FCA Compliance for Investment Firms, Wealth Managers and Payment Institutions in 2026
By Adrian Lawrence FCA, Founder, FD Capital Recruitment Ltd — ICAEW Registered Practice
The FCA’s regulatory framework covers an extraordinarily wide range of firm types, and the compliance obligations that matter most vary significantly depending on what a firm actually does. An investment manager’s priority compliance concerns are materially different from those of a payment institution, a wealth manager or a consumer credit firm. Yet certain themes cut across all of them: the adequacy of governance and control frameworks, the quality of client protection arrangements, and the FCA’s increasingly assertive approach to firms that fall short of the standards it has set. This article covers the principal compliance obligations for investment firms, asset managers, wealth managers, payment institutions and consumer credit lenders in 2026 — drawing on the specific regulatory frameworks applicable to each sector.
Financial Promotions: Section 21, the Gateway and Cryptoasset Rules
The financial promotions regime has undergone significant tightening since 2023, and the pace of FCA enforcement in this area reflects the regulator’s view that unauthorised and non-compliant financial promotions remain one of the most significant sources of consumer harm in the market.
The Financial Promotions Gateway requires FCA-authorised firms that approve financial promotions on behalf of unauthorised persons to hold a specific gateway permission. This requirement, which came into force in February 2024, has significantly raised the bar for firms acting as Section 21 approvers. Firms that have been approving promotions for unauthorised businesses without the gateway permission, or whose processes for assessing the compliance of promotions before approval are not robust, face material enforcement exposure.
The cryptoasset financial promotions regime, which came into force in October 2023, has generated significant FCA enforcement activity. The regime requires cryptoasset promotions to be either communicated by a registered or authorised firm or approved by an FCA-authorised firm with gateway permission. The FCA’s approach to non-compliant cryptoasset promotions has been notably aggressive, with a high volume of alerts, takedowns and enforcement cases in the period since the regime’s introduction. Firms in the cryptoasset space that have not fully reviewed their promotion communications — including social media content, influencer partnerships and email campaigns — against the applicable rules are operating with unquantified regulatory risk.
For consumer credit firms, the Consumer Credit Sourcebook (CONC) governs not just the content of credit promotions but the full conduct of consumer credit business — from affordability assessment and creditworthiness to arrears management and default. The Consumer Duty’s overlay on CONC has raised the standard in several areas, particularly around fair value in credit products and the treatment of customers in financial difficulty. Consumer credit firms whose compliance frameworks predate the Consumer Duty and have not been reviewed against CONC’s current requirements are likely to have gaps.
Payment Institutions: E-Money, SCA and the PSR Framework
For e-money institutions, the compliance landscape in 2026 is shaped primarily by the ongoing evolution of the FCA’s safeguarding expectations, the interaction between the UK and EU payment services frameworks post-Brexit, and the FCA’s heightened supervision of the payment institution sector following a period of rapid growth and several high-profile firm failures.
Strong Customer Authentication represents one of the most operationally demanding ongoing compliance obligations for payment firms. The UK SCA requirements under the PSRs mandate two-factor authentication for most electronic payment transactions, with a defined set of exemptions — including transaction risk analysis exemptions — that require specific implementation and ongoing monitoring to apply correctly. Firms whose SCA implementation was built for the original compliance deadline and has not been reviewed against the FCA’s subsequent guidance and enforcement activity may find that their exemption usage is not adequately documented or that the conditions for certain exemptions are not being consistently met in practice.
Investment Firms: AIFMD, PRIIPs and the Client Assets Framework
Alternative investment fund managers operating in the UK face a specific regulatory framework under the UK’s retained version of the AIFMD. The AIFMD imposes requirements around authorisation, the use of depositaries, leverage limits, remuneration, transparency and reporting that go beyond the standard FCA SYSC and COBS obligations. UK AIFMs managing funds with EU investors face additional complexity from the ongoing divergence between UK and EU regulatory frameworks, and the absence of an agreed UK-EU equivalence arrangement for alternative funds means that UK managers marketing to EU investors must navigate the national private placement regimes of each relevant EU jurisdiction.
The PRIIPs regime requires manufacturers of packaged retail and insurance-based investment products to produce a Key Information Document — a standardised disclosure document designed to allow retail investors to compare products across providers. The UK’s post-Brexit PRIIPs framework has diverged from the EU approach in a number of respects, and the FCA’s ongoing review of the retail disclosure framework means that the rules in this area will continue to evolve. Firms that have produced PRIIPs KIDs for their products and have not reviewed them against the FCA’s more recent guidance and data updates are likely to be working from stale disclosure documents that do not meet the current standard.
Client Assets: CASS, Prime Brokerage and Insolvency Protection
Client asset protection is one of the most consequential compliance obligations for investment firms and custodians. The CASS framework — covering both custody assets under CASS 6 and client money under CASS 7 — creates a segregation and reconciliation obligation designed to ensure that client assets remain identifiable and returnable in the event of the firm’s insolvency. The FCA has been consistently clear that it views CASS deficiencies as among the most serious compliance failures it encounters, precisely because they create direct risk of client harm in insolvency scenarios.
For investment firms with prime brokerage arrangements, the CASS 11 framework creates a more complex set of obligations than the standard CASS 6 custody rules. The use of rehypothecation and title transfer collateral arrangements — under which prime brokers have the right to use client securities for their own purposes — creates client exposure that must be clearly disclosed, carefully governed, and reconciled daily. Firms that operate prime brokerage arrangements and have not conducted a recent CASS 11 compliance review are likely to find that their disclosure documentation, rehypothecation governance, and daily reconciliation processes have evolved out of alignment with the current regulatory expectations.
Understanding what happens to client money and custody assets in an insolvency scenario is important not just for compliance purposes but for the board’s governance of the CASS function. Directors who do not understand the CASS pooling mechanism, the role of the CASS administrator, or the interaction between client money protection and the FSCS compensation scheme cannot effectively oversee the adequacy of the firm’s client asset arrangements.
Climate Risk and ESG: TCFD and the UK Disclosure Framework
The FCA’s mandatory climate-related financial disclosure rules, implemented through the TCFD framework, require a growing population of FCA-regulated firms to publish entity-level reports covering the four TCFD pillars: governance of climate-related risks and opportunities; strategy; risk management; and metrics and targets. The FCA’s supervisory focus in 2026 has shifted from whether firms are producing TCFD disclosures to whether those disclosures are of adequate quality — sufficiently specific, evidence-based, and forward-looking to provide the information investors and stakeholders need to assess the firm’s climate risk exposure.
The quality threshold for TCFD disclosures has risen significantly as the regime has matured. Early TCFD reports that described governance arrangements in general terms and noted that climate risk was “considered” in the firm’s risk management process are no longer adequate. The FCA expects firms to demonstrate specific climate risk identification, scenario analysis against well-defined warming scenarios, and disclosure of transition and physical risk metrics that are meaningful for the firm’s specific business activities. The interaction between TCFD and the UK SDR — which imposes additional sustainability disclosure requirements on asset managers — creates a combined disclosure obligation that requires careful coordination across the firm’s sustainability, compliance and communications functions.
Governance Frameworks: Three Lines, Operational Resilience and Wind-Down
Three governance frameworks are generating particular FCA supervisory attention in 2026: the three lines of defence model, operational resilience, and wind-down planning.
The three lines of defence framework — operational management as the first line, risk and compliance as the second, internal audit as the third — is the governance model through which the FCA expects firms to organise their risk management and control functions. The FCA’s consistent finding is that the model is widely adopted in name but inconsistently implemented in practice. Second-line functions that lack the independence to challenge first-line decisions, internal audit functions that are resourced from within management rather than independently, and governance structures where the lines are distinct on paper but blur in practice all represent failures of the model’s intent. The FCA’s SYSC governance requirements mandate genuine independence at each line, not nominal structural separation.
The operational resilience framework, introduced in March 2022 with a compliance deadline of March 2025, requires firms to identify their important business services, set impact tolerances, and demonstrate that they can remain within those tolerances following severe but plausible operational disruption. By 2026, the FCA expects firms to have genuinely tested their resilience against realistic scenarios — not just tabletop exercises but genuine simulation of the operational conditions that would arise in a significant outage. Firms that completed their initial operational resilience mapping for the compliance deadline but have not subsequently developed their scenario testing or updated their assessments for new business activities are likely to be behind the curve on this obligation.
Wind-down planning remains one of the most commonly underdeveloped governance obligations, despite the FCA’s clear expectations in FG20/1. A credible wind-down plan identifies the conditions that would trigger wind-down, the resources required to execute it in an orderly manner, the capital and liquidity needed to fund it, and the operational steps required to return client assets and complete or transfer outstanding regulated business. Firms that have produced a wind-down plan document without the underlying capital adequacy analysis, tested wind-down timeline, and embedded governance trigger review process have not met the FCA’s standard.
SMCR: The Conduct Rules in Practice
The two tiers of SMCR conduct rules apply across all employees of FCA-regulated firms, but their practical application varies significantly between those subject only to the Individual Conduct Rules and those — SMF holders — who are also subject to the Senior Manager Conduct Rules. Understanding the distinction between Tier 1 and Tier 2 conduct rules, and the specific obligations each creates, is foundational to the firm’s conduct rules training and certification programme.
The conduct rules are only as effective as the training that embeds them. The FCA’s expectation is that all staff subject to the conduct rules understand not just the abstract rule text but how each rule applies to their specific role and the activities they carry out. Generic e-learning modules that walk employees through the five Individual Conduct Rules without connecting them to the employee’s day-to-day work do not satisfy this standard. Role-specific training that uses realistic scenarios drawn from the firm’s own activities — and that is updated when the firm’s activities or the regulatory framework change — is the standard the FCA expects.
Vulnerable Customers: The Ongoing Obligation
The FCA’s vulnerable customer guidance under FG21/1 creates a continuous obligation for regulated firms: to understand the characteristics of vulnerability in their customer base, identify vulnerable customers in practice, and adapt their products, services and communications accordingly. This obligation does not end at the point of initial customer identification. Vulnerability is dynamic — customers who were not vulnerable at onboarding may become vulnerable following a life event, a health change, or a significant financial difficulty — and the firm’s processes must be designed to identify and respond to emerging vulnerability throughout the client relationship.
For wealth managers and investment advisers whose clients are predominantly in later life, the vulnerability identification challenge is particularly acute. Cognitive decline, bereavement and sudden income reduction are all significantly more prevalent in older client populations, and the high-value financial decisions these clients are asked to make — investment strategy changes, significant withdrawals, estate planning — create correspondingly high stakes for getting the vulnerability identification and response right. The firms that are performing best on this obligation are those whose relationship managers and client-facing staff have been genuinely trained to identify vulnerability signals in client interactions, not just those whose compliance teams have produced a vulnerability policy document.
Conclusion
The regulatory framework across investment management, wealth management, payment services and consumer credit is extensive and continuing to evolve. The firms that manage it most effectively are those that maintain active, well-resourced compliance functions capable of tracking regulatory developments, identifying compliance gaps proactively, and advising senior management and boards on the practical implications of an increasingly complex regulatory landscape.
The common thread across all the frameworks discussed above is genuine implementation: the difference between having a policy and having a compliance programme that actually operates in the way the policy describes. The FCA’s supervisory approach in 2026 is focused precisely on this distinction — looking through documentation to assess whether firms are genuinely compliant, and escalating where the gap between documented framework and actual practice is material. Closing that gap is the essential compliance challenge for FCA-regulated firms of all types in 2026.
About the author: Adrian Lawrence FCA is the founder of FD Capital Recruitment Ltd, an ICAEW Registered Practice (Co. No. 13329383) specialising in the placement of CFOs, Finance Directors, compliance officers and SMF holders at FCA-regulated financial services firms. Adrian holds an ICAEW practising certificate as a Fellow Chartered Accountant. Further regulatory guides covering investment regulation, CASS, ESG, operational resilience and the full FCA compliance framework are available at FD Capital’s regulatory knowledge centre.