Download a practical FCA authorisation checklist: documents, governance, controls, and common gaps.

A comprehensive guide to preparing your FCA authorisation application. This checklist covers all key areas the FCA assesses, from governance and ownership through to systems, controls, and consumer protection. Designed to help applicants avoid common pitfalls and reduce time to authorisation.
Before any substantive work begins on an authorisation application, firms must carefully scope the permissions they need. This involves mapping your proposed business activities against the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO) to identify which regulated activities you'll be conducting.
The consequences of incorrectly scoping permissions can be severe. Apply for too few permissions and you risk conducting unauthorised business. Apply for too many and you'll face unnecessary capital requirements, reporting obligations, and regulatory scrutiny.
Consider not just your initial business model but your medium-term growth plans. Adding permissions later through a Variation of Permission (VoP) application takes time and creates regulatory overhead. However, don't apply for speculative permissions you may never use.
The FCA expects all authorised firms to have governance arrangements appropriate to the nature, scale, and complexity of their business. For new applicants, this means demonstrating that you have, or will have in place, robust governance structures before you begin conducting regulated business.
At minimum, the FCA expects a clear board structure with defined roles and responsibilities, appropriate committees (such as audit and risk committees for larger firms), documented terms of reference, and clear reporting lines between the board, senior management, and operational functions.
Your governance framework should enable effective challenge and oversight. Non-executive directors, where appointed, should have genuine independence and the experience to provide meaningful scrutiny of executive decisions.
The Senior Managers and Certification Regime (SM&CR) requires firms to allocate clear responsibilities to their senior managers and ensure they are fit and proper to hold their positions. For new authorisation applications, you must identify who will hold each required Senior Management Function (SMF).
At minimum, most firms need to appoint individuals to the SMF1 (Chief Executive), SMF3 (Executive Director), SMF16 (Compliance Oversight), SMF17 (Money Laundering Reporting Officer), and SMF9 (Chair) functions. The specific requirements depend on your firm type and permissions.
Each senior manager needs a Statement of Responsibilities (SoR) that clearly describes their individual accountability. These statements should be specific enough to identify who is responsible for what, avoiding vague or overlapping descriptions.
The FCA requires authorised firms to have written policies and procedures covering all aspects of their regulated business. These documents should be proportionate to the firm's size and complexity but must address the key risk areas relevant to your business model.
Core policies typically include: compliance monitoring programme, anti-money laundering and counter-terrorist financing procedures, conflicts of interest policy, complaints handling procedures, data protection policy, business continuity planning, and operational resilience frameworks.
Your policies must be more than templates. They should reflect your actual business operations, risk profile, and the specific regulatory requirements that apply to your permissions. Generic policies that don't address your firm's reality are a common cause of FCA feedback and delays.
Financial resource requirements vary significantly depending on your firm type and permissions. At minimum, all FCA-authorised firms must maintain adequate resources to meet their liabilities as they fall due. Many firm types have specific minimum capital requirements.
Payment institutions and e-money institutions must calculate their capital requirements based on payment volumes and safeguarding obligations. Investment firms have specific prudential requirements under the Investment Firms Prudential Regime (IFPR).
Beyond meeting minimum requirements, firms must demonstrate they have realistic financial projections showing how they will remain adequately capitalised during the initial years of operation, typically covering at least three years of forecasts.
The FCA's Principles for Business require firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems. Your application must demonstrate you have appropriate systems and controls for your regulated activities.
Key areas include: operational controls covering day-to-day business processes, technology systems and cybersecurity, financial crime prevention including AML, sanctions, and fraud, record keeping and documentation, and management information and reporting.
Controls should be designed around your specific risk profile. A payment service provider processing high volumes needs different controls than a small advice firm. The FCA assesses whether your controls are proportionate and effective, not just whether they exist.
The Consumer Duty requires firms to act to deliver good outcomes for retail customers. For new authorisation applications submitted after the Duty came into force, you must demonstrate how your business model and operations will meet these requirements from day one.
The four outcomes under the Duty cover: products and services (ensuring they meet customers' needs), price and value (fair pricing relative to benefits), consumer understanding (clear communications), and consumer support (accessible and effective service).
Your application should show how you've designed your products, processes, and communications with the Duty in mind. This isn't about adding compliance processes after the fact but embedding customer outcomes thinking into your business design.
FCA authorisation applications are submitted through the Connect portal. Before beginning your submission, ensure you have all required documents prepared, all proposed senior managers identified and ready to submit their individual applications, and a clear understanding of the applicable fees.
The FCA aims to assess complete applications within statutory timeframes: 6 months for most firm types, 12 months for certain complex applications. However, incomplete applications or those requiring significant clarification can take considerably longer.
Once submitted, expect the FCA to request additional information or clarification. Respond promptly and comprehensively to these requests. The assessment team may also request meetings to discuss aspects of your application, particularly for novel or complex business models.
How different roles put this guide into practice with Nasara Connect.
You're building a payments app or financial product and need FCA authorisation to launch in the UK market.
4 workflow stepsYou're advising clients on FCA authorisation applications and need structured project management tools.
4 workflow stepsYour firm needs additional permissions to expand into new regulated activities or markets.
4 workflow stepsYou're providing legal advice on regulatory perimeter questions and authorisation strategy.
4 workflow stepsYou're assessing a portfolio company's regulatory readiness as part of investment due diligence.
4 workflow stepsSee how Nasara Connect helps you implement these practices with structured workflows and evidence capture.