UK FinTech Compliance Guide (2026)

🏦 FCA⚖️ Consumer Duty🔒 UK GDPR🏛️ AML🆓 Free Review
March 202614 min readJames Whitmore, CTO

Direct Answer

UK FinTech software must address four FCA frameworks: PS21/3 (operational resilience — each IBS independently resilient), Consumer Duty PS22/9 (fair outcomes — product design, pricing, understanding, support), COBS (conduct of business), and AML MLRs 2017 (KYC/AML). ClickMasters has built FCA-compliant software for 40+ UK FinTech clients across lending, payments, investment, and insurance.

FCA Regulatory Framework — Software Implications by Rule

FCA RuleSoftware RequirementImplementationEvidence for FCA
PS21/3 IBS resilienceEach IBS independently deployable and measurableECS Fargate per IBS, CloudWatch Synthetics per IBSQuarterly Impact Tolerance evidence — AWS FIS chaos test
Consumer Duty (PS22/9)Fair product design, transparent pricing, human supportFlesch-Kincaid readability check, pricing transparency APIAnnual Consumer Duty assessment report
COBS 9A (suitability)Suitability record for each investment recommendationAutomated suitability report generation (template-based NLG)Suitability report PDF stored 5 years (FCA requirement)
COBS 6.1B (advice disclosure)State whether advice is independent or restrictedClear disclosure in UI — independent vs restricted labelScreen recording of disclosure at point of advice
CONC 5.2A (creditworthiness)Creditworthiness assessment before credit grantedOpen Banking affordability + credit bureau checkAffordability assessment record stored per application
MLRs 2017 (AML/KYC)Identity verification + AML screening before onboardingOnfido KYC + ComplyAdvantage PEP/sanctions screeningKYC record per customer — archived 5 years
PS21/11 (renewal pricing)Renewal price ≤ new customer equivalent priceAutomated parity check at renewal generationAnnual renewal pricing return to FCA (GABRIEL)
PSD2/PSRs (Open Banking)Consent management + data deletion on revocationConsent log + 30-day deletion workflow on revocationConsent records + deletion audit trail

FCA Consumer Duty — Product Design Checklist

FCA Consumer Duty enforcement: FCA has issued multi-million pound fines for Consumer Duty failures (renewals pricing, hidden fees, inaccessible cancellations). ClickMasters Consumer Duty review is included in every FCA-regulated project. We will not build software that fails Consumer Duty — not because of regulatory risk, but because it is wrong.

AML/KYC Software Implementation

AML ComponentUK RequirementClickMasters ImplementationProvider
Identity verificationMLRs 2017 Reg 28 — verify identity before business relationshipElectronic identity verification (photo ID + liveness)Onfido or Jumio
PEP/Sanctions screeningMLRs 2017 — check against PEPs, sanctions, adverse mediaAPI screening at onboarding + ongoing monitoringComplyAdvantage or Dow Jones
Source of fundsMLRs 2017 — enhanced DD for high-risk customersAutomated SOF declaration above thresholdCustom form + manual review workflow
Transaction monitoringMLRs 2017 — monitor for suspicious activityML anomaly detection + rules-based alertsCustom ML + AWS SageMaker
SAR reportingMLRs 2017 — report suspicious activity to NCASAR workflow (internal review → NCA goAML)NCA goAML API integration
Record keepingMLRs 2017 — 5-year retentionAML records in S3 with 5-year lifecycle policyAWS S3 Intelligent-Tiering

Frequently Asked Questions

Common questions about uk fintech compliance guide (2026).

FCA authorisation timeline: (1) Full FCA authorisation (e.g., payment institution, credit broker, investment firm): 12–18 months from application submission. (2) FCA Sandbox (Regulatory Sandbox): 3–6 months (faster — restricted authorisation for testing). (3) AISP registration (for Open Banking AISP — no money movement): 4–8 weeks. (4) Credit Broker registration (introducing customers to lenders): 2–4 months. Software preparation for FCA application: ClickMasters builds compliance-ready systems before FCA submission — FCA technical review (IT questionnaire) covers PS21/3 architecture, DTAC-equivalent security controls, and AML system documentation. Poorly prepared IT systems are a top reason for FCA application delays. ClickMasters IT questionnaire preparation: 2–4 weeks, included in project scope for FCA-regulated clients.

FCA COBS (Conduct of Business Sourcebook): detailed prescriptive rules for specific business areas (COBS 4 — financial promotions, COBS 6 — advised services disclosure, COBS 9 — suitability, COBS 14 — information to clients). Consumer Duty PS22/9: overarching outcome-based standard — requires firms to deliver good outcomes across all four outcomes (products/services, price/value, understanding, support). Relationship: Consumer Duty is additional to, not a replacement for, COBS. A firm must comply with both. Software implication: (1) COBS generates specific functional requirements (suitability report field, disclosure timing, information document format), (2) Consumer Duty generates design principles (readability, accessibility, cancellation ease) that apply across the entire product. ClickMasters builds both into software design — COBS requirements as acceptance criteria, Consumer Duty as design principles.

About the Author

James Whitmore, CTO UK FinTech compliance specialist — 40+ FCA-regulated products built ClickMasters builds FCA compliance into software from Sprint 1. Compliance is not a retrofit — it is architecture.

Free FCA Compliance Review ClickMasters will...

Free FCA Compliance Review ClickMasters will review your product against FCA Consumer Duty, PS21/3, and AML requirements. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation