Key Takeaways
- A skilled person review (often called an s166) is an independent, regulator-mandated review of a regulated firm’s activities under the Financial Services and Markets Act 2000 (FSMA).
- The Financial Conduct Authority FCA and PRA can require a skilled person review where they have concerns about risks, systems and controls, market abuse, or consumer duty outcomes.
- The skilled person is an external expert, lawyers, accountants, consultants, actuaries, or sector specialists, whose report can drive remediation, restrictions on business, or enforcement action.
- In 2023/24, the FCA commissioned 83 skilled person reviews, up from 47 in 2022/23, indicating a trend towards more proactive regulatory oversight.
- Most skilled person reviews focus on areas such as retail investments, governance, risk management and controls.
- Skilled person reviews are expensive and resource-intensive, so early engagement on scope, planning and delivery is critical to keep them proportionate.
- Complyport sits on the FCA Skilled Person Panel and is appointed on 8 Regulatory Categories (Lots), enabling us to deliver or support a broad range of skilled person reviews.
What Is a Skilled Person Review?
A skilled person review under section 166 FSMA is an independent, expert review of specific aspects of a regulated firm’s business ordered by the FCA or PRA. The regulator issues a formal Section 166 Requirement Notice to the firm, outlining the defined scope, objectives and timeframes of the investigation. Under section 166 of the Financial Services and Markets Act 2000, the FCA can appoint a third party to review and report on areas of concern in a regulated firm, producing written reports that inform FCA supervision.
The power sits in sections 166 and 166A FSMA (as amended by the Financial Services Act 2012) and is used where regulators need deeper analysis than routine supervision provides. Depending on the nature of the regulatory concerns, a skilled person review focuses on clearly defined topics such as governance, systems and controls, financial crime, market abuse, prudential risk, or regulatory compliance.
The typical parties involved include the regulator, the regulated firm and the skilled person who must be independent and approved by the regulator. The skilled person produces a skilled person report and often follow-up implementation or validation reports, that informs the regulator’s supervisory strategy and any potential enforcement action. Skilled person reviews are a key tool for ensuring firms comply with evolving regulation.
Legal Basis and Regulatory Context
Skilled person reviews derive from the Financial Services and Markets Act 2000 (FSMA) and are now a core FCA and PRA supervisory tool. Section 166 FSMA empowers regulators to require a firm (or member of its group) to appoint a skilled person to provide a report on matters specified by the regulator.
A Skilled Person Review operates similarly to a targeted compliance audit and follows a structured lifecycle. This mechanism was strengthened by reforms around 2012–2013 and continues to evolve alongside newer priorities such as consumer duty and wholesale market integrity. Skilled person reviews sit between day-to-day supervision and formal enforcement, they are not disciplinary action themselves, but their findings can underpin enforcement.
The process differs from data-gathering exercises under other FSMA provisions, as s166 demands full forensic testing including document reviews, data analytics, staff interviews and control sampling. The review process may involve multiple reports to thoroughly evaluate different aspects of a firm’s compliance and operations.
Who Can Be Appointed as a Skilled Person?
The term “skilled person” is deliberately broad, covering appropriately qualified and experienced independent experts. The reviewer must be an independent expert, typically from a major advisory firm, accounting practice, or industry specialist. Independent third-party experts are typically senior consultants from professional service firms or specialized regulatory consultants.
Types of organisations that act as skilled persons include:
- Compliance and regulatory consultancies
- Law firms with regulatory practices
- Accounting and audit firms
- Actuarial practices
- Sector-specific specialists
The FCA and PRA maintain Skilled Person Panels, grouping firms by subject-matter lots. The FCA and PRA can directly appoint a skilled person or require an authorized person to appoint one, particularly when there are concerns regarding a firm’s risk framework and effectiveness of its systems and controls.
Complyport is appointed on 8 Regulatory Categories (Lots) on the FCA Skilled Person Panel, meaning we can be selected for conduct, prudential, governance and financial crime reviews. Independence, capability and freedom from conflicts of interest remain critical in all appointment routes.
Appointing a Skilled Person and the Skilled Person Panel
There are two main approaches to appointment: regulator-led (direct selection from the Skilled Person Panel) and firm-led (firm proposes a candidate, subject to regulatory approval). The FCA and PRA can directly appoint a skilled person or require an authorized person to appoint one, particularly when there are concerns regarding a firm’s risk framework and the effectiveness of its systems and controls. The subject matter of a Skilled Person Review typically falls under specific thematic categories defined by the regulator, known as ‘Lots’.
The current FCA Skilled Person Panel (from 1 April 2026 to 31 March 2030) is structured into twelve subject categories covering areas such as governance, conduct, market abuse, prudential risk and IT & cyber. When a review is regulator-commissioned, the regulator usually selects a firm from the panel based on the required lot, experience and capacity. Throughout the appointment process, it is important for regulated firms to communicate effectively with both the regulator and the skilled person, including discussing the scope of the review, conducting tenders and assessing technical and commercial details.
Key factors a regulated firm should assess when nominating a skilled person include:
| Factor | Consideration |
| Expertise | Relevant material knowledge in the review area |
| Track record | Prior s166 delivery success |
| FCA understanding | Knowledge of regulatory expectations |
| Resources | Capacity to deliver within timescales |
| Conflicts | Independence verification |
Regulators expect firms to follow guidance in SUP 5 of the FCA Handbook when engaging a skilled person, including cooperation, access and information provision requirements.
What Does a Skilled Person Review Cover?
The scope of a skilled person review is tightly defined in the Requirement Notice but can be broad and detailed in practice. The thematic categories for review may include financial crime, governance and culture, prudential adequacy and conduct of business.
Common thematic areas include:
- Governance and senior management arrangements
- Risk management frameworks
- Systems and controls
- Financial crime (AML/CTF, sanctions)
- Market abuse controls
- Prudential risk
- Operational resilience
Skilled person reviews assess the adequacy and effectiveness of a firm’s control frameworks and may include recommendations for improvements. Consumer duty reviews often focus on product design, pricing, fair value assessments, vulnerable customer treatment and outcome testing in retail markets. Wholesale conduct themes such as market abuse surveillance, conflicts of interest management and transaction reporting also feature.
Factors considered by regulators when determining scope include firm culture, history of compliance, systems and controls quality, consumer detriment and technical expertise. The scope may include diagnostic work and pre- or post-implementation validation of remediation.
Key Stages of a Skilled Person Review
A Skilled Person Review operates similarly to a targeted compliance audit and follows a structured lifecycle. The regulator issues a formal Section 166 Requirement Notice to the firm, which outlines the defined scope, objectives and timeframes of the investigation.
The main stages involve:
- Scoping and terms of reference: Detailed planning with the regulator
- Document review and data analysis: Involve examining relevant material and controls, often through detailed forensic analysis
- Interviews and testing: Involve personnel interviews, control sampling and may include the transfer of expertise to relevant parties to support collaboration and capacity building
- Draft findings and management fact-check: Opportunity to respond to preliminary findings
- Final report to the regulator: Formal skilled person report delivery
Good governance, clear internal project leadership, issue logs, milestone plans and communication protocols, helps contain cost, avoid scope creep and deliver consistent responses. Some reviews are delivered in phases, particularly for complex financial crime or consumer duty projects requiring further analysis.
Triggers and Use Cases: When Do Regulators Order a Review?
Regulators typically commission skilled person reviews where they identify heightened risk, evidence of failings, or insufficient comfort from standard supervisory tools. The nature of regulatory actions or issues, such as their characteristics, scope, or seriousness, can trigger a skilled person review to ensure consumer interests are protected.
Common triggers include:
- Serious regulatory concerns or repeated supervisory findings
- Whistleblowing allegations
- Thematic review outcomes
- Data anomalies in regulatory returns
- Concerns regarding a firm’s risk management and internal control failures
If there are suspicions of market abuse or misconduct, regulators may initiate a skilled person review to confirm that no malpractice is occurring. Prudential triggers include weaknesses in capital and liquidity risk management, operational resilience incidents, or material IT disruptions, where the consequences of failures in digital systems can be far-reaching and may lead to further regulatory reviews or sanctions.
In the year 2022-2023, the FCA used section 166 powers in 44 cases, primarily related to concerns in the retail investments sector, indicating a trend towards more proactive regulatory intervention. Consumer-facing triggers include potential consumer duty breaches, widespread complaints, mis-selling risk, or poor outcomes for vulnerable customers in retail banking, retail investments, or insurance.
Costs, Burden and Typical Outcomes
Skilled person reviews can be significant in both direct fees and internal opportunity cost. The regulated firm is financially responsible for all costs associated with the Skilled Person Review, regardless of whether the expert is firm-appointed or regulator-appointed.
In 2023/24, the FCA commissioned 83 skilled person reviews, a significant increase from 47 in 2022/23, indicating a rising trend in costs associated with these reviews. The costs have increased significantly, with average costs rising from approximately £534,000 in 2019/20 to around £992,000 in 2021/22, with many reviews now costing firms around £500,000 and larger investigations exceeding £3,000,000.
The financial burden can be exacerbated by scope creep, missing datasets and ineffective collaboration with the skilled person and the FCA, leading to increased costs and potential follow-on reviews. Failure to adequately address findings or implement effective remediation can result in further reviews and potential sanctions from the regulator.
Typical non-monetary burdens include intensive data requests, staff interviews, management time and parallel remediation projects. The outcomes of skilled person reviews can lead to enforcement action by the FCA, including financial penalties, prohibition orders, or the imposition of requirements on the firm. The FCA may use preliminary findings to request a firm to submit to a Voluntary Requirement (VREQ), which can significantly impact operations and cash flow.
A well-managed review can also yield positive outcomes: a clearer risk profile, strengthened controls, improved consumer duty outcomes and restored regulatory confidence.
Practical Steps for Regulated Firms Facing a Skilled Person Review
Early, structured action can reduce cost and regulatory risk once a Draft Requirement Notice or formal Requirement Notice is received. Firms should rapidly assemble an internal response team including compliance, risk, legal and senior management, with a single accountable executive owner.
Engage constructively with the regulator to clarify objectives, refine scope, agree realistic timelines and ensure proportionate terms of reference. Practical project disciplines help significantly:
- Central document repository
- Clear communication protocols with the skilled person
- Version control for submissions
- Regular status updates to the board
Consider legal privilege and interact appropriately with external legal and regulatory advisors to protect the firm’s interest while remaining fully cooperative. Complyport can assist with scope negotiations, data preparation, response coordination and remediation planning from the outset.
How Complyport Supports Skilled Person Reviews
Complyport is an experienced regulatory consultancy that sits on the FCA Skilled Person Panel and is appointed on 8 Regulatory Categories (Lots). We can act as the skilled person where selected, delivering independent, evidence-based reports in governance, conduct risk, consumer duty, financial crime and market abuse controls.
We also support firms subject to skilled person reviews led by other providers, helping with scope negotiations, data preparation, response coordination and remediation planning. Our experience includes designing and validating remediation programmes, customer redress exercises, control enhancements and cultural change initiatives linked to s166 findings.
Early engagement is often the preferred choice for firms seeking cost effective outcomes. Contact Complyport to discuss how we can support your skilled person review:
- Email: info@complyport.com
- Phone: +44 (0)20 7399 4980
- Web: https://complyport.co.uk
FAQ
The following questions address common concerns regulated firms have about skilled person reviews not fully covered above.
How long does a skilled person review usually take?
Most skilled person reviews run for several months from Requirement Notice to final report. Simpler, focused reviews sometimes complete in 3-4 months, while complex, multi-phase projects take 9-12 months or more. Key drivers include scope breadth, data quality, the number of sites and systems involved and how quickly the firm can respond to information requests. Firms can influence timelines at the scoping stage by discussing realistic milestones with the regulator.
Can a firm negotiate the scope of a skilled person review?
While the regulator ultimately sets requirements, firms can and should engage constructively on scope when receiving the Draft Requirement Notice. It is common to propose clarifications, prioritisation of higher-risk areas and staging of work. Informed input, supported by advisors such as Complyport, can help avoid overly broad work while meeting supervisory objectives.
Do all skilled person reviews lead to enforcement action?
Not every skilled person review result in enforcement. Many lead to agreed remediation programmes, enhanced supervision, or temporary restrictions rather than formal penalties. Enforcement is more likely where reviews uncover serious failings, evidence of misconduct, significant consumer detriment, or poor cooperation. Proactive engagement and credible remedial action planning can materially influence outcomes.
Can a firm choose its own skilled person?
In some cases, the firm may propose its preferred skilled person, typically from the FCA Skilled Person Panel, but the regulator must approve. The regulator assesses suitability based on expertise, independence, prior performance and capacity. Early dialogue with potential providers helps firms understand how experience matches the likely scope and which panel lots can be covered.
What is the difference between a skilled person review and an internal audit?
An internal audit or voluntary consultancy review is commissioned by the firm and normally confidential, whereas a skilled person review is mandated under FSMA and formally reported to the FCA or PRA. Internal reviews can proactively identify issues before escalation to a section 166 review. Firms often engage external support like Complyport for pre-emptive reviews in high-risk areas to reduce the likelihood of future regulatory action. Note that giving legal advice requires separate legal advisors, Complyport provides regulatory consultancy support.
