Introduction: The Purpose and Power of Section 166
Under Section 166 of the Financial Services and Markets Act 2000, UK financial regulators are empowered to assign independent third parties to deeply investigate specific operational areas within a regulated firm. This statutory mechanism gives supervisory bodies an objective, granular view of an institution’s systems, conduct and risk management frameworks when day-to-day supervision proves insufficient.
Section 166 and 166A FSMA (as updated by the Financial Services Act 2012) act as an intermediate supervisory step between standard monitoring and punitive enforcement. While not a disciplinary action in isolation, a Skilled Person review is an intensive diagnostic tool used to identify system vulnerabilities, measure compliance and mandate proportionate, enforceable remediation plans.
The sharp acceleration from 47 to 83 commissioned reviews signals that firms must proactively understand this process. When navigating an active intervention, institutions are expected to strictly adhere to the guidelines established in SUP 5 of the FCA Handbook to ensure compliant governance and efficient appointment procedures.
Who Can Be Appointed? The Role of the Skilled Person Panel
The term “Skilled Person” represents a broad classification of independent professionals, including major advisory practices, specialised regulatory consultancies, legal practices and actuarial firms. To streamline this process, the FCA and PRA maintain a formal Skilled Person Panel, which pre-vets external suppliers based on their technical capacity, past performance, resources and conflict-of-interest management.
The panel is structured into 12 distinct subject-matter categories known as “lots,” covering core areas such as financial crime, market conduct, prudential risk and cyber resilience. The current panel iteration is bound by a fixed procurement cycle, running from 1 April 2026 until 31 March 2030.
As a consultancy holding 8 active Regulatory Category Lots on the official panel, Complyport’s technical depth across conduct, governance, prudential frameworks and financial crime is fully pre-vetted by UK regulators.
Two Paths to Appointment
The selection of an expert follows one of two distinct structural routes:
- Regulator-Led: The FCA or PRA contracts directly with the expert, often launching an accelerated mini-tender among pre-approved panel firms within the designated lot.
- Firm-Led: The regulated business is instructed to nominate a preferred candidate. While firms frequently select from the pre-vetted panel list, they are legally permitted to propose off-panel experts, provided the candidate passes strict regulatory vetting regarding independence, capability and freedom from conflicts.
Deconstructing the Review Lifecycle
Unlike standard data-gathering exercises, a Section 166 review functions as a deep forensic compliance audit. It requires complete control sampling, transaction testing, data analytics, document reviews and structured executive interviews. The typical lifecycle moves through five distinct phases:
- Scoping and Terms of Reference: Aligning with the regulator on precise testing parameters to minimise unnecessary scope creep.
- Forensic Data Analysis: Deep-dive extraction and analysis of relevant corporate materials and operational systems.
- Interviews and Control Testing: Assessing personnel understanding while fostering collaboration and capacity building within the firm.
- Draft Findings and Factchecking: Giving senior management a formal opportunity to review and challenge preliminary observations.
- Final Report Delivery: Submitting the formal independent report simultaneously to the firm and the regulator to dictate subsequent supervisory actions.
Common Triggers and Subject Matter
Regulators typically deploy Section 166 powers when standard supervision highlights escalating risks, repeated compliance failures, or data anomalies in regulatory returns. Common catalysts include whistleblowing allegations, poor outcomes highlighted by thematic market reviews, material IT or operational resilience disruptions, or systemic risk management failures.
In the retail space, triggers focus on potential Consumer Duty breaches, poor outcomes for vulnerable clients, widespread complaints, or product misselling. In wholesale markets, scrutiny lands on market abuse surveillance, transaction reporting precision and conflict management.
The Financial and Operational Burden
Firms are legally responsible for all direct costs associated with an s166 review, regardless of whether the expert was selected by the regulator or the firm. Driven by broader, more complex scopes, average costs have risen significantly over recent cycles, climbing from roughly £534,000 to nearly £992,000, with complex or multi-jurisdictional financial crime investigations routinely exceeding £3,000,000.
Beyond direct fees, firms must navigate severe non-monetary burdens, including the redirection of senior management time, intense data extraction demands and parallel remediation workloads. Poorly managed reviews can also result in costly business restrictions, such as client onboarding freezes via Voluntary Requirements (VREQs), or formal enforcement actions like financial penalties and prohibition orders. Throughout this process, protecting legal privilege is critical to safeguard confidential legal advice from disclosure.
How Complyport Supports Your Business
Complyport provides expert support on both sides of the Section 166 lifecycle:
- As the Appointed Skilled Person: Leveraging our 8 active panel lots to deliver balanced, independent and evidence-based reports that satisfy regulatory mandates.
- As a Dedicated Defense and Shadow Team: Supporting firms facing a review led by an alternative provider. We manage scope negotiations, coordinate data compilation, brief staff for interviews and design auditable remediation frameworks.
- Pre-Emptive Readiness Assessments: Conducting voluntary, confidential health checks in high-risk areas to locate and resolve vulnerabilities before they escalate to an official Section 166 notice. (Note: Separate legal advisors must be engaged for formal legal advice, Complyport delivers expert regulatory consultancy support).
Frequently Asked Questions
How long does a standard Section 166 review take?
Most s166 interventions span 3 to 9 months from the initial Requirement Notice to final report submission. Complex, multi-site projects or historical file reviews can easily extend beyond 12 months, depending heavily on data quality and the firm’s speed of response.
Can a firm negotiate the boundaries of a review?
Yes. When a firm receives a Draft Requirement Notice, there is a vital, time-sensitive window to engage constructively with the regulator. Firms can propose scope clarifications, stage the work, or prioritise higher-risk business units to keep the review focused.
Does an s166 review always result in punitive enforcement?
No. Many reviews are successfully resolved via structured remediation programmes, enhanced supervision, or temporary operational adjustments. Formal enforcement actions are typically reserved for firms that display systemic misconduct, severe consumer detriment, or poor cooperation during the review.
Are you facing heightened supervisory scrutiny or looking to secure an independent partner for an upcoming mandate? Contact Complyport’s specialist advisory team today for confidential, strategic guidance.
- Email: info@complyport.com
- Phone: +44 (0)20 7399 4980
