Insights

Key Regulatory Issues in UK Financial Services M&A

Key Regulatory Issues in UK Financial Services M&A

Jul 06, 2026
Download PDFDownload PDF
Print
Share

Summary

M&A involving FCA and PRA-regulated firms requires careful consideration of regulatory issues that can materially affect transaction timing, valuation and execution risk. Against a backdrop of heightened supervisory intensity — including the post-Consumer Duty landscape, increased use of tools like the VREQ and growing EU/UK divergence — acquirers should focus on the following five areas from the earliest stages of deal planning.

1. FCA/PRA Change in Control Approval

The UK change in control regime under Part XII, and in particular section 178, of the Financial Services and Markets Act 2000 is often the most critical regulatory workstream in a transaction. Acquirers proposing to obtain or increase control of an FCA or PRA-authorised firm must obtain regulatory approval before completion. Proceeding to completion without the required approvals constitutes a criminal offence. For complex or distressed transactions, particularly those involving PRA-regulated firms, pre-notification engagement with the regulators is often beneficial. 

The FCA and PRA have up to 60 working days to assess a complete notification, although regulators may formally stop the clock when they issue information requests, pausing the assessment period for up to 30 working days in certain circumstances. Early engagement with regulators, robust ownership and controller analysis, and careful planning around completion mechanics are therefore essential. Buyers should also understand the six statutory criteria against which regulators will assess the proposed acquisition — including the financial soundness of the acquirer, the reputation of those who will direct the business, and the risk of money laundering — as deficiencies in any of these areas can result in significant delays, completion being made subject to conditions or, in extreme cases, the transaction being blocked.

It is also critical to identify whether the target group has any licences in overseas jurisdictions, as these may trigger additional change in control processes that need to be factored into the transaction timetable and require input by local counsel. 

2. Variation of Permission

Where a transaction requires changes to the regulated activities carried on by the target or the acquiring group, a formal variation of permission (VoP) application may be required under the Financial Services and Markets Act 2000. Common triggers in an M&A context include the addition of regulated activities post-acquisition which are not covered by the target's existing Part 4A permission or the removal of activities to be discontinued post-acquisition. Buyers should conduct a careful permissions mapping exercise at an early stage, comparing the target's current permission profile against the intended post-acquisition operating model so that gaps or mismatches are identified before they affect deal planning.

VoP applications arising in the context of a change in control are frequently assessed in parallel with the section 178 notification, and regulators may link progress on one process to the other. Where both workstreams run concurrently, proactive pre-notification engagement and careful sequencing are essential, not least as the FCA can take up to six months to process complete VoP applications. Acquirers should also be alert to regulators seeking to impose new requirements or vary existing ones as a condition of granting change in control approval — a power expressly available to both the FCA and PRA under FSMA.

3. Consumer Duty Risk Assessment

Since the introduction of the Consumer Duty, regulatory due diligence has expanded well beyond traditional compliance reviews. The FCA has been clear, through thematic reviews and Dear CEO correspondence, that it expects firms to demonstrate delivery of good outcomes for retail customers in practice, not merely in policy. Buyers should assess whether the target has in place credible evidence of fair value assessments, robust product governance arrangements, accessible customer communications and effective treatment of vulnerable customers.

Particular attention should be paid to the target's legacy book: the Consumer Duty was extended to closed products and services from 31 July 2024, meaning that historic portfolios are squarely within scope. Diligence should be structured around the four Consumer Duty outcomes — products and services, price and value, consumer understanding, and consumer support — to capture the FCA’s expectations. Firms with historic Consumer Duty weaknesses may face remediation programmes, increased supervisory scrutiny and potential impacts on future profitability. Consumer Duty compliance should therefore be a key valuation and diligence consideration, and any identified weaknesses should be reflected in price adjustment, warranty and indemnity protections or conditions to completion.

4. Operational Resilience and Third-Party Dependencies

Operational resilience has become a major supervisory priority for both the FCA and PRA. Firms should have identified their important business services, set impact tolerances and, following the 31 March 2025 implementation deadline, be able to demonstrate that they can remain within those tolerances when disruption occurs. Acquirers should scrutinise resilience testing, incident management frameworks, cyber controls and critical outsourcing arrangements.

Particular attention should be paid to technology platforms and key third-party providers. Given firms’ increasing reliance on outsourced arrangements, compliance with FCA and PRA outsourcing frameworks is an important area for investigation. Weaknesses in resilience arrangements or unmanaged third-party dependencies can create significant post-acquisition integration risks, costly remediation exercises to repaper arrangements and may attract supervisory attention in the period immediately following completion.

5. Prudential Capital and Group Supervision Implications

For banks, insurers, investment firms and other prudentially regulated entities, the transaction's impact on capital requirements must be understood at an early stage. The applicable framework will differ by entity type — UK CRR for banks, Solvency UK (the successor to Solvency II) for insurers, and MIFIDPRU for investment firms — and acquirers should ensure that appropriate prudential expertise is brought to bear on each relevant regime.

Acquisitions can alter regulatory capital calculations, group structures and reporting obligations, potentially triggering additional capital requirements or enhanced supervisory oversight. The PRA may require capital adequacy evidence as part of the change in control notification process, and buyers should also consider the ICAAP and ILAAP implications for banking acquisitions and the need to update recovery and resolution planning post-completion. Buyers should therefore assess not only completion-day capital adequacy but also the ongoing prudential consequences of integration, revised business plans and the implications of any restructuring of the consolidated group.

6. Regulatory Culture, Governance and Senior Management Accountability

Regulators increasingly focus on governance, culture and accountability alongside — and sometimes above — technical compliance issues viewed in isolation. Due diligence should examine board effectiveness, risk management frameworks, regulatory relationships, past supervisory findings and the operation of the Senior Managers & Certification Regime (SMCR). Supervisory correspondence is a critical area for diligence as it allows an acquirer to assess the FCA and/or PRA’s perception of a firm’s compliance arrangements and, by extension, the likelihood of regulatory intervention. A target with a history of regulatory interventions or weak governance may present a greater long-term risk than one with few or isolated technical compliance issues.

Post-completion SMCR obligations also require careful pre-deal planning. Incoming Senior Managers will require fresh FCA or PRA approval, and Statements of Responsibilities and Management Responsibilities Maps will need to be updated. These approvals can take time and should be built into the transaction timetable, not least where a transaction is predicated on inserting a new management team. 

Conclusion

Successful financial services M&A requires regulatory considerations to be integrated into deal strategy from the outset, and treated as interdependent workstreams rather than sequential tasks. In particular, change in control approvals, Consumer Duty compliance, operational resilience and outsourcing, prudential impacts and governance standards should all be addressed as core components of the transaction process. The scope and intensity of due diligence is a key question that is typically determined by several factors, including time constraints and the risk profile of the target. The most effective transactions are those where legal, regulatory and financial advisers work in a co-ordinated way from the earliest stages of deal planning — early identification of these issues can significantly improve deal certainty and reduce post-completion regulatory risk.

Meet The Team

Andrew Hart
Andrew Hart
+44 (0) 20 3207 1148

Richard Werner

Richard Werner
+44 (0) 20 3400 2329

Meet The Team

Andrew Hart
Andrew Hart
+44 (0) 20 3207 1148

Richard Werner

Richard Werner
+44 (0) 20 3400 2329

Meet The Team

Andrew Hart
Andrew Hart
+44 (0) 20 3207 1148

Richard Werner

Richard Werner
+44 (0) 20 3400 2329
This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.