If you’re a firm wanting to provide regulated financial services, you need to apply directly through the applicable UK regulatory bodies and complete the established application process. This includes applications from regulated firms seeking to change the range of services for which they already have authorisation (Variation of Permissions or ‘VOP’) or to appoint individuals into new, key roles.
The FCA has a dedicated authorisations function, which is part of their wider supervision function. This works across all areas of the FCA and with other stakeholders such as the PRA.
Likewise, the PRA has a similar structure and approach, managing firms based on the category of banks, credit unions, insurers, or Lloyd’s Syndicate managing agents.
Both regulators can also operate a pre-authorisation engagement stage, whereby they meet with firms to understand the authorisation process and explain what happens at its various stages.
The regulators make a thorough assessment of your firm’s application, taking into consideration your readiness and organisational arrangements. This includes people, expertise, systems, controls, risks and capital adequacy, and all elements that support you meeting and continuing to comply with all threshold conditions, principles, rules, and obligations.
Preparation is key – this means full understanding and articulation of your regulatory footprint, impacts and risks, and placing the customer at the heart of considerations for good customer outcomes. Demonstration of readiness can include provision of quality evidence and documentation that gives confidence and clarity to the regulator on how well your firm is prepared. You should also have assessed all associated risks and mitigated them to an acceptable level, covering any potential for risk of harm to the consumer, with adequate capital measures to protect them in the event of crystallisation of a risk. In addition, as there are usually aspects that cannot be fully addressed until post authorisation (e.g. recruitment), outlining the plans, the contingency, and the actions required to the regulator openly and with clarity often helps to establish the confidence that underpins the relationship with the regulator and the continuation of the permissions process.
What is absolutely critical is transparency, willingness, and capability to provide information to the regulators and evidence of your business model, processes and controls, systems and activities. This should be supported by the ability to evidence and demonstrate governance, control, and oversight of your go-to-market plans and timeframes.
The objective for the regulators in this process is to be able to interact with firms, to ensure they are ready, willing, and organised to comply with the standards of the regulatory system.
The process can be lengthy and involve further interviews, questions, and requests for further information as considered necessary to enable decisions over the application. If substantive changes are made to an application after it has been submitted that are deemed to indicate that you are not ready, willing and/or organised, you may be asked to consider withdrawing the application and re-applying to provide you with an opportunity to address the issues raised. This can very quickly create unnecessary delays to authorisation, as well as complexity, challenge and stress.
Grath are fully licensed by the FCA for rules ingestion, making it straightforward for you to map from the obligations and rules you’ll be exposed to – from your risks and controls right through to your processes – giving your 1st line of defence structure, a defined workflow with purpose-built resilience, and strength in their daily routines. 2nd and 3rd line functions also have oversight through the Grath assurance and document repository. All 3 lines of defence have:
At Grath, we’re not in the business of telling firms what they already know, but we do partner with firms going through authorisation (or variation of permissions), giving them unparalleled ability within Grath’s platform to manage the entire application process to underpin readiness, including:
Automation of the process enables firms to produce purpose-built assurance reporting for the regulator as well as its own board and management team, helping to govern the process through the intuitive dashboards, escalation notification, and auditable attestations, documentation and timelines.
It’s not unusual for regulators to fully dissect and consider the firm’s governance, risk and control environment. They put focus on the robustness of the organisational arrangements, including responsibilities, management, and the degree of automation – having technology within the reg-tech space can be an added benefit to the process.
As mentioned previously, the key is preparation – objectively assessing yourself against risk of harm to the firm, the market and consumers, and being candid on the risks. There should also be a fully documented assessment against impact and likelihood for ease of discussion with the regulators and for you to clearly demonstrate how well you have mitigated such impacts.
Grath can help you with this process, with the technology for your teams and with business readiness – we even have a licence agreement that allows you time to prepare before your permissions are granted without eating into your yearly subscription terms. As practitioners, we know just how important the permissions process is, and we partner with our clients to help them meet the challenge head-on and future-proof their business to empower growth in a controlled manner.
If you’d like to know how Grath’s technology can help with authorisation, improve your regulatory compliance and bolster your risk management process, then we’d love to talk.
Get in touch with us at grath.com/contact