Public launch · September 2028 · Design partners onboarding now Founders Programme is invite-only Join the waitlist
About Features Pricing Contact Sign in Book a demo
13 FCA rules · cross-linked from every page

FCA rules, returns & acronyms.

Plain-English definitions for the FCA references that appear across this site and the Amaea platform. Senior compliance officers won't need it. Anyone reading the case for them might.

Last updated: 21 May 2026 · 13 entries

If you spot a missing entry or want a definition expanded, email hello@amaea.co.uk. This page is maintained alongside the Amaea product and updated when FCA rules change.

COBS 9.5: Annual reviews

The FCA Handbook chapter governing the suitability of ongoing advice services. Requires firms providing ongoing advice to assess the suitability of the advice at least once a year.

The "sufficiency test" (COBS 9.5.6R and the guidance at 9.5.7G) sets out the narrow circumstances in which a scheduled annual review may be omitted: bereavement, serious illness, or the client being uncontactable despite documented reasonable efforts. Each omission needs a written justification on file.

Why it matters: a missed annual review without a documented sufficiency reason is a clear-cut breach. It's the most common COBS finding in FCA enforcement letters to IFA firms.

FCA Handbook: COBS 9.5 →

PS22/9: Consumer Duty

FCA Policy Statement, published July 2022, introducing the Consumer Duty: a higher standard of consumer protection for retail customers. Enforced from 31 July 2023 for existing products and services; from 31 July 2024 for closed products.

The Duty has four cross-cutting outcomes that firms must evidence per customer cohort:

  • Products & services: designed to meet identified target-market needs.
  • Price & value: the price reasonable relative to the benefit.
  • Consumer understanding: communications support informed decisions.
  • Consumer support: help that meets the customer's needs over the lifecycle.

Why it matters: Consumer Duty assessments are now an annual board-level obligation. Most IFA firms still don't have a system that produces auditable per-client outcome records on demand: this is the gap most enforcement is finding.

FCA PS22/9 →

FG21/1: Vulnerable customers

FCA Finalised Guidance on the fair treatment of vulnerable customers, published February 2021. Sets expectations on identifying, supporting, and monitoring vulnerability across all FCA-regulated sectors.

The guidance defines four "drivers" of vulnerability: health, life events, resilience, and capability. Firms are expected to record vulnerability indicators against each driver and re-assess on a defined cadence (commonly 12 months).

Why it matters: a single vulnerable client whose vulnerability isn't recorded, monitored, and adjusted-for is a Consumer Duty breach and an FG21/1 breach. The pair is the most-cited combination in 2025 supervisory letters.

FCA FG21/1 →

SYSC 9: Record-keeping

FCA Handbook chapter (Senior Management Arrangements, Systems and Controls) governing record-keeping. SYSC 9.1.1R requires firms to keep orderly records sufficient for the FCA to monitor compliance with regulatory requirements.

Retention periods vary by activity: typically 5 years for general business, indefinite or pension lifetime for pension-transfer advice, and at least the lifetime of any obligation for client agreements.

Why it matters: if a record exists but cannot be produced on request, the FCA treats it as if it doesn't exist. SYSC 9 is the foundation under every other compliance obligation: every COBS, PS, and DISP breach starts with a SYSC 9 failure.

FCA Handbook: SYSC 9 →

DISP 1.6: Complaint handling

FCA Handbook chapter on dispute resolution, specifically the timeline firms must follow when handling a complaint.

  • Acknowledgement: a written acknowledgement to the complainant within 5 business days of receipt.
  • Updates: the complainant kept informed of progress.
  • Final response: a final response within 8 weeks. If a final response isn't possible, the firm must explain why and the complainant gains the right to escalate to the Financial Ombudsman Service (FOS).

Why it matters: firms with weak complaint-acknowledgement workflows accrue DISP 1.6 breaches one at a time. RMAR Section H reports complaints data publicly; persistent late-acknowledgement patterns show up in the FCA's portfolio reviews.

FCA Handbook: DISP 1.6 →

RMAR: Retail Mediation Activities Return

The FCA's twice-yearly regulatory return for firms engaged in retail mediation: financial advice, mortgage advice, and insurance mediation. Submitted via the FCA's reporting system (formerly GABRIEL, now RegData).

RMAR has 11 sections, lettered A through K:

  • A: Firm details
  • B: Profit & loss
  • C: Client assets
  • D: Regulatory capital
  • E: Professional indemnity insurance (PII)
  • F: Threshold conditions
  • G: Training & competence (T&C)
  • H: Complaints data
  • J: Persistency & retention
  • K: Revenue analysis

The reporting requirement is set out in SUP 16.12.

Why it matters: RMAR is the FCA's primary risk-segmentation tool for retail firms. Persistent gaps (especially in Section H complaints data) trigger supervisory engagement; missed deadlines incur late-filing penalties.

RegData: FCA reporting platform

The FCA's regulatory data collection system, the successor to GABRIEL. Firms file RMAR, FSA017 (annual financial returns), FSA042 (complaints data), and other returns through RegData.

Older documentation still refers to "GABRIEL": the name persists in common use among compliance officers.

Why it matters: any RMAR, FSA017, or FSA042 filing failure surfaces in RegData first. The FCA's view of your firm's compliance state starts from what you submit here.

Article 9 UK GDPR: Special category personal data

The article of the UK General Data Protection Regulation governing special category personal data: data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation.

Processing requires both an Article 6 lawful basis (the standard one) and an Article 9 condition. The most common Article 9 conditions for financial-advice firms are 9(2)(g) substantial public interest (used for FCA-regulated activity) or 9(2)(a) explicit consent.

Why it matters: a vulnerable-client record under FG21/1 typically includes health indicators. That makes it Article 9 data. Most firms haven't formally identified the Article 9 condition they're relying on; the FCA treats this as a Consumer Duty risk and the ICO treats it as a UK GDPR risk.

ICO: Special category data →

FOS: Financial Ombudsman Service

The independent UK body that resolves complaints between consumers and FCA-regulated firms when the firm and customer can't agree. Free for the consumer; firms pay a case fee per complaint accepted.

FOS may award up to £430,000 (2025 limit, adjusted annually for inflation) plus reasonable costs and a sum for distress and inconvenience. FOS decisions are binding on the firm; the consumer may accept or reject.

Financial Ombudsman Service →

FCA: Financial Conduct Authority

The UK regulator for retail financial services firms, including independent financial advisers (IFAs), mortgage advisers, and insurance intermediaries. Authorises new firms, supervises existing ones, and takes enforcement action where rules are breached.

Based at 12 Endeavour Square, Stratford, London E20 1JN. Funded by fees levied on the firms it regulates.

FCA →

ICO: Information Commissioner's Office

The UK regulator for data protection and information rights. Enforces UK GDPR, the Data Protection Act 2018, and PECR (cookie / direct-marketing rules). Independent of the FCA.

Firms must register with the ICO (paying a data-protection fee) and respond to ICO requests within 28 days. The ICO can issue enforcement notices and monetary penalties (up to £17.5m or 4% of global turnover, whichever is greater).

Information Commissioner's Office →

AR firm: Appointed Representative

A firm that conducts FCA-regulated activities under the FCA authorisation of a "principal" firm (the network). The principal firm is responsible for the regulatory compliance of all its ARs.

The AR model is common in financial advice: many small advice practices operate as ARs of a larger network (e.g., Quilter, St. James's Place, True Potential, Openwork). The principal firm typically provides compliance oversight, technology, and PII cover; the AR keeps its own brand and client relationships.

Why it matters: the principal firm's compliance officer needs visibility across all ARs in the network simultaneously. A breach by one AR is the principal's regulatory liability.

Section 166: Skilled Person Review

The FCA's statutory power under section 166 of the Financial Services and Markets Act 2000 (FSMA) to require an FCA-regulated firm to commission an independent expert (the "skilled person") to review specific aspects of the firm's business. The skilled person's report goes to both the firm and the FCA.

Section 166 is used when the FCA has serious supervisory concerns but is not yet at the formal enforcement stage. The firm pays for the skilled person's work, which routinely runs into hundreds of thousands of pounds. Scope is set by the FCA in the appointment letter (the "requirement notice").

Why it matters: for network principal firms, a single member firm receiving a Section 166 expands into questions about the principal's oversight framework. Demonstrating consistent oversight across all member firms becomes a 5-day project, not a 12-week one, if the data is already structured by the platform.

FCA: Skilled persons reviews →

Have a question about an FCA rule that isn't here? Email hello@amaea.co.uk. We add definitions as they come up in design-partner conversations.