An FCA Skilled Person review under section 166 examines a firm's systems, controls, and decisions against a defined scope set by the regulator. The Skilled Person tests whether the firm's actual practice matches its stated practice, whether its decisions were supported by evidence at the time they were made, and whether the governance around those decisions was real or theatrical. The output is a report the FCA reads alongside its supervisory file.
Most firms only encounter a Skilled Person review once, if at all. By the time they do, the period the reviewer is looking at is already in the past, the people involved have often moved on, and the documents the reviewer needs are scattered across systems that were never designed to support an external evidential process.
The review is not adversarial. The Skilled Person is not the regulator. They are a third party, usually a partner-grade professional services firm, instructed by the FCA to look at a defined area and report what they find. The firm pays for the review. The firm has rights to engage with the process. The firm's cooperation is required, not optional.
Understanding what the Skilled Person actually does is the difference between a review that is uncomfortable and one that is catastrophic.
Section 166 of the Financial Services and Markets Act 2000 gives the FCA the power to require a firm to commission a report from a Skilled Person on a defined area of concern. The scope is set out in a notice the firm receives, often after a period of supervisory engagement during which the FCA has formed a view that something needs independent examination.
Common scopes include financial crime systems and controls, customer redress and remediation, governance and senior management arrangements, and the integrity of regulatory reporting. The scope can be narrow, focused on a single product area or a single failure, or broad, covering the entirety of a firm's compliance function.
The Skilled Person is selected from a panel maintained by the FCA, or in some cases proposed by the firm and approved by the regulator. The Skilled Person reports to the FCA, not to the firm, although the firm receives the report and is given the opportunity to respond.
A Skilled Person review is an evidential exercise. The reviewer is looking for what was actually done, not what the firm now says was done. That distinction is the entire structure of the engagement.
The first thing the reviewer asks for is the relevant documentation: policies, procedures, methodologies, training materials, governance committee minutes, decision records, and the systems data underlying the activity in scope. The reviewer reads all of it, not selectively, looking for the version that was in force during the period under review and the evidence that the documented framework was the framework actually being applied.
The second is sample testing. A defined sample of files, transactions, decisions, or cases is pulled and tested against the firm's stated framework. The reviewer is not asking whether the outcome was right. They are asking whether the process produced an outcome the firm can defend, given the evidence on the file at the time the decision was made.
The third is interviews. Senior staff, MLROs, compliance officers, and front-line analysts are interviewed individually. The Skilled Person is calibrating whether what the policy says is what the staff understand, whether the systems work the way the staff describe, and whether the firm's stated culture is the firm's actual culture.
The fourth is comparison. The reviewer is benchmarking the firm against published regulatory expectations, against industry practice for firms of similar size and risk, and against what the FCA has told other firms in similar situations.
The fifth, which firms often overlook, is the reviewer's assessment of the firm's response to the review itself. Cooperation, transparency, and the quality of the firm's evidence retrieval all feed into the report. A firm that cannot produce documents, that produces inconsistent versions of the same document, or that produces documents only when pressed, has already told the reviewer something about the underlying control environment.
The first failure pattern is the documentation gap. The policy that was in force during the review period cannot be located. There is a current policy. There is an older policy. The transition between them is undocumented. The reviewer has to make a judgement, and judgements made under those conditions tend to be unfavourable.
The second is the methodology drift problem. The system was set up against one methodology. The methodology was updated. The system was not. For a period, the system was producing outputs against rules that were no longer the firm's rules, and nobody noticed. When the reviewer notices, the entire output of the system during that period is in question.
The third is governance theatre. Committee minutes show that a decision was reviewed. The minutes do not show what the committee considered, what alternatives were discussed, or what the decision rationale was. A signature without a standard tells the reviewer the governance was procedural, not substantive.
The fourth is the reverse-engineered defence. The firm produces evidence after the fact that, at the time, the decision was correct. The evidence is plausible, but the file does not show that the evidence was relied upon at the time. The reviewer cannot use after-the-fact evidence to validate a decision the file does not support.
The fifth is the system that nobody owns. The CDD platform, the screening tool, the case management system. Each was bought at a different time, by a different team, configured by people who have left. The firm cannot answer questions about the configuration because the firm does not know how the system is configured. The reviewer is now investigating not just the original concern, but the broader question of how the firm has visibility over its own controls.
Files survive when they show evidence of thinking. Decisions survive when they are supported by contemporaneous documentation. Methodologies survive when they are versioned and the version is recorded against the decision. Governance survives when it is bounded, recorded, and challengeable.
The work that produces this is structural. It is the difference between systems that capture decisions for the firm's own use and systems that capture decisions in a form that an external reviewer can follow. The two are not the same. Most firms have built the former, often without realising they need the latter.

| Test area | What the reviewer is looking for |
|---|---|
| Documentation | Policies in force at the time, version controlled, retrievable |
| Sample files | Decisions supported by contemporaneous evidence |
| Staff interviews | Consistency between policy, system, and operational practice |
| Governance records | Bounded, recorded, challengeable decisions |
| Firm cooperation | Speed, completeness, and consistency of evidence retrieval |

The Skilled Person is not the worst thing that can happen to a firm. The Final Notice that follows a Skilled Person review where the firm could not defend its decisions is. The work to be ready for the former is the same work that prevents the latter.