Most regulatory problems are predictable. Most are preventable. The firms that avoid them work with advisers who have been on the inside — who know what the FCA actually looks for, what good looks like in practice, and what to do when things get complicated.
FINANCIAL SERVICES REGULATORY ADVISORY
UK Regulation Is Complex. Your Adviser Shouldn’t be.
Cambitas brings together decades of senior in-house regulatory experience — built inside major financial institutions — and applies it directly to the challenges regulated firms face today.
No obligation. Confidential from the first conversation.
Why Cambitas
The Firm That Has Been Where You Are.
Cambitas is led by principals who spent decades as General Counsel, Head of Enforcement, Head of Compliance and Head of Legal inside major financial institutions and technology companies. That means we have sat in the exact seat our clients occupy — building compliance frameworks under commercial pressure, managing FCA relationships, navigating investigations, and advising boards on regulatory risk. We are not academics interpreting regulation from the outside. We know what it actually feels like to carry this responsibility.
When you instruct Cambitas, you work directly with our principals. Your matter is not handed to a junior team. The people who take the call are the people who do the work.
FREE DOWNLOAD
FCA Authorisation Guide 2026
A practical guide to FCA authorisation — what the process involves, what the FCA actually assesses, why applications stall and how to prepare effectively. Written for founders, GCs and compliance officers.
No obligation. No sales call unless you ask for one.
OUR SERVICES
What We Do And Why It Matters
Each service below includes what we typically see going wrong in practice, and exactly what we do about it. No vague descriptions. Real guidance, upfront.
1. FCA Authorisation & Licensing
Most firms that struggle with FCA authorisation do not have a business problem. They have a preparation problem.
What we see in practice
The FCA does not reject applications because a business model is unviable. It rejects or delays them because the governance evidence is thin, the regulatory business plan does not explain the model clearly, or senior managers cannot demonstrate they understand their individual responsibilities under SM&CR. We fix these problems before submission — not during the FCA's review.
What we do
We assess your regulated activities, design your authorisation strategy, build the regulatory business plan, prepare governance documentation and manage the FCA dialogue throughout. A well-prepared application establishes the right regulatory relationship from day one.
2. SMCR & Individual Accountability
SM&CR is not a compliance exercise. It is a personal liability framework — and most firms treat it like the former.
What we see in practice
The FCA's enforcement record since SM&CR came into full force is instructive: when regulatory failures occur at firms, the FCA investigates whether the governance framework genuinely allocated accountability — or whether it created the appearance of accountability on paper. Senior managers whose responsibilities are vaguely defined, inadequately documented or poorly communicated are exposed. The FCA treats this as a governance failure, not an administrative one.
What we do
We design SMCR frameworks built around how your firm actually operates. This means accurate accountability mapping, clear Statements of Responsibilities, governance structures the FCA would recognise as genuine, and honest conversations with senior individuals about what their function covers and what happens if something goes wrong.
3. Regulatory Investigations & Enforcement
Receiving contact from the FCA is unsettling. What you do in the first 72 hours matters more than most firms realise.
What we see in practice
The FCA's approach to investigations is shaped significantly by how a firm behaves when it first receives contact. Firms that respond promptly, transparently and with a clear strategy consistently fare better than those that react defensively, delay or appear to minimise the concern. The instinct to manage down the seriousness of the situation is understandable — and almost always counterproductive. Regulators notice it immediately.
What we do
We provide structured advisory from the first moment of FCA contact — whether a Regulatory Priorities letter, Dear CEO letter, supervisory data request, Section 166 skilled person review or formal enforcement. We help you understand what the contact means, how to respond effectively and how to position the firm constructively throughout the process.
4. Financial Crime & AML Compliance
The FCA does not fine firms for bad intentions. It fines them for inadequate systems — whether or not the systems were used.
What we see in practice
AML enforcement by the FCA and the wider UK regulatory system has accelerated significantly. The standard the FCA applies is not whether your AML policies say the right things — it is whether your controls demonstrably work in practice. Customer due diligence processes that are not consistently applied, transaction monitoring thresholds that have never been tested, MLRO governance arrangements that exist on paper only — these are the gaps that supervision and enforcement finds. And once found, they are expensive.
What we do
We design financial crime compliance frameworks built to function under scrutiny — not to satisfy a checklist. CDD architecture, transaction monitoring design, MLRO governance, board oversight arrangements and SAR frameworks. We also advise on sanctions compliance, which since 2022 has become significantly more complex for UK regulated firms.
5. Regulatory Perimeter Analysis
The most dangerous assumption in fintech and financial services is "we probably don't need authorisation."
What we see in practice
The UK's regulatory perimeter is not always obvious — and the regulator's approach to firms that cross it without authorisation is not sympathetic. Payment services, financial promotions, consumer credit, investment arrangements, insurance distribution and cryptoassets all have perimeters that catch businesses off guard. The risk is not theoretical: unauthorised regulated activity is a criminal offence under FSMA, and the FCA investigates proactively.
What we do
We provide clear, documented perimeter analysis before you launch, before you add a revenue stream, before you expand into the UK market. We then advise on structuring options that allow you to operate confidently — whether that means proceeding without authorisation, seeking permissions, or partnering with an authorised firm.
6. Ongoing Compliance & Governance
The FCA does not supervise firms once at authorisation. It supervises them continuously — and the bar keeps rising.
What we see in practice
Consumer Duty has fundamentally changed what ongoing compliance looks like for retail-facing firms. It is no longer enough to have processes in place — firms must demonstrate they are delivering genuinely good outcomes for customers at every stage of the product lifecycle. This requires a different kind of compliance framework: one built around monitoring outcomes, not documenting procedures. The FCA is actively reviewing firms' Consumer Duty implementation right now.
What we do
We support regulated firms with Consumer Duty frameworks, compliance monitoring programme design, regulatory change management and board-level regulatory reporting. For firms that need sustained senior regulatory input without building an in-house function, Cambitas provides the depth and continuity of a fully embedded adviser.
Have a Specific Regulatory Challenge in Mind?
Authorisation, SMCR, investigations, AML, Consumer Duty — bring it to us directly.
GO DEEPER
Explore Our Advisory Guides
Each of the pages below goes further — real detail on what we do, what you should expect and what the FCA is looking for.
FCA Authorisation Advisory
The most comprehensive guide to FCA authorisation we've written — timelines, what the FCA really assesses, and why most applications stall at the governance stage.
Regulatory Investigations
What actually happens when the FCA makes contact — the spectrum from investigation gathering to enforcement — and how to respond at each stage.
SMCR & Senior Manager Accountability
A practical guide to SM&CR implementation — mapping individual responsibilities, designing governance structures and protecting senior managers personally.
WHAT GOOD LOOKS LIKE
The Difference Between Compliance That Works and Compliance That Looks Like It Works
The FCA's job — through supervision, reviews and enforcement — is to find the gap between the two. Here is what that gap looks like in practice across the areas we work in most.
| Area | What the FCA Typically Finds | What Good Actually Looks Like |
|---|---|---|
| FCA Authorisation | A regulatory business plan written around the FCA's form fields, with vague descriptions of the business model and governance lifted from template documents. | A plan that tells a coherent commercial story — why this business, why now, how risks are managed — written for a senior FCA official who will probe every assertion. |
| SMCR Implementation | A Statement of Responsibilities drafted by the compliance team, never reviewed with the senior manager named, covering responsibilities that do not reflect their actual role. | Responsibilities mapped to what the individual actually does. Reviewed together. Written so the senior manager could defend every line under FCA questioning. |
| AML Framework | A 100-page AML policy last updated three years ago. Customer due diligence processes that are not consistently followed. Transaction monitoring thresholds set at implementation and never reviewed. | Live, tested controls. CDD processes followed consistently and evidenced. Thresholds reviewed against current risk. An MLRO who can explain every aspect of the framework to the FCA. |
| Governance Framework | A governance manual that describes a three-lines-of-defence model. Board minutes that record decisions but not the discussions or challenges that preceded them. | A governance structure that reflects how decisions are actually made. Board and committee oversight that is visible in practice. An audit trail the FCA would find credible under scrutiny. |
If any row in the left column describes your current position, that is where we start.
HOW IT WORKS
FCA Authorisation: What the Process Actually Looks Like
Most authorisation guides describe what the FCA requires. This one describes what actually happens — and where firms typically run into problems.
Regulatory Perimeter Review
We clarify exactly which permissions you need and why — based on your actual business model, not a generic template. Many firms apply for the wrong permissions, triggering unnecessary FCA queries.
Weeks 1–2
Governance & Individuals
We design your SM&CR framework, map individual responsibilities and work with proposed senior managers on their Statements of Responsibilities. This is the stage most applications fail to do properly.
Weeks 2–5
Regulatory Business Plan
We build the regulatory business plan — the most scrutinised document in the application. It must tell a coherent story about your model, your risks and your controls. Vague plans invite FCA queries.
Weeks 3–6
Supporting Documentation
Financial projections, wind-down plans, compliance monitoring programmes, AML policies, systems and controls documentation. Each must be proportionate to your business and internally consistent.
Weeks 4–7
Application Submission
We review the complete application package before submission. The FCA has a 6-month statutory clock for complete applications — but it starts when the application is accepted as complete, not when it is submitted.
Week 7–8
FCA Review & Engagement
The FCA reviews the application and may raise queries. We manage this dialogue — translating FCA questions, preparing responses and ensuring the firm presents itself constructively throughout.
Months 2–6
Typical timeline for a well-prepared application: 4–6 months from engagement to authorisation. Most delays occur at Steps 2 and 3. We front-load preparation to prevent them. Note the timeline may vary depending on the permissions sought, the complexity of the business model and other factors.
WHO WE WORK WITH
We Work Best With Firms Who Want to Get This Right
Not every firm needs the same thing from a regulatory adviser. Here is who we work with — and what we help each of them with.
| Regulated Financial Institutions |
|---|
| Banks, investment firms, trading firms, broker-dealers and authorised providers. Ongoing governance support, regulatory change management, supervisory engagement and the depth of advisory that keeps a regulated business running smoothly through a challenging regulatory period. |
| Fintech & Payment Companies |
|---|
| Technology-driven businesses navigating FCA authorisation, safeguarding obligations and the ongoing compliance demands that come with holding permissions. Firms that treat regulation as a competitive advantage grow faster than those that treat it as a constraint. |
| Asset Managers & Investment Firms |
|---|
|
Fund managers, discretionary portfolio managers and investment advisers managing conduct requirements, governance expectations and the evolving Consumer Duty obligations across their client base. |
| Crypto & Digital Asset Businesses |
|---|
| UK crypto businesses — exchanges, custody providers, brokers, stablecoin issuers — preparing for full FCA authorisation from 2026. And UAE-based digital asset firms navigating VARA licensing alongside UK regulatory strategy. |
| Boards & Senior Management Teams |
|---|
| Directors and Senior Managers who carry personal regulatory accountability under SM&CR and need clear, honest advice — not hedged opinions that leave them none the wiser. The individuals most at risk if something goes wrong. |
| International Businesses Entering the UK |
|---|
| UAE-based financial services and digital asset businesses expanding into UK regulated markets. Firms that need to understand what FCA authorisation requires and how to build a UK regulatory strategy that sits alongside their existing VARA or ADGM frameworks. |
| Insurance Intermediaries and MGSs |
|---|
| Insurance Intermediaries & Managing General Agents navigating FCA authorisation, consumer duty implementation and financial promotions compliance. Firms that take regulations as a growth enablers. |
| Consumer Credit Firms |
|---|
| Consumer Credit firms operating under FCA supervision. Firms that are navigating through consumer duty obligations and the constant regulatory changes pressure. |
| Professional Services and Corporate Finance Firms |
|---|
| Section 13 exempt firms and corporate advisory houses sitting near the regulatory perimeter. Firms that need clear perimeter advice and require fast authorisation. Firms that understand that getting this wrong is operating an unauthorised business. |
COMMON CHALLENGES
We Hear These Every Week. Here Is What We Do About Them.
These are not hypothetical problems. They are real situations that regulated firms bring to us — sometimes urgently, sometimes with enough time to handle them properly.
"I don't know if we need FCA authorisation"
This is more common than most people admit — and the consequences of getting it wrong are serious. Unauthorised regulated activity is a criminal offence under FSMA. We provide clear, documented perimeter analysis before you launch, before you add a product line, before you enter the UK market. The analysis is typically faster and less expensive than most firms expect.
"Our FCA authorisation application keeps stalling"
Applications almost never stall because the business model is flawed. They stall because the governance evidence is thin, the regulatory business plan is vague, or the senior managers named in the application cannot convincingly describe their individual responsibilities. We identify which of these is causing the delay and fix it — then re-engage the FCA from a position of strength.
"The FCA has contacted us and we're not sure what to do"
Regulator contact is unsettling even when a firm has done nothing wrong — and how you respond in the first days shapes everything that follows. The instinct to manage down the seriousness of the contact, or to respond without a clear strategy, tends to make a manageable situation more complicated. We help firms understand what the contact means and how to respond constructively.
"Our governance looks right on paper but we know it isn't working"
This is one of the most honest things a senior executive can say — and it is the right starting point for a productive conversation. The FCA's supervision increasingly looks past documentation to what actually happens in firms. If your governance framework exists in documents rather than in practice, a supervisory review will find that gap. We help you close it before the FCA does.
"We're not sure our AML controls would survive a supervisory review"
They might be right to be uncertain. AML is one of the FCA's most active enforcement areas, and the gap between an AML policy that looks compliant and controls that actually work is often wider than firms realise. We assess what you have, identify the genuine risk, and build frameworks that would withstand scrutiny — not frameworks that pass a reading.
"We need to expand our FCA permissions but don't know how to approach it"
A variation of permissions is not just a form — it is an opportunity to strengthen the firm's regulatory relationship if managed well, or to invite scrutiny if managed poorly. We design the variation strategy, prepare the application and manage the FCA dialogue throughout, ensuring the process moves cleanly and the firm's standing with the regulator is enhanced, not complicated.
Ready to Talk?
No obligation. No sales pitch. Just a direct conversation.
FREQUENTLY ASKED QUESTIONS
Straight Answers to the Questions We Hear Most
No boilerplate. No hedged non-answers. These are the questions we are asked most often by founders, compliance officers and boards — answered plainly.
Q1. Do I need FCA authorisation to run a financial services business in the UK?
It depends on what your business actually does. The FCA’s regulatory perimeter covers a wide range of activities — payment services, investment advice, insurance distribution, consumer credit, financial promotions and, increasingly, cryptoassets. Operating a regulated activity without FCA authorisation is a criminal offence under FSMA 2000. The good news is that a structured perimeter assessment is usually faster and more straightforward than most firms expect — and it gives you a clear answer.
Q2. How long does FCA authorisation actually take — and what affects the timeline?
The FCA’s statutory target is six months for a complete application, and twelve months if the application is deemed incomplete. In practice, well-prepared applications with credible governance and clear operating models typically move within the six-month window. What slows applications down: thin governance evidence, a regulatory business plan that does not hold up to scrutiny, and senior managers who cannot convincingly demonstrate they understand their own responsibilities. Preparation quality is the single biggest driver of timeline.
Q3. What is SM&CR and what does it actually require firms to do?
SM&CR — the Senior Managers and Certification Regime — places individual accountability at the centre of regulated firms. In practice, this means: mapping which individuals hold named Senior Management Functions, preparing a Statement of Responsibilities for each, certifying that certain staff are fit and proper, and ensuring the whole framework reflects how the firm actually operates. The FCA uses SM&CR as a lens through which to assess governance quality — and when things go wrong, it investigates whether the regime genuinely allocated accountability or just documented the appearance of it.
Q4. What happens when the FCA opens a regulatory investigation?
FCA investigations typically begin with an information request — the FCA asks a firm to provide documents, data or written responses on a specific issue. From there they may escalate through supervisory data requests, skilled person reviews (Section 166), voluntary requirements and, in serious cases, formal enforcement action. The critical factor is how the firm responds from the very first contact. Firms that engage experienced advisers immediately, respond transparently and approach the process constructively consistently achieve better outcomes than those that react defensively or without a strategy.
Q5. Do UK financial services regulations apply to UAE-based firms operating in the UK market?
Yes, in many circumstances. The FCA’s regulatory perimeter applies to activities conducted with UK persons — regardless of where the firm is based. UAE-based financial services businesses, digital asset firms and payment institutions that conduct regulated activities with UK clients, promote financial products to UK audiences, or establish UK-facing digital platforms need to assess their UK regulatory obligations carefully. Cambitas advises on the intersection of UK and UAE regulatory frameworks regularly — including firms navigating both FCA requirements and VARA licensing simultaneously.
FREE DOWNLOAD
FCA Authorisation Guide 2026
A practical guide to FCA authorisation — what the process involves, what the FCA actually assesses, why applications stall and how to prepare effectively. Written for founders, GCs and compliance officers.
No obligation. No sales call unless you ask for one.
A conversation costs nothing. Not having one might.
Whether you are preparing for FCA authorisation, managing a supervisory relationship, or simply unsure where your firm's regulatory exposure lies — the best starting point is a direct conversation with someone who has seen these situations from both sides.
Cambitas principals bring decades of in-house regulatory experience to every conversation. No juniors. No associates. The people you speak to are the people who do the work.
DOWNLOAD FREE GUIDE
FCA Authorisation Advisory Guide
DOWNLOAD FREE GUIDE
SMCR & Senior Manager Accountability Guide
Cambitas
- +62 812 3456 7890
- 123 Corporate Avenue, Jakarta, Indonesia
- contact@lawfirm.com