How FCA supervision works after authorisation: the portfolio model, fixed versus flexible firms, regulatory returns, notifications and staying ready.

Getting authorised is a milestone, but it is not the finish line. From the day your permission takes effect, your firm enters an ongoing relationship with the Financial Conduct Authority. That relationship is called supervision, and it shapes how the regulator watches your market, forms a view of the harm your business could cause, and decides when to intervene.
Many newly authorised firms are unsure what supervision actually looks like in practice. Will a named supervisor call every quarter? What returns must you file, and through which system? When are you obliged to pick up the phone and tell the FCA something has gone wrong? The answers depend heavily on the size and business model of your firm, because the FCA supervises firms in very different ways.
This guide sets out what to expect from FCA supervision after authorisation. It explains the portfolio model, the difference between fixed and flexible portfolio firms, the tools the regulator uses, and the day-to-day obligations that keep you compliant. It draws only on the FCA's own published material so you can plan with confidence.
The FCA does not supervise every firm in the same way. It divides the financial sectors it regulates into portfolios, each made up of firms with similar business models. These groupings adapt over time as markets evolve, and each firm is assigned to a portfolio that reflects its primary business. This lets the regulator look at whole markets rather than only individual firms.
The FCA describes its approach as forward-looking and pre-emptive. It aims to understand the drivers of behaviour in firms, judge where the greatest risk of harm sits, and act before problems escalate. In its published approach the FCA sets out five principles that guide supervision: it is forward looking, outcomes focused, proportionate and evidence led, transparent, and integrated and coordinated across its teams.
In practice this means supervision is both proactive and reactive. The regulator carries out planned work aimed at the harms it expects in a market, and it also responds to events as they arise. Alongside firm-specific work, thematic reviews are a significant part of the FCA's approach, used to assess current or emerging risks across a number of firms in a sector or market.
If you want help mapping your permissions and business model to the supervisory expectations that follow, our authorisation support is built around exactly this transition from application to ongoing compliance.
The single most important distinction for a newly authorised firm is whether it is a fixed portfolio or a flexible portfolio firm. This determines how much direct contact you have with the FCA and how your supervision is structured.
Fixed portfolio firms are a smaller number of firms that, because of their size, complexity or potential impact, are allocated a named individual supervisor. They are proactively supervised through a continuous assessment approach, with a firm-specific supervisory strategy and an underlying programme of work. If you are a large or high-impact firm, expect a named contact and a regular, structured relationship.
Flexible portfolio firms make up the large majority of authorised firms. They are not allocated a named individual supervisor. Instead they are supervised through market-wide programmes of communication, thematic work and event-driven activity. For firms without dedicated supervisory resource, the first point of contact for many issues is the FCA's Supervision Hub, rather than a specific individual. Most newly authorised smaller firms will fall into this category.
Being a flexible portfolio firm does not mean you are lightly regulated. It means the FCA reaches you through market communications, data analysis and targeted interventions rather than a standing relationship. The obligations to report, to notify and to respond to information requests apply regardless of which model you sit in.
| Feature | Fixed portfolio firms | Flexible portfolio firms |
|---|---|---|
| Named individual supervisor | Yes, an allocated supervisor | No named individual supervisor |
| Typical profile | Larger, more complex or higher-impact firms | The large majority of authorised firms |
| Primary contact route | The allocated supervisor | The FCA's Supervision Hub |
| Supervisory method | Firm-specific continuous assessment and strategy | Market-wide programmes, thematic and event-driven work |
| Regulatory reporting | Required via RegData | Required via RegData |
Whichever portfolio you sit in, the FCA draws on a common set of supervisory tools. It uses a variety of analyses to decide where to focus, including market analyses, data analytics on regulatory returns, and real-time intelligence from its interactions with firms and consumers. This is what the regulator means when it describes its approach as data led and intelligence driven.
The FCA sets out that it can use tools such as attestations, skilled person reviews and thematic reviews. An attestation asks a senior individual to confirm formally that a specific action has been taken or a risk addressed. A skilled person review, sometimes referred to by the underlying statutory power, requires an independent expert to examine an aspect of your firm and report back. Thematic reviews look across many firms at once to test how a market is behaving.
The regulator's aim is to take prompt and incisive action once harm has been identified. For a newly authorised firm the practical message is that supervision is continuous and evidence based. The data you submit, the way you answer questions and the speed of your responses all feed the FCA's view of your firm.
Understanding these tools before they are used on you is far easier than reacting under pressure. The firms that cope best keep the evidence, controls and audit trail that supervisory requests tend to demand, ready in advance rather than assembled in a rush.
The principles the FCA states guide its approach to supervision.
Every authorised firm has to submit regulatory data, and the FCA collects it through RegData, its data collection platform for gathering regulatory data from firms. RegData is where you submit your regulatory returns, view a tailored schedule of your reporting requirements, and see all your submissions in one place.
The specific returns you owe depend on your permissions and business model. They can cover areas such as your financials, client money and other prudential data. RegData shows the due dates and the status of each submission, so your schedule is visible in advance. Late or missing returns are one of the most common and most avoidable supervisory failings, because the deadlines are known well ahead of time.
Because the FCA runs data analytics on regulatory returns to spot risk, the quality of what you file matters as much as the timing. Returns that are inaccurate, inconsistent or incomplete can draw supervisory attention on their own. Treat regulatory reporting as a core operational process with clear ownership, not an afterthought delegated to whoever is free at the deadline.
Supervision is not only about scheduled returns. The FCA expects firms to tell it about significant events promptly, and this obligation sits at the heart of Principle 11. Principle 11 requires a firm to deal with its regulators in an open and cooperative way and to disclose to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice.
The Handbook makes some of these expectations specific. Under the general notification requirements, a firm must notify the FCA immediately if it becomes aware, or has information which reasonably suggests, that certain matters have occurred, may have occurred or may occur. These include the firm failing to satisfy one or more of the threshold conditions, and any matter that could have a significant adverse impact on the firm's reputation or affect its ability to provide adequate services to customers.
There are further specific triggers. Firms must notify significant breaches of rules, including the Principles, as well as certain civil, criminal or disciplinary proceedings, significant fraud or irregularities, and insolvency-related events. A notification under Principle 11 can be given orally or in writing, but the FCA may request written confirmation, and a firm should notify in writing where a matter is complex or may require the FCA to act.
The timing test is judgement based. The period of notice depends on the event, but the FCA expects a firm to discuss relevant matters at an early stage, before making internal or external commitments. When in doubt, the safer course is to notify early rather than to wait until you are certain.
For years the FCA communicated its priorities to whole portfolios through portfolio letters, which set out its view of the main risks of harm in a portfolio, the actions it asked firms to take, and what it would be doing to reduce harm in that market. Historically it also issued Dear CEO letters to address senior people about significant issues requiring quick action.
This has changed. From 30 April 2025 the FCA stopped issuing and publishing portfolio letters. Existing portfolio letters and Dear CEO letters remain accessible at their existing links but are clearly marked as historical and no longer current, and firms are told not to rely on pre-April 2022 material as a statement of current expectations.
In their place the FCA is moving to a smaller number of market reports and to annual regulatory priorities communications, which it says give a more transparent view of the key risks, priorities and areas of focus in each market. Dear CEO letters have not disappeared entirely as a mechanism for significant issues that require action, but the routine channel for setting priorities is now these market-level publications.
The practical takeaway for a newly authorised firm is to know which market reports and priorities communications apply to your business and to read them as statements of what the FCA expects. They are the clearest signal you will get, outside of direct contact, about where supervisory attention is heading.
Supervision rewards firms that are organised. The obligations are largely predictable, so the firms that struggle are usually those without clear ownership of reporting and notifications rather than those hit by genuine surprises. Building a simple operating rhythm around the FCA's expectations removes most of the risk.
The steps below give a practical foundation. None of them require a large compliance team, but they do require someone to own each task and a record that shows the work was done.
FCA supervision after authorisation is best understood as an ongoing, evidence-based relationship rather than a series of one-off checks. Whether your firm is supervised through a named contact as a fixed portfolio firm or reached through market communications and the Supervision Hub as a flexible portfolio firm, the same core duties apply: file accurate regulatory returns through RegData on time, notify the FCA promptly of significant matters, and respond openly to information requests.
The firms that find supervision manageable are the ones that treat it as routine. Know which portfolio you sit in, know your reporting schedule, know your notification triggers, and keep the evidence that shows you are doing what you said you would. If you would like a structured approach to building that discipline, arrange a demonstration to see how it works in practice.
Fixed portfolio firms are allocated a named individual supervisor and are proactively supervised through continuous assessment. Flexible portfolio firms, which are the large majority, have no named supervisor and are supervised through market-wide programmes and thematic work, with the FCA's Supervision Hub as their first point of contact.
The FCA uses a data-led, intelligence-driven approach. It draws on market analyses, data analytics on regulatory returns and real-time intelligence from its interactions with firms and consumers to judge where the greatest risk of harm sits, and it aims to be forward looking and pre-emptive rather than only reactive.
The returns you owe depend on your permissions and business model, and can cover areas such as financials and client money. You submit them through RegData, the FCA's data collection platform, which shows a tailored schedule of your reporting requirements and their due dates.
Principle 11 requires firms to deal with regulators openly and disclose anything of which the FCA would reasonably expect notice. The Handbook sets out specific triggers, such as failing to meet a threshold condition or matters with a significant adverse impact on the firm. The FCA expects early discussion, so notify promptly rather than waiting for certainty.
No. From 30 April 2025 the FCA stopped issuing and publishing portfolio letters. It has moved to a smaller number of market reports and annual regulatory priorities communications. Older portfolio and Dear CEO letters remain online but are marked as historical and no longer current.
The FCA can use tools including attestations, skilled person reviews and thematic reviews, alongside routine analysis of your regulatory returns and information requests. Its stated aim is to take prompt and incisive action once harm has been identified.
Nasara Authorise helps UK firms send and control payments with lower fees, better rates and full visibility.



Practical guides and updates for UK firms, straight to your inbox.