FCA supervisory reviews of EMIs and payment institutions have become considerably more structured and intensive since the regulator launched its Payment Firms Supervisory Strategy in 2020 and updated its approach to risk-based supervision in subsequent years. Understanding how the FCA approaches supervision — what triggers a review, what format it takes, and what areas receive the most scrutiny — allows firms to prepare effectively and to demonstrate the quality of their controls rather than scrambling to address gaps in real time.
Types of FCA Supervisory Engagement
The FCA engages with payment firms and EMIs through several mechanisms, each with different characteristics:
Desk-Based Reviews
The most frequent form of engagement is a desk-based review — an information-gathering exercise conducted primarily through written information requests. The FCA will send a detailed questionnaire or information request (IR) covering specific aspects of the firm's operations: AML controls, safeguarding arrangements, capital adequacy, or governance. Responses are reviewed by the FCA case team, and follow-up information requests or calls may result. Desk-based reviews do not require on-site presence and can be completed without the firm ever meeting the supervisor in person.
Skilled Person Reviews (Section 166)
Where the FCA has specific concerns about a firm's controls or compliance, it can require the firm to commission a skilled person review under section 166 of the Financial Services and Markets Act 2000. A skilled person is an independent expert (typically a Big 4 or specialist compliance firm) approved by the FCA, who reviews the specific area of concern and reports to both the firm and the FCA. Section 166 reviews are resource-intensive and expensive — they signal that the FCA has material concerns about the firm and is considering supervisory or enforcement action if issues are confirmed.
Supervisory Visits
For higher-risk or more complex firms, the FCA may conduct an on-site supervisory visit. These typically involve the FCA team spending one to three days at the firm's premises, meeting with SMF holders and key compliance staff, reviewing documentation, and conducting transaction file reviews. On-site visits allow the FCA to assess the quality of management, the culture of compliance, and whether the documented procedures are actually being followed in practice.
What FCA Supervisors Assess
AML/CTF Framework
This is consistently the highest-priority area. Supervisors will review the AML risk assessment for current relevance and business-specificity; the AML policy for completeness and calibration against the firm's actual risk profile; transaction monitoring rules and evidence of threshold calibration rationale; SAR volumes and quality of internal escalation documentation; EDD file quality for high-risk clients; and MLRO oversight records (board reporting, audit trail of decisions).
Safeguarding
The FCA will review the safeguarding account documentation (acknowledgment letters, account designations), daily reconciliation records, and the annual safeguarding audit report. Any shortfall between relevant funds and safeguarded funds at any point in the review period will be scrutinised closely. The FCA is specifically looking for systematic reconciliation processes, not ad hoc manual calculations.
Governance and Board Oversight
Supervisors review board minutes from the prior 12 months; evidence of risk appetite review; MLRO annual reports to the board; internal audit reports and management responses; and evidence of board engagement with regulatory capital reporting. The FCA wants to see that governance documents are live documents that drive behaviour, not simply filed records.
Capital Adequacy
Supervisors review the regulatory capital calculation methodology, own funds components, and compliance with ongoing requirements at each quarter end. The FCA may also review the firm's capital planning process and stress testing approach.
Common Findings and How to Prepare
Published thematic reviews and decision notices reveal recurring findings across the EMI sector: inadequate or outdated AML risk assessments; transaction monitoring thresholds that have not been reviewed since initial setup; safeguarding reconciliation weaknesses; and governance documentation that does not reflect genuine board engagement. The most effective preparation for a supervisory review is not a pre-review scramble to update documentation, but a continuous compliance management programme that keeps controls current and well-documented throughout the year. Firms that treat regulatory compliance as an ongoing operational function rather than a periodic exercise for supervisory consumption are consistently better positioned to withstand FCA scrutiny.