Julien Haye

Proactive Risk Mitigation for FCA Authorisation: Addressing Problematic Areas to Ensure Approval

Securing FCA authorisation from the Financial Conduct Authority (often referred to as FCA licensing) can be a daunting process for any organisation. According to the FCA’s 2023/24 Annual Report, 36% of firms applying solely for AML supervision were rejected, withdrawn, or refused—up from 21% in 2021/22. These numbers highlight the FCA’s firm stance on financial crime prevention. This emphasises the critical importance of robust AML/ATF frameworks, as discussed in more detail below.


Processing timelines to become an authorised firm can range from six months for complete applications up to a year for incomplete submissions. The application requires meticulous preparation, detailed documentation, and the foresight to identify potential red flags before they arise. Proactive risk mitigation is not just a best practice; it’s essential to ensure a smooth path to authorisation and to avoid costly delays.


In this guide, we’ll explore the most common issues that aspiring authorised firms encounter when applying for FCA authorisation and outline actionable strategies for overcoming them. Whether your firm seeks Payment Institution (PI), Electronic Money Institution (EMI), Account Information Service Provider (AISP), or Payment Initiation Service Provider (PISP) authorisation, these insights will help you anticipate and manage risk effectively.


For a deeper look at the foundational frameworks and considerations for payment firms, see our Understanding UK Payment Licensing Requirements article, which highlights the critical role of regulatory compliance, data protection, and future-focused innovation in building trust and resilience.


Before initiating the FCA authorisation process, it’s crucial to understand the specific requirements set out by the Financial Conduct Authority (FCA) for authorisation.



Common Problematic Areas in FCA Authorisation


Achieving FCA authorisation demands robust planning across multiple operational and compliance areas. Even minor oversights in financial projections, IT documentation, or governance can lead to significant delays—or even a rejected application. To help you navigate these challenges, we’ve outlined the most frequent pitfalls and provided targeted strategies for mitigating each risk effectively.


Insufficient Financial Projections

The FCA requires realistic and detailed financial projections as part of a business plan to assess an organisation’s long-term sustainability. Unsubstantiated or incomplete projections can trigger concerns about solvency.


Mitigation Strategy

  • Base projections on comprehensive market research and realistic assumptions.

  • Include historical data (if available) and align figures with industry benchmarks.

  • Account for all operational costs, compliance outlays, and revenue streams.


Incomplete IT Documentation

Thorough IT documentation is crucial to demonstrate operational readiness. If your systems, architecture, or security measures are unclear, your application for FCA authorisation could be delayed.


When handling payment data, compliance with PCI DSS standards can bolster your cybersecurity posture and protect cardholder information. Failing to showcase robust IT documentation and data protection practices can lead to significant FCA scrutiny.


Mitigation Strategy

  • Provide clear system architecture diagrams and robust cybersecurity details.

  • Include incident response and disaster recovery plans.

  • Align data protection protocols with GDPR standards.


Inadequate AML/ATF Policies

Anti-Money Laundering (AML) and Anti-Terrorist Financing (ATF) frameworks are foundational for regulatory compliance. Weak or incomplete policies raise immediate red flags for the FCA.

Additionally, for cross-border or EU-involved activities, referencing EBA guidelines under PSD2 can help clarify safeguarding obligations within the broader European regulatory framework.


Mitigation Strategy

  • Develop AML/ATF policies that meet both FCA and Financial Action Task Force (FATF) guidelines.

  • Implement a rigorous Customer Due Diligence (CDD) process, including Enhanced Due Diligence (EDD) for high-risk cases.

  • Appoint a qualified Money Laundering Reporting Officer (MLRO) with clearly defined responsibilities.


Weak Safeguarding Measures

For firms handling customer funds, safeguarding arrangements must be robust to protect these funds in the event of insolvency.


Mitigation Strategy

  • Clearly outline your safeguarding policies and fund segregation procedures.

  • Demonstrate the existence of safeguarding accounts or insurance arrangements.

  • Perform regular reconciliations of safeguarding accounts to ensure compliance.


Unclear Governance and Organisational Structure

The FCA scrutinises governance frameworks to ensure accountability and effective oversight. Any ambiguity in roles and responsibilities can compromise your application.

Firms that are dual-regulated—such as certain banks and larger investment institutions—must also consider the requirements from the Prudential Regulation Authority (PRA) when setting up governance frameworks.


Mitigation Strategy

  • Clearly define the duties and responsibilities of senior management and key personnel.

  • Document reporting lines and escalation procedures.

  • Align roles with a transparent governance framework.


Lack of Incident Response or Disaster Recovery Plans

Applicants must show they can manage operational disruptions—such as cyberattacks or service outages—without jeopardising customer interests.


Mitigation Strategy

  • Develop a formal incident response plan.

  • Include a disaster recovery protocol for system outages and data breaches.

  • Conduct scenario-based stress testing and maintain up-to-date documentation.


Incomplete Customer Journey and Consent Management

For PISPs and AISPs in particular, ensuring a seamless and compliant customer journey is vital. This includes robust consent management under General Data Protection Regulation (GDPR).


Also, be sure to align with GDPR regulations by consulting the Information Commissioner’s Office (ICO) for official guidance on data protection and privacy requirements.

In the context of Open Banking, aligning your customer journey with Open Banking UK standards can provide a more seamless user experience while ensuring robust consent management and data security.


Mitigation Strategy

  • Map the end-to-end customer journey with visual mockups of user interfaces.

  • Implement GDPR-compliant processes for capturing and managing user consent.

  • Clearly articulate data protection policies in your application.


Unrealistic Operational Readiness

Your organisation must demonstrate adequate preparedness for launch. If readiness is unclear, the FCA may delay or reject the application.


If your firm provides payment services, you should be familiar with the UK Payment Services Regulations 2017 to ensure every operational aspect meets the legal requirements.


Mitigation Strategy

  • Provide evidence of key operational systems and processes (e.g., fraud detection, payment platforms).

  • Include relevant vendor and technology provider contracts.

  • Document staff onboarding and training programmes.


Why People Assessment Is Critical


The FCA places significant weight on the fitness and propriety of key personnel, as strong leadership underpins a firm’s ability to meet regulatory obligations. Below are common challenges and how to address them.

Avoid costly delays and compliance setbacks by assessing senior staff suitability upfront. Download our Key Personnel Assessment Checklist to streamline your FCA authorisation process.

Insufficient Experience or Qualifications

If senior team members lack relevant qualifications or industry experience, the FCA may question the firm’s leadership credentials.


Mitigation Strategy

  • Appoint individuals with demonstrable expertise and accreditation.

  • Highlight previous roles in compliance, governance, or operational management.

  • Present a plan for ongoing professional development (CPD).


Unclear Roles and Responsibilities

Vague job descriptions or reporting lines can undermine accountability and effective oversight.


Mitigation Strategy

  • Prepare detailed job descriptions for each senior position.

  • Clearly allocate regulatory duties, especially under the Senior Managers and Certification Regime (SMCR).

  • Align governance roles with the firm’s broader organisational framework.


Adverse Regulatory History

Individuals with past regulatory issues may raise concerns about integrity and propriety.


Mitigation Strategy

  • Conduct thorough background checks on all key personnel.

  • Address any historical regulatory infractions with transparent disclosures and mitigating evidence.


Lack of Understanding of Responsibilities

The FCA expects senior management to fully understand their regulatory obligations and operational responsibilities.


Mitigation Strategy

  • Provide targeted training on SMCR requirements.

  • Conduct workshops that clarify role-specific responsibilities and expectations.


Insufficient Board Composition

A board lacking independent directors or sector-relevant expertise may raise doubts about governance quality.


Mitigation Strategy

  • Include independent directors, subject-matter experts, and executive leadership on the board.

  • Highlight the diversity and breadth of expertise among board members.


Benefits of Proactive Risk Mitigation


By proactively identifying and addressing the most common red flags in your FCA authorisation application, you stand to gain:


  • Faster Approvals: A well-prepared submission reduces the likelihood of queries and substantial delays.

  • Greater Regulatory Confidence: Demonstrates your firm’s commitment to strong governance and compliance.

  • Cost Savings: Minimises the need for costly revisions or multiple re-submissions.


What to Do if Your FCA Application Gets Rejected


Step 1. Identify and Document the Reason for Rejection

In the event of a refusal or a 'minded to refuse' notice, the FCA generally provides clear feedback outlining the specific deficiencies—such as incomplete documentation, weak governance structures, or underdeveloped AML measures. This guidance is intended to help applicants correct any shortcomings, ensuring a stronger submission if they choose to reapply.


Tip: Create a checklist of the FCA’s comments to ensure you address each issue when resubmitting.


Step 2. Consult with Experts

Engage a regulatory consultant or legal advisor who specialises in FCA authorisation. They can help interpret the regulator’s feedback and guide you in re-preparing a robust application.


Tip: If cost is a factor, seek initial advice from industry bodies or associations that offer free or discounted support.


Step 3. Strengthen Internal Processes

Reassess your governance, compliance, and risk mitigation frameworks. For example, if AML policies were deemed insufficient, update them to align with the latest FCA and FATF guidelines.


Tip: Document improvements in a clear, concise manner so you can submit a well-organised, evidence-based reapplication.


Step 4. Gather Additional Evidence

If you lacked robust financial projections or safeguarding measures, gather more data—like audited statements or new policy documents—to support your claims of operational readiness.


Tip: Supplement your application with proofs such as board minutes, vendor contracts, staff training logs, and security certifications.


Step 5. Address Skills Gaps

If people assessment was a stumbling block (e.g., lack of experienced senior managers), recruit or train personnel to fill these gaps.


Tip: Showcase new hires’ qualifications and relevant experience, and outline your training and professional development roadmap.


Step 6. Engage with the FCA

In many cases, maintaining open communication with the FCA can help resolve issues more swiftly.


Tip: Contact your assigned FCA case officer to confirm that you’ve addressed the identified shortcomings and ask if there are any additional clarifications needed.

Step 7. Prepare for Resubmission

Once you’ve rectified the issues, compile a fresh application or an addendum with updated documents and data.


Tip: Use a project-management approach—assign clear responsibilities, set deadlines, and carry out quality checks before resubmitting.


Conclusion


Securing FCA authorisation may be a formidable challenge, but with proactive risk mitigation and thorough preparation, it becomes a well-managed process. By focusing on the critical areas outlined in this article—from robust financial projections to well-defined governance structures—you’ll be well-positioned to earn the FCA’s trust and build a solid foundation for your financial services operations.



Need assistance with your FCA authorisation?

Contact us today to discover how our team can guide you through the complexities of FCA licensing and help you achieve regulatory compliance.


Frequently Asked Questions (FAQs)


1. How can I ensure my financial projections meet the FCA’s expectations?


Answer:

  • Base your projections on comprehensive market research and realistic assumptions.

  • Include any historical financial data (if available) and align figures with industry benchmarks.

  • Accurately reflect all operational costs, compliance expenditures, and revenue streams so the FCA sees you’ve planned for sustainable operations.


2. What key IT documentation does the FCA expect to see?


Answer:

  • Clear system architecture diagrams that illustrate how your technology stack is set up and secured.

  • Detailed cybersecurity measures, including how you protect customer data and respond to threats.

  • Incident response and disaster recovery plans that show how you’d handle disruptions without endangering customers or business continuity.


3. Why is AML/ATF compliance such a major focus in the FCA authorisation process?


Answer:

  • Anti-Money Laundering (AML) and Anti-Terrorist Financing (ATF) frameworks are fundamental for preventing financial crime.

  • The FCA’s 2023/24 Annual Report shows high rejection rates linked to inadequate AML controls—especially in the crypto sector.

  • Your AML/ATF policies should align with both FCA and Financial Action Task Force (FATF) guidelines, and you must appoint a qualified MLRO with clearly defined duties.


4. What does “safeguarding measures” mean for firms handling customer funds?


Answer:

  • Safeguarding is about protecting customer funds in the event of insolvency or operational failure.

  • You should demonstrate segregation of customer funds, reconcile safeguarding accounts regularly, and possibly have insurance arrangements in place.

  • These measures reassure the FCA—and your customers—that their money is safe at all times.


5. Why does the FCA scrutinise governance and organisational structure so closely?


Answer:

  • A clear and well-documented governance framework ensures accountability and effective oversight.

  • Ambiguities in senior roles, reporting lines, and decision-making processes raise red flags about how well you can manage compliance and risk.

  • Dual-regulated firms (e.g., certain banks) must also meet PRA requirements, adding another layer of complexity.


6. Is an Incident Response or Disaster Recovery Plan really necessary?


Answer:

  • Yes. The FCA wants to see you can handle operational disruptions like cyberattacks or system outages without jeopardising customer funds or data.

  • A formal incident response plan and a tested disaster recovery protocol show you’re prepared for emergencies and uphold operational resilience standards.


7. What if my AISP/PISP customer journey and consent management are incomplete?


Answer:

  • AISPs and PISPs must provide a seamless user experience that is also GDPR-compliant.

  • Map the customer journey in detail, include visual mockups, and show how you collect and manage consent.

  • Align with Open Banking UK standards for transparency and security if your business model involves open banking services.


8. How do I demonstrate “operational readiness” to the FCA?


Answer:

  • Provide evidence of all key operational systems (e.g., payment gateways, fraud detection).

  • Include relevant vendor contracts, staff training records, and onboarding procedures.

  • Refer to the UK Payment Services Regulations 2017 if you handle payment services, as failing to meet these can lead to delays or rejection.


9. How critical is the “people assessment” portion of the application?


Answer:

  • The FCA heavily weighs the fitness and propriety of senior personnel.

  • Weaknesses—like insufficient experience or past regulatory issues—can undermine your entire application.

  • Providing detailed CVs, job descriptions with specific responsibilities, and relevant qualifications helps the FCA see you have the right people in place.


10. What steps should I take if my application is rejected?


Answer:

  • Identify and document the reason for rejection by reviewing the FCA’s feedback in detail.

  • Strengthen internal processes by updating policies, governance frameworks, or IT systems, depending on the deficiencies noted.

  • Gather additional evidence (e.g., audited financials, board minutes) and engage with your FCA case officer to address concerns before resubmission.
