Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a startup or SME in the UK, the Financial Services and Markets Act 2000 (FSMA) can feel like something that only banks and huge institutions need to worry about.
But in practice, FSMA can apply to everyday business activities - especially if you raise investment, build a fintech product, offer credit, handle customer money, or publish marketing that encourages people to invest.
This summary of the Financial Services and Markets Act 2000 (FSMA) is designed for business owners. We’ll explain what FSMA is, when it matters, and what practical steps you can take to reduce risk (without drowning in legal jargon).
Note: This article is general information only and isn’t legal, financial, or regulatory advice. FSMA and FCA rules are fact-specific, so get advice on your particular business model before you act.
What Is FSMA (And Why Should Small Businesses Care)?
FSMA is one of the main UK laws that governs the regulation of financial services. Put simply, it sets up the legal framework for:
- who is allowed to provide financial services in the UK (and when they need authorisation)
- how certain financial products and investments can be marketed to customers and investors
- the role of the UK regulators - primarily the Financial Conduct Authority (FCA), and in some cases the Prudential Regulation Authority (PRA) for prudential oversight of certain firms
- what happens if you get it wrong (including potential criminal offences in certain situations)
For SMEs and startups, FSMA usually becomes relevant in a few common situations:
- You’re building a product in fintech, payments, lending, crypto, wealth, insurance, or investments
- You’re offering customers ways to pay later, pay in instalments, or access credit
- You’re raising funds and want to communicate with potential investors
- You’re introducing customers to third-party financial providers (affiliate/introducer models)
- You’re handling money on behalf of customers or moving money between parties
FSMA sits within a wider compliance landscape for UK businesses. If you want a broader snapshot of where different legal duties can come from, it helps to also understand what laws businesses have to follow.
When Does FSMA Apply To Your Business? (Regulated Activities In Plain English)
The heart of FSMA is the concept of “regulated activities”. If your business is carrying on a regulated activity by way of business in the UK, you generally need to be authorised by the FCA (or be an exempt person).
Regulated activities include things like:
- Arranging deals in investments (for example, helping someone invest in shares or units)
- Advising on investments (even if you call it “guidance”, if it’s personal or influential enough)
- Insurance distribution (selling, arranging, or advising on insurance)
- Consumer credit activities (lending, credit broking, debt counselling, debt adjusting, debt collecting)
- Payment services and e-money (these are often regulated under separate UK regimes, but FSMA is still relevant to your overall permissions, promotions, and how you structure your offering)
- Safeguarding or controlling client money in regulated contexts
The tricky part is that FSMA risk doesn’t only arise when you call yourself a “financial services business”. It can apply where the substance of what you do looks like a regulated activity.
Common Startup Scenarios Where FSMA Can Come Up
Here are some examples where founders can accidentally step into FSMA territory:
- Fintech apps that provide “recommended portfolios” or auto-invest features
- Marketplaces that match investors with borrowers or businesses raising capital
- Subscription products that include instalment payments, “buy now pay later”, or credit options
- Affiliate/introducer businesses sending leads to lenders, brokers, or investment platforms
- Property businesses that pool investor funds or promote investment opportunities
If you’re in any of these categories, your next step is usually to map your business model carefully: what you do, what you say, who you target, and where money flows.
FSMA Financial Promotions: The Rule That Catches Many SMEs
In many day-to-day cases, a business doesn’t “do” a regulated activity - but still runs into FSMA through financial promotions.
A simplified way to think about it is:
- If you invite or encourage someone to engage in investment activity, and
- your message is sent in the course of business,
then your communication may be a financial promotion and must be issued or approved by an authorised person, unless an exemption applies.
What Counts As A “Financial Promotion” In Real Life?
This can cover a lot more than polished adverts. Depending on context, it may include:
- website landing pages about investment opportunities
- pitch decks and investor teaser documents
- social posts promoting an “investment round”
- emails, WhatsApp messages, or newsletters sent for fundraising
- referral incentives tied to investments
This is why your marketing and fundraising materials should be reviewed with the same care as your legal docs - especially if you’re moving fast and publishing content frequently.
And because financial promotions often interact with your broader commercial messaging, it’s worth making sure your Terms and Conditions and customer-facing contracts are also consistent with what you’re promising publicly.
Why This Matters
Financial promotions aren’t just a “regulator paperwork” issue. If you get them wrong, you could face:
- orders to take down or amend content
- regulatory scrutiny that delays fundraising or partnerships
- investor disputes or misrepresentation allegations
- in serious cases, criminal liability (depending on the breach and facts)
The main takeaway: if you’re raising funds or promoting investments, don’t treat comms as an afterthought. Get the rules checked early so you can market confidently.
Do You Need FCA Authorisation, Or Can You Rely On An Exemption?
If your business is carrying on regulated activities, you’ll usually need one of the following to operate lawfully:
- FCA authorisation (the “permission” to carry on certain regulated activities)
- an exemption (where the law allows the activity without authorisation, provided strict conditions are met)
- an authorised partner model (where an authorised firm is involved and you operate within a compliant structure - still needs careful design)
Which route applies depends on what you do, how you do it, and who your customers are.
Practical Examples Of “Permission vs Exemption” Thinking
- If you are advising customers on investments in a personalised way, authorisation may be needed.
- If you are only sharing factual, non-promotional information, you may be outside the financial promotion regime - but the line can be thin.
- If you are raising investment from certain categories of investors, there may be exemptions available, but you’ll need to follow them precisely (including how you word communications and who you send them to).
This is one of those areas where DIY assumptions can create big risk. It’s common for founders to build a product first and “deal with authorisation later” - but if your model is regulated, you may be building on shaky ground.
Where you’re raising funding, you’ll also want your corporate structure and investor arrangements to be clear. In many startups, that means having a proper Shareholders Agreement in place so everyone knows what happens with control, exits, and decision-making as you grow.
FSMA Compliance Steps For SMEs: A Simple Checklist
FSMA compliance can become complex quickly, but the first steps are usually straightforward. Here’s a practical checklist you can work through.
1) Map Your Business Model (What You Do, Say, And Touch)
Start by documenting:
- your product or service features (including “future roadmap” items)
- who pays you and what you’re paid for
- whether you handle customer money and where it sits
- what your website, app screens, and sales scripts say
- how you acquire customers and investors (ads, affiliates, partnerships)
FSMA analysis is often about details - so having this written down makes legal review faster and more accurate.
2) Review Your Marketing And Fundraising Materials
Ask yourself:
- Are we inviting or encouraging investment activity?
- Could our content be seen as a financial promotion?
- Are we targeting the general public, or a restricted group?
- Do we have a clear approval/exemption basis for what we publish?
Also, keep your contracts aligned with your public messaging. Clear commercial drafting helps reduce disputes about “what was promised”. If you’re sense-checking your legal foundations generally, a working understanding of UK contract law helps you spot risk earlier (especially around representations, refunds, and termination rights).
3) Decide If You Need Authorisation (Or A Different Structure)
If your model is regulated, your options may include:
- applying for FCA authorisation (often time-consuming and resource-heavy)
- adjusting the model so it’s not regulated (where commercially possible)
- partnering with an authorised provider (requires careful contracting and oversight)
There isn’t a “one size fits all” answer. The right solution depends on your product, timeline, funding, and risk appetite.
4) Put Good Agreements In Place With Partners And Customers
FSMA doesn’t replace the need for strong contracts - it increases it.
For example, if you operate a platform, marketplace, or app, you’ll want contracts that clearly allocate responsibilities for:
- who provides the regulated service (if anyone)
- what you do and don’t do (to avoid implied advice or representations)
- customer onboarding and eligibility criteria
- complaints handling and dispute resolution
- limitations of liability (where appropriate and enforceable)
If you run an online platform, your Website Terms and Conditions should match how your product actually works, not how you hope it works in six months’ time.
5) Don’t Forget Data Protection And Operational Controls
A lot of regulated or finance-adjacent businesses process sensitive personal and financial information. Even if you’re not authorised, your compliance standards still matter for trust, partnerships, and due diligence.
As a baseline, if you collect and use personal data through a website or app, you’ll usually need a fit-for-purpose Privacy Policy and internal processes for handling data requests and security incidents.
Common FSMA Pitfalls For Startups (And How To Avoid Them)
FSMA problems often arise when a business is growing quickly and doing what comes naturally: marketing hard, partnering fast, and iterating product features.
Here are some of the most common pitfalls we see in practice.
Accidentally Giving “Advice” When You Meant To Educate
Startups often publish blogs, onboarding quizzes, calculators, or “recommended options” to improve conversion. But if content becomes too tailored or directive, it can start to look like regulated advice.
How to reduce the risk:
- keep content factual and balanced where possible
- avoid personalised recommendations unless you’re sure you’re authorised (or clearly outside scope)
- train sales and support teams on what they can and can’t say
Fundraising Messages That Look Like Financial Promotions
“We’re raising now - here’s the deck” can feel like normal startup life. But depending on who receives it and what it says, it may fall within the financial promotion regime.
How to reduce the risk:
- control distribution of pitch materials
- be careful with public posts about investment opportunities
- check whether an exemption could apply (and follow it precisely)
Affiliate And Introducer Models Without Clear Boundaries
If you introduce customers to lenders, brokers, or investment products, you may be arranging or broking a regulated activity - or you may be publishing financial promotions.
How to reduce the risk:
- define the introducer role clearly in writing
- avoid language that looks like a recommendation or endorsement unless that’s compliant
- make sure payment structures don’t create unintended incentives that increase regulatory risk
Relying On Generic Templates For High-Risk Communications
Templates can be tempting, especially when you’re moving fast. But FSMA compliance depends heavily on context - who you’re communicating with, what exactly you’re saying, and what your business actually does.
Even your standard customer terms should be tailored to your model so you’re not accidentally making promises you can’t keep, or taking on liabilities you didn’t intend.
Key Takeaways
- FSMA is the core UK framework regulating financial services - and it can apply to SMEs and startups, not just major financial institutions.
- Your business may be caught by FSMA if it carries on regulated activities (like credit broking, advising, arranging investments, insurance distribution) or issues financial promotions.
- Financial promotions can include websites, social posts, pitch decks, emails, and other marketing that invites or encourages investment activity.
- Depending on the activity, you may need FCA authorisation, a compliant exemption pathway, or a carefully structured authorised partner model (and some firms may also have PRA considerations).
- A practical compliance approach starts with mapping your business model, reviewing marketing/fundraising comms, and putting strong contracts and policies in place.
- FSMA risk often shows up in “normal startup activity” (product recommendations, investor updates, affiliate introductions), so it’s worth getting advice early.
If you’d like help reviewing whether FSMA applies to your business model, fundraising communications, or customer contracts, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.