Post-Acquisition Compliance Integration for FCA-Regulated Firms

Why Integration Planning Matters

The period immediately following completion of an acquisition is one of the highest-risk phases for an FCA-regulated firm. Governance structures change, key personnel may depart, policies and systems need to be aligned, and the FCA is watching closely to ensure that the firm continues to meet its regulatory obligations throughout the transition.

Firms that treat integration as an afterthought — or attempt to address it reactively — are far more likely to experience compliance failures, operational disruptions and adverse FCA engagement. Successful integration requires detailed planning before completion and disciplined execution afterwards.

Governance and SM&CR Integration

The first priority post-acquisition is establishing clear governance arrangements:

Board composition. Confirm the post-acquisition board composition, including any new non-executive directors or committee structures. Ensure the board has adequate regulatory knowledge and experience.

SM&CR appointments. Submit FCA approval applications for any new senior management function (SMF) holders as early as possible — ideally before completion. The FCA's approval process typically takes 8–12 weeks, during which the proposed individual cannot perform the function. Plan interim arrangements to ensure all SMFs remain covered during the transition.

Statements of responsibilities. Update all statements of responsibilities (SoRs) and the management responsibilities map (MRM) to reflect the post-acquisition governance structure. Ensure there are no gaps in prescribed responsibility allocation.

Certified persons. Review the certification regime for all certified persons. Conduct fitness and propriety assessments for any individuals taking on new certification functions. Update the certification register accordingly.

Conduct rules training. Provide Conduct Rules training to any new staff brought into the regulated firm as part of the acquisition. Existing staff may also need refresher training if policies or reporting lines have changed.

Policy Harmonisation

Post-acquisition, the acquirer typically needs to harmonise the target firm's compliance policies with its own (or vice versa). This process should be risk-based and prioritised:

Phase 1 — Immediate (0–30 days). Address any critical policy gaps identified during due diligence. Ensure the firm has adequate policies in place for:

• Anti-money laundering and counter-terrorist financing
• Safeguarding (for PIs and EMIs)
• Complaints handling
• Financial promotions
• Conflicts of interest
• Data protection and information security

Phase 2 — Short-term (30–90 days). Harmonise policies across the combined entity, ensuring consistency of approach where the acquirer and target have different standards. Key areas include:

• Risk appetite and risk management framework
• Consumer Duty implementation
• Conduct of business rules
• Training and competence requirements
• Outsourcing and third-party management
• Business continuity and operational resilience

Phase 3 — Medium-term (90–180 days). Complete full policy integration, including:

• Aligned compliance monitoring programme
• Unified internal audit plan
• Consolidated regulatory reporting processes
• Harmonised staff handbooks and code of conduct

Throughout this process, the guiding principle should be to adopt the higher standard where the acquirer and target have different requirements. Weakening the target's compliance standards to match a less rigorous acquirer framework creates regulatory risk.

Systems Integration

Systems integration is typically the most complex and risk-prone element of post-acquisition compliance integration. Key considerations include:

Core systems migration. If the target firm's core systems (payment platform, banking system, CRM) are being migrated to the acquirer's platform, this must be carefully phased. Plan for parallel running of both systems during the transition, with reconciliation processes to ensure data integrity.

Transaction monitoring. AML transaction monitoring systems must be maintained throughout the integration. If the monitoring platform is changing, ensure the new system is calibrated to the target firm's risk profile before migration. Avoid gaps in monitoring coverage.

Regulatory reporting. Ensure that regulatory reporting processes remain functional throughout integration. If reporting systems are changing, run parallel reporting for at least one cycle to validate data accuracy.

Safeguarding systems (PIs and EMIs). Safeguarding systems and bank account arrangements must remain fully operational throughout integration. Any changes to safeguarding banks, accounts or processes should be carefully planned and tested before implementation. The FCA takes an extremely dim view of safeguarding failures during integration.

Data migration. Customer data migration must comply with data protection requirements. Conduct a data protection impact assessment (DPIA) before migrating personal data. Ensure customer consent or other lawful basis for processing is in place.

Customer Communication

Depending on the nature of the acquisition and its impact on customers, the firm may need to communicate with customers about:

• Changes to the firm's ownership or corporate name
• Changes to terms and conditions
• Changes to products or services
• Changes to how complaints are handled
• Data protection implications (updated privacy notice)

For payment service users, specific notification requirements may apply under the PSRs 2017 — particularly if there are changes to the framework contract terms.

Regulatory Engagement

Maintaining open communication with the FCA throughout the integration process is essential:

• Proactive updates. Provide the FCA with regular updates on integration progress, particularly in relation to governance changes, SM&CR appointments and any material operational changes.
• Issue escalation. If integration issues arise that could affect the firm's compliance — such as system failures, staff departures or safeguarding disruptions — notify the FCA promptly. The FCA responds more favourably to firms that self-report issues than to those where problems emerge during supervisory review.
• Regulatory return continuity. Ensure all regulatory returns continue to be submitted accurately and on time during the integration period. The FCA will not accept integration as an excuse for late or inaccurate reporting.

Common Integration Failures

The most common post-acquisition compliance integration failures include:

• Governance gaps. Failure to appoint SMF holders before existing holders depart, leaving critical functions uncovered.
• Policy conflicts. Operating with two conflicting compliance frameworks during the integration period, creating confusion for staff and inconsistent customer outcomes.
• System failures. Rushing system migration without adequate testing, resulting in data loss, monitoring gaps or reporting errors.
• Staff attrition. Losing key compliance staff during the integration period without adequate succession planning.
• Customer neglect. Failing to communicate material changes to customers, resulting in complaints, FOS referrals and potential Consumer Duty failures.
• Regulatory silence. Not engaging with the FCA during integration and only contacting them when problems arise.

Integration Timeline Template

A typical post-acquisition compliance integration follows this timeline:

• Pre-completion: Submit s178 Notice; prepare SMF applications; draft integration plan; brief key staff
• Week 1–2: Announce governance changes; submit SMF applications; update SoRs and MRM; notify FCA of completion
• Month 1: Address critical policy gaps; establish interim governance arrangements; begin policy review
• Month 1–3: Harmonise priority policies; begin systems assessment; plan customer communications
• Month 3–6: Complete policy harmonisation; execute phased system migration with parallel running; complete customer notifications
• Month 6–12: Full integration; consolidated compliance monitoring; first integrated compliance audit; refined regulatory reporting

Regulatory Outlook

The FCA's supervisory approach to post-acquisition integration has become increasingly proactive. The regulator recognises that the integration period presents heightened risk and expects firms to demonstrate that they have planned for it. Firms that can evidence a structured integration plan, with clear milestones and accountability, will find their supervisory relationship significantly smoother than those that approach integration ad hoc.