Activity-based regulation in fintech

The UK regulates financial technology based on the activities you perform, not your business model or technology stack. Whether you're a mobile app, API provider, or traditional bank, if you handle customer money, facilitate payments, or provide financial services, you need authorisation from the Financial Conduct Authority (FCA).

This activity-based approach means fintech firms face the same regulatory requirements as traditional financial institutions when performing regulated activities. However, the FCA provides innovation support programmes to help you navigate regulation whilst developing new products.

E-money and payment services

If you issue electronic money (e-money) or provide payment services, you need authorisation as either an E-Money Institution (EMI) or Payment Institution (PI). The level of authorisation depends on your transaction volumes.

E-money is electronically stored monetary value that represents a claim against the issuer. Examples include prepaid cards, digital wallets, and stored value accounts. Payment services include money remittance, card payments, direct debits, and Open Banking services.

Choosing between Small and Full authorisation: Most startups begin as Small EMIs or Small PIs due to lower capital requirements and faster registration (£500-£1,000 fee, 3-6 months). However, you cannot passport to the EEA and have no mandatory safeguarding obligations as a small institution.

Once you exceed the thresholds (€5m outstanding e-money or €3m monthly payments), you must upgrade to Full authorisation within the required timeframes. This triggers higher capital requirements and full safeguarding duties.

Capital requirements for payment institutions

Full Payment Institutions must hold minimum capital, the amount of which depends on the services they provide. Capital requirements exist to protect customers and ensure the firm can meet its obligations if the business fails.

Calculating your capital requirement: If you provide multiple payment services, you need the highest applicable capital amount. For example, if you offer both money remittance (€20k) and card payments (€125k), you need €125k minimum capital.

Capital must be 'own funds' - this includes paid-up share capital and reserves, but excludes loans and intangible assets in most cases. Your accountant should verify your capital calculation meets FCA requirements before you apply.

Open Banking services (AIS and PIS)

Open Banking enables third-party providers to access bank account data (Account Information Services) or initiate payments (Payment Initiation Services) with customer consent. These services are regulated under Payment Services Regulations 2017 and the CMA Open Banking Order.

Open Banking has transformed UK fintech since 2018, with over 11 million active users and 300+ enrolled firms. If you want to build apps that connect to customers' bank accounts, you need appropriate authorisation.

Choosing between AIS and PIS authorisation: Account Information Services (AIS) are simpler to authorise - no minimum capital, £500 registration fee, and you can register as a standalone Registered AIS Provider (RAISP). This suits apps that aggregate account data, budgeting tools, or credit reference services.

Payment Initiation Services (PIS) require Full Payment Institution authorisation with €50,000 minimum capital. PIS allows you to initiate payments directly from customers' bank accounts, bypassing card networks. This suits payment apps, e-commerce checkout solutions, or bill payment services.

Technical requirements: You must use Open Banking APIs - screen scraping is prohibited. Strong Customer Authentication (SCA) is mandatory for all transactions, with 90-day re-authentication required. Familiarise yourself with UK Open Banking API standards before applying.

Crypto-asset businesses and financial promotions

If you operate a crypto-asset business - including exchanges, wallet providers, or crypto ATMs - you must register with the FCA under Money Laundering Regulations. Additionally, since 8 October 2023, crypto-asset financial promotions face strict marketing rules.

Who the promotions regime applies to: If you market crypto-assets to UK consumers - through websites, social media, influencer partnerships, or advertising - all promotions must be approved by an FCA-authorised firm and follow financial promotions rules.

This regime has significantly changed crypto marketing in the UK. You cannot run referral bonus schemes, you must include prominent risk warnings, and first-time investors face a mandatory 24-hour cooling-off period before they can invest.

Crypto registration backlog: FCA crypto-asset registration currently faces a significant backlog (6-18 months). Many applications are rejected for inadequate financial crime controls. Ensure your anti-money laundering (AML) systems, know-your-customer (KYC) processes, and sanctions screening are robust before applying.

FCA innovation support programmes

The FCA operates several innovation support programmes designed to help fintech firms test products, navigate regulation, and bring innovation to market faster. These programmes can significantly reduce time-to-market and regulatory uncertainty.

Regulatory Sandbox

The FCA Regulatory Sandbox allows you to test genuinely innovative products with real customers under regulatory supervision. Over 800 firms have been supported since 2016, with approximately 90% successfully exiting to full authorisation.

When to apply for the Sandbox: The Sandbox suits firms that have developed a testable proposition but face regulatory uncertainty. You must demonstrate genuine innovation and consumer benefit - incremental improvements to existing products rarely qualify.

The Sandbox operates in cohorts with application windows typically twice per year. Testing periods last 3-6 months with live customers. The FCA provides individual guidance, relaxes certain rules where appropriate, and helps you transition to full authorisation.

Sandbox vs traditional authorisation: The Sandbox does not replace authorisation - you still need FCA authorisation to operate commercially after testing. However, sandbox participation demonstrates regulatory engagement and de-risks your proposition before committing to full authorisation costs.

Digital Sandbox

Launched in 2023, the Digital Sandbox provides year-round testing with synthetic data. Unlike the Regulatory Sandbox, you don't need customer interaction, making it ideal for early-stage testing before applying to the traditional sandbox or for authorisation.

Using the Digital Sandbox strategically: Because the Digital Sandbox is always open and requires no live customers, use it to test technical infrastructure, API integrations, and regulatory reporting systems before engaging with real customers.

Many fintech startups use the Digital Sandbox first to validate their product concept, then apply to the Regulatory Sandbox to test with real customers, and finally apply for full authorisation once the business model is proven.

Authorisation timelines

FCA authorisation is not quick. Plan your runway carefully, as you cannot operate commercially until authorisation is granted. Timelines vary significantly by service type and application quality.

What 'complete application' means: These timelines start when your application is complete, not when you first submit. The FCA will reject incomplete applications or request additional information, which pauses the clock.

A complete application includes detailed business plans, financial projections, financial crime controls, governance structures, key personnel CVs, and regulatory capital evidence. Most applications require multiple rounds of FCA queries before approval.

Expediting your application: Using innovation support programmes (Regulatory Sandbox, Innovation Pathways, Scalebox) can reduce timelines by providing pre-application guidance. Firms that engage with the FCA early through these programmes submit higher-quality applications with fewer delays.

Plan for longer timelines: Budget 12-18 months from starting your application to receiving authorisation, especially for complex activities like crypto registration or if you're a first-time applicant. Do not commit to commercial launch dates until authorisation is confirmed.

Preparing for authorisation

Before applying for FCA authorisation, ensure you have:

  • Sufficient capital: Meet minimum capital requirements for your service type, with evidence of source of funds
  • Fit and proper persons: Senior managers and key personnel must pass FCA fitness and propriety assessments (clean regulatory record, relevant qualifications/experience)
  • Financial crime controls: Robust AML/CTF systems, KYC processes, sanctions screening, and transaction monitoring
  • Governance and risk management: Clear organisational structure, risk framework, compliance monitoring, and audit trails
  • Consumer protection: Complaints handling, vulnerable customer policies, clear terms and conditions, and fair treatment outcomes
  • Operational resilience: IT systems, cybersecurity, business continuity, and outsourcing governance

Consider engaging specialist regulatory consultants or lawyers for your first application. The cost of professional advice (£10k-£50k) is small compared to the cost of delays or rejection (months of runway burned whilst your application is stuck).