How to Build an FCA Compliance Monitoring Plan
A practical guide to building an FCA compliance monitoring plan that combines risk priorities, FCA Register checks, Companies House data, watchlists and alerts.
An FCA compliance monitoring plan should not be a document that gets written once, saved in a folder and forgotten.
For firms and teams operating around UK regulated financial services, monitoring only works if it is connected to live information: firm status, permissions, appointed representatives, regulated individuals, controller changes, Companies House filings, website changes and other signals that may affect risk or require review.
This article explains how to think about an FCA compliance monitoring plan from a practical data and workflow perspective. It is not legal, regulatory or compliance advice. Firms should use official FCA materials and appropriate professional advice when deciding what their own compliance arrangements need to include.
What is an FCA compliance monitoring plan?
An FCA compliance monitoring plan is a structured way to decide what compliance risks need to be reviewed, how often they should be reviewed, who owns the checks, what evidence should be kept and what happens when something changes.
The FCA Handbook includes rules and guidance on compliance arrangements in SYSC 6.1. For relevant firms, the FCA refers to maintaining adequate policies and procedures, monitoring and assessing their effectiveness, and establishing a risk-based monitoring programme. The details depend on the type of firm, its activities and the rules that apply to it.
In practical terms, a compliance monitoring plan should help a team answer questions such as:
- What regulated activities, firms, people or relationships do we need to monitor?
- Which changes would create risk or require internal review?
- Which checks need to happen continuously, weekly, monthly, quarterly or annually?
- Who owns each check?
- What evidence do we keep?
- How do we escalate issues?
- How do we update the plan when the business, market or regulatory position changes?
For teams monitoring FCA-regulated firms outside their own organisation, the plan may also include watchlists of counterparties, appointed representatives, introducers, distributors, acquisition targets, competitors, vendors or regulated firms in a specific market segment.
Start with the risk areas you need to monitor
A useful plan starts with risk, not with a spreadsheet.
Before deciding what to track, define the areas where change would matter. For example, a compliance, legal or regtech team may need to monitor:
- Firms with specific FCA permissions.
- Firms in a particular regulated sector.
- Appointed representative relationships.
- Changes to firm status.
- Regulated individuals or Directory Persons.
- Controllers, directors or ownership structures.
- Firms entering or leaving a target market.
- High-priority counterparties or partners.
- Firms that match an internal risk profile.
The right scope depends on the use case. A compliance team inside a regulated firm may be monitoring its own controls, counterparties and regulatory obligations. A regtech vendor may be monitoring firms that use or could use its product. A legal or professional services team may be monitoring market changes for clients. A commercial intelligence team may be monitoring the same data for sales, M&A or research purposes.
The plan should make the use case explicit. Otherwise, every FCA Register change looks equally important, and the team ends up with noise instead of monitoring.
Decide what FCA Register data belongs in the plan
The FCA Register is the source of truth for checking FCA-regulated firms and individuals. For a monitoring plan, the useful question is not just “can we look this up?” It is “which fields should trigger review when they change?”
Depending on the use case, relevant FCA-derived data may include:
- Firm name.
- Firm reference number.
- Current status.
- Permissions and regulated activities.
- Appointed representative relationships.
- Principal firm relationships.
- Trading names.
- Registered or business addresses.
- Directory Persons or regulated individuals where relevant.
- Restrictions, requirements or other status indicators where available.
For example, a firm status change may matter because a counterparty, introducer or monitored market participant no longer has the same regulatory position. A permission change may matter because a firm has moved into or out of an activity that your team cares about. An appointed representative change may matter because it affects a network, principal relationship or distribution structure.
The plan should define which of these changes are simply logged and which require someone to review them.
Add Companies House and ownership monitoring
FCA Register data is important, but it is not the whole picture.
For many monitoring workflows, Companies House data adds useful context. A compliance monitoring plan may need to consider:
- Director appointments and resignations.
- Persons with significant control.
- Registered office changes.
- Company name changes.
- Group or ownership structure.
- Filing events.
- Dissolution, liquidation or other company status changes.
These changes do not automatically prove compliance risk. A director change does not, by itself, mean something is wrong. A new PSC does not, by itself, mean a firm is unsuitable. But these events may be useful prompts for review, especially when combined with FCA Register data and the team’s own risk priorities.
This is where a monitoring plan becomes more useful than a one-off check. A one-off check tells you what a firm looked like at one point in time. Monitoring tells you when the picture changes.
Define your watchlists
A watchlist is a defined set of firms, people or relationships that your team wants to monitor over time.
Useful watchlists might include:
- All firms with a specific FCA permission.
- All firms in a target sector, such as advice, wealth, lending, payments or insurance.
- All appointed representatives connected to a principal firm.
- All firms in a region or market segment.
- Key counterparties, partners or vendors.
- Firms that have recently changed status.
- Firms that match an internal risk review profile.
The important thing is that each watchlist should have a reason. A watchlist called “all FCA firms” is rarely useful by itself. A watchlist called “directly authorised advice firms in target regions with relevant permissions” is much easier to monitor, review and explain.
For each watchlist, define:
- Why the list exists.
- Who owns it.
- Which data fields matter.
- Which changes trigger review.
- How often the list is refreshed.
- Where evidence is stored.
Set a monitoring cadence
Not every check needs the same cadence.
Some changes may justify alerts as soon as they are detected. Others may only need a weekly, monthly, quarterly or annual review. The cadence should reflect risk, operational importance and the team’s ability to act on the information.
An illustrative cadence might look like this:
|
Cadence |
Example checks |
|---|---|
|
Real-time or alert-based |
Firm status changes, permission changes, appointed representative changes, controller/director changes for high-priority watchlists |
|
Weekly |
Review newly detected changes, triage alerts, update internal notes |
|
Monthly |
Check watchlist coverage, review unresolved changes, refresh priority segments |
|
Quarterly |
Review whether the monitoring scope still matches risk priorities |
|
Annually |
Reassess the plan, owners, evidence standards and escalation process |
This table is not a regulatory requirement. It is a practical structure. Each firm or team needs to decide what cadence is appropriate for its own activities, obligations and risk profile.
Decide what triggers review or escalation
Monitoring is only useful if the team knows what happens next.
For each watchlist, define what should happen when a relevant change appears. Examples might include:
- Log the change only.
- Add the firm to a review queue.
- Assign the change to a named owner.
- Request more information.
- Review the firm’s website and Companies House profile.
- Check whether the change affects an internal relationship or risk rating.
- Escalate to compliance, legal, risk or senior management.
Possible trigger events include:
- A firm becomes no longer authorised.
- A firm gains or loses a relevant permission.
- A firm adds or loses appointed representatives.
- A principal relationship changes.
- A director or controller changes.
- The firm changes name, address or trading style.
- The firm appears to move into a new activity or sector.
- A monitored firm enters a formal company process such as dissolution or liquidation.
The goal is not to treat every change as a problem. The goal is to make sure the right changes are seen by the right person at the right time.
Keep an evidence trail
Compliance monitoring often needs evidence, not just awareness.
A practical evidence trail may include:
- The date a check was performed.
- The data source used.
- The firms or watchlists checked.
- The changes detected.
- Notes on review decisions.
- Exports or snapshots.
- The person or team responsible for follow-up.
- The date the issue was closed or escalated.
This is another reason manual checks become difficult over time. If a team checks the FCA Register by hand, copies details into a spreadsheet and repeats the process later, it can be hard to prove what changed, when it changed and who reviewed it.
A good monitoring workflow should make repeatable checks easier. It should also make it easier to explain why a change was reviewed, ignored, escalated or added to a future watchlist.
Where FCA Register data is enough, and where enrichment helps
For regulatory status, the FCA Register is the authoritative source. Any compliance monitoring workflow should respect that.
But teams often need more than raw FCA Register data. They may need to join FCA data to Companies House data, website intelligence, ownership signals, categories, people data and internal notes. They may need to filter thousands of firms into a smaller watchlist. They may need to identify which firms match a segment before they can monitor them.
That is where enrichment helps.
For example, a team may want to monitor:
- FCA-regulated firms with specific permissions.
- Firms that appear to operate in a particular market segment.
- Firms connected to appointed representative networks.
- Firms with recent director or controller changes.
- Firms that have changed status, website positioning or company structure.
The FCA Register can answer some of these questions. Companies House can answer others. Websites and classification data can add context. The monitoring value comes from joining the sources into a workflow that the team can actually use.
How Distos supports FCA compliance monitoring
Distos helps teams turn FCA-regulated firm data into searchable, enriched and monitored commercial intelligence.
For compliance, legal, regtech and monitoring teams, Distos can support workflows such as:
- Searching across FCA-regulated firms.
- Segmenting firms by category, status, permissions and other attributes.
- Monitoring appointed representative relationships.
- Combining FCA Register data with Companies House information.
- Reviewing owners, controllers and directors where available.
- Building watchlists around firm segments or risk priorities.
- Tracking changes over time.
- Creating alerts and exports for review workflows.
Distos does not replace compliance judgement, legal advice or a firm’s regulatory responsibilities. It helps teams reduce manual data work and monitor the FCA-regulated market more systematically.
If your team is building a compliance monitoring plan, bring a watchlist, firm segment or monitoring workflow to a Distos demo. Distos can help you see how FCA Register data, enrichment, alerts and exports can support the way your team monitors change.
