The Regulatory Requirement
Under SYSC 6.1 of the FCA Handbook, every authorised firm must establish, implement and maintain adequate policies and procedures to detect any risk of failure to comply with its regulatory obligations. The firm must also employ appropriate compliance resources — including a compliance officer with the necessary authority, resources, expertise and access to all relevant information.
For firms subject to the Senior Managers and Certification Regime (SM&CR), the SMF16 (Compliance Oversight) holder is personally accountable for the effectiveness of the compliance function. This creates a direct link between the quality of compliance monitoring and individual regulatory accountability.
What Compliance Monitoring Involves
Compliance monitoring is the systematic process of testing whether a firm's policies, procedures and controls are:
- Designed effectively — do they address the relevant regulatory requirements and risks?
- Operating effectively — are they being followed in practice?
- Producing good outcomes — are they achieving the intended regulatory and customer outcomes?
This is distinct from internal audit (which provides independent assurance) and risk management (which identifies and manages risks). Compliance monitoring sits between the two — it is a second-line function that proactively tests compliance on an ongoing basis.
Designing the Monitoring Programme
Step 1 — Regulatory obligations mapping: Create a comprehensive register of all regulatory obligations applicable to the firm. This should cover:
- FCA Handbook requirements (PRIN, SYSC, COBS, CONC, SUP, CASS, etc.)
- Sector-specific regulations (PSRs 2017, EMRs 2011, MLR 2017, CCA 1974)
- The Consumer Duty and its four outcome areas
- SM&CR obligations
- Financial promotions rules
- Data protection requirements (GDPR, DPA 2018)
Step 2 — Risk assessment: Not all obligations carry equal risk. Assess each area against:
- Inherent risk — the likelihood and impact of non-compliance given the nature of the activity
- Control environment — the maturity and effectiveness of existing controls
- Residual risk — the remaining risk after controls are applied
- Regulatory focus — areas of current FCA supervisory priority (e.g., Consumer Duty implementation, financial crime controls, operational resilience)
This assessment drives the allocation of monitoring resources — high-risk areas receive more frequent and intensive testing.
Step 3 — Monitoring plan: Develop an annual monitoring plan that specifies:
- The compliance areas to be tested
- The frequency of testing (quarterly, semi-annually or annually)
- The testing methodology (file reviews, transaction sampling, process walkthroughs, interviews, data analytics)
- The sample sizes and selection criteria
- The responsible compliance team member
- The expected completion dates
The plan should be approved by senior management (or the board compliance committee) and reviewed quarterly to accommodate emerging risks, regulatory developments or findings from previous reviews.
Testing Methodologies
File reviews: Selecting a sample of customer files, transactions or decisions and assessing compliance against relevant requirements. For example:
- Reviewing a sample of new customer onboarding files to test CDD compliance
- Reviewing a sample of financial promotions to test compliance with FCA rules
- Reviewing a sample of complaint files to test compliance with DISP requirements
Transaction sampling: Analysing a sample of transactions to identify potential regulatory issues — such as transactions that may indicate inadequate affordability assessment, potential market abuse or suspicious activity that was not escalated.
Process walkthroughs: Walking through a specific business process from end to end with the relevant operational team, testing each control point against the documented procedure. This is particularly effective for testing operational controls that are difficult to assess from documentation alone.
Data analytics: Using data analysis to identify patterns, trends or outliers that may indicate compliance issues. For example:
- Analysing complaint volumes and themes to identify systemic issues
- Analysing SAR filing data to assess whether the firm's detection rate is consistent with its risk profile
- Analysing transaction data to identify potential breaches of sanctions or financial promotions rules
Thematic reviews: Conducting a deep-dive review of a specific compliance area — often prompted by regulatory developments, emerging risks or previous findings. For example, a thematic review of Consumer Duty implementation across all products and services.
Reporting and Escalation
Compliance monitoring findings must be:
Documented clearly: Each finding should include:
- A description of the issue identified
- The relevant regulatory requirement or policy
- The root cause of the non-compliance
- An assessment of the severity (high, medium, low)
- The potential impact on customers, the firm or market integrity
- Recommended remedial action with a realistic deadline
- The responsible owner for remediation
Reported to senior management: The compliance function must provide regular reports to senior management and the governing body. Reports should include:
- A summary of monitoring activity completed in the period
- Key findings and their severity ratings
- The status of remedial actions from previous monitoring cycles
- An assessment of emerging regulatory risks
- Any recommendations for changes to policies, procedures or controls
Escalated appropriately: Material compliance failures must be escalated immediately to:
- The SMF16 holder (Compliance Oversight)
- The SMF1 holder (CEO) for significant issues
- The board or risk committee for systemic issues
- The FCA (via a Principle 11 notification) where required by SUP 15
Common Compliance Monitoring Failures
The FCA has identified recurring weaknesses in firms' compliance monitoring programmes:
- Coverage gaps — failing to monitor all relevant regulatory obligations, particularly newer requirements (e.g., Consumer Duty, operational resilience)
- Insufficient depth — monitoring that checks whether a policy exists but does not test whether it is being followed in practice or producing good outcomes
- Weak root cause analysis — identifying symptoms of non-compliance without diagnosing the underlying cause, leading to repeated findings in successive monitoring cycles
- Slow remediation — remedial actions that are agreed but not completed within reasonable timescales, or that are closed without adequate evidence of implementation
- Poor independence — compliance monitoring conducted by individuals who are responsible for the activities being tested, undermining objectivity
- Inadequate reporting — reports that are overly technical, lack risk prioritisation or do not provide senior management with a clear picture of the firm's compliance posture
The Consumer Duty and Compliance Monitoring
The Consumer Duty has significantly expanded the scope of compliance monitoring. Firms must now monitor and evidence that they are delivering good outcomes across all four outcome areas:
- Products and services — are products designed for their target market? Are distribution strategies appropriate?
- Price and value — do products represent fair value? Are there cross-subsidies or features that cause foreseeable harm?
- Consumer understanding — do communications enable customers to make informed decisions?
- Consumer support — can customers access support when needed? Are there sludge practices that create barriers?
The FCA expects firms to use outcome-based metrics — not merely process compliance checks — to monitor Consumer Duty compliance. This requires data on customer outcomes (complaint rates, cancellation rates, vulnerability identification, service levels) in addition to traditional compliance testing.
Building Compliance Monitoring Capability
Invest in compliance technology. Regulatory technology (RegTech) can significantly improve the efficiency and effectiveness of compliance monitoring — particularly for transaction monitoring, financial promotions screening and regulatory change management. However, technology must supplement, not replace, human judgement.
Develop compliance staff. Compliance monitoring requires individuals with technical regulatory knowledge, analytical skills and the confidence to challenge operational practices. Invest in training and professional development for compliance team members.
Establish clear escalation protocols. Define exactly what constitutes a material finding, who must be notified, within what timeframe and through what channel. Ambiguity in escalation protocols is a common cause of delayed response to significant compliance issues.
Create a compliance culture. The most effective compliance monitoring programmes operate within a culture where compliance is valued — not merely tolerated. This requires visible support from senior management, fair treatment of employees who raise concerns and consequences for deliberate non-compliance.
Regulatory Outlook
The FCA's supervisory approach increasingly emphasises outcomes-based regulation. This means compliance monitoring must evolve from a rules-based, checkbox approach to one that genuinely assesses whether the firm is delivering good customer outcomes and managing its regulatory risks effectively. Firms that invest in sophisticated, risk-based compliance monitoring programmes will be better positioned for the FCA's evolving expectations.
Frequently Asked Questions
How often should compliance monitoring be carried out?
The frequency should be risk-based. High-risk areas (e.g., financial crime controls, client money handling, financial promotions) should be monitored at least quarterly. Medium-risk areas may be monitored semi-annually. Lower-risk areas may be monitored annually. The monitoring plan should be reviewed quarterly and adjusted based on findings, regulatory developments and emerging risks.
Who should conduct compliance monitoring?
Compliance monitoring should be conducted by the compliance function — individuals with appropriate regulatory knowledge and independence from the business areas being tested. The SMF16 holder has overall accountability. In smaller firms where the compliance officer also has operational responsibilities, additional safeguards for independence should be implemented.
How does compliance monitoring differ from internal audit?
Compliance monitoring is a second-line function that proactively tests adherence to regulatory requirements on an ongoing basis. Internal audit is a third-line function that provides independent assurance on the effectiveness of governance, risk management and controls — including the compliance function itself. Both are important; they serve complementary but distinct purposes.