FCA Supervisory and Enforcement Action Explained
For owners, boards and senior leaders of FCA-regulated firms, the regulator’s interventions come with a vocabulary that can be hard to decode at the moment it matters most — usually when a letter has just arrived. Section 165 requests, feedback letters, requirements, voluntary and own-initiative measures, attestations, skilled-person reviews, Warning Notices, Decision Notices, Final Notices, censures, prohibitions, the Regulatory Decisions Committee, the Upper Tribunal: each is a distinct step with distinct consequences, and confusing one for another can lead a board to over-react or under-react. This guide maps the whole spectrum in plain English — what each tool is, where it sits, how common it is, and what it means for the firm and the people who run it.
The single most important thing to understand at the outset is that supervision and enforcement are not the same thing, and most regulatory action never reaches enforcement at all. The overwhelming majority of the FCA’s interventions are supervisory and, increasingly, resolved voluntarily. Enforcement — investigations, fines, bans — is the rare, high-impact escalation, not the norm. Knowing where a given measure sits on that spectrum is the first step to responding proportionately.
This is general guidance for the strategic reader, not legal or regulatory advice. The specifics of any actual matter should be handled with your own legal counsel and compliance advisers; our focus is helping boards understand the landscape and making sure the right senior people are in place to respond to it.
The firms that handle regulatory attention badly are usually the ones that misread where they are on the spectrum — treating a routine information request as a crisis, or a serious supervisory intervention as something that will blow over. Reading the situation accurately, and resourcing the response with credible senior people, is what separates a contained supervisory episode from one that escalates. That judgement, and the people who can deliver it, is what this guide is about.
Adrian Lawrence FCA — Founder, Exec Capital — ICAEW Verified Fellow, holding an ICAEW practising certificate in his own name — ICAEW-Registered Practice — Companies House no. 15037964
The shape of FCA intervention: supervision versus enforcement
It helps to picture the FCA’s powers as a spectrum that runs from light-touch supervision to formal enforcement. At the supervisory end sit information requests, feedback letters, requirements on a firm’s permission (voluntary or imposed), attestations and skilled-person reviews. These are the tools the regulator uses to understand a concern and get a firm to fix it while continuing to operate. At the enforcement end sit formal investigations and, where they proceed, financial penalties, public censures, bans and — in the most serious cases — criminal prosecution. Enforcement is a distinct process with a different purpose: not to fix a firm, but to hold a firm or individual to account and to deter others.
Most firms that encounter the FCA in a difficult context are dealing with the supervisory end of the spectrum. A matter can move from supervision towards enforcement, but the great majority do not, and the regulator’s stated approach in recent years has been to engage early and encourage firms to put things right voluntarily rather than escalate.
How most action is actually resolved — the numbers
The data bears this out. In the FCA’s most recent published enforcement data, covering the year to 31 March 2025, voluntary requirements ran to around 119, up from 106 the year before, while the regulator’s use of imposed, own-initiative powers fell to single figures — roughly seven to ten. In other words, agreed, voluntary outcomes outnumbered imposed ones by something like ten to one, and the FCA itself attributed this to a strategy of early engagement and encouraging firms to address concerns voluntarily.
Enforcement, by contrast, is rare. Against a population of tens of thousands of authorised firms, the FCA opened only around 23 new enforcement investigations in that year, and had roughly 130 open at the year end, down from 188. It issued in the region of 37 Final Notices and secured a handful of criminal convictions, with financial penalties totalling over £186m — a figure inflated by a small number of large legacy cases rather than a surge in volume, since the prior year’s total had been unusually low at around £42.5m. Historically, roughly two-thirds of enforcement cases have closed with no further action at all. The headline message for a board is that enforcement is uncommon, slow and high-impact, while supervisory engagement — especially the voluntary kind — is where the vast majority of firms actually find themselves.
Stage one: information gathering
Most supervisory matters begin quietly, with the regulator gathering information. It may issue a request for documents and explanations — often referred to by its statutory basis as a section 165 request — prompted by a regulatory return, a complaint, a whistleblowing report, a thematic review or a market event. This is frequently followed by a feedback letter setting out the FCA’s concerns and its expectations. At this stage nothing has been decided; the regulator is forming a view. A firm that responds promptly, completely and credibly — and that can show it has competent senior people engaged — often resolves matters here without anything further.
Stage two: requirements and attestations
Where the FCA’s concerns are more material, it may look for a requirement on the firm’s permission to contain a risk while it is addressed. A requirement obliges the firm to do something, stop doing something, or refrain from acting without the regulator’s prior agreement. There are two routes, and the distinction matters:
- Voluntary requirement (VREQ), and the related VIVOP. The firm agrees to the requirement, typically by applying to vary its permission. A voluntary imposition of a variation of permission is sometimes labelled a VIVOP. The voluntary route signals cooperation and lets the firm negotiate scope and duration.
- Own-initiative requirement (OIREQ), and the related OIVOP. The FCA imposes the requirement, or varies the permission, using its own powers, without the firm’s agreement. This carries more weight and is used far less often.
A lighter-touch tool in the same family is the attestation, where a named senior individual personally confirms to the regulator that a specified action has been taken or a state of affairs exists. Attestations put personal accountability front and centre, which is why who holds the relevant Senior Manager Function matters so much. For a fuller treatment of voluntary requirements specifically, see our companion explainer, What Is an FCA VREQ?
Stage three: skilled-person reviews
Where the FCA wants an independent, expert assessment of part of a firm, it can commission a skilled-person review — known by its statutory basis as a section 166 review. An independent third party, the skilled person, reports to the regulator on defined aspects of the firm, such as its governance, systems and controls or financial-crime framework. The firm bears the cost, which can be substantial, and the report informs how the FCA handles the firm thereafter. A skilled-person review is a supervisory tool, not an enforcement outcome, but its findings can shape both the supervisory relationship and any decision to escalate. Because these reviews almost always drive significant remediation work, they are a major source of demand for senior compliance and financial-crime resource. Our sister firm FD Capital covers the mechanics in depth in its Section 166 Skilled Person Reviews guide.
Stage four: enforcement investigations
If the regulator decides a potential breach or offence warrants formal investigation, it opens what it calls an Enforcement Operation and appoints investigators. Opening an investigation is not a finding of wrongdoing — the FCA is explicit that it does not prejudge the outcome, and a large proportion of investigations close without action. Cases are categorised as regulatory, civil or criminal, and where the right route is unclear at the outset, a case may be opened on a dual-track basis. Investigations are often lengthy, though the FCA has recently emphasised speeding them up.
The enforcement notice sequence
If an investigation does lead the regulator to propose action, the matter moves through a defined sequence of notices:
- Warning Notice. The FCA’s initial notice setting out the action it proposes to take and why. It is not a final decision, and the recipient has the right to make representations.
- Decision Notice. The notice given after those representations have been considered, setting out the action the regulator has decided to take. The recipient can refer a Decision Notice to the Upper Tribunal.
- Final Notice. The notice confirming the action once the process is complete. Final Notices are generally published, which is a large part of their deterrent and reputational effect.
Decisions on contested cases are taken by the Regulatory Decisions Committee (RDC), a committee operationally independent of the FCA’s executive. A firm or individual that disagrees can refer the matter to the Upper Tribunal, an independent judicial body that can uphold, vary or overturn the regulator’s decision. Many cases never reach that stage because they are resolved by settlement, often with a discount on the financial penalty for early agreement.
Enforcement outcomes
Where enforcement action is taken, the outcomes available to the regulator include:
- Financial penalties (fines) against firms or individuals.
- Public censure — a published statement of misconduct without a fine.
- Prohibition orders banning an individual from performing specified functions in the industry, in part or in full.
- Cancellation or withdrawal of permission or authorisation, stopping the firm from carrying on regulated activity. Many cancellations are in practice administrative — for example where a firm has repeatedly failed to pay fees or file returns — rather than the product of a contested case.
- Restitution and redress, requiring firms to compensate customers.
- Injunctions obtained through the courts to stop conduct or freeze assets.
- Criminal prosecution in the most serious cases, such as insider dealing or unauthorised business.
How common is enforcement, really?
It is worth restating, because boards often assume the worst: enforcement is the exception. With only a couple of dozen new investigations opened in a typical year against a regulated population in the tens of thousands, and with a substantial share of investigations closing without action, the statistical likelihood of any given supervisory concern ending in a fine or a ban is low. That is not a reason for complacency — the consequences when enforcement does land are severe and public — but it is a reason to respond to supervisory attention proportionately and constructively rather than defensively, and to focus energy on resolving matters at the supervisory stage where most firms have the agency to do so.
What it all means for senior managers
Across the whole spectrum, the Senior Managers and Certification Regime puts named individuals in the frame. Compliance oversight (SMF16), money-laundering reporting (SMF17) and other senior functions carry personal accountability, and the more serious the regulator’s attention, the more that accountability is tested. This is why supervisory and enforcement events so often coincide with senior compliance resignations — the personal exposure is real — and why a firm under scrutiny must keep those functions credibly filled. A vacancy at exactly the moment the regulator is assessing the firm’s management and control is one of the worst signals a firm can send.
What it means for boards and owners
For a board or owner, the practical takeaways are consistent whatever the stage. Read the situation accurately and proportionately. Engage early and constructively rather than defensively. Take credible legal and compliance advice and let it lead the regulatory strategy. Resource the response properly — including, critically, keeping the senior compliance and MLRO functions in credible, accountable hands. And recognise that for owners and investors there is a value dimension: an unresolved matter or a restrictive requirement can affect financing, transactions and counterparty relationships, so investing early in the right people and a clear plan protects the asset as well as the regulatory relationship.
Where the senior-hiring question fits — and how Exec Capital helps
At every stage of this spectrum, the same practical need recurs: credible, regulator-acceptable senior people to lead the response. At the supervisory stage that usually means interim or permanent SMF16 and SMF17 cover; during a skilled-person review or remediation it means experienced compliance, financial-crime and file-review resource; and after enforcement it can mean rebuilding a function and replacing individuals who have left or been prohibited. Exec Capital maintains a live network of FCA-experienced compliance, MLRO and financial-crime professionals — many immediately available and experienced in live supervisory, skilled-person and enforcement contexts — and can find candidates at short notice with the right experience, verify their FCA Register status, and help structure the cover sensibly. Every mandate is led personally by Adrian Lawrence FCA. For the practical hiring detail, see our guides on interim SMF16/SMF17 cover during an FCA VREQ and compliance hiring during an FCA investigation or enforcement.
Frequently asked questions
What is the difference between FCA supervision and enforcement?
Supervision is about understanding and fixing concerns while a firm keeps operating, using tools such as information requests, requirements and skilled-person reviews. Enforcement is a separate, more serious process aimed at holding a firm or individual to account through penalties, bans or prosecution. Most regulatory action stays at the supervisory stage.
Are most FCA actions voluntary?
Yes. In the most recent data, voluntary requirements outnumbered imposed, own-initiative ones by roughly ten to one, reflecting the FCA’s strategy of early engagement and encouraging firms to address concerns voluntarily.
What is the difference between a VREQ and an OIREQ?
A VREQ (voluntary requirement) is agreed to by the firm; an OIREQ (own-initiative requirement) is imposed by the FCA using its own powers. The voluntary route signals cooperation, can be negotiated, and is more common and generally preferable.
What is an attestation?
An attestation is a personal confirmation by a named senior individual to the regulator that a specified action has been taken or a state of affairs exists. It places personal accountability on the relevant senior manager.
What is a section 166 skilled-person review?
It is an independent review, carried out by a qualified third party (the skilled person) who reports to the FCA on defined aspects of a firm. It is a supervisory tool, the firm bears the cost, and it usually drives significant remediation. FD Capital’s section 166 guide covers the mechanics in detail.
What are a Warning Notice, a Decision Notice and a Final Notice?
They are the three stages of the enforcement notice process: a Warning Notice proposes action and invites representations; a Decision Notice sets out the decision after those representations; and a Final Notice confirms the action, and is usually published.
What is the Regulatory Decisions Committee?
The RDC is a committee, operationally independent of the FCA’s executive, that takes decisions on contested enforcement cases — for example whether to issue a Decision Notice.
Can you appeal an FCA enforcement decision?
Yes. A Decision Notice can be referred to the Upper Tribunal, an independent judicial body that can uphold, vary or overturn the regulator’s decision. Many cases are instead resolved by settlement, often with a discount for early agreement.
What is a prohibition order?
A prohibition order bans an individual from performing specified functions in the financial services industry, in part or entirely. It is one of the most serious outcomes for an individual and often creates an urgent need for the firm to replace the person.
Does an FCA investigation mean the firm has done something wrong?
No. Opening an investigation is not a finding of wrongdoing — the FCA does not prejudge the outcome, and a large proportion of investigations close with no further action.
How common are FCA fines?
Relatively rare. The regulator issues a few dozen Final Notices a year against a regulated population in the tens of thousands. Total fine values can swing sharply year to year because a single large legacy case can dominate the figures.
What happens to senior managers when a firm is under FCA action?
Under SMCR, named senior managers carry personal accountability, and their conduct and competence come under scrutiny. Resignations are common, which is why firms under scrutiny need to keep functions such as SMF16 and SMF17 credibly filled throughout.
This article is general information and does not constitute legal, compliance or regulatory advice. The figures cited reflect the FCA’s published enforcement data for the year to 31 March 2025 and will change over time. Any actual supervisory or enforcement matter should be handled with your own legal counsel and compliance advisers.