Surviving a Section 166 review: a CFO/COO action plan
A Section 166 skilled person review is one of the most significant regulatory interventions an FCA-regulated firm can face. Unlike a routine supervisory visit or a request for information, a Section 166 review under the Financial Services and Markets Act 2000 brings an independent expert — approved by the FCA — into the firm to assess a specific area of its business. The results go directly to the FCA. For the CFO or COO holding SMF responsibility for the area under review, the process is both professionally demanding and personally consequential. Understanding what a skilled person review involves, how to prepare for one, and how to demonstrate the right level of governance engagement is essential for any senior manager in an FCA-regulated firm.
What triggers a Section 166 review
The FCA can require a skilled person review at any point where it has concerns about a firm that it wants to investigate through an independent expert rather than its own supervisory team. Common triggers include: a material operational failure or IT outage that affected clients; a significant financial crime or AML control failure; concerns about the adequacy of a firm’s prudential capital or liquidity management; persistent complaints data suggesting systematic client treatment failures; a whistleblower report that has raised governance concerns; a problematic regulatory return or set of returns that suggest control weaknesses; and situations where the FCA wants an independent view of whether remediation following an earlier supervisory finding has been effective.
Not all Section 166 reviews are initiated by a crisis. Some are pre-emptive — the FCA may require a review of a specific area because it has concerns about a category of firm or a particular business model, rather than a firm-specific event. Investment firms using complex algorithmic trading strategies, payment institutions with high-risk client bases, and firms operating in the cryptoassets space have all been subject to Section 166 reviews that were sector-wide in their origin rather than firm-specific.
The first indication a firm receives of a potential Section 166 review is typically a letter from the FCA’s supervisory team. The letter will identify the area or areas of concern and invite the firm’s response — including, in some cases, the firm’s own proposal for how it would address the concern. If the FCA is not satisfied with the firm’s response, or if it was always intending to require a skilled person review, the formal requirement to commission one will follow.
The CFO and COO’s specific exposure
The CFO and COO are the senior managers most frequently at the centre of Section 166 reviews because the areas the FCA most commonly reviews — financial controls, operational resilience, AML frameworks, prudential management, and outsourcing arrangements — sit within their portfolios. Under the SMCR, the CFO typically holds the SMF2 Chief Finance Function designation, which carries personal accountability for the firm’s financial information, regulatory returns and capital adequacy. The COO, where separately designated, typically holds the SMF24 Chief Operations Function, which carries accountability for the firm’s operational infrastructure and continuity.
When the skilled person’s review covers an area within these functions, the CFO or COO is likely to be interviewed directly by the reviewer as well as by the FCA’s own team. The reviewer will assess not only the adequacy of the controls and processes in the area under review, but also the quality of the governance that the responsible senior manager was exercising over that area. A CFO who can demonstrate that they were receiving structured management information, escalating concerns appropriately and taking informed decisions about resource allocation is in a fundamentally different position from one who cannot.
The action plan: before the review begins
When a Section 166 review is formally required, the firm typically has a short period — often two to four weeks — before the skilled person engages. This is the most valuable preparation window.
Commission your own internal assessment. Before the skilled person arrives, instruct your internal audit or an external advisor to conduct a rapid assessment of the area under review. The purpose is not to remediate everything before the reviewer arrives — the reviewer will almost certainly identify what is wrong — but to ensure that you as the responsible senior manager have a current and accurate picture of the state of the area. Being able to demonstrate awareness of the issues is significantly better than appearing to be unaware of them when the reviewer asks you about them.
Assemble the documentation trail. The skilled person will want to see management information reports, committee minutes, board papers, emails and internal reports relating to the area under review. Compile the documentation that demonstrates your governance engagement: the MI packs you received, the questions you asked, the actions you directed, the escalations you made. If this documentation is thin or incomplete, that is itself information you need to know before the reviewer arrives.
Brief your team. The people who work in the area under review will be interviewed by the skilled person. Brief them — not on what to say, but on the process: who the skilled person is, what their role is, how the interview will work, and the importance of providing accurate and complete information. Staff who are unprepared for skilled person interviews sometimes provide inconsistent accounts not through dishonesty but through anxiety. Preparation reduces that risk.
Engage specialist external counsel. A Section 166 review is not a routine regulatory interaction. Instructing a firm with specific experience of skilled person reviews — both as advisors to firms under review and as skilled persons themselves — gives you access to the practical knowledge of how reviewers operate, what they focus on, and what the FCA is typically looking for from the findings. This is materially different from general regulatory legal advice.
During the review: governance in real time
The skilled person’s review typically runs for several weeks to several months, depending on scope. During this period the CFO and COO need to maintain the highest standard of governance engagement in the area under review — not only because it is the right approach, but because the reviewer is observing in real time how the firm’s senior managers respond to the review itself.
A firm whose senior managers are actively engaged — attending briefings from the skilled person, directing the provision of requested documentation promptly, making decisions about remediation in the interim — demonstrates a quality of governance that reviewers note. A firm whose senior managers are detached from the process, delegate all engagement to legal counsel, and wait passively for the report creates a different impression.
The senior manager should request regular structured briefings from the project team managing the skilled person engagement — at minimum weekly. These briefings should cover: the state of the review, which areas the skilled person is focusing on, any requests for additional documentation that have been made, any preliminary findings that have been shared informally, and the remediation actions being taken in parallel. The senior manager should be making active decisions at these briefings, not simply receiving information.
Where the review identifies issues, the instinct of some senior managers is to wait for the final report before taking action. This is the wrong approach. If the skilled person identifies a control failure in week two of a twelve-week review, the firm should begin remediating it in week three. Acting on emerging findings demonstrates the quality of governance the FCA expects. Waiting for the report to act demonstrates exactly the passivity that the FCA finds most concerning.
The findings and remediation plan
The skilled person’s final report will contain findings and, typically, recommendations. The report goes to the FCA. The firm will usually see the draft report and have the opportunity to comment on factual accuracy before it is finalised — not to edit the skilled person’s conclusions, but to correct any factual errors in the account of what the firm’s processes or controls involve.
The firm’s response to the findings is what the FCA will scrutinise most carefully. A firm that receives findings and submits a credible, specific, time-bound remediation plan — with clear senior manager ownership of each action — demonstrates the responsive governance the FCA expects. A firm that disputes the findings extensively, provides a vague remediation plan, or assigns remediation to teams without clear senior manager accountability creates ongoing supervisory concern.
The CFO or COO should personally own the remediation plan for any findings within their function. This means being identified by name as the accountable individual for specific remediation actions, maintaining a live tracking record of progress, and reporting regularly to the board on remediation status. The FCA may conduct follow-up engagement — including a second skilled person review — to assess whether remediation has been effective. A senior manager who can demonstrate that they drove remediation to completion, on time, is in a much stronger position than one whose remediation programme was delayed or incomplete.
The personal dimension: protecting your position
A Section 166 review does not automatically result in FCA enforcement action against the senior managers concerned. Many reviews lead to firm-level findings and remediation without any personal regulatory consequence for the SMF holders. But the review can become the basis for personal enforcement action where the FCA concludes that a senior manager failed to take reasonable steps to address a problem they knew about, or failed to exercise the governance oversight their function required.
The protection for a CFO or COO is contemporaneous documentation of their governance engagement. MI packs received, questions asked, actions directed, escalations made — this is the evidence that demonstrates the senior manager was exercising the oversight required. Where the documentation trail is thin because the governance process was inadequate, the senior manager needs to understand that as a personal risk, not merely as a finding about the firm’s systems and controls.
FD Capital places CFOs and COOs in FCA-regulated firms where Section 166 governance obligations are a live consideration. The combination of financial expertise and regulatory accountability that the SMF2 and SMF24 functions require is a specific and demanding capability set that not every senior finance or operations professional has developed.
Written by
Adrian Lawrence FCA
Founder & Managing Director, FD Capital Recruitment Ltd
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383
FD Capital is an ICAEW-Registered Practice specialising in senior finance and compliance recruitment for FCA-regulated firms.
Adrian Lawrence FCA is the founder of FD Capital and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW). He holds a BSc from Queen Mary College, University of London, and has over 25 years of experience as a Chartered Accountant and finance leader working with private, PE-backed and owner-managed businesses across the UK. He founded FD Capital to connect growing businesses with the Finance Directors and CFOs they need to scale — and personally interviews candidates for senior finance appointments.