A Section 166 skilled person review is one of the FCA's most important and frequently used supervisory tools. Under Section 166 of the Financial Services and Markets Act 2000 (FSMA), the FCA can require a regulated firm to commission a report by an independent skilled person on any matter relevant to the firm's compliance with regulatory requirements. The review is conducted at the firm's expense, and the findings are reported directly to the FCA. For firms on the receiving end, a s166 review is a significant event that requires careful management. This article explains the process, common triggers, practical implications and how firms should respond.
What Is a Section 166 Review?
A Section 166 review is a formal direction from the FCA requiring a firm to appoint an independent third party — the skilled person — to investigate and report on specified aspects of the firm's operations, controls or compliance. The skilled person is typically a professional services firm (a Big Four accounting firm, a specialist compliance consultancy or a forensic investigation firm) with relevant expertise. The skilled person's mandate is defined by the FCA in a scope of work document, and the skilled person reports directly to the FCA. The firm is required to cooperate fully and to provide the skilled person with unrestricted access to documents, systems, data and personnel.
Section 166 reviews are distinct from enforcement investigations (which are conducted under the FCA's own powers) and from voluntary compliance audits (which are commissioned by the firm itself). A s166 is a supervisory — not enforcement — tool, although the findings may inform subsequent enforcement action if serious breaches are identified.
What Triggers a Section 166 Review?
The FCA uses s166 reviews when it needs an independent, expert assessment of a specific area of concern. Common triggers include:
Safeguarding concerns. The FCA's recent Dear CEO letters and supervisory activity have focused heavily on safeguarding arrangements for payment institutions and EMIs. Firms with identified safeguarding weaknesses — reconciliation failures, inadequate segregation, unclear safeguarding models — are prime candidates for s166 review. With PS25/12 introducing enhanced safeguarding requirements, the FCA is likely to commission s166 reviews to assess firms' transition readiness.
AML control weaknesses. Where the FCA identifies concerns about a firm's anti-money laundering framework — through periodic reporting, whistleblower reports, law enforcement intelligence or its own supervisory activity — a s166 review may be commissioned to conduct a comprehensive assessment of the firm's AML controls, transaction monitoring effectiveness and suspicious activity reporting quality.
Financial resilience. Firms exhibiting signs of financial stress — declining capital ratios, missed regulatory reporting deadlines, qualified auditor opinions or adverse market intelligence — may be subject to s166 review to assess their ongoing viability and the accuracy of their financial reporting.
Governance failures. Where the FCA has concerns about the effectiveness of a firm's board, senior management or control functions, a s166 review can assess governance structures, decision-making processes and the quality of management information.
Thematic reviews. The FCA sometimes uses s166 reviews as part of thematic supervisory work — reviewing a cohort of firms in a specific sector to assess industry-wide compliance with particular requirements.
The Section 166 Process
Step 1 — Notification. The FCA writes to the firm setting out its intention to require a s166 review, the proposed scope and the reasons. The firm has the opportunity to make representations — but in practice, the FCA rarely withdraws a s166 direction.
Step 2 — Skilled person appointment. The FCA provides a panel of approved skilled persons, and the firm selects from the panel (or proposes an alternative, subject to FCA approval). The skilled person must be independent of the firm — firms cannot appoint their existing auditor or compliance consultant.
Step 3 — Scoping. The FCA, the skilled person and the firm agree the detailed scope of work. The firm may request amendments to the scope, but the FCA has the final say. The scope document defines the matters to be reviewed, the information to be examined and the reporting requirements.
Step 4 — Fieldwork. The skilled person conducts the review, which typically involves document review, data analysis, interviews with key personnel, process walkthroughs and testing of controls. The firm must cooperate fully and provide timely access to all requested information. Fieldwork typically takes 8–16 weeks depending on scope.
Step 5 — Draft report. The skilled person provides a draft report to the FCA and the firm simultaneously. The firm has the opportunity to comment on factual accuracy — but not on the skilled person's conclusions or recommendations.
Step 6 — Final report. The skilled person finalises the report, incorporating any factual corrections. The final report is submitted to the FCA and shared with the firm.
Step 7 — FCA response. The FCA reviews the report and determines its supervisory response. This may range from requiring a remediation plan to imposing conditions on the firm's authorisation, requiring a Voluntary Requirement (VREQ), or — in serious cases — referring the matter for enforcement investigation.
Cost and Duration
Section 166 reviews are conducted at the firm's expense. Costs vary significantly based on scope, complexity and the identity of the skilled person. Typical costs for mid-sized payment institutions and EMIs range from £150,000 to £500,000. Complex reviews involving multiple jurisdictions, large transaction datasets or forensic analysis can exceed £1 million. The total process — from notification to final report — typically takes 4–8 months.
How Firms Should Respond
Cooperate fully and promptly. The firm's level of cooperation is closely observed by the FCA and influences subsequent supervisory decisions. Delays in providing information, obstructive behaviour or attempts to manage the skilled person's access will be viewed very negatively.
Appoint an internal project lead. Designate a senior individual to coordinate the firm's engagement with the skilled person — managing information requests, scheduling interviews and ensuring timely responses.
Engage legal counsel early. The findings of a s166 review may have enforcement implications. Firms should take legal advice from the outset on privilege, self-incrimination risk and the appropriate level of cooperation.
Begin remediation before the final report. Where the review identifies clear deficiencies, firms should not wait for the final report to begin remediation. Demonstrating proactive corrective action significantly improves the FCA's view of the firm.
Comment constructively on the draft report. Use the factual accuracy review period to correct genuine errors — but do not attempt to challenge the skilled person's professional judgement or recommendations, as this will not be well received.
What Firms Should Do Now
- Assess your vulnerability to s166 review — are there known areas of concern that could attract FCA attention (safeguarding, AML, financial resilience, governance)?
- If you are aware of compliance gaps, remediate proactively rather than waiting for supervisory intervention.
- Ensure your document management and record-keeping are robust — a s166 review involves extensive document requests, and an inability to produce records quickly creates a negative impression.
- Review your board and senior management governance — is decision-making documented? Is management information adequate?
- Consider a voluntary compliance audit in high-risk areas to identify and address issues before the FCA does.
Regulatory Context and Outlook
The FCA has increased its use of s166 reviews in recent years as part of its more assertive supervisory approach. The payments sector — particularly EMIs and PIs — has been a focus of s166 activity, with safeguarding and AML controls the most common review topics. With the PS25/12 safeguarding regime taking effect in May 2026, firms should expect continued supervisory intensity and an increased likelihood of s166 reviews for firms that fail to demonstrate compliance readiness.
Regulatory Counsel helps firms prepare for and manage FCA Section 166 reviews, including pre-review readiness assessments, project coordination and remediation planning. Contact us for a free initial consultation.
Frequently Asked Questions
A formal FCA direction requiring a firm to appoint an independent skilled person to investigate and report on specified compliance matters. The review is conducted at the firm's expense.
Typically £150,000–£500,000 for mid-sized firms, though complex reviews can exceed £1 million. The firm bears the full cost.
The firm can make representations to the FCA, but in practice s166 directions are rarely withdrawn. Non-cooperation can result in enforcement action.
No. Many s166 reviews result in remediation plans rather than enforcement. The firm's cooperation and remediation response significantly influence the outcome.