background on your firm, but for a material addition of activities the assessment is just as rigorous as a first-time application: the firm must still meet the Threshold Conditions for the new activities.
How much does a Variation of Permission cost?
The FCA charges a VoP application fee based on the complexity of the change and the fee-blocks affected. Adding a new regulated activity typically attracts a fee linked to the pricing category of that activity, while removing permissions or minor variations may attract a lower fee or none. On top of the FCA fee, firms should budget for the advisory, documentation, and compliance-infrastructure work a significant variation requires — particularly where new activities bring new prudential, conduct, or financial crime obligations.
Need help implementing this?
Our regulatory consultants can help your firm meet FCA requirements with practical, evidence-based implementation support.
Book a Free Consultation