Back to Resources

FCA Authorisation for Fintechs: Timeline, Cost and What to Expect

Raymond Shuai 2 October 2024 8 min read Sources: FCA Authorisation Gateway Statistics 2024 · FCA Consumer Investments Data Review · KPMG Regulatory Readiness Report

FCA & Regulatory

Share
Executive summary. FCA authorisation is a prerequisite for most fintech business models. The official target determination period is six months, but founders should budget 12 to 18 months from submission to authorisation for any PI, EMI or consumer credit application. Total preparation costs, including legal, compliance and systems, typically range from £50,000 to £200,000 before a single FCA fee is paid. Applications fail not because the business model is wrong, but because the compliance framework documentation is incomplete.

Why Authorisation Is Non-Negotiable

Most fintech business models require FCA authorisation before they can operate legally in the UK. This is not a technicality to work around through creative structuring; it is a fundamental gate that determines whether the business can trade. Operating a regulated activity without authorisation is a criminal offence under section 23 of the Financial Services and Markets Act 2000, carrying a maximum penalty of two years' imprisonment and an unlimited fine.

The range of regulated activities that catch fintech businesses is broader than most founders initially expect. Payment processing, issuing electronic money, providing consumer credit, arranging investments, operating a cryptoasset exchange and providing investment advice all require specific permissions. If your product touches any of these activities, even incidentally, the FCA authorisation question must be answered before launch, not after.

The good news is that the FCA's authorisation regime is a well-defined process with clear documentation requirements. The challenge is not the existence of the regime; it is the time and resource required to navigate it properly. This article sets out what you can expect at each stage, the realistic costs, and how to maximise the probability of a first-time, clean determination.

Authorisation Types Most Relevant to Fintechs

Before entering the authorisation process, you need to identify precisely which permission or permissions your business requires. The most common authorisation types for UK fintechs in 2024 are as follows.

Payment Institution (PI)
Authorised PI or Small PI. Required for businesses processing payments, executing transfers, or operating payment accounts. Fee: £5,000 to £15,000.
E-Money Institution (EMI)
Authorised EMI or Small EMI. Required for businesses issuing stored value (prepaid cards, digital wallets). Fee: £10,000 to £25,000.
Consumer Credit
Required for BNPL, lending, credit broking. Fee varies by activity type. Among the highest-volume applications at the FCA.
Cryptoasset Business
Registration under the MLRs for cryptoasset exchange and custody. Separate from FSMA authorisation. Increasingly complex given FCA scrutiny.

A key distinction within the Payment Institution and E-Money Institution categories is between the "small" and "authorised" variants. Small PIs and Small EMIs benefit from lighter obligations but face volume caps: Small PIs are restricted to average monthly payment transaction volumes below £3m; Small EMIs face a cap on average outstanding e-money below €5m. Most venture-backed fintechs with growth ambitions will need full authorisation rather than the small variant, and should plan accordingly.

For businesses combining multiple activities (for example, a BNPL provider that also wants to operate a credit broker arrangement), the FCA may require separate permissions for each activity. This adds complexity to the application and typically requires a more detailed programme of operations document to explain how the permissions interact.

The Authorisation Process: Connect to Determination

All FCA authorisation applications are submitted through the Connect online portal. Connect is the FCA's case management system, and once your application is submitted, it becomes the primary communication channel between you and the FCA throughout the process. Understanding how the process works at each stage allows you to anticipate pressure points and manage your internal resources accordingly.

Pre-application
Pre-Application Preparation (3 to 6 months)
Draft programme of operations, compliance manual, financial projections, risk framework. Appoint compliance officer and legal advisers. Ensure regulatory capital is in place. Brief board and senior managers on SMCR obligations.
Submission
Application Submission via Connect
Complete the relevant Connect application form. Attach all supporting documents. Pay the application fee. The FCA has 10 business days to confirm completeness and assign a case officer.
Assessment
Case Officer Assessment (weeks 1 to 12+)
Case officer reviews the application against the FCA's threshold conditions and conduct of business requirements. If documentation is incomplete or insufficiently detailed, an RFI letter is issued. Most applications receive at least one RFI.
RFI & Interview
Request for Further Information and Possible Interview
RFI letters pause the statutory determination clock until responded to. Response time is typically 10 business days. For complex applications or governance concerns, an interview of senior managers may be required.
Determination
Final Determination: Grant or Refuse
FCA statutory target: 6 months from receipt of complete application. Realistic range for complex applications: 12 to 18 months. The FCA publishes a Decision Notice for refusals. Authorisation is confirmed in writing and the firm appears on the Financial Services Register.

The statutory determination period is six months from the date on which the FCA receives a "complete" application. The critical word is "complete." Incomplete applications do not start the clock. In practice, the FCA often considers an application incomplete for reasons that are not immediately obvious to applicants: missing pro-forma balance sheets, insufficient detail in the compliance officer job description, or financial projections that do not cover the full range of stressed scenarios required. Engaging an experienced compliance consultant before submission materially reduces the risk of an incompleteness finding.

The Realistic Timeline: 12 to 18 Months

The FCA's published target is to determine applications within six months of receiving a complete application. This target is genuinely aspirational. The FCA Authorisation Gateway Statistics published in 2024 indicate that the median determination time for full PI and EMI applications is consistently above the six-month target, with complex applications taking 12 months or more from submission. Budget 18 months from the date you submit the application to the date you expect authorisation to be confirmed. If it comes sooner, treat it as a positive surprise.

"The most dangerous assumption founders make is that FCA authorisation is a three-month exercise. Plan for 18 months, fund accordingly, and treat any faster outcome as a bonus. The businesses that run into trouble are those whose runway assumptions depend on authorisation arriving on the FCA's published target timeline."

The principal drivers of delay are within the applicant's control. Applications that contain complete, well-evidenced documentation — a robust programme of operations, a detailed compliance manual, realistic and internally consistent financial projections, and credible governance arrangements — progress materially faster than those that are submitted with the intention of "filling in the gaps" during the process. The FCA does not view the application stage as a consultative dialogue; it expects a complete picture at submission.

One timing factor that is entirely outside the applicant's control is the background check process for senior managers and controllers. Fit and proper assessments for individuals involve cross-referencing against regulatory databases internationally, and for applicants with international backgrounds or complex business histories, this can take three to four months in its own right. Begin compiling fit and proper documentation for all SMF holders and 10%-plus shareholders at the earliest possible stage.

Application Cost: The Full Picture

FCA application fees are published on the FCA website and represent only a fraction of the total cost of obtaining authorisation. For a PI or EMI application in 2024, the FCA fee itself is between £5,000 and £25,000 depending on the category of firm. The total cost of obtaining authorisation, once legal advisers, compliance consultants, and internal management time are included, typically falls between £50,000 and £200,000 for a PI or EMI application.

#
Cost Component
Typical Range
1
FCA Application Fee Paid at submission PI: £5,000 to £15,000 by type. EMI: £10,000 to £25,000. Consumer Credit: varies by activity. Non-refundable if refused.
£5k–£25k
2
Legal Advisers Regulatory law firm Advice on permissions, drafting the programme of operations, reviewing the compliance manual, advising on threshold conditions. Senior partner time is billable at £600 to £900 per hour.
£20k–£80k
3
Compliance Officer / Consultant Dedicated compliance function Drafting the compliance manual, policies, procedures, AML/CFT framework. May be an employee or a fractional/contracted resource. Compliance officer must be approved as SMF16.
£15k–£60k
4
Systems Evidence Technology and operational documentation Screenshots, architecture diagrams, data flow maps demonstrating that your technology supports the programme of operations. Penetration test reports and data protection impact assessments where relevant.
£5k–£20k
5
Regulatory Capital Must be in place at submission PI minimum own funds: €20,000 to €125,000 by service type. EMI minimum own funds: €350,000. Must be demonstrably paid up and unencumbered at the date of application. Not a cost per se, but a capital commitment.
£20k–£300k+

The regulatory capital requirement deserves particular attention. The FCA will not grant authorisation unless the firm can demonstrate that it holds the minimum regulatory capital as at the date of application. For an Authorised PI providing account information and payment initiation services, the minimum own funds requirement is €50,000. For an Authorised EMI, it is €350,000. These amounts must be liquid, unencumbered, and clearly on the company's balance sheet. Founders who have not raised sufficient equity before commencing the authorisation process will face the choice of delaying the application or conducting a capital raise mid-process, both of which add to the total timeline.

The Most Common Reasons for Delay

The FCA publishes limited data on the reasons for application delays, but experienced regulatory practitioners consistently identify the same failure modes. Avoiding these is the single most effective way to accelerate a determination.

  • Incomplete application at submission: the programme of operations does not cover all intended activities; financial projections do not include stress scenarios; supporting documents are missing or unsigned. The FCA will issue an incompleteness finding, the clock does not start, and the applicant must resubmit.
  • Inadequate compliance framework documentation: a compliance manual that is generic and not tailored to the specific business model; policies that are clearly templates without adaptation; an AML/CFT framework that does not address the specific customer risk profile of the business.
  • Insufficient regulatory capital at application: the company cannot demonstrate that the minimum own funds requirement is met as at the date of submission. This is an absolute blocker: the FCA will not proceed until capital is confirmed.
  • Governance weaknesses: the board does not have sufficient independent oversight; the non-executive director or chair does not meet the FCA's experience expectations; the SMCR allocation of responsibilities is unclear or does not cover all required SMFs.
  • Slow fit and proper checks on senior managers: individuals who have lived or worked in multiple jurisdictions, have complex business histories, or who have any prior regulatory or criminal matters will take longer to clear. This is mechanical and largely unavoidable, but can be mitigated by starting the fit and proper pack early.
  • Poorly evidenced business model: the financial projections are not internally consistent with the programme of operations; the revenue model cannot be reconciled to the stated customer acquisition assumptions; the unit economics are implausible.

How to Prepare a High-Quality Application

The five documents that form the core of any PI or EMI authorisation application are: the programme of operations, the compliance manual, the business plan and financial projections, the risk framework, and the individual fit and proper packs for all SMF holders. Each of these requires meaningful investment of time and expertise. Here is how to approach each one.

Programme of Operations

The programme of operations is the most important document in the application. It is a comprehensive description of how the firm will conduct the regulated activities it is applying for. It must cover: the services to be provided and the customer segments to be served; the geographic scope; the organisational structure and governance; the outsourcing arrangements; how the firm will safeguard customer funds (for PIs and EMIs, this is a detailed and evidence-heavy requirement); the business continuity and disaster recovery arrangements; and the complaints handling process. A well-drafted programme of operations is 40 to 80 pages for a PI or EMI application.

Compliance Manual

The compliance manual must be tailored to the firm's specific business model, not a generic template. It should include: the compliance monitoring programme; the AML/CFT policy and customer risk appetite statement; the sanctions screening policy; the data protection and information security policy; and the conflicts of interest policy. The FCA case officer will read the compliance manual closely, and a generic or incomplete document is one of the most common triggers for an RFI.

Financial Projections

The financial projections must cover at least three years from authorisation and must include a base case and a stress scenario. The stress scenario should model the impact of materially lower revenue than projected: what happens to cash flow if customer acquisition is 50% slower than planned? Does the firm remain above its minimum own funds requirement throughout? The FCA is looking for evidence that the founders have thought seriously about the downside, not just the base case. Financial projections that show a smooth J-curve without any stressed scenario are a red flag.

A practical tip on RFI management: when you receive an RFI letter, read every question carefully before drafting any response. Many RFI letters contain between 10 and 30 questions across multiple sections. Respond to every question specifically and provide documentary evidence where requested. A partial response to an RFI triggers a follow-up RFI, which adds further time to the process. Treat the RFI as a second chance to make a complete submission, not as a bureaucratic exercise.

Key Takeaways

  • FCA authorisation is a legal prerequisite for most fintech business models. Operating a regulated activity without authorisation is a criminal offence.
  • The most common authorisation types for fintechs are Payment Institution (PI), E-Money Institution (EMI), Consumer Credit, and Cryptoasset Business registration.
  • The FCA's published determination target is six months, but realistic planning should assume 12 to 18 months from submission to authorisation.
  • Total preparation costs, excluding the regulatory capital requirement, typically range from £50,000 to £200,000 for a PI or EMI application.
  • Regulatory capital must be demonstrably in place at the date of submission. For Authorised EMIs, the minimum is €350,000.
  • The most common causes of delay are incomplete applications, inadequate compliance documentation, and slow fit and proper checks on senior managers. All three are within the applicant's control.
  • The programme of operations is the most important document. Invest the most time there, and ensure it is tailored to your specific business model, not a generic template.

Work Together

Need this applied to
your business?

FCA authorisation preparation requires robust financial projections, demonstrated regulatory capital and a credible programme of operations. CrunchSpark provides CFO-level support at every stage of the process.

Book a Free Discovery Call →