FCA Perimeter: When Unauthorised Activity Triggers Risk
The regulatory perimeter is the boundary between activities that require FCA authorisation and those that do not. For businesses operating near that boundary — whether through deliberate product design, rapid growth or genuine uncertainty about the applicable rules — crossing it without authorisation creates serious legal and regulatory risk. The FCA takes perimeter issues seriously and has significant enforcement powers when the line is crossed.
The general prohibition in Section 19 of FSMA 2000 provides that no person may carry on a regulated activity in the United Kingdom unless they are either FCA-authorised or exempt. Breach of the general prohibition is a criminal offence, punishable by up to two years’ imprisonment and an unlimited fine. The FCA also has civil enforcement powers to take action against unlawful activities, and can seek injunctions, restitution orders and other remedies against individuals and businesses that carry on regulated activities without authorisation. Understanding where the perimeter falls — and what the consequences are of inadvertently crossing it — is not just a compliance matter. It is fundamental to the legal operation of any business in or adjacent to the financial services sector.
What Is a Regulated Activity?
A regulated activity is an activity of a specified kind carried on by way of business in relation to an investment, specified product or specified service of a specified kind. This sounds circular and it is — the substance is in the specification. The Regulated Activities Order 2001 (the RAO) sets out the activities that are regulated and the investments, products and services to which the regulation applies. The principal regulated activities include: accepting deposits; effecting and carrying out contracts of insurance; dealing in investments as principal or agent; arranging deals in investments; managing investments; providing investment advice; acting as a custodian; establishing collective investment schemes; and a number of activities in consumer credit, payment services and consumer hire.
The RAO also defines the scope of each activity precisely. “Dealing in investments as principal” means buying, selling, subscribing for or underwriting investments as principal — but only if the investment falls within the specified investment categories listed in the RAO. A business that buys and sells interests in property companies may or may not be dealing in investments as principal, depending on whether those interests fall within the specified investment definition. A software company that provides a marketplace connecting investors with opportunities may or may not be arranging deals in investments, depending on how its platform functions and what role it plays in the transaction. The analysis is always fact-specific, and the fact-specific nature of the RAO definitions is precisely what creates perimeter uncertainty for new and innovative business models.
Exclusions and Exemptions: The Other Side of the Perimeter
The RAO not only specifies regulated activities — it also provides exclusions from those activities that effectively move businesses back outside the perimeter. The exclusions are critically important because many businesses that would otherwise carry on regulated activities fall within them. Common exclusions include: the own account exclusion (which excludes certain dealing activities carried on by businesses that are dealing only for themselves); the group exclusion (which excludes certain activities between companies in the same group); the professional firm exclusion (which allows certain firms like law firms and accountants to carry on limited regulated activities without FCA authorisation); and various other exclusions specific to particular activity types.
Exemptions operate differently from exclusions. Exemptions are granted to specific categories of person — the Bank of England, Lloyd’s of London, certain government bodies, Appointed Representatives of authorised firms — and remove those persons from the FCA authorisation requirement entirely. The Appointed Representative regime is the most commercially significant exemption: it allows businesses to carry on regulated activities under the umbrella of an authorised principal firm, without themselves being directly authorised, provided the principal accepts responsibility for the AR’s regulated activities.
The practical consequence of the exclusions and exemptions regime is that perimeter analysis is never simply a question of whether an activity is regulated. The question is always whether the activity is regulated and whether an exclusion or exemption applies. Many businesses that appear to be carrying on regulated activities are in fact excluded or exempt. Equally, many businesses that believe they fall within an exclusion or exemption do not — because they have not analysed their activities precisely against the relevant RAO provisions, or because their business model has evolved beyond the scope of the exclusion they relied on.
The Financial Promotions Perimeter: A Separate but Connected Issue
The general prohibition operates alongside — but is separate from — the financial promotions restriction in Section 21 of FSMA. Section 21 restricts communications that invite or induce the making of investments or agreements to make investments unless the communication is made by or approved by an FCA-authorised person. The financial promotions perimeter is conceptually related to but legally distinct from the regulated activities perimeter.
A business that is not carrying on any regulated activity may nonetheless be restricted under Section 21 if it is communicating a financial promotion — for example, a marketing campaign for a property investment scheme or a crowdfunding opportunity. Equally, a business may be carrying on regulated activities without communicating any financial promotion. Understanding both perimeters — the regulated activities perimeter and the financial promotions perimeter — is necessary for a complete analysis of a business’s regulatory position.
The FCA’s enforcement approach to financial promotions perimeter breaches has become increasingly rigorous, particularly in relation to cryptoasset and high-risk investment promotions. The introduction of the Financial Promotions Gateway in 2024 created a new gateway requirement for authorised firms approving financial promotions — and the FCA has signalled clearly that it will pursue both unauthorised promotions and authorised firms that approve promotions without adequate due diligence on the promotion’s compliance with applicable rules.
How the FCA Identifies Perimeter Issues
The FCA has several mechanisms through which it identifies potential perimeter breaches. Consumer complaints are a primary source: where consumers report being sold financial products or services by unlicensed entities, the FCA will investigate whether the selling firm was required to be authorised. The FCA’s ScamSmart and InvestSmart campaigns actively encourage consumers to check the FCA Register before engaging with financial services providers — and the complaints data generated by consumers who did not check, or who were deceived by unregistered clones of legitimate firms, feeds directly into the FCA’s perimeter enforcement activity.
Market intelligence is a second major source. The FCA monitors financial markets, online platforms, social media and financial press for activity by firms that appear to be carrying on regulated activities without authorisation. The rapid growth of investment promotion activity on social media — particularly through influencer marketing of high-risk investments — has significantly increased the FCA’s monitoring activity in this space. The FCA’s Consumer Investments team specifically focuses on investment fraud and unregulated activity, and it has demonstrated a willingness to use its enforcement powers aggressively against identified perimeter breaches.
Industry reporting is a third mechanism. Authorised firms have an obligation under Principle 11 and SUP 15 to report to the FCA where they become aware of activities by other parties that may constitute unauthorised regulated activities. Law firms, accountants, and other professional advisers who identify potential perimeter issues in their clients’ activities similarly have professional obligations that may lead to regulatory reporting. The FCA has therefore created a network of institutional sensors that can identify potential perimeter breaches through normal commercial activity, without requiring direct consumer complaints.
Self-referrals represent a fourth category that is underappreciated but important. Some businesses that identify potential perimeter issues in their activities proactively approach the FCA through its pre-application services or through a formal FCA contact. The FCA generally treats proactive self-referral more favourably than perimeter breaches that are identified through enforcement activity — which is a strong practical argument for seeking regulatory clarity at the outset rather than hoping the question never arises.
Common Perimeter Issues by Business Type
Fintech and payment platforms. Payment and money services businesses frequently encounter perimeter questions around the boundary between payment services (regulated under the Payment Services Regulations 2017) and non-regulated activities. E-wallets, stored value products and payment facilitation services can trigger PSR authorisation requirements depending on how the platform is structured and what happens to funds in transit. Businesses that begin as technology platforms providing payment infrastructure can cross the regulated activities perimeter as their functionality expands.
Crowdfunding and peer-to-peer platforms. Online investment platforms — including loan-based crowdfunding, equity crowdfunding and property investment platforms — sit in a complex regulatory position. Loan-based platforms operating under FCA authorisation must manage the perimeter carefully as they expand their product range. Property investment platforms that structure their products as unregulated collective investments may find that changes to their structure bring them inside the collective investment scheme regime, triggering authorisation requirements they had not anticipated.
Introducers and referral arrangements. Businesses that introduce clients to financial services providers operate on the perimeter of the “arranging deals” regulated activity. An introducer that simply passes names and contact details to an authorised firm, without providing any advice or information about the products on offer, can typically rely on the introduction exclusion. An introducer that discusses the firm’s products, provides product information, or assists in completing applications has likely moved into arranging — and the RAO exclusion no longer applies.
Restructured professional services firms. Law firms, accountants and management consultants that provide advice on transactions, investments or corporate structures frequently encounter the perimeter of investment advice and corporate finance activity. The professional firm exemption allows these firms to carry on limited regulated activities without FCA authorisation, but the exemption has specific conditions — including that the regulated activity must be incidental to the professional services being provided — and many firms that rely on it do not analyse their activities carefully enough against those conditions.
Using PERG: The Perimeter Guidance Manual
The FCA publishes the Perimeter Guidance Manual (PERG) as part of the FCA Handbook. PERG provides the FCA’s interpretation of the regulated activities framework, including guidance on specific activities and their regulated status, explanations of the exclusions and exemptions, and Q&A-style analysis of common perimeter questions. PERG is not legally binding — it represents the FCA’s view of how the legislation applies — but it is the most authoritative public source of perimeter analysis available and is widely used by legal advisers and businesses navigating perimeter questions.
Businesses that are uncertain about their regulatory position should start with PERG before seeking specialist legal advice. In many cases, PERG provides sufficient clarity to answer the perimeter question without further analysis. Where PERG does not resolve the question — typically because the business model is sufficiently novel that the guidance does not address it directly — specialist legal advice and potentially a formal FCA pre-application engagement are the appropriate next steps.
What to Do if You Think You May Be Outside the Perimeter
The most important step for any business that suspects it may be carrying on regulated activities without authorisation is to take specialist legal advice immediately. The general prohibition creates criminal liability that cannot be managed through self-assessment alone, and the consequences of continuing to operate outside the perimeter while the position is being analysed can include aggravated enforcement action and personal criminal liability for the firm’s directors.
Subject to legal advice, the options typically available to a business that identifies a potential perimeter breach include: applying for FCA authorisation to regularise the position on a prospective basis; restructuring the business model to bring it within an available exclusion or exemption; becoming an Appointed Representative of an existing authorised firm, operating under its umbrella while the business’s own authorisation is in process; seeking a voluntary requirement from the FCA to cease the regulated activity pending authorisation; and in some cases, making a voluntary disclosure to the FCA while simultaneously implementing remediation measures.
The FCA’s approach to firms that self-disclose perimeter breaches and take prompt remedial action is meaningfully different from its approach to those where the breach is identified through enforcement activity. While a self-disclosure does not guarantee leniency, and the criminal consequences of the general prohibition breach cannot be waived by the FCA alone, the regulator’s consistent messaging is that firms that identify issues and come to it proactively are treated more favourably than those that continue unauthorised activities until they are caught.
Adrian Lawrence FCA — Founder, FD Capital Recruitment Ltd
ICAEW Registered Practice | Companies House No. 13329383
“Perimeter issues tend to crystallise most acutely at two moments: when a business scales and its activities expand beyond the scope of the exclusion it originally relied on, and when a business seeks funding or acquires a regulated partner and the regulatory due diligence surfaces questions that were never previously asked. The compliance professionals we place with growth-stage fintech and financial services businesses are those who understand the perimeter well enough to identify issues before they become enforcement problems.”
Adrian Lawrence FCA is the founder of FD Capital and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW). He holds a BSc from Queen Mary College, University of London, and has over 25 years of experience as a Chartered Accountant and finance leader working with private, PE-backed and owner-managed businesses across the UK. He founded FD Capital to connect growing businesses with the Finance Directors and CFOs they need to scale — and personally interviews candidates for senior finance appointments.