Acquiring an FCA-Regulated Firm: Regulatory Due Diligence Checklist

Why Regulatory Due Diligence Matters

Acquiring an FCA-regulated firm is fundamentally different from a standard corporate acquisition. The firm's regulatory authorisation is a core asset — arguably the most valuable asset — and the acquirer inherits not just the firm's business but its entire regulatory history, including any outstanding obligations, conditions and supervisory relationships.

Inadequate regulatory due diligence can result in acquiring a firm with undisclosed compliance failures, pending enforcement actions, capital shortfalls or safeguarding deficiencies — any of which could materially affect deal value or, in extreme cases, render the acquisition uneconomic.

Regulatory Status and Permissions

The starting point for regulatory DD is a thorough review of the firm's regulatory status:

• FCA Register check: Verify the firm's authorisation status, permissions, appointed representatives and any restrictions or requirements noted on the Register.
• Permissions analysis: Review the firm's specific Part 4A permissions and identify any limitations, conditions or requirements attached. Confirm that the firm's current activities fall within its permitted scope.
• Variation of permission history: Check whether the firm has applied for or been subject to any variations of permission, including voluntary reductions in scope or FCA-imposed restrictions.
• Passporting and cross-border activity: For firms operating in multiple jurisdictions, verify the status of any passporting arrangements or overseas regulatory registrations.

Compliance History

A firm's compliance track record provides critical insight into the quality of its regulatory framework:

• FCA supervisory history: Request details of any FCA supervisory visits, themed reviews, Dear CEO letters or section 166 skilled person reviews that have involved the firm. Review any resulting actions or requirements.
• Enforcement history: Check whether the firm or any of its senior managers have been subject to FCA enforcement action, including fines, public censures, suspensions or restrictions.
• Compliance monitoring reports: Review the firm's internal compliance monitoring and audit reports for the previous three to five years. Identify any material or recurring findings that have not been adequately remediated.
• Breach notifications: Request records of any regulatory breaches notified to the FCA, including details of the breach, remediation actions and the FCA's response.
• Complaints data: Analyse the firm's complaints data, including volumes, trends, root causes and Financial Ombudsman Service outcomes. High complaint volumes or adverse FOS decisions may indicate systemic issues.

Financial Health and Capital Adequacy

Regulatory financial DD goes beyond standard financial analysis:

• Capital adequacy: Verify that the firm meets its minimum capital requirements and has adequate capital buffers. For payment institutions, confirm the correct own funds calculation method is being used. For investment firms, check IFPR compliance.
• Safeguarding (PIs and EMIs): This is critical. Review the firm's safeguarding arrangements in detail, including the value of safeguarded funds, safeguarding method, bank account details, acknowledgement letters, daily reconciliation records and any historical discrepancies. Safeguarding failures can represent a material contingent liability.
• Regulatory capital projections: Assess whether the firm will continue to meet capital requirements post-acquisition, particularly if the transaction involves debt financing or planned business changes.
• Prudential returns: Review recent regulatory returns for accuracy and timeliness. Late or inaccurate returns may indicate broader governance or resource issues.

Senior Management and Governance

• SM&CR compliance: Review the firm's SM&CR arrangements, including the allocation of senior management functions, statements of responsibilities and management responsibilities maps. Identify any gaps or ambiguities.
• Fitness and propriety: Assess the fitness and propriety of current senior managers and certified persons. Identify any individuals who may need to be replaced or re-approved as part of the transaction.
• Board effectiveness: Evaluate the quality of board MI, committee structures and decision-making processes. Weak governance often correlates with compliance weaknesses.
• Key person dependencies: Identify any critical dependencies on specific individuals — particularly where compliance or regulatory knowledge is concentrated in one person.

Financial Crime Framework

• AML/CTF framework: Review the firm's AML policies, procedures, risk assessment, customer due diligence records, transaction monitoring systems and SAR filing history.
• Sanctions compliance: Verify that the firm has adequate sanctions screening in place and has not been involved in any sanctions breaches.
• Fraud controls: Assess the firm's fraud prevention and detection capabilities, particularly for payment firms where APP fraud is a growing regulatory concern.
• MLRO effectiveness: Evaluate the competence and independence of the Money Laundering Reporting Officer and assess whether the role is adequately resourced.

Outsourcing and Third-Party Arrangements

• Material outsourcing agreements: Identify and review all material outsourcing arrangements, particularly those involving critical or important operational functions. Assess compliance with SYSC 8 requirements.
• Agent and distributor networks: For PIs and EMIs, review the firm's agent register, due diligence records, monitoring arrangements and contractual terms.
• Technology dependencies: Identify key technology providers and assess the firm's operational resilience in the event of provider failure.

Post-Acquisition Planning

• Change of control notification: Prepare the s178 Notice well in advance of completion. Ensure all documentation is ready before formal submission.
• SM&CR changes: Identify which senior management functions will change as a result of the acquisition and prepare approval applications. Allow sufficient time for FCA processing.
• Integration planning: Develop a regulatory integration plan covering policies, procedures, systems and reporting. Identify any gaps between the acquirer's and target's compliance frameworks.
• Customer communication: Plan any required customer notifications, particularly if the acquisition will result in changes to terms and conditions, products or service levels.
• Staff retention: Identify key compliance staff and develop retention plans. Loss of compliance expertise during an acquisition can create significant regulatory risk.

Red Flags

The following issues should be treated as material red flags during regulatory DD:

• Outstanding FCA enforcement investigations or skilled person reviews
• Material safeguarding deficiencies or reconciliation failures
• Persistent regulatory breaches that have not been adequately remediated
• Capital adequacy shortfalls or minimal headroom
• Absence of key compliance documentation (AML risk assessment, compliance monitoring plan, SM&CR arrangements)
• High or increasing complaint volumes, particularly involving Financial Ombudsman decisions against the firm
• Senior managers with adverse regulatory history

Practical Recommendations

• Engage specialist regulatory counsel at the outset — do not rely solely on corporate lawyers for regulatory DD
• Start FCA pre-notification engagement early in the transaction process
• Build regulatory DD findings into the deal structure (warranties, indemnities, completion conditions)
• Plan post-acquisition compliance integration before completion, not after
• Budget for remediation of any identified compliance deficiencies