Guide

FCA Authorisation Checklist

Download a practical FCA authorisation checklist: documents, governance, controls, and common gaps.

A Nasara Connect compliance playbook, a practical step-by-step guide for teams.

Overview

A comprehensive guide to preparing your FCA authorisation application. This checklist covers all key areas the FCA assesses, from governance and ownership through to systems, controls, and consumer protection. Designed to help applicants avoid common pitfalls and reduce time to authorisation.

Scoping Your Application

Before any substantive work begins on an authorisation application, firms must carefully scope the permissions they need. This involves mapping your proposed business activities against the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO) to identify which regulated activities you'll be conducting.

The consequences of incorrectly scoping permissions can be severe. Apply for too few permissions and you risk conducting unauthorised business. Apply for too many and you'll face unnecessary capital requirements, reporting obligations, and regulatory scrutiny.

Consider not just your initial business model but your medium-term growth plans. Adding permissions later through a Variation of Permission (VoP) application takes time and creates regulatory overhead. However, don't apply for speculative permissions you may never use.

Governance Framework

The FCA expects all authorised firms to have governance arrangements appropriate to the nature, scale, and complexity of their business. For new applicants, this means demonstrating that you have, or will have in place, robust governance structures before you begin conducting regulated business.

At minimum, the FCA expects a clear board structure with defined roles and responsibilities, appropriate committees (such as audit and risk committees for larger firms), documented terms of reference, and clear reporting lines between the board, senior management, and operational functions.

Your governance framework should enable effective challenge and oversight. Non-executive directors, where appointed, should have genuine independence and the experience to provide meaningful scrutiny of executive decisions.

Senior Management

The Senior Managers and Certification Regime (SM&CR) requires firms to allocate clear responsibilities to their senior managers and ensure they are fit and proper to hold their positions. For new authorisation applications, you must identify who will hold each required Senior Management Function (SMF).

At minimum, most firms need to appoint individuals to the SMF1 (Chief Executive), SMF3 (Executive Director), SMF16 (Compliance Oversight), SMF17 (Money Laundering Reporting Officer), and SMF9 (Chair) functions. The specific requirements depend on your firm type and permissions.

Each senior manager needs a Statement of Responsibilities (SoR) that clearly describes their individual accountability. These statements should be specific enough to identify who is responsible for what, avoiding vague or overlapping descriptions.

Policies and Procedures

The FCA requires authorised firms to have written policies and procedures covering all aspects of their regulated business. These documents should be proportionate to the firm's size and complexity but must address the key risk areas relevant to your business model.

Core policies typically include: compliance monitoring programme, anti-money laundering and counter-terrorist financing procedures, conflicts of interest policy, complaints handling procedures, data protection policy, business continuity planning, and operational resilience frameworks.

Your policies must be more than templates. They should reflect your actual business operations, risk profile, and the specific regulatory requirements that apply to your permissions. Generic policies that don't address your firm's reality are a common cause of FCA feedback and delays.

Financial Resources

Financial resource requirements vary significantly depending on your firm type and permissions. At minimum, all FCA-authorised firms must maintain adequate resources to meet their liabilities as they fall due. Many firm types have specific minimum capital requirements.

Payment institutions and e-money institutions must calculate their capital requirements based on payment volumes and safeguarding obligations. Investment firms have specific prudential requirements under the Investment Firms Prudential Regime (IFPR).

Beyond meeting minimum requirements, firms must demonstrate they have realistic financial projections showing how they will remain adequately capitalised during the initial years of operation, typically covering at least three years of forecasts.

Systems and Controls

The FCA's Principles for Business require firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems. Your application must demonstrate you have appropriate systems and controls for your regulated activities.

Key areas include: operational controls covering day-to-day business processes, technology systems and cybersecurity, financial crime prevention including AML, sanctions, and fraud, record keeping and documentation, and management information and reporting.

Controls should be designed around your specific risk profile. A payment service provider processing high volumes needs different controls than a small advice firm. The FCA assesses whether your controls are proportionate and effective, not just whether they exist.

Consumer Protection

The Consumer Duty requires firms to act to deliver good outcomes for retail customers. For new authorisation applications submitted after the Duty came into force, you must demonstrate how your business model and operations will meet these requirements from day one.

The four outcomes under the Duty cover: products and services (ensuring they meet customers' needs), price and value (fair pricing relative to benefits), consumer understanding (clear communications), and consumer support (accessible and effective service).

Your application should show how you've designed your products, processes, and communications with the Duty in mind. This isn't about adding compliance processes after the fact but embedding customer outcomes thinking into your business design.

Application Submission

FCA authorisation applications are submitted through the Connect portal. Before beginning your submission, ensure you have all required documents prepared, all proposed senior managers identified and ready to submit their individual applications, and a clear understanding of the applicable fees.

The FCA aims to assess complete applications within statutory timeframes: 6 months for most firm types, 12 months for certain complex applications. However, incomplete applications or those requiring significant clarification can take considerably longer.

Once submitted, expect the FCA to request additional information or clarification. Respond promptly and comprehensively to these requests. The assessment team may also request meetings to discuss aspects of your application, particularly for novel or complex business models.

Who it’s for

Built for these teams.

How different roles put this guide into practice with Nasara Connect.

Fintech founders preparing for FCA authorisation

You're building a payments app or financial product and need FCA authorisation to launch in the UK market.

4 workflow steps

Compliance consultants supporting application projects

You're advising clients on FCA authorisation applications and need structured project management tools.

4 workflow steps

Existing firms applying for variation of permission

Your firm needs additional permissions to expand into new regulated activities or markets.

4 workflow steps

Legal teams advising on regulatory strategy

You're providing legal advice on regulatory perimeter questions and authorisation strategy.

4 workflow steps

Investors conducting regulatory due diligence

You're assessing a portfolio company's regulatory readiness as part of investment due diligence.

4 workflow steps

Ready to put this guide into practice?

See how Nasara Connect helps you implement these practices with structured workflows and evidence capture.