What is FCA compliance software?
A plain-English guide for IFA principals and compliance directors evaluating the category for the first time. What it does, why it matters now, what to look for.
This page is for buyers and MDs whose firm doesn't yet use specialist compliance software. It's written as a category explainer, not a sales page: we've made our case for Amaea separately on features and pricing.
What FCA compliance software is
A category of business software that tracks, evidences, and reports a firm's compliance with FCA rules. For IFA firms specifically, that means watching every client record for missing documents, overdue annual reviews, expired suitability assessments, vulnerability indicators, and Consumer Duty outcome gaps, and producing an audit trail the FCA could ask for at any time.
The category is sometimes called "RegTech" (regulatory technology), "GRC software" (governance, risk and compliance), or "compliance management." For UK IFA firms the specific shape is "advice-firm compliance software." It overlaps with but is distinct from:
- CRM software (Intelliflo, Salesforce, Curo): stores client data; doesn't track regulatory obligations.
- Document management (SharePoint, NetDocuments): stores files; doesn't know which files are required.
- Outsourced compliance consultancy (Bovill, ATEB, ThreeSixty): humans who review your firm periodically; not a system that runs continuously.
Compliance software sits beneath all three: reading from the CRM and document store, surfacing what's missing, and giving the consultant something concrete to review rather than something to construct.
What changed in 2023
Two FCA changes broke the standard "compliance is paperwork in folders" model:
The Consumer Duty (PS22/9), in force from 31 July 2023, requires firms to evidence good outcomes per customer cohort on a recurring basis. That means a board-level annual assessment of whether your products, prices, communications, and support are delivering for customers. Without a system producing per-client outcome data, the assessment is qualitative narrative, which the FCA increasingly treats as insufficient evidence.
Tightened vulnerability expectations (FG21/1): the FCA's Finalised Guidance on vulnerable customers, in active use as a supervisory yardstick since 2023. Firms are expected to record vulnerability indicators per client, re-assess on a defined cadence (commonly 12 months), and demonstrate that vulnerable clients receive adjusted treatment. Excel can store the indicators; Excel cannot re-prompt the adviser when re-assessment is due.
Together, these two shifts mean compliance has moved from "can you find this file?" to "can you prove this happened on this date for this client cohort?" The second question requires a system, not a folder.
Why spreadsheets stop working
Most IFA firms manage compliance in some combination of Excel sheets, CRM exports, SharePoint folders, and the compliance officer's memory. That works at small scale. It fails for predictable reasons:
- Spreadsheets don't notify. A review due on the 15th of March needs the system to flag it on the 14th. Excel won't.
- Spreadsheets don't evidence. A cell that says "review done" is not the same thing as a timestamped record showing who marked it done, when, and what document supported the conclusion. The FCA cares about the latter.
- Spreadsheets don't reconcile. The CRM says the review happened on 23 June. The Excel says 3 June. SharePoint has a file dated 14 June. Which is the source of truth?
- Spreadsheets fragment. One sheet per adviser, another per service type, another for vulnerable clients. The compliance officer holds the reconciliation in their head. When they leave the firm, the reconciliation leaves with them.
A common failure mode: the firm passes its annual SPS visit (file sample looks fine), then the FCA asks for an across-the-book report and the firm spends three weeks rebuilding what should have been a one-click export.
What compliance software actually does
The shape of the category is consistent across vendors. Variations are mostly about depth and integration breadth, not capability:
- Reads from your CRM and document store nightly. Pulls client records, document references, review dates, suitability reports, attitude-to-risk records, vulnerability indicators.
- Watches for rule breaches. Annual reviews coming due (COBS 9.5), Consumer Duty outcomes uncompleted (PS22/9), vulnerability re-assessments overdue (FG21/1), complaints approaching the 8-week response window (DISP 1.6).
- Surfaces what's missing. A dashboard showing every client where a required document hasn't been filed, with the specific rule citation explaining why it matters.
- Maintains an audit trail. Every flag raised, every flag resolved, every document filed, every override entered, with timestamp, user, and reasoning. Retained for the FCA-required period (typically 7 years; pension transfers indefinitely under SYSC 9).
- Pre-populates regulatory returns. The big one is RMAR: the twice-yearly return that takes most firms a fortnight to complete manually. Compliance software pre-fills the sections that come from your live data (complaints, PII, adviser data, revenue) and leaves only judgment calls to the compliance officer.
- Produces reporting. Board packs, quarterly compliance reports, network-level oversight reports, individual adviser scorecards. Built from the same data the dashboard surfaces, not constructed in PowerPoint each quarter.
More recent platforms (Amaea among them) add an AI compliance assistant trained on the FCA Handbook, capable of answering rule questions with citations. This is decision support, not regulated advice: a fast way to check "does this scenario require a fresh suitability report?" without leaving the platform.
What to look for in a vendor
Most vendors in the category look superficially similar. The differentiators that matter to a compliance buyer:
- Specific rule citations. Every flag should name the FCA rule it's grounded in. "Annual review overdue" is weak. "Annual review overdue: 14 months elapsed, COBS 9.5.2R requires within 12 months" is what the FCA expects to see in your audit trail.
- Audit-trail completeness. Ask: "If the FCA requested 7 years of activity for client X tomorrow, what's the export?" Some platforms produce a clean PDF audit pack in one click. Others produce a CSV the compliance team will spend two days reformatting.
- Multi-tenant data isolation. For network principals especially: the platform should isolate each firm's data at the database layer, not in application code. Ask whether they use Row Level Security or equivalent. Application-layer isolation is a future breach.
- Integration depth, not breadth. A vendor that integrates with 30 systems shallowly is less useful than a vendor that integrates deeply with the 3 systems you actually use. Ask for a worked example of the OAuth handshake and what data syncs in which direction.
- The AI honesty test. If the vendor has an AI assistant, ask whether it's framed as decision support or as regulated advice. The honest answer is decision support. Any vendor positioning AI as a replacement for the compliance officer's judgment is a vendor to walk away from.
- Data residency. For UK IFA firms specifically: client data should be hosted in the UK or EU, not the US. Ask which AWS or Azure region, ask about the UK GDPR transfer mechanism if anything sits in the US.
- Pricing predictability. Per-active-client pricing is the norm. Watch for per-feature surcharges, "training fees," or aggressive overage clauses if you grow.
- Onboarding time-to-value. A reasonable platform stands up its CRM integration and surfaces compliance health within a week. If onboarding is quoted as "8-12 weeks of professional services," you're buying consulting with software attached.
What it costs (and what it saves)
Based on publicly listed prices observed across the category in Q2 2026, monthly subscription costs for UK IFA-specific compliance software typically fall in these ranges:
- Single-firm boutique (up to 100 active clients): £400-£800/month.
- Multi-adviser practice (100-500 clients): £1,200-£2,500/month.
- Large firm or small network (500-2,000 clients): £2,500-£6,000/month.
- Network principals (2,000+ clients across member firms): bespoke pricing; typically £8,000-£25,000/month.
Amaea's published rates (/pricing) sit toward the upper end of each band: Essentials at £699/mo, Professional at £1,599/mo, Scale at £2,199/mo. Cheaper options exist in the category with narrower feature coverage; more comprehensive enterprise options sit above this range.
Reference costs for context:
- A senior compliance consultant day rate is £600-£1,500. A compliance officer salary is typically £45,000-£80,000 fully loaded. A £1,500/month subscription is roughly one day per month of consultant time.
- A standard FCA enforcement penalty for inadequate suitability records ranges from £10,000 (smallest firms) to multiple millions (network-scale failures). The 2024-2025 enforcement actions against IFA firms averaged in the low hundreds of thousands.
- Professional Indemnity Insurance deductibles for advice-related complaints are commonly £10,000-£50,000 per claim. A single missed annual review that escalates can exceed the deductible.
The honest framing: compliance software is cheaper than the consequence of a single material breach it would have caught. It's not cheaper than having an excellent compliance officer who manually catches everything, but no compliance officer can manually maintain coverage across hundreds of clients indefinitely. The software extends what the officer can supervise.
Where Amaea fits in the category
Amaea is FCA compliance software for UK IFA firms specifically. It's not a general-purpose compliance platform extended to advice firms; it's built for the COBS / DISP / SYSC / Consumer Duty rules that govern UK advice. The dashboard, audit trail, and rule citations are all advice-firm-shaped.
What we built differently:
- Every flag cites the specific FCA rule. "Annual review overdue, 14 months elapsed, COBS 9.5 breach" not "review needed."
- The AI assistant is framed as decision support. It surfaces relevant FCA Handbook chunks for a question, with citations. It's explicitly not regulated advice. Every response logs a SHA-256 hash so you can reproduce what the model said on a given day.
- Multi-tenant isolation at the database layer. Row Level Security enforced in Supabase Postgres; cross-firm reads are refused by the database, not by application code.
- Data hosted in EU-West (Ireland). No US transfer of personal data.
- Audit trail with 7-year retention by default (configurable to indefinite for pension transfers per SYSC 9 expectations).
- RMAR pre-population for sections B, D, E, G, and H from live data, exporting as CSV ready for RegData.
- Network principal support for AR networks and IFA groups: see the networks page for how cross-firm visibility works.
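As an added illustration of what "isolation at the database layer" means, both in the vendor checklist above (the Row Level Security question) and in the Supabase Postgres point in this list, here is a generic Postgres Row Level Security setup; it is example code written for this guide, not Amaea's schema or policies. It assumes a single `clients` table keyed by `firm_id`, an application that identifies the tenant per transaction through a setting named `app.firm_id`, and an application role `app_user` without BYPASSRLS.

```sql
-- Illustrative Postgres schema, not Amaea's: one table holds every firm's client records.
CREATE TABLE clients (
    id          bigserial PRIMARY KEY,
    firm_id     uuid NOT NULL,            -- the tenant key every policy is keyed on
    client_name text NOT NULL,
    last_review date
);

-- Enable RLS; FORCE makes it apply even to the table owner.
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

-- Assumption: the application identifies the tenant per transaction with
--   SET LOCAL app.firm_id = '<firm uuid>';
-- current_setting(..., true) yields NULL when the setting is absent, so a
-- connection that forgot to identify its tenant sees no rows rather than all rows.
CREATE POLICY firm_isolation ON clients
    FOR ALL
    USING      (firm_id = current_setting('app.firm_id', true)::uuid)   -- reads, updates, deletes
    WITH CHECK (firm_id = current_setting('app.firm_id', true)::uuid);  -- inserts and updated rows

-- Application role: owns nothing and has no BYPASSRLS, so it cannot opt out of the policy.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO app_user;
GRANT USAGE, SELECT ON SEQUENCE clients_id_seq TO app_user;

-- Seed two firms (constructed sample data).
INSERT INTO clients (firm_id, client_name, last_review) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Client A (firm 1)', '2025-01-15'),
  ('22222222-2222-2222-2222-222222222222', 'Client B (firm 2)', '2025-03-02');

-- What a buyer can ask to watch: an unfiltered query run as firm 1.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.firm_id = '11111111-1111-1111-1111-111111111111';
SELECT client_name FROM clients;   -- firm 2's row is invisible although the query has no WHERE clause
-- A cross-firm write is rejected by the WITH CHECK clause, whatever the application intended.
INSERT INTO clients (firm_id, client_name)
  VALUES ('22222222-2222-2222-2222-222222222222', 'Written into firm 2');
ROLLBACK;
```

Contrast this with application-layer isolation, where every query has to remember its own `WHERE firm_id = ...` clause and one forgotten clause is a cross-firm leak; with the policy above, a query that omits the clause still returns only the current firm's rows.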
The case against Amaea right now is the same as the case against any pre-launch SaaS: we're in design-partner mode with September 2028 as our public launch. Buyers who need a fully-mature platform today should look at established vendors in the space. Buyers willing to shape the product around their firm in exchange for influence and pricing protection should book a demo or join the launch waitlist.
Have a category question this guide didn't answer? Email hello@amaea.co.uk. We update this page as the conversations come up.