A practical guide to preparing for FCA supervisory visits, skilled person reviews, and internal compliance audits — with checklists, common findings, and response strategies.
FCA supervisory engagement takes many forms: desk-based reviews, on-site visits, thematic reviews, section 166 skilled person reports, and formal investigations. For insurance firms, the prospect of any of these can cause significant disruption — particularly if the firm has not maintained a state of ongoing audit readiness. The FCA provides limited advance notice, and the volume of information requested can be overwhelming if records and processes are not well-organised.
The FCA's supervision model is increasingly data-driven. Before a visit, the regulator will have already analysed your complaints data returns, financial statements, SM&CR filings, and any intelligence from the FOS or other sources. They arrive with specific hypotheses to test. Firms that are well-prepared can engage constructively and demonstrate compliance; firms that scramble to find documents and brief unprepared staff create a negative impression that is difficult to recover from.
Common supervisory findings in insurance firms include gaps in SM&CR accountability mapping, inadequate complaints root cause analysis, weak product governance, insufficient Consumer Duty evidence, and poor record-keeping. Each of these is preventable with the right framework and ongoing attention to compliance fundamentals.
True audit readiness is not a project you undertake when notified of a visit — it is a permanent state that results from strong compliance foundations. The framework covers three dimensions: documentation readiness (can you produce what the FCA asks for?), operational readiness (do your processes actually comply?), and people readiness (can your staff explain what you do and why?).
The framework should include a standing audit preparation pack: a pre-assembled collection of the documents and data that the FCA most commonly requests. This pack should be reviewed and refreshed quarterly, so it is always current. When a supervisory engagement is announced, the firm can respond quickly and confidently rather than entering crisis mode.
Beyond the practical preparations, the framework should also cover your engagement strategy: who will lead interactions with the FCA, how information requests will be managed, how findings will be tracked and addressed, and how the firm will follow up after the visit. A well-managed regulatory engagement can actually strengthen the FCA's confidence in your firm.
Follow these steps to establish ongoing audit readiness and prepare effectively when a specific supervisory engagement is announced.
Create and maintain a pack of documents that the FCA commonly requests. This typically includes: your firm's regulatory permissions and authorisation history, the Management Responsibilities Map and all current SoRs, the compliance monitoring plan and recent monitoring reports, the complaints root cause analysis and MI reports, Consumer Duty board reports and outcomes assessments, product governance documentation, the risk register, training records, financial promotions register, and business continuity plans. Keep this pack in a secure, accessible location and update it quarterly.
At least annually — and immediately when a supervisory visit is announced — conduct a thorough self-assessment against the FCA requirements most relevant to your firm. Walk through each area the FCA is likely to examine: SM&CR compliance, complaints handling, product governance, Consumer Duty implementation, financial promotions, record-keeping, and client money (if applicable). Identify gaps and either remediate them or prepare explanations for why they exist and what you are doing about them.
Identify the key individuals who will interact with FCA supervisors — typically Senior Managers, the Compliance Officer, the Head of Operations, and relevant department heads. Brief them on what to expect, how to respond to questions (honestly and precisely, without volunteering unnecessary information), and the areas the FCA is likely to focus on. Conduct mock interview sessions for anyone who has not been through a supervisory visit before.
Define a clear protocol for managing the supervisory engagement. This should cover: a single point of contact for the FCA relationship (usually the Compliance Officer or a Senior Manager), a process for logging and tracking all information requests, an escalation procedure for unexpected or sensitive requests, a protocol for reviewing documents before they are provided to the FCA, and a communications plan for keeping the board informed throughout the engagement.
If the FCA is conducting an on-site visit, prepare a suitable meeting room with access to relevant systems and documents. Ensure that any confidential or privileged documents that should not be accessible are appropriately secured. For desk-based reviews, ensure you can provide documents electronically in a well-organised, clearly labelled format. First impressions matter — a well-organised response signals a well-run firm.
Review recent FCA publications, Dear CEO letters, thematic review findings, and enforcement actions in your sector to anticipate the areas the FCA is currently focused on. For insurance firms in 2025, likely focus areas include Consumer Duty implementation evidence, fair value assessments, vulnerable customer treatment, complaints handling, and product governance. Prepare additional material in these areas beyond what is in your standing audit pack.
After any supervisory engagement, the FCA may issue findings, recommendations, or requirements. Establish a process for logging these, assigning ownership, setting deadlines, and tracking remediation to completion. Respond to FCA correspondence within the requested timeframe, and keep a record of all actions taken. The quality and timeliness of your response to findings significantly influences the FCA's ongoing assessment of your firm.
After the engagement concludes, conduct an internal debrief. Identify what went well, what could be improved, and any recurring themes that indicate underlying compliance weaknesses. Update your compliance monitoring plan, training programme, and audit pack based on the lessons learned. Share relevant insights with the board and senior management.
Conduct internal compliance audits with the same rigour as an FCA visit. This builds the organisational muscle for dealing with regulatory scrutiny and ensures that internal audits genuinely test your compliance posture rather than confirming what you already know.
The FCA values firms that have a clear-eyed view of their own performance, including areas of weakness. MI that paints an unrealistically positive picture is a red flag to supervisors. Present data honestly, acknowledge challenges, and show what you are doing about them.
Briefing staff is essential; scripting their answers is counterproductive. FCA supervisors are experienced at detecting rehearsed responses. Staff should understand what the FCA is likely to ask about and have access to relevant documents, but their answers should be natural, honest, and based on their genuine understanding of the business.
Firms that engage openly and constructively with the FCA tend to achieve better outcomes than those that are defensive or obstructive. If the FCA identifies a genuine issue, acknowledge it, explain what you are doing about it, and provide a realistic timeline for remediation.
The FCA will often review board minutes as evidence of governance quality. Minutes that simply record decisions without capturing the discussion, challenge, and dissent are weak evidence. Ensure minutes reflect the substance of board deliberations on compliance matters.
Audit readiness at a glance: key regulatory documents, MI reports, and governance records refreshed quarterly; Senior Managers, the Compliance Officer, and department heads prepared; findings logged, owners assigned, deadlines set, and progress monitored.