Professional & Financial Services

Run a regulated financial services firm

Every financial intermediary shares a core of regulated-firm duties: hold the right FCA permissions for what you do, operate the Senior Managers and Certification Regime, deliver the Consumer Duty on retail business, keep promotions compliant, handle complaints under the FCA's rules, run anti-money-laundering controls, meet operational resilience requirements, and protect personal data. Pension administrators have their own section — The Pensions Regulator's regime applies to them even where no FCA permission is held.

UK-wide Updated 9 Jun 2026

On this page

UK-wide

Cryptoasset Business Regulation

Regulatory requirements for cryptoasset businesses in the UK - how token classification determines whether you need full FCA …

Financial intermediary compliance checklist

A confirmation checklist for financial intermediaries — insurance distributors and loss adjusters, advisers and intermediaries, investment firms and …

Tech Sector Licensing and Authorisations

Comprehensive guide to licences and regulatory authorisations required for technology businesses - telecommunications, financial services, intellectual property, export …

Get FCA authorisation for financial services

How to apply for Financial Conduct Authority authorisation to carry on regulated financial activities. Covers the application process, …

Understanding UK consumer credit regulation

What consumer credit regulation is, why it exists, and who it applies to. Covers the relationship between the …

Whatever kind of intermediary you are — a broker, an adviser, a dealer, a fund manager or an administrator — the same regulated-firm duties form your baseline. Put these in place, then follow the guide for your specific activity. Everything in this guide applies UK-wide.

Hold the right permissions

Most intermediary activities — advising, arranging, dealing as agent, managing investments, insurance distribution — are regulated activities under the Regulated Activities Order: you need FCA Part 4A permission for each one you carry on, or — where available — an exemption such as appointed representative status. Check the perimeter with do I need FCA authorisation, weigh appointed representative against direct authorisation, and apply via apply for FCA authorisation — you will need to meet the threshold conditions on an ongoing basis.

FCA Regulated Activities Requiring Authorisation

Activities under the Financial Services and Markets Act 2000 (Regulated Activities Order 2001) that require FCA authorisation.

Operating any of these activities without FCA authorisation is a criminal offence under Section 19 FSMA, punishable by up to 2 years imprisonment and unlimited fines.

Accepting deposits: Article 5 RAO - Only regulated activity applying to deposits
Dealing in investments as principal: Article 14 RAO - Trading own account
Dealing in investments as agent: Article 21 RAO - Trading on behalf of clients
Arranging (bringing about) deals in investments: Article 25(1) RAO - Facilitating transactions
Making arrangements with a view to transactions: Article 25(2) RAO - Preparatory arrangements
Advising on investments: Article 53(1) RAO - Excludes P2P agreements and deposits
Safeguarding and administering investments: Article 40 RAO - Custody services
Sending dematerialised instructions: Electronic settlement instructions
Legislative source: Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (SI 2001/544)

Operate the SM&CR

As a solo-regulated firm you sit in the SM&CR's limited scope, core or enhanced tier depending on your size and activities: senior managers need FCA approval, certification staff are assessed annually, and conduct rules apply to almost everyone.

Senior Managers & Certification Regime (SM&CR)

Individual accountability requirements for FCA-regulated firms

Core Senior Management Functions (all firms)

SMF1 - Chief Executive: Executive responsibility for conduct of firm
SMF16 - Compliance Oversight: Responsibility for regulatory compliance
SMF17 - Money Laundering Reporting Officer: AML compliance responsibility

Enhanced SMFs (core investment firms, banks, insurers)

SMF2 - Chief Finance Officer
SMF3 - Executive Director
SMF9 - Chair of Governing Body
SMF10-14 - Risk and control functions

Application requirements

Form A application to FCA (£250 per person)
Statement of Responsibilities (SoR)
Regulatory references (6 years)
Criminal records check
Fit and proper assessment

Certification Staff

Annual certification required for customer-facing roles and material risk takers.

Conduct Rules

Individual Conduct Rules apply to all staff. Senior Manager Conduct Rules apply to SMFs.

Deliver the Consumer Duty

If retail customers sit anywhere in your distribution chain, the Consumer Duty (Principle 12) applies: fair value, communications that support understanding, and monitoring of customer outcomes.

Consumer Duty requirements overview

The Consumer Duty framework requiring firms to deliver good outcomes for retail customers, including implementation timeline and scope.

The Consumer Duty is the FCA's flagship conduct standard, requiring firms to act to deliver good outcomes for retail customers. It applies to all firms in the retail distribution chain.

Consumer Principle (Principle 12): A firm must act to deliver good outcomes for retail customers
Legal basis: FCA PRIN 2A (Principles for Businesses sourcebook)
Final rules published: 27 July 2022
Implementation plans agreed: 31 October 2022
Open products/services deadline: 31 July 2023
Closed products/services deadline: 31 July 2024
Replaces: Principles 6 (treating customers fairly) and 7 (clear communications) for retail business

For implementation detail, see FCA Consumer Duty compliance requirements.

Keep promotions compliant

Everything you publish to win business is potentially a financial promotion under section 21 FSMA — it must be fair, clear and not misleading, and approving promotions for unauthorised persons has its own gateway.

Financial promotions compliance — the section 21 FSMA restriction

The restriction on communicating financial promotions under section 21 of the Financial Services and Markets Act 2000, the approver-permission gateway introduced by the Financial Services and Markets Act 2023, the fair, clear and not misleading standard, and the consequences of an unlawful promotion. The general s.21 regime applying across financial services (the estate's other promotion atoms are credit- and crypto-specific).

Under section 21 of the Financial Services and Markets Act 2000 (FSMA) a person must not, in the course of business, communicate an invitation or inducement to engage in investment activity (a financial promotion) unless they are an authorised person, the promotion has been approved by an authorised person with the relevant permission, or an exemption applies. Breach of the restriction is a criminal offence.

Statutory source: FSMA 2000 section 21; Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (SI 2005/1529)
Regulator: Financial Conduct Authority (FCA)
The restriction: No person may communicate a financial promotion in the course of business unless authorised, approved by an authorised person, or exempt
Approver permission gateway: Since the FSMA 2023 reforms, an authorised person must hold specific FCA permission to approve the financial promotions of unauthorised persons
Core standard: Promotions must be fair, clear and not misleading (FCA Handbook, including COBS 4 and CONC 3 for credit)
High-risk investments: Additional rules apply to restricted and non-mass-market investments, including risk warnings and consumer journey requirements
Consequence: Communicating an unlawful financial promotion is a criminal offence under section 25 FSMA; resulting agreements may be unenforceable

The approver gateway (FSMA 2023): Before the Financial Services and Markets Act 2023, any authorised person could approve the financial promotion of an unauthorised firm. The 2023 Act introduced a regulatory gateway: an authorised person must now obtain specific FCA permission before it can approve the promotions of unauthorised persons. This targets the quality of approvals for products marketed by unauthorised firms.

Sector rules: Consumer-credit promotions must additionally comply with CONC 3 of the FCA Handbook, and promotions for high-risk investments are subject to enhanced rules (risk warnings, positive frictions and appropriateness assessments). Whatever the product, the overarching standard is that a promotion must be fair, clear and not misleading.

Handle complaints under DISP

Complaints from eligible complainants follow the FCA's Dispute Resolution sourcebook, with referral rights to the Financial Ombudsman Service.

Complaints handling (FCA DISP) and Financial Ombudsman Service referral

The FCA complaints-handling rules in the DISP sourcebook — acknowledgement and resolution time limits, the final response, the duty to signpost the Financial Ombudsman Service, eligible-complainant definitions, and periodic complaints reporting to the FCA. The general FCA DISP regime (the estate's other complaints atoms are sector-specific — consumer credit, insurance, legal).

Authorised firms must operate complaints-handling procedures that comply with the FCA's Dispute Resolution: Complaints (DISP) sourcebook. DISP sets the time limits for handling complaints from eligible complainants, the content of the final response, and the obligation to tell complainants about their right to refer the matter to the Financial Ombudsman Service (FOS), which is established under Part XVI of the Financial Services and Markets Act 2000.

Source: FCA Handbook, Dispute Resolution: Complaints (DISP); Financial Ombudsman Service established under Part XVI FSMA 2000
Regulator: Financial Conduct Authority (FCA); Financial Ombudsman Service (FOS)
Prompt acknowledgement: Complaints must be handled promptly; firms must send a final response (or explain why one is not yet possible) within 8 weeks of receipt
Final response: The final response must address the complaint and inform the complainant of their right to refer it to the Financial Ombudsman Service
FOS signposting: Firms must provide the FOS's contact details and a copy of its standard explanatory leaflet at the appropriate time
Eligible complainant: Includes consumers, micro-enterprises, small businesses, charities and trusts within the thresholds set in DISP
Time to refer to FOS: A complainant generally has 6 months from the date of the final response to refer the complaint to the FOS
Reporting: Firms must submit periodic complaints returns to the FCA (and publish complaints data where they meet the reporting threshold)

The 8-week rule and the Ombudsman: If a firm cannot resolve a complaint within 8 weeks, it must write to the complainant explaining why and confirming the complainant's right to take the complaint to the Financial Ombudsman Service. The FOS provides an independent, free service for resolving disputes and can make binding awards within its monetary limits.

Run anti-money-laundering controls

Financial intermediaries are squarely in scope of the Money Laundering Regulations: risk assessments, customer due diligence, monitoring and reporting, with the FCA supervising most authorised firms.

Anti-money laundering requirements

MLR 2017 obligations for financial services

The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) require:

Risk assessment - assess your business's ML/TF risks
MLRO appointment - designate a Money Laundering Reporting Officer
Customer due diligence (CDD) - verify customer identity
Enhanced due diligence - for higher-risk customers
Ongoing monitoring - monitor transactions and relationships
Suspicious activity reports (SARs) - report suspicious activity to NCA
Record keeping - retain CDD records for 5 years after relationship ends
Staff training - initial and ongoing AML training

Record retention: 5 years from end of business relationship
SAR deadline: As soon as practicable after suspicion formed

Meet operational resilience requirements

In-scope firms must identify their important business services, set impact tolerances for disruption and be able to stay within them. See also cyber security for financial services firms.

FCA/PRA operational resilience requirements for financial services

Key deadline (31 March 2025) and core requirements for financial services firms including IBS mapping, impact tolerances, scenario testing, and third-party risk.

All in-scope financial services firms must comply with operational resilience requirements by 31 March 2025. This includes banks, insurers, electronic money institutions, payment institutions, investment firms, and certain other authorised firms.

The FCA has identified unregulated third-party issues as the primary source of operational incidents in 2022-2023.

Compliance deadline: 31 March 2025
In-scope firms: Banks, insurers, electronic money institutions (EMIs), payment institutions (PIs), investment firms, certain other authorised firms
Regulatory bodies: Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Bank of England
Requirement 1: Important Business Services (IBS) mapping: Identify and map all services that if failed would cause intolerable harm to consumers, threaten firm's viability, or threaten market integrity/financial stability
IBS mapping requirements: Complete mapping exercise, identify all components (people, processes, technology, facilities, information, third parties), understand dependencies, document end-to-end service delivery
Requirement 2: Impact tolerances: Set maximum tolerable level of disruption for each IBS (hours/days downtime, regulatory metrics, financial metrics, customer impact)
Requirement 3: Scenario testing: Test whether you can stay within impact tolerances during severe but plausible scenarios
Scenarios must include: Cyber attack, loss of key supplier, loss of critical staff, technology failure, third-party failure
Testing methods: Desktop exercises, simulation exercises, live testing (where safe)
Testing frequency: Regular testing (at least annually for critical scenarios)
Requirement 4: Third-party risk management: Due diligence before engagement, contractual security requirements, ongoing monitoring, exit plans, cyber security standards for third parties
FCA recommended practice: TLPT: Threat-Led Penetration Testing - extremely effective tool for identifying unknown vulnerabilities
FCA baseline expectation: Implement NCSC 10 Steps to Cyber Security as foundational cyber security
Future consultation (H2 2025): FCA and PRA intend to consult on ICT and cyber risk management policy (likely DORA-style requirements)
PRA 2025 focus: Insurers' cyber resilience under spotlight (hold significant customer data, critical role in financial system)

Protect personal data and pay the ICO fee

Client financial data is core personal data — handle it under the UK GDPR, and unless exempt register with the ICO and pay the annual data protection fee.

Data protection fee: ICO registration

Legal requirement to pay data protection fee to ICO under Data Protection Act 2018.

Under the Data Protection (Charges and Information) Regulations 2018, most organizations that process personal data must pay an annual data protection fee to the Information Commissioner's Office (ICO).

Who must pay

Must pay if your business:

Processes personal information about individuals (customers, employees, suppliers)
Is not covered by a limited exemption

Personal data includes: Names, addresses, email addresses, phone numbers, IP addresses, employee records, customer orders, marketing lists.

Tier 1 fee (most small businesses): £52 per year - Turnover up to £632,000 AND 10 or fewer staff (from Feb 2025)
Tier 2 fee: £78 per year - Turnover up to £36 million AND 250 or fewer staff (from Feb 2025)
Tier 3 fee (large organizations): £3,763 per year - Turnover over £36 million OR over 250 staff (from Feb 2025)
Penalty for non-payment: Up to £4,350 plus the fee owed

When to register

Before you start processing personal data - this means from day one for most businesses. You process personal data if you:

Keep customer records (names, email addresses, order history)
Have employees (employment records, payroll, contact details)
Use suppliers (contact information)
Send marketing emails
Use cookies on your website
Store business contacts in a CRM

Exemptions

Very limited exemptions exist. You're exempt only if you:

Only process personal data for personal or household purposes (not business)
Only process data for accounts, records, and admin required by law (very narrow - consult ICO guidance)
Are an MP, elected representative, or judge (specific exemptions)

Most businesses are NOT exempt - if you have any customer or employee data, you likely need to pay.

Registration process

Self-assess your tier using ICO's online tool
Register online at ico.org.uk
Pay annual fee by Direct Debit or card
Receive registration confirmation - Your registration appears on ICO's public register
Renew annually - ICO will remind you when renewal is due

Renewal: Annual - ICO sends renewal reminder before expiry
Public register: Your registration is publicly searchable on ICO website
Direct Debit discount: £5 discount if paying by Direct Debit

Pay the data protection fee

If you administer occupational pension schemes

Pension scheme administration is regulated by The Pensions Regulator, not the FCA — these duties apply even if you hold no FCA permission. As an administrator acting for trustees you support the scheme's TPR obligations: registrable information and scheme returns, record-keeping and data quality, and connection to pensions dashboards. Alongside these, the industry's administrator competence standards — Pensions Management Institute qualifications and PASA accreditation — are the recognised, though non-statutory, benchmark.

Occupational pension scheme administration

Administering occupational pension schemes engages the Pensions Act 2004 and The Pensions Regulator (TPR): scheme-funding and governance duties, maintaining accurate scheme data to TPR record-keeping standards, and connecting to the Pensions Dashboards by the staged deadline under the Pensions Dashboards Regulations 2022. Defined-benefit funding follows the Occupational Pension Schemes (Scheme Funding) Regulations 2005. Administrator competence is supported by industry standards (e.g. the Pensions Management Institute) rather than a statutory licence.

Regulator: The Pensions Regulator (TPR)
Requirement: Scheme funding/governance; data quality; dashboards connection

The trustees' own duties — funding, knowledge and understanding, the scheme-side dashboards obligations — are in run an occupational pension scheme.

Next steps

With the shared duties in place, follow the guide for your activity:

Then confirm everything with the financial intermediary compliance checklist.

Related guides in Financial Regulation Overview