When a firm regulated by the Financial Conduct Authority loses its permissions, the effects are rarely confined to that firm. Every business that relies on that firm, whether as a counterparty, distributor, appointed representative, or service provider, is potentially exposed to regulatory, legal, and reputational risk.
For compliance teams, awareness of permission changes is not optional. It is a fundamental part of ongoing due diligence and third-party risk management. Yet many organisations still rely on periodic manual checks of the FCA Register, leaving dangerous gaps between when a change occurs and when it is detected.
This article explains the types of permission changes the FCA can make, how they affect your organisation, and what practical steps compliance teams should take to manage this risk effectively.
Understanding FCA Permissions and How They Change
Every FCA-authorised firm holds a set of Part 4A permissions that define the regulated activities it is allowed to carry out. These permissions are the legal foundation for the firm's operations — without them, carrying on regulated activities is a criminal offence under the Financial Services and Markets Act 2000 (FSMA).
Permissions are not static. They can be altered through several mechanisms, each with different implications.
Voluntary Variation of Permission (VVOP)
A firm may choose to voluntarily give up or narrow its permissions. This often happens during business restructuring, when a firm exits a particular market, or when it no longer wishes to carry on certain regulated activities. While voluntary, a VVOP still changes the scope of what the firm is legally permitted to do — and any business relying on those permissions needs to know immediately.
Own-Initiative Variation of Permission (OIVOP)
The FCA has the power to vary a firm's permissions on its own initiative. This is typically a supervisory or enforcement action, triggered when the FCA believes the firm is not meeting its threshold conditions, poses a risk to consumers, or is otherwise failing to comply with regulatory requirements. An OIVOP is a serious regulatory signal and often precedes further enforcement action.
Imposition of Requirements
Rather than removing permissions outright, the FCA may impose requirements on a firm. These can restrict how the firm exercises its permissions — for example, preventing it from taking on new clients, handling client money, or operating in certain markets. Requirements can be imposed with immediate effect in urgent cases, making timely detection critical.
Cancellation of Permissions
In the most severe cases, the FCA can cancel a firm's Part 4A permissions entirely. This effectively removes the firm's authorisation to carry on any regulated activities. Cancellation may be initiated by the FCA as an enforcement measure, or it may follow a firm's request — for example, when a firm ceases trading. Regardless of the trigger, cancellation has immediate and far-reaching consequences.
How a Firm Losing Permissions Affects Your Organisation
If a firm you work with loses or has its permissions varied, the consequences for your own organisation can be significant. Understanding these risks is essential for any compliance function managing third-party relationships.
Contractual and Legal Exposure
Many agreements with FCA-regulated firms include clauses that require the counterparty to maintain its regulatory authorisations. When a firm loses permissions relevant to the services it provides to you, those contractual provisions may be triggered — potentially rendering agreements voidable or requiring immediate termination.
Beyond contract law, there are direct regulatory implications. If your organisation continues to rely on a firm that no longer holds the necessary permissions, you may be facilitating unauthorised activity, which carries its own legal and regulatory risks.
Regulatory Risk to Your Firm
Under the FCA's rules, regulated firms are expected to conduct appropriate due diligence on their counterparties and maintain adequate oversight of outsourcing and third-party arrangements. If a firm you depend on loses its permissions and you fail to identify this promptly, your own firm may be seen as falling short of its regulatory obligations.
The Senior Managers and Certification Regime (SM&CR) places personal accountability on senior individuals for the areas they oversee. A failure to detect a material change in a counterparty's regulatory status could raise questions about the adequacy of your firm's systems and controls — and, by extension, the discharge of individual senior management responsibilities.
Reputational Damage
Association with a firm that has had its permissions restricted or cancelled can carry reputational consequences, particularly if the FCA's action is linked to consumer harm, financial crime, or serious compliance failings. Even where your own firm has done nothing wrong, the association may attract unwanted scrutiny from regulators, clients, and the press.
Disruption to Business Operations
On a purely operational level, a counterparty losing its permissions can disrupt your business. If the firm can no longer provide the regulated services you depend on, you may need to find alternative arrangements quickly — often under time pressure and with limited options.
What Compliance Teams Should Do
Managing the risk of counterparty permission changes requires a structured, proactive approach. The following steps represent good practice for compliance teams in regulated firms.
Maintain an Up-to-Date Register of Regulated Counterparties
Every firm you deal with that holds FCA permissions should be recorded, along with the specific permissions relevant to your relationship. This register forms the basis for effective monitoring and should be reviewed regularly.
Monitor the FCA Register Continuously
Periodic checks — whether quarterly, monthly, or even weekly — are not sufficient to catch permission changes in a timely manner. The FCA can impose variations or requirements with immediate effect, and delays in detection increase your exposure.
Continuous or at least daily monitoring of the FCA Register for changes to the firms on your counterparty list is the standard compliance teams should aim for. This is where FRN monitoring becomes essential — it replaces manual spot checks with systematic, ongoing surveillance.
Establish a Response Process
When a permission change is detected, your team needs to know exactly what to do. A documented response process should cover:
- Initial assessment — determining which permissions have changed and whether they affect your business relationship
- Escalation procedures — who needs to be informed, including senior management, legal counsel, and affected business lines
- Risk evaluation — assessing the impact on contracts, regulatory compliance, and ongoing operations
- Action steps — whether the relationship can continue, needs to be modified, or must be terminated
- Communication — notifying affected stakeholders, both internally and externally where appropriate
Document Everything
Regulators expect to see evidence of your firm's oversight activities. Every check, alert, decision, and action taken in response to a counterparty permission change should be fully documented. A robust audit trail demonstrates to the FCA that your firm takes its regulatory obligations seriously and has effective systems and controls in place.
Review Appointed Representative Relationships
If your firm is a principal with appointed representatives (ARs), monitoring their permissions and regulatory status is especially important. As the principal, your firm bears regulatory responsibility for the activities of its ARs. Any change to an AR's status on the FCA Register demands immediate attention.
How Automation Transforms Permissions Monitoring
The challenge with manual monitoring is straightforward: it does not scale, and it leaves gaps. Compliance teams managing dozens or hundreds of regulated counterparties cannot realistically check the FCA Register for each one with the frequency required to catch changes promptly.
Automated permissions monitoring solves this problem by continuously tracking the regulatory status of every firm on your watchlist. When a change is detected — whether a variation of permission, the imposition of a requirement, or a cancellation — your team is notified immediately through regulatory alerts.
FRN Watch is purpose-built for this task. It monitors FCA-regulated firms by their Financial Reference Number (FRN), tracks changes to their permissions and regulatory status, and delivers alerts directly to your compliance team. Every change is logged automatically, creating the documentary evidence your firm needs to demonstrate effective oversight.
Key benefits include:
- Immediate detection of permission changes, variations, and cancellations
- Automated alerts delivered to the right people in your team as soon as changes occur
- Full audit trail of all monitored changes, alerts, and actions taken
- Centralised counterparty oversight across your entire portfolio of regulated relationships
- Reduced operational risk by eliminating the gaps inherent in manual checking
Take Control of Counterparty Monitoring
When an FCA firm loses its permissions, the firms that suffer most are those that find out too late. Proactive, automated monitoring ensures your compliance team is always informed and always ready to act.
FRN Watch gives compliance teams the tools to monitor FCA-regulated counterparties continuously, detect permission changes as they happen, and maintain the audit trail regulators expect.
Start your free trial today and ensure your organisation is never caught off guard by a counterparty's regulatory changes.