Study fca and pra authorisation of firms and individuals for CISI UK Regulation and Professional Integrity, with a UK-specific reading frame built around the official chapter structure and exam weighting.
This is one of the most operationally useful chapters on the paper. It tests who needs authorisation, what activities sit inside the perimeter, how firms and individuals are approved or recorded, and why competence, ethics, and governance matter before business is carried on. The strongest answer usually starts with the regulated activity itself. If the candidate misclassifies the activity or the person’s role, every later conclusion about permissions, notifications, approvals, or the Directory becomes unstable.
| Check | What matters |
|---|---|
| Official topic weighting | 12% |
| Core distinction under pressure | decide whether the activity, firm, or individual is inside the regulatory perimeter and what permissions, approvals, competence, and governance standards follow from that. |
| Strongest use of this page | read it before timed sets so you can recognise the real route, rule, or conduct problem being tested |
| UK note | Keep UK framing active: FCA, PRA, Bank of England, HM Treasury, FOS, FSCS, FSMA, SM&CR, COBS, CASS, DISP, COMP, JMLSG, UK MAR, and GBP where a sterling amount matters. |
The exam often tests perimeter judgement and authorisation logic: is the person or firm doing something regulated, exempt, prohibited, or subject to approval and oversight? It also tests whether you understand that competence and ethics are not optional extras once a firm is inside the perimeter.
It also rewards clear thinking about the Senior Managers Regime and the distinction between firm-level authorisation and individual-level accountability.
| Section | Main exam angle |
|---|---|
| High-level standards for firms | If the stem suggests weak governance or weak systems, high-level standards are already in issue before any specific sales event occurs |
| Regulated and prohibited activities | If the question asks whether the activity may be carried on, think perimeter and permission first |
| Authorisation, permissions, and exempt persons | If the stem points to a firm acting under limited scope or exemption, read carefully before assuming full authorisation is required |
| Record-keeping and notifications | If the issue is change, reporting, or evidencing what happened, think records and notifications |
| Approval of individuals and the Directory | If the stem focuses on a named individual’s status, move from firm authorisation into individual accountability and records |
| Training, competence, and professionalism | If the person lacks the knowledge or competence for the role, that is an authorisation-quality problem, not just a learning issue |
| Ethical principles and professional conduct in authorisation | If a firm withholds material information from the regulator, the issue is not merely procedural; it is ethical and regulatory |
| Governance and business risk under SMR | If the firm cannot identify who owns a risk area, that is a governance weakness |
For exam purposes, do not start with the application form. Start with the business activity and then work toward the firm and individual consequences.
| Standard or source | Main exam use | Typical clue |
|---|---|---|
| PRIN | Principles for Businesses and broad conduct expectations | A firm behaves unfairly, without due skill, or with poor regard for clients |
| SYSC | Systems, controls, governance, and responsibility allocation | Weak oversight, poor escalation, unclear ownership, or control failure |
| COND | Threshold conditions for authorisation | Whether the firm is fit to be or remain authorised |
| FIT | Fitness and propriety of individuals | Honesty, competence, capability, or financial soundness of a person |
| SM&CR | Senior-manager accountability and conduct standards | Unclear responsibility map, weak senior ownership, or named role accountability |
| Training and Competence | Competence before and during regulated activity | Client-facing employee lacks relevant knowledge, assessment, or CPD |
| Question focus | Think about | Do not confuse with |
|---|---|---|
| Whether business may be conducted | Firm authorisation, permissions, exclusions, or exempt-person route | Whether one employee is competent |
| Whether a named person can perform a controlled or senior role | Individual approval, fitness, propriety, competence, and SM&CR status | Whether the firm’s whole permission set is valid |
| Whether the public record is accurate | Directory and relevant individual information | Internal HR records only |
| Whether a firm can add a new activity | Scope of permission and possible variation | A general right to do all regulated business |
| Whether a senior manager owns a risk area | SM&CR responsibility allocation | Committee discussion without accountability |
| Trap | Better exam response |
|---|---|
| Assuming any financial activity is automatically regulated | Classify the activity and investment under the perimeter first. |
| Assuming authorisation covers every business line | Check the specific permission, not just the firm’s authorised status. |
| Treating an exemption as a full authorisation | Exempt-person or exclusion routes are limited and fact-specific. |
| Ignoring controllers and ownership changes | Controller approval and notifications can matter even without a client complaint. |
| Treating poor competence as just a training problem | Competence affects authorisation quality, supervision, and fair client outcomes. |
Before permissions and forms, the regulator expects firms to meet high-level standards around governance, systems, integrity, and sound operation. The exam often uses this section to test whether a firm is ready to operate at all.
This section is about the perimeter itself. A candidate must recognise when an activity requires authorisation and when a person or firm is straying into business it should not conduct.
Once the activity is recognised, the question becomes what permission or exemption applies. This is where the exam expects you to differentiate properly authorised business from reliance on exemption or another route inside the framework.
Ongoing authorisation is supported by record-keeping and notification duties. Questions here usually test whether the firm understands that being authorised creates continuing obligations, not a one-time approval event.
This section moves the analysis from firms to named people. The exam is often about whether the individual holds an approved or relevant role and how the public record of that role matters.
Authorised business depends on competent people. The exam expects you to see that training, competence, and professionalism are integral to the permission framework, especially in client-facing roles.
The authorisation framework assumes more than technical adequacy. It also assumes honest and ethical behaviour by firms and individuals seeking or maintaining regulated status.
Senior Managers Regime thinking asks who is accountable for the area of risk and whether responsibilities are genuinely owned. The exam normally tests responsibility and governance logic at a practical level.
flowchart TD
A["Proposed business activity"] --> B{"Is it inside the regulated perimeter?"}
B -->|"Yes"| C["Check firm permission or exemption route"]
C --> D["Check records, notifications, and controls"]
D --> E["Check relevant individuals, competence, and accountability"]
B -->|"No or prohibited"| F["Do not proceed on an unauthorised basis"]
A firm wants a new employee to begin a client-facing role immediately even though the person has not yet met the required competence standard for that role. Which concern is strongest?
Answer: D.
The framework expects firms to use competent individuals in relevant roles. Competence is part of the regulatory standard, not just a matter of confidence or later complaint handling.