Module Application
Does your organisation want to provide regulated financial services activities in the UK? If so, does it know how to comply with the relevant processes and procedures such as those involving authorisation, preliminary matters, using prescribed forms and fees, as well as understanding its options to appeal an authorisation refusal?
Does your organisation ensure that any person, whether employee or contractor, performing a controlled function on its behalf has obtained FCA approval?
Does your organisation understand and fulfil its legal duties when acting as principal for an appointed representative?
Does your organisation, when intending to either increase or decrease its control in another regulated organisation, understand and adhere to the appropriate consent and notification procedures relating to that change of control?
Does your organisation, when proposing to make changes to its products and/or services, comply with variation of permission requirements?
Does your organisation understand the full extent of its reporting obligations in connection with its authorisation to carry on regulated activity in the UK?
Does your organisation have adequate systems and controls in place to mitigate the risk of financial crime, bribery and corruption, as well as the loss or misuse of customer data?
Does your organisation comply with operational resilience requirements administered by the FCA?
Does your organisation make sure its employees are appropriately qualified, adequately trained, and possess the necessary level of competence to perform their respective work duties?
Is your organisation equipped with the necessary systems, procedures, protocols, and appropriate training material to comply with the FCA’s Consumer Duty requirements?
Module Scope
An organisation seeking to offer regulated financial services activities or consumer credit to consumers in the UK is subject to strict legal processes and procedures, including obtaining formal authorisation to provide such services or credit. This module breaks these processes and procedures into the following core obligations:
1. Authorisation (Firms)
If an organisation intends to offer regulated financial services activities or a consumer credit business in the UK, then it must first obtain approval to do so from the Financial Conduct Authority (FCA). If the organisation is part of a small group of organisations, such as a bank or insurance firm, then it also needs to obtain additional authorisation from the Prudential Regulation Authority (PRA).
All individuals and organisations are prohibited from carrying on a regulated activity without having in place appropriate authorisation or relevant exemption. This is referred to as the ‘general prohibition.’
Before an organisation can lodge an application for authorisation, it must satisfy certain criteria, including:
- meeting the FCA’s minimum standards (known as the ‘Threshold Conditions’)
- applying for registration on the FCA’s Connect portal
- ensuring the use of appropriate trading and business names
Applicants from overseas, including organisations operating in innovation and tech-focused industries, are subject to additional requirements.
Organisations must, at the very least, provide the minimum information required, otherwise will risk their application being refused by the relevant regulatory body.
2. Authorisation (People)
After obtaining authorisation from the FCA, organisations must take reasonable care to ensure that any person, whether employee or contractor, performing a controlled function on its behalf has also obtained FCA approval (referred to as an ‘Approved Person’) before these persons are permitted to perform their duties. Individuals exercising controlled functions can range from those who deal directly with customers to those with managerial functions, collectively known as Senior Management Functions (SMFs).
An application for Approved Persons status is made:
- at the same time as the organisation submits its own application for authorisation
- when it recruits additional staff
- when it conducts staff assessments and concludes that it needs Approved Person status
An organisation is also required to inform the FCA about any changes to staff who are designated as Approved Persons.
Organisation should not permit any person to carry on any controlled function while that person’s application is under review.
3. Principals and Appointed Representatives
An appointed representative (AR) refers to a person who has entered into a written, legally binding, agreement with an authorised person (the principal), which in turn permits the AR to conduct certain regulated activities.
Since obtaining authorisation status can be complex, time-consuming, and carries no guarantee of success, an organisation may decide to operate as an AR under an already authorised person (i.e., the Principal). However, under these circumstances, the scope of the AR’s activities is limited to the activities the principal is permitted to do under its own authorisation. In other words, the AR’s actions are treated as being the actions (or omissions) of the Principal.
Where an organisation takes on the role of principal, it must comply with specific ongoing requirements, such as routine reviewing the AR’s activities, its business and its senior management, as well as notifying the FCA when certain changes have been made to the arrangement between the AR and the Principal.
4. Change in Control
If an organisation wishes to increase or decrease its interest/degree of control in another regulated organisation, then the former must first obtain the FCA’s approval to do so.
An organisation needs to satisfy all preliminary requirements before it submits a notification to the FCA, including identifying all the controllers of the organisation, and providing all relevant documentation which includes a comprehensive business plan.
5. Variation of Permission
Where an organisation wants to make changes to its offerings, such as by pursuing a new line of business, offering a new regulated activity or a new product, then it must first obtain the FCA’s permission to authorise this variation. Where the proposed change includes accepting deposits or effecting and/or carrying out contracts of insurance, then the PRA’s consent is also required.
6. Regulatory Reporting (General)
There are several regulatory reporting requirements that an organisation must comply with in connection with its authorisation to undertake regulated activities in the UK. These reporting obligations include:
- Submitting annual accounts and reports
- Reporting annually on its controllers
- Reporting client assets
- Submitting a monthly Client Money and Assets Return (CMAR)
- Keeping its details up to date
- Submitting product transaction data to the FCA (if relevant)
- Complying with the relevant remuneration code
- Recording and reporting all customer complaints
- Informing the FCA that it is no longer closely linked to a person
- Reporting under the money laundering regulations
7. Financial Crime
Organisations have a duty and responsibility to implement adequate controls and systems to mitigate and manage the risk of financial crime in its organisation, including the risk of:
- Bribery and corruption
- Data security
- Fraud
- Money Laundering and terrorist financing
Organisations also have several legal obligations under UK’s financial sanctions regimes, including making sure to report actual or potential sanctions evasion by other organisations/individuals.
Strong governance, risk, and internal control procedures to manage such risks are required. An effective risk mitigation strategy means that an organisation must be capable of:
- Identifying and verifying the identify of its customers
- Understanding its relationship with those customers
- Closely monitoring customer use of services to identify any suspicious activity
Systems and controls must be risk-based and appropriate to the nature and size of the organisation’s business.
8. Operational Resilience
Organisations need to be made aware of and comply with the FCA’s requirements relating to operational resilience. The purpose of these requirements is to help organisations prepare for, prevent, adapt, and recover and learn from operational disruption. These requirements must be complied with prior to 31 March 2025.
9. Training and Competence
Employees must be appropriately qualified and possess the level of competence required to perform their respective jobs – as set out in the FCA’s established training and competence requirements.
The organisation should ensure its induction programs incorporate information about appropriate training and competence required for employees holding certain roles and responsibilities.
The organisation should nominate a suitably qualified officer who is responsible for overseeing the implementation of the FCA’s training and competence requirements.
10. Consumer duty
The FCA’s Consumer Duty (‘Duty’) aims to protect consumers and provides the objectives that organisations must meet on the standard of customer service that is expected from them. The Duty requires organisations to:
- act in good faith towards retail customers
- avoid causing harm to retail customers
- support retail customers to pursue their financial objectives
The Duty also imposes several rules on how an organisation must run financial promotions. Specifically, they must be clearly communicated and accurate, to enable customers to make informed decisions. Promotions and financial services must also be targeted to the right class of consumers.
All consumers must be provided with customer support, and prices need to be proportionate to the service offered.
An appropriate person must be assigned specific responsibility for the implementation of the Duty.