What Is Regulatory Due Diligence?
Regulatory due diligence (DD) is the process of systematically assessing a regulated firm's compliance with its regulatory obligations, the quality of its compliance framework and the risks it presents from a regulatory perspective. Unlike commercial or financial DD, regulatory DD requires specialist knowledge of the FCA's regulatory framework, supervisory approach and enforcement practices.
Regulatory DD is typically conducted in three contexts:
- M&A transactions: Where an acquirer needs to understand the regulatory status and compliance risk profile of a target firm before completing an acquisition.
- Investment decisions: Where venture capital, private equity or strategic investors are considering investing in a regulated firm and need to assess regulatory risk as part of their investment thesis.
- Board-level assurance: Where a firm's board commissions an independent regulatory review to assess the adequacy of its compliance framework — often in response to business growth, regulatory change or supervisory engagement.
Scope of Regulatory DD
A comprehensive regulatory DD exercise should cover the following areas:
Regulatory authorisation. Verify the firm's authorisation status on the FCA Register. Confirm that its Part 4A permissions (or PSR/EMR registration) cover all activities the firm currently undertakes. Identify any conditions, requirements or limitations on the firm's permissions.
Compliance history. Review the firm's regulatory history, including FCA supervisory engagement (visits, themed reviews, Dear CEO letters, s166 reports), enforcement actions, voluntary requirements and any outstanding regulatory matters.
Governance and SM&CR. Assess the firm's governance arrangements, including board composition, committee structures, SM&CR implementation, statements of responsibilities and the management responsibilities map. Evaluate whether senior managers have appropriate experience and whether prescribed responsibilities are clearly allocated.
Compliance framework. Review the firm's compliance policies, procedures, compliance monitoring programme and audit arrangements. Assess the adequacy of the compliance function's resources, authority and reporting lines.
Financial crime. Evaluate the firm's AML/CTF framework, including risk assessment, customer due diligence procedures, transaction monitoring, sanctions screening, SAR filing processes and MLRO arrangements.
Capital adequacy. Verify that the firm meets its minimum capital requirements and has adequate capital buffers. For PIs and EMIs, confirm the own funds calculation methodology and assess safeguarding arrangements.
Safeguarding (PIs and EMIs). Conduct detailed DD on safeguarding arrangements, including the safeguarding method, bank accounts, acknowledgement letters, daily reconciliation records and the identification and resolution of discrepancies.
Consumer outcomes. Assess the firm's compliance with Consumer Duty requirements, including fair value assessments, customer outcomes monitoring, communications quality and vulnerable customer arrangements.
Complaints. Analyse complaints data including volumes, trends, root causes, outcomes and FOS referral rates. High complaint volumes or adverse FOS decisions may indicate systemic product, service or compliance issues.
Outsourcing and agents. Review material outsourcing arrangements and, for PIs, agent networks. Assess compliance with SYSC 8 outsourcing requirements and the adequacy of agent due diligence and monitoring.
Regulatory reporting. Review the timeliness and accuracy of regulatory returns. Late or inaccurate returns may indicate broader resource or governance issues.
Methodology
An effective regulatory DD methodology typically follows these steps:
Step 1: Desktop review. Collect and review documentary evidence including policies, procedures, board minutes, compliance reports, audit reports, regulatory returns, complaints data and correspondence with the FCA.
Step 2: Management interviews. Interview key individuals including the CEO, compliance officer, MLRO, finance director and other relevant senior managers. Management interviews provide context that cannot be obtained from documents alone and help identify cultural and attitudinal factors that affect compliance.
Step 3: Sample testing. For critical areas such as CDD, transaction monitoring and complaints handling, conduct sample testing to verify that processes operate in practice as described in policies. Sample testing provides a reality check on the quality of the firm's compliance.
Step 4: Gap analysis. Compare the firm's arrangements against regulatory requirements and industry best practice to identify gaps, weaknesses and areas of non-compliance.
Step 5: Risk assessment. Assess each finding in terms of its regulatory risk — the likelihood and potential impact of FCA intervention, enforcement action, customer harm or financial loss.
Step 6: Reporting. Prepare a structured DD report with risk-rated findings, root cause analysis and recommendations. The report should clearly distinguish between critical issues (deal-breakers or material price adjusters), significant issues (requiring post-completion remediation) and minor issues (operational improvements).
Key Red Flags
The following issues should be treated as material red flags:
- Pending or undisclosed FCA enforcement investigations
- Active s166 skilled person reviews
- Material safeguarding deficiencies or reconciliation failures
- Capital adequacy shortfalls or minimal headroom
- Persistent compliance monitoring findings that have not been remediated
- High or increasing complaint volumes with adverse FOS outcomes
- Absence of critical compliance documentation (AML risk assessment, compliance monitoring plan)
- Senior managers with adverse regulatory history or fitness and propriety concerns
- Significant outsourcing arrangements without adequate SYSC 8 compliance
- Evidence of regulatory arbitrage or deliberate non-compliance
Using DD Findings
Regulatory DD findings should directly inform:
- Deal pricing: Material compliance deficiencies or contingent regulatory liabilities should be reflected in the purchase price through adjustments or retention mechanisms.
- Deal structure: Warranties and indemnities should cover identified regulatory risks. Completion conditions may include FCA change of control approval and resolution of specific issues.
- Post-completion planning: DD findings form the basis of a post-acquisition compliance remediation and integration plan, with prioritised actions, timelines and resource requirements.
- Investment decisions: For investors, DD findings inform the risk assessment and may affect investment terms, governance requirements or exit planning.
Common Mistakes in Regulatory DD
- Relying solely on management representations without independent verification
- Using generalist lawyers without FCA-specific regulatory expertise
- Limiting scope to a checklist approach rather than assessing the quality and effectiveness of the firm's compliance culture
- Failing to review safeguarding arrangements in detail for PIs and EMIs
- Not requesting FCA correspondence or supervisory history
- Underestimating the time and resources required for thorough regulatory DD
Regulatory Outlook
As the FCA's supervisory approach becomes more data-driven and outcomes-focused, regulatory DD is evolving to include more sophisticated assessments of firms' compliance culture, customer outcomes and operational resilience. Acquirers and investors who invest in thorough, specialist regulatory DD will be better positioned to identify risks, negotiate appropriate protections and execute successful post-completion integration.
Frequently Asked Questions
What does regulatory DD cover?
Regulatory DD covers authorisation status and permissions, compliance history (including FCA supervisory engagement and enforcement), governance and SM&CR arrangements, AML/CTF framework, capital adequacy, safeguarding (for PIs/EMIs), Consumer Duty compliance, complaints data, outsourcing arrangements and regulatory reporting accuracy.
How long does regulatory DD take?
A typical regulatory DD exercise takes 3–6 weeks, depending on the size and complexity of the target firm, the availability of documentation and the scope of sample testing. More complex transactions or firms with extensive regulatory history may require longer.
Who should conduct regulatory DD?
Regulatory DD should be conducted by specialists with detailed knowledge of the FCA's regulatory framework. This is typically a specialist regulatory consultancy or a law firm with a dedicated FCA practice. Generalist corporate lawyers often lack the depth needed for effective regulatory DD.
Can regulatory DD findings affect deal value?
Yes, materially. Compliance deficiencies, contingent regulatory liabilities, safeguarding shortfalls and pending enforcement matters can all reduce deal value. Findings should be reflected through price adjustments, retention mechanisms, warranties, indemnities and completion conditions.