Menu Close

Blog

How to Get FCA Authorisation in 2026: A Step-by-Step Guide

Why FCA Authorisation Matters in 2026

Obtaining Financial Conduct Authority (FCA) authorisation is not merely a regulatory box-ticking exercise — it is the legal gateway to operating legitimately within the UK’s financial services sector. Without it, carrying on regulated activities under the Financial Services and Markets Act 2000 (FSMA) is a criminal offence.

In 2026, the stakes are higher than ever. The FCA has accelerated its processing ambitions, tightened its scrutiny of application quality, and embedded Consumer Duty expectations into its assessment criteria from the outset. Firms that approach this process under-prepared risk not only rejection, but lasting reputational damage with the regulator.

What Is FCA Authorisation and Who Needs It?

FCA authorisation is the formal permission granted to firms wishing to carry on one or more regulated activities as defined under FSMA 2000 and the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO). It is distinct from mere registration and carries ongoing supervisory obligations.

Firms that typically require full authorisation include:

  • Banks and neo-banks accepting deposits
  • Consumer credit providers, including Buy-Now-Pay-Later (BNPL) platforms
  • Investment firms, discretionary managers, and financial advisers
  • Insurance intermediaries and brokers
  • Payment institutions and electronic money issuers
  • Firms safeguarding or administering client assets

Operating without authorisation — or without the correct permissions — can result in criminal prosecution, significant financial penalties, and prohibition from the industry.

Understanding the FCA’s Regulatory Perimeter

Before committing resources to an application, firms must establish whether their activities fall within the FCA’s regulatory perimeter. The FCA’s Perimeter Guidance Manual (PERG) is the primary reference point for this determination.

PERG sets out which activities are regulated, which are excluded, and when exempt person status may be available. Misidentifying your regulatory perimeter — either by over-applying for permissions you do not need, or under-applying and missing critical regulated activities — is a common and costly mistake. Firms should map every revenue-generating activity against the RAO before taking any further steps.

The Five Threshold Conditions Explained

Every applicant must satisfy the FCA’s five Threshold Conditions, enshrined in Schedule 6 of FSMA and detailed in the FCA’s COND Sourcebook. These are non-negotiable minimum standards that must be met at application and maintained indefinitely thereafter.

The five conditions are:

  • Location of offices — The firm must be directed and managed from the UK if incorporated here
  • Adequate supervision — The FCA must be able to supervise the firm effectively, without obstruction from opaque group structures
  • Appropriate resources — Adequate financial, human, and IT resources must be demonstrably in place
  • Suitability — Owners and senior managers must be fit and proper, possessing the requisite expertise and integrity
  • Business model — The business model must be sustainable, coherent, and must not pose undue risks to consumers or market integrity

The FCA has intensified its scrutiny of Threshold Conditions compliance in recent years, with final notices issued to firms failing to maintain them rising sharply over the past five years.

Step 1 — Define Your Regulated Activities and Permissions

The very first task is a precise identification of the regulated activities you intend to carry on and the corresponding permissions you require. This is not a superficial exercise.

Each permission must be mapped directly to a specific activity under the RAO. For example, a robo-advisory platform will require investment management and arranging permissions, whereas a payments application may require an e-money institution licence. Applying for superfluous permissions raises questions about your business model; applying for insufficient permissions creates regulatory breaches the moment you go live.

This scoping exercise should inform every subsequent document in your application, from the Regulatory Business Plan to your financial projections. Precision at this stage is the bedrock of a successful submission.

Step 2 — Build Your Regulatory Business Plan (RBP)

The Regulatory Business Plan is arguably the most critical single document in any FCA application. It is not a conventional commercial business plan; it is a regulatory document that must demonstrate to the FCA that your firm understands the regulatory environment it is entering and has a credible, compliant strategy for operating within it.

A robust RBP will typically include:

  • A clear description of the business model, products, and services
  • Target customer base and distribution channels
  • Governance and management structure
  • Revenue model and financial sustainability narrative
  • Identification of key regulatory risks and how they will be mitigated
  • Compliance monitoring arrangements

Crucially, the FCA will cross-reference the RBP against every other document submitted. Inconsistencies — even minor ones — between the RBP and financial projections, for instance, will trigger case officer queries and potentially stall the application clock.

Step 3 — Appoint Key Personnel and Meet SMCR Requirements

The Senior Managers and Certification Regime (SM\&CR) applies to all FCA-authorised firms and must be embedded from the point of application. You cannot submit a complete application without identifying and appointing your senior managers.

At a minimum, most applicants will need to designate:

  • A Chief Executive (SMF1) or equivalent senior manager function
  • A Compliance Oversight function (SMF16)
  • A Money Laundering Reporting Officer (SMF17)
  • A Director function where applicable (SMF3)

Each designated senior manager must submit an individual Form A (or equivalent) as part of the application, demonstrating their fitness and propriety. The FCA will assess their qualifications, professional history, financial soundness, and any past regulatory or criminal matters. Gaps in experience or undisclosed issues are among the most common causes of application delay.

https://bit.ly/SMCRPlaybk

Step 4 — Prepare Your Compliance Framework and Policies

A comprehensive compliance framework must exist before submission — not as an aspiration, but as a functioning set of documented policies and procedures. The FCA will expect to see evidence of operational compliance infrastructure, not merely an intention to build one.

Essential documentation includes:

  • An AML/Counter-Terrorist Financing (CTF) Policy and risk assessment
  • Conflicts of Interest Policy
  • Complaints Handling Policy (aligned to DISP)
  • Data Protection and GDPR Policy
  • Remuneration Policy (where applicable)
  • Treating Customers Fairly (TCF) / Consumer Duty framework
  • Financial Promotions Policy
  • Business Continuity and Operational Resilience Plan

Each policy must be tailored to your specific business model; generic, off-the-shelf documentation is readily identifiable to a skilled case officer and reflects poorly on your firm’s understanding of its own regulatory obligations.

Step 5 — Demonstrate Adequate Financial Resources

Financial adequacy is one of the most scrutinised aspects of any FCA application. You must demonstrate not only that you have sufficient capital at the point of authorisation, but that your financial projections are realistic and evidence ongoing financial viability.

Depending on the activities applied for, there may be a specific minimum capital requirement — for example, MiFID investment firms have prescribed initial capital thresholds. Beyond minimum requirements, the FCA will assess whether the firm’s financial resources are proportionate to the risks it proposes to assume. Three-to-five-year financial projections, stress-tested against adverse scenarios, are typically expected.

Inconsistent or overly optimistic financial forecasts are a significant red flag. The FCA is not merely assessing solvency at inception; it is evaluating whether your firm will remain financially sound as it scales.

Step 6 — Implement Operational Systems and Controls

By the time you submit your application, your operational infrastructure must be materially in place, not merely in the planning stage. The FCA expects to see systems that are built, contracted, and evidenced — not promised.

This encompasses:

  • IT systems for customer onboarding, transaction monitoring, and record-keeping
  • Cybersecurity controls and data protection architecture
  • Operational resilience frameworks, including impact tolerance definitions
  • Third-party and outsourcing oversight arrangements
  • Internal audit and management information (MI) reporting

The FCA increasingly evaluates how a firm would respond to operational disruptions, including cyber incidents and rapid volume surges. Evidence of vendor contracts and oversight frameworks for any outsourced critical functions is essential.

Step 7 — AML/Financial Crime Compliance Requirements

Anti-money laundering compliance is a non-negotiable pillar of any FCA authorisation application and receives heightened scrutiny given the regulator’s strategic focus on financial crime prevention.

Firms must demonstrate:

  • A documented, firm-wide AML/CTF risk assessment
  • A robust Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) framework
  • Procedures for Suspicious Activity Reporting (SARs)
  • Transaction monitoring systems appropriate to the firm’s risk profile
  • A designated MLRO with appropriate seniority, independence, and expertise

The MLRO must have unfettered access to senior management and adequate resources to discharge their responsibilities. Appointing a nominal MLRO without genuine authority or expertise is a scenario that the FCA’s authorisations team is experienced at identifying.

https://bit.ly/PEPHREDD

Step 8 — Consumer Duty Obligations for Applicants

Consumer Duty is no longer solely a post-authorisation obligation. In 2026, the FCA expects applicants to demonstrate how the Duty’s four outcomes — products and services, price and value, consumer understanding, and consumer support — have been embedded into the proposed business model from the outset.

This represents a material shift from previous application expectations. Firms must articulate how they will deliver good outcomes for retail customers throughout the product lifecycle, from design through to post-sale support. The FCA will scrutinise your Consumer Duty implementation plan as part of its assessment of your business model Threshold Condition.

https://bit.ly/PreFCASubAss

Step 9 — Submit Your Application via the FCA’s Connect System

All FCA authorisation applications are submitted through the FCA’s proprietary online platform, Connect. Registration on Connect is required before any application can be commenced.

The process involves:

  • Completing detailed online application forms specific to your firm type
  • Uploading all supporting documentation in the prescribed format
  • Paying the applicable application fee, which varies by firm type and permission
  • Submitting individual applications for each senior manager (Form A)

A critical point: the FCA’s statutory assessment clock — currently six months for complete applications and twelve months for incomplete ones, with new targets of four and ten months respectively — does not start until the FCA deems your application complete. If your application is missing documentation, or if the FCA has unanswered questions, it will not be classified as complete, irrespective of when you pressed “submit.”

Step 10 — Engaging With Your FCA Case Officer

Once your application is received, the FCA will assign a dedicated case officer to conduct its assessment. The relationship with your case officer is one of the most determinative factors in the speed and success of your application.

Best practices for engagement include:

  • Responding to all case officer queries promptly and comprehensively — partial or vague responses restart the query process
  • Providing additional documentation proactively where you anticipate follow-up questions
  • Being available for scheduled telephone discussions or meetings
  • Notifying the FCA immediately of any material changes to your application details

Every time the FCA raises an unanswered query, the clock effectively stops. Treating case officer engagement as a collaborative professional process, rather than an adversarial one, materially improves outcomes.

New 2026 Authorisation Timeline Targets

The FCA’s authorisation timeline has undergone significant reform. Under new statutory targets now operative in 2026, the FCA aims to process complete FSMA firm applications within four months, reduced from the previous six-month standard. Incomplete applications carry a ten-month outer limit, down from twelve.

For Variations of Permission (VoP) applications where the new permissions closely mirror an existing business model, a voluntary target of three months applies for complete submissions and six months for incomplete ones.

The FCA has been unambiguous in its messaging: faster timelines do not mean a lighter-touch assessment. Rather, speed gains are contingent entirely on application quality. Firms that submit well-evidenced, complete applications will benefit; those that do not will face no acceleration whatsoever.

Common Reasons Applications Fail or Stall

Understanding why applications fail is as instructive as knowing the steps to success. The most prevalent deficiencies include:

  • Incomplete or inconsistent documentation — discrepancies between the RBP, financials, and policies
  • Inadequate senior management — insufficient experience or undisclosed regulatory history
  • Poorly articulated business model — failure to clearly explain how the business operates within the regulatory perimeter
  • Unrealistic financial projections — optimistic forecasts lacking stress-test scenarios
  • Generic compliance policies — off-the-shelf documents not tailored to the specific business
  • Delayed responses to case officer queries — stopping the assessment clock and extending timelines
  • Insufficient AML framework — particularly absence of a credible, risk-proportionate MLRO appointment
  • Absence of Consumer Duty considerations — failing to embed the Duty into the business model pre-authorisation

Many of these failures are entirely avoidable with adequate preparation and, where appropriate, specialist external support.

Variations of Permission (VoP): What You Need to Know

Already-authorised firms wishing to add new regulated activities must apply for a Variation of Permission (VoP) rather than a new full authorisation. The process follows a broadly similar structure but is calibrated to the incremental nature of the change.

The FCA assesses whether the proposed new permissions are consistent with the firm’s existing Threshold Conditions and whether the firm has adequate resources to accommodate the expanded scope. Where the new permissions closely align with the existing business, the voluntary three-month target applies. Where they represent a material departure, the four-month statutory target is the benchmark.

Firms should not underestimate the rigour applied to VoP assessments. The FCA treats them as an opportunity to reassess the firm holistically, not merely to rubber-stamp an incremental change.

Post-Authorisation Obligations

Authorisation is not the finish line — it is the starting gate. Once on the Financial Services Register, firms assume a broad array of continuing regulatory obligations, including:

  • Annual regulatory fees payable to the FCA
  • RegData reporting submissions (formerly Gabriel) — financial, operational, and complaints data
  • Consumer Duty annual board reports evidencing outcomes monitoring
  • SM\&CR ongoing certification and annual fitness and propriety assessments
  • Financial crime returns including SARs where applicable
  • Notification obligations — material changes to the business, personnel, or ownership must be reported promptly via Connect
  • Operational resilience self-assessments — annually documenting important business services and impact tolerances

Newly authorised firms should treat their first twelve months as a critical period of embedding, during which the FCA’s supervisory scrutiny is typically elevated.

Should You Use a Compliance Consultant?

Many applicants, particularly smaller firms and start-ups, approach FCA authorisation without external support and subsequently encounter the full force of what is a substantive regulatory undertaking. The question is not whether specialist assistance adds value — it demonstrably does — but whether you have the internal capacity to replicate that expertise.

An experienced compliance consultancy will:

  • Conduct a thorough gap analysis against FCA requirements before submission
  • Draft or review the Regulatory Business Plan and supporting documentation
  • Advise on appropriate permission scope to avoid over- or under-application
  • Manage case officer engagement on your behalf
  • Identify and resolve inconsistencies before they become case officer queries
  • Ensure Consumer Duty and SMCR requirements are embedded from the outset

Given that an incomplete or poorly drafted application can add six months or more to the process, the cost of specialist support is frequently far outweighed by the commercial value of a timely authorisation.

Compliance Consultant has assisted firms through the FCA authorisation process for over 25 years. For a complimentary assessment of your application readiness, contact us at complianceconsultant.org or call 0800 689 0190.

Frequently Asked Questions

How long does FCA authorisation take in 2026?
For a complete application, the FCA’s new statutory target is four months. Incomplete applications carry a ten-month outer limit. However, the clock only starts once the FCA classifies the application as complete, and pauses each time an unanswered query exists.

What is the FCA Connect system?
Connect is the FCA’s online portal through which all authorisation applications, individual approvals, and notifications are submitted. All firms must register on Connect before commencing an application.

Do I need a compliance officer before applying?
Yes. The Compliance Oversight function (SMF16) must be identified and a Form A submitted for that individual as part of your application. The FCA will not authorise a firm without key personnel in place.

What happens if my application is refused?
You have the right to refer the matter to the Upper Tribunal (Tax and Chancery Chamber). However, a refusal represents a material regulatory event and can impede future applications. Prevention, through thorough preparation, is strongly preferable to cure.

Can I trade whilst my application is pending?
In limited circumstances, firms may carry on certain activities under the “appointed representative” regime or as an “introducer appointed representative” whilst awaiting authorisation. However, directly carrying on regulated activities whilst an application is merely pending — without any such arrangement — remains unlawful.

Is Consumer Duty relevant at the application stage?
Emphatically yes in 2026. The FCA expects Consumer Duty to be embedded in your business model and documented accordingly within your application. It forms part of the business model Threshold Condition assessment.

Social Media Profiles
Facebook | https://www.facebook.com/ComplianceConsultant
Twitter | https://twitter.com/complianceconst
Instagram | https://www.instagram.com/ukcomplianceconsultant
LinkedIn | https://www.linkedin.com/company/compliance-consultant-uk
Pinterest | http://www.pinterest.com/ComplianceConst/

author avatar
Lee Werrell
See Full Bio