FRN Watch

How to Monitor Third-Party FCA Permissions: A 2026 Guide for Compliance Teams

Firms regulated by the Financial Conduct Authority have a clear obligation: know who you are doing business with, and keep knowing. Whether it is an appointed representative, a key outsourcing partner, or a firm in your distribution chain, the FCA expects you to conduct meaningful and ongoing due diligence on the third parties within your regulatory perimeter.

Yet for many compliance teams, third-party monitoring remains one of the most resource-intensive and error-prone areas of their work. This guide sets out a practical framework for monitoring FCA permissions across your third-party relationships, and explains how modern tooling can transform what has traditionally been a manual, periodic exercise into a continuous and reliable process.

Why Third-Party Monitoring Matters

The FCA's expectations around third-party oversight have sharpened considerably in recent years. Principles 3 (management and control) and 11 (relations with regulators) both place responsibility on firms to understand and manage the risks introduced by their external relationships. The Senior Managers and Certification Regime reinforces this by making individuals personally accountable for the oversight of delegated or outsourced activities.

The consequences of getting this wrong are significant. If a firm in your distribution chain loses its authorisation, or has its permissions varied, you could find yourself facilitating regulated activity through an entity that is no longer permitted to carry it out. The reputational and regulatory consequences of this can be severe, regardless of whether the failure originated with your firm or a third party.

Beyond enforcement risk, robust third-party monitoring is simply good practice. Regulators increasingly view a firm's approach to third-party oversight as a proxy for the quality of its broader compliance culture.

Who Needs Monitoring?

Not every supplier relationship requires FCA-specific due diligence, but the following categories almost certainly do:

  • Appointed representatives and introducer appointed representatives — you are directly responsible for their conduct
  • Firms in your distribution chain — including those who distribute your products or refer clients to you
  • Outsourced service providers carrying out regulated activities on your behalf
  • Key suppliers whose failure could impact your ability to meet regulatory obligations
  • Joint venture partners and firms with whom you share clients or data

Current Approaches and Their Limitations

Most compliance teams currently monitor third-party FCA permissions through a combination of manual processes:

Manual FCA Register Checks

The FCA Register is publicly available, and checking a firm's status is straightforward enough for a one-off exercise. However, when you are responsible for monitoring dozens or hundreds of third-party relationships, manual register lookups become impractical. Each check requires navigating to the register, searching for the firm, reviewing its current permissions, and comparing them against the permissions you last recorded. Multiply this by 50 firms on a quarterly basis and you have a significant administrative burden.

Spreadsheet Tracking

Many teams maintain spreadsheets listing their monitored firms alongside key details such as FRN, authorisation status, and last-checked date. Spreadsheets are better than nothing, but they introduce several risks: data quickly becomes stale, version control is difficult to maintain, and there is no mechanism to alert you when something changes between review dates.

Periodic Reviews

Quarterly or annual reviews are the most common approach. However, the FCA Register can change at any time. A firm's permissions might be varied, a regulatory warning might be issued, or an enforcement action might be published between your scheduled review dates. Periodic reviews create blind spots that increase your exposure to regulatory risk.

What to Monitor

Effective third-party due diligence requires monitoring several dimensions of a firm's regulatory standing. Understanding what to look for is just as important as how often you look.

Firm Authorisation Status

The most fundamental check: is the firm still authorised by the FCA? Authorisation can be cancelled, suspended, or allowed to lapse. Any change in authorisation status should trigger an immediate review of your relationship with that firm.

Part 4A Permissions

A firm's Part 4A permissions define the specific regulated activities it is allowed to carry out. These permissions can be varied by the FCA, or the firm may apply to have them changed. It is essential that you monitor not just whether a firm is authorised, but whether it holds the specific permissions relevant to your commercial relationship. For example, a firm that loses its permission to arrange deals in investments can no longer lawfully perform that activity, even if it remains authorised for other purposes.

With permissions monitoring, you can track the specific Part 4A permissions that matter to each of your third-party relationships.

Regulatory Warnings and Enforcement Actions

The FCA publishes warnings about unauthorised firms and enforcement actions against regulated firms. Monitoring these publications helps you identify emerging risks before they crystallise into direct problems for your business.

Setting up regulatory alerts ensures your team is notified promptly when relevant warnings or actions are published.

Appointed Representative Status

If you work with firms that are themselves appointed representatives of another principal, their regulatory standing depends on that principal relationship. If the principal withdraws its appointment, the appointed representative may no longer be authorised to carry out the activities you rely on it for.

Disciplinary History and Regulatory Actions

Past enforcement actions, fines, and requirements imposed by the FCA can provide early warning signals about a firm's compliance culture and future risk profile.

Building a Monitoring Process

Having established what to monitor, the next step is building a process that is proportionate, auditable, and sustainable.

Establish Monitoring Frequency

The appropriate frequency depends on the nature and risk profile of each relationship:

  • Appointed representatives: continuous or daily monitoring is appropriate given your direct regulatory responsibility
  • Key distribution partners: at minimum monthly, with real-time alerting for material changes
  • Other regulated third parties: quarterly reviews may suffice for lower-risk relationships, provided you have alerting in place for critical changes

The FCA does not prescribe specific frequencies, but your approach should be proportionate to the risk each third party presents.

Assign Clear Responsibility

Every monitored relationship should have a named owner within your compliance team. Under SM&CR, accountability for third-party oversight typically sits with the SMF16 (Compliance Oversight) or SMF17 (Money Laundering Reporting Officer), depending on the nature of the relationship. Ensure that responsibilities are clearly documented and that cover arrangements are in place for absences.

Define Escalation Procedures

Not every change requires the same response. Establish a tiered escalation framework:

  • Critical: loss of authorisation, suspension, or removal of a relevant Part 4A permission — requires immediate escalation to senior management and potential suspension of the commercial relationship
  • Significant: new enforcement action, regulatory warning, or material change in permissions — requires review within 24-48 hours
  • Routine: minor permission variations, change of name or address — review at next scheduled assessment

Document Everything

The FCA expects firms to be able to demonstrate their oversight activities. Maintain a clear audit trail of every check performed, every change identified, every decision taken, and the rationale behind it. Good record-keeping is not just a regulatory expectation — it protects your firm and your senior managers if questions are raised later.

Tools and Automation

The limitations of manual monitoring have driven a growing shift towards automated solutions. For compliance teams managing more than a handful of third-party relationships, automation is no longer a luxury — it is a practical necessity.

Continuous vs Periodic Monitoring

The most significant advantage of automated monitoring is the move from periodic to continuous oversight. Rather than checking the FCA Register on a quarterly schedule, automated FRN monitoring tools check your monitored firms daily or even more frequently, and alert you immediately when something changes.

This shift from periodic to continuous monitoring closes the blind spots that quarterly reviews inevitably create. It also reduces the overall administrative burden, because your team spends less time performing routine checks and more time responding to genuine changes that require attention.

What Automation Provides

Modern monitoring platforms offer several capabilities that are difficult or impossible to replicate manually:

  • Real-time change detection — immediate notification when a firm's authorisation status, permissions, or regulatory standing changes
  • Centralised monitoring — all your monitored firms and their current status visible in a single dashboard, replacing fragmented spreadsheets
  • Automated record-keeping — every change detected and every alert generated is logged automatically, providing a comprehensive audit trail
  • Structured alerting — notifications routed to the right people based on the type and severity of the change
  • Historical tracking — the ability to see how a firm's regulatory standing has changed over time, supporting trend analysis and risk assessment

Reducing Operational Risk

Manual processes are inherently vulnerable to human error: a firm might be missed in a review cycle, a change might be overlooked, or a spreadsheet might not be updated. Automated monitoring removes these failure points by ensuring that every firm in your portfolio is checked consistently and that no change goes undetected.

Getting Started

If your current third-party monitoring process relies on manual register checks and spreadsheet tracking, transitioning to an automated approach does not need to be complex. Start by identifying your highest-risk third-party relationships and the specific permissions you need to monitor for each.

FRN Watch is purpose-built for compliance teams who need to monitor FCA-regulated firms reliably and continuously. You can import your existing portfolio of monitored firms, configure the specific permissions and status changes you want to track, and begin receiving alerts within minutes.
