What to expect from an FCA Skilled Person Review – and how to prevent one in the first place


Many payment, e-money and cryptocurrency providers have grown exponentially over the last 10 years, and some more so since the pandemic pushed more people to digital financial services, but on occasion their compliance operations have not kept pace. As a result, the UK regulators have increasingly used Skilled Person reviews to investigate their compliance in key areas like risk management, onboarding and financial crime.

A webinar with Philip Creed, fscom’s Director and Head of Financial Crime, was recently held to help firms understand and respond to this development – and this blog captures some of the highlights. We will unpick the Financial Conduct Authority’s (FCA) approach to Skilled Person reports, explain why your firm might be reviewed, and advise how best to approach one – or better yet, to avoid it happening in the first place.

What is a Skilled Person report?

A Skilled Person report is one of the tools available to the FCA and Prudential Regulation Authority (PRA). The Financial Services and Markets Act 2000 gives them power to instruct an independent third party to investigate certain aspects of a firm’s activities, such as their anti-financial crime framework, and to provide a view on how the firm is managing that area. The regulator can appoint an accredited Skilled Person or ask the firm to appoint one. Either way, the firm must cover the costs.

Why would a review be commissioned?

The main reasons for a regulator to initiate a review are to diagnose risks, to monitor them, to reduce identified risks or prevent them from developing, and to take remedial action when a risk has crystallised. These risks can often be self-reported by companies.

Regulators can commission a report into “any matter” related to the aforementioned regulation. Section 166A states that a report can be commissioned if an authorised firm “has contravened a requirement to collect, and keep up to date, information of a description specified in the rules”.

A useful indication for where firms might be vulnerable to a review comes from “lots”, which are areas in which regulators have previously commissioned reports. The most frequent lots in the past five years concern financial crime, conduct of business, and client assets. In fact, more than a fifth of all Skilled Person reviews focused on financial crime.

What should you expect from a Skilled Person report?

A Skilled Person report is similar to a compliance audit. The FCA issues a requirement notice with the scope of the review. The firm then needs to submit three proposals for appointing a Skilled Person from a panel approved by the regulator, or bring in an expert external firm. A contract is then negotiated and timeframes for the draft and final reports agreed. The Skilled Person must be available for communication with the FCA throughout the process.

Reviews usually follow five stages:

Pre-audit documentation review – The Skilled Person gathers information from the company on its processes beforehand.
Walkthrough – They ensure they understand how the company’s systems and processes work in practice and carry out interviews with people like board members and senior management.
Testing – The Skilled Person tests that the firm’s controls are working as they should be by collecting data.
Draft report – They share their preliminary findings with the FCA and the company.
Final report – This may lead to the FCA completely or partially removing sanctions, or a move in the other direction to formal enforcement action.

While a firm is undergoing a Skilled Person review, the regulator will often ask them to agree to be placed under a “Vreq”, or “voluntary application for the implication of directions”. This gives time for the review to happen, for the firm to remediate their problems, and for this remediation to subsequently be assessed. During this time, the company often agrees not to take on new customers, or to cease certain activities. While this is technically voluntary, the alternative is usually enforcement action, so firms do need to comply.

A Skilled Person review in action

A typical example of a Skilled Person review was recently carried out on a UK-based electronic money institution offering digital services to retail clients. Their customer list mushroomed from thousands to hundreds of thousands during the pandemic, which increased the number of suspicious transactions and created backlogs in their compliance unit.

The firm informed the FCA and a Skilled Person review was announced. The firm appointed fscom to work with their internal team to redesign their AML programme and hire new senior staff and analysts to reduce backlogs. The firm then appointed a Skilled Person and fscom acted on the firm’s behalf during this review.

The whole process took 18 months, during which time the firm could not take on new customers due to a Vreq, and the company must still provide regular information and updates to the regulator. So even when the firm takes all the right steps, reviews can be very damaging to firms.

fscom’s top tips for regulatory compliance

Build frameworks and processes for where you want to be, not where you are. Many firms were caught out by their success during the pandemic because they had not developed redundancy to scale up their AML processes and onboarding approach if required.
Prevention is better than cure. A Skilled Person review will only be initiated if a firm has weaknesses in its financial crime framework. Firms should start with a business-wide risk assessment and build their operations from there, while reviewing them regularly to account for changes.
Approach a review seriously. If the regulator does initiate a review, you should engage legal counsel and advisors as early as possible. All communications with the regulator should be clear, concise and truthful throughout.

FinTech is a rapidly changing field, with some firms exploding into the stratosphere and others going in the opposite direction. If you put time, resource and thought into where the firm is heading and how to ensure your compliance operation can match these ambitions, you could save yourself the headache of a Skilled Person review – or even enforcement action – in the long run.

fscom can help companies to improve their regulatory compliance and anti-financial crime framework. Contact us today for a free consultation.

Article by fscom
