A section 166 notice rarely arrives out of nowhere. By the time it lands, the FCA has usually been forming a view of your firm for months. Knowing what puts you in the regulator’s line of sight, and acting before a notice lands, matters far more than most firms assume.
What the data tells us
The FCA commissioned 83 skilled person reviews in 2023/24. That was up sharply from 47 the year before, then back to 48 in 2024/25. The variation reflects shifting supervisory priorities as much as the state of the market. The point is simple: section 166 is an active tool, not a theoretical one, and the FCA uses it when it has concerns.
Recent reviews cluster in retail banking, retail lending and retail investments. Financial crime controls, particularly anti-money laundering (AML) and sanctions, have been a consistent driver. Governance, oversight and consumer outcomes have grown in prominence as Consumer Duty has embedded. Prudential concerns feature regularly, especially for smaller and newer solo-regulated firms.
What puts a firm in the FCA's sights
Reviews are not random. They follow supervisory intelligence building over time: a theme emerging in the data, a regulatory return that raises questions, a Dear CEO letter that gets an inadequate response or a whistleblower complaint. The FCA also uses multi-firm reviews to find outliers, and those outliers may face a follow-up section 166. A firm that has agreed a voluntary requirement (VREQ) to restrict part of its business is already a firm the FCA has concerns about, and a section 166 review often runs alongside or follows one.
Financial crime is the most common trigger. Firms in payments, e-money, crypto and lending are particularly exposed. The FCA has repeatedly found systemic weaknesses in AML controls and transaction monitoring across these sectors. If your firm has had a Dear CEO letter, a visit that raised concerns, or sits in a sector the FCA has flagged as higher risk, the probability is not theoretical.
Controls and governance failures are the second most common driver. This covers weaknesses in the three lines of defence, inadequate board oversight of compliance, or a gap between a firm’s stated risk appetite and how it actually operates.
Prudential concerns tend to be more specific: firms under capital stress, firms operating close to their regulatory capital requirements, or firms with issues in their ICARA or regulatory returns. Solo-regulated firms in investment management and advice are the primary focus here.
What good preparation looks like
The firms that come through a S166 review in the best shape are not always those with the fewest issues. They are the ones that knew where their issues were, had been working on them, and could show that to the skilled person and the FCA.
That means honest self-assessment. It means a realistic view of where your controls are genuinely strong and where they are patchy. It means looking before the FCA tells you to. It also means knowing who to call if a notice arrives tomorrow. A skilled person you trust, who knows your sector and already sits on the FCA’s approved panel, puts you in a far stronger position than searching under pressure.
Who should be paying attention now
If you operate in payments, e-money, crypto or digital assets, financial crime controls remain the FCA’s primary concern. AML, sanctions screening and transaction monitoring are where reviews are most likely to land.
If you are in retail investments or financial advice, Consumer Duty outcomes, suitability and governance are in focus. The FCA has been clear it will use its supervisory tools where firms fall short.
If you are a smaller solo-regulated firm, prudential adequacy is under increasing scrutiny. Whether you hold enough capital and liquid resources to meet your obligations matters more as the FCA updates its approach to ICARA assessments.
In each case, a section 166 notice is not the worst outcome. The worst outcome is being unprepared for one.
Why fscom
fscom’s 2026 Compliance Maturity Benchmarking Report draws on 86 firm self-assessments, so we know what good looks like and where the common weaknesses also sit.
fscom sits on the FCA Skilled Persons Framework 2026–2030 across Lot C (Controls and Risk Management Frameworks), Lot E (Financial Crime) and Lot I (Prudential Risk). We are sector specialists. We know where these reviews land, what good looks like, and how to demonstrate it to the FCA.
Not sure where your firm sits? Take our free Compliance Maturity Self-Assessment today. It will give you a quick review of your strengths and gaps. Then, if you want a realistic conversation about your firm’s risk profile, or you have received a notice and need support, contact us today.
