Legal Checklist Before Providing a Financial Service in the UK

Alex Solo
byAlex Solo12 min read

Financial services businesses often move fast, but the legal risk shows up even faster if the basics are missed. A founder might accept a provider's standard terms without checking liability, start discussing products with customers before confirming whether FCA permissions are needed, or rely on a verbal promise about fees, data handling or service levels. Those mistakes can become expensive once money is moving, customer complaints start, or a regulator asks questions.

If you are planning to offer a financial service in the UK, the legal work needs to be done before you sign contracts, onboard clients or spend money on setup. The right checklist depends on what you are actually doing, whether that is arranging finance, giving advice, handling payments, introducing customers, operating a platform or supporting another authorised firm. This guide explains the main legal issues to check, where founders often get caught, and what to sort out before you accept terms or commit to a service model.

Overview

The main question is not just whether your business idea is commercial, it is whether the activity is regulated and whether your contracts, disclosures and internal processes match that risk. In the UK, businesses that provide or arrange financial services often need to think about FCA authorisation, appointed representative structures, customer terms, outsourcing terms, data protection and financial promotions rules at a very early stage.

  • Confirm exactly what activity you will carry out, and whether it is regulated in the UK.
  • Check whether your business needs FCA authorisation, registration, or another permission structure before trading.
  • Review whether you will act directly for customers, introduce customers, or operate under another firm's permissions.
  • Put written contracts in place with customers, suppliers, platforms, technology providers and any authorised principal.
  • Check financial promotions, disclosures and customer communications before any marketing goes live.
  • Make sure your privacy notice, data processing terms and cyber security arrangements fit the service.
  • Confirm complaint handling, record-keeping, fees, liability and termination rights before you sign.
  • Do not rely on verbal assurances about compliance, scope of permissions or who carries legal responsibility.

What Before Providing a Financial Service Means For UK Businesses

Before providing a financial service means identifying the legal character of the activity first, then documenting how the service will actually be delivered. The key issue is whether your business is carrying on a regulated activity, promoting a financial product, or supporting another regulated business in a way that still creates legal obligations.

Founders often describe the business in commercial terms, such as a platform, marketplace, software tool or referral model. That description may be useful for investors, but it does not answer the legal question. The regulator and your contracts will care about what you really do in practice.

Why the activity definition matters

A small change in the service model can change the legal position. Introducing potential borrowers is different from advising them. Processing payment instructions is different from offering a software dashboard that never handles client money. Marketing an investment opportunity can trigger issues even where the business says it is only providing information.

This is where founders often get caught. The business starts with one narrow service, but the sales process expands. Staff begin explaining product features, comparing options or helping customers complete applications. Those steps can move the activity into a more heavily regulated area.

Check whether FCA authorisation or registration is needed

If your business carries on a regulated activity in the UK by way of business, FCA authorisation or another relevant permission may be required. In some models, the business may operate as an appointed representative of an authorised firm, or provide limited support services to an authorised firm without itself carrying on the regulated activity. The structure matters, and the paperwork needs to match it.

Before you sign with a principal firm or white-label provider, check:

  • what permissions that firm actually holds;
  • whether your activity fits within those permissions;
  • who is responsible for customer communications and compliance;
  • who owns the customer relationship and data;
  • what oversight, training and reporting obligations apply to you;
  • what happens if the arrangement ends suddenly.

A verbal statement that a principal will “cover compliance” is not enough. You need to see the structure in writing and test whether the contract reflects how the service will operate day to day.

Financial promotions can apply earlier than founders expect

You may need to deal with financial promotions rules before you sign up your first customer. Website copy, ads, pitch decks, landing pages, referral messages and onboarding emails can all create risk if they invite or induce someone to engage in investment activity or another regulated service without the right approval pathway.

That matters for early stage businesses because marketing often goes live before contracts are finalised. If the service is regulated, compliance cannot be added as an afterthought after your campaign starts getting traction.

Contracts are part of the compliance picture

Your customer terms, supplier agreements and outsourcing contracts are not just commercial paperwork. They help define responsibilities, service levels, disclosures, liability and complaint handling. For financial services, those points often affect your regulatory risk as well as your commercial risk.

At a minimum, most businesses in this space should think about:

  • customer terms and conditions;
  • referral or introducer agreements;
  • technology and software contracts;
  • payment processor terms;
  • data processing agreements;
  • outsourcing arrangements;
  • non-disclosure agreements where sensitive product or customer information is shared;
  • employment contracts and contractor terms where staff speak to customers or handle regulated processes.

Data protection is usually central, not incidental

Financial services businesses often handle identity data, financial information, transaction records, credit-related information and communications that can reveal sensitive personal circumstances. That means UK GDPR compliance is usually a core legal workstream.

Before you accept the provider's standard terms or build onboarding flows, check:

  • what personal data you will collect;
  • your lawful basis for each use of that data;
  • whether you are controller, processor or both in different situations;
  • what your privacy notice says to customers;
  • whether suppliers process data outside the UK;
  • what security commitments and breach reporting obligations apply.

Where another firm insists that “their privacy notice covers it”, founders should be careful. Shared data flows usually need a closer legal review.

Before you sign, pin down the service model, the permission structure and the contract terms that allocate legal responsibility. Most expensive disputes happen because the parties agreed the commercial objective but left the compliance and risk allocation vague.

1. Scope of services

The contract should say exactly what your business will and will not do. If you are only introducing customers, the agreement should not describe your role as advice, recommendation or decision-making support unless that is truly intended and lawful.

Plain drafting helps here. A founder should be able to read the scope clause and compare it with the sales process, website copy and staff scripts. If those do not match, revise the documents before you proceed.

2. Regulatory responsibility and permissions

The agreement should not be silent about who carries regulatory responsibility. If another firm is authorised, the contract should explain whether you are acting under its oversight, what controls apply, and who approves communications, complaints handling and customer-facing materials.

Key points to document include:

  • which entity holds the relevant permissions or registration;
  • whether approval is needed for marketing and promotions;
  • who monitors compliance breaches;
  • who reports incidents to regulators where required;
  • what training staff must complete;
  • whether audits or information requests can be made.

3. Customer terms and disclosures

If you contract directly with customers, your customer terms need to be clear on fees, scope, exclusions, complaints and termination. Consumer-facing services also need fair and transparent written terms. Hidden charges, vague cancellation language or broad limitation clauses can create problems under consumer law as well as reputational damage.

Where the customer journey includes digital onboarding, make sure the legal terms actually fit that process. Founders sometimes copy a standard set of terms that assumes in-person advice or paper forms, then use it for an app-based service with a completely different risk profile.

4. Liability, indemnities and caps

Before you rely on a verbal promise that “we never enforce that clause”, review liability terms carefully. Financial services contracts often contain wide indemnities, low supplier caps or exclusions that push disproportionate risk onto the smaller business.

Check:

  • whether the cap is realistic compared with the likely customer loss exposure;
  • whether the indemnity is one-sided;
  • whether indirect loss wording goes further than expected;
  • whether data breaches, fraud or regulatory fines are treated separately;
  • whether your insurance obligations and cover align with the contract.

Even where some liabilities cannot be excluded or restricted in the same way, the contract still matters because it shapes the commercial risk and dispute position.

5. Outsourcing and supplier control

If part of the service depends on software, payment infrastructure, identity verification, credit assessment tools or customer support providers, those supplier contracts need attention before you sign. The main risk is assuming the regulated firm bears all responsibility while the operational failure sits with an under-documented supplier chain.

Outsourcing terms should cover service levels, incident reporting, data handling, subcontracting, business continuity, access to records and exit support. If a key supplier fails, you need to know what happens to customers and who pays for the fallout.

6. Data protection and confidentiality

Your contracts should reflect how personal data and confidential information move between parties. This often means separate data processing clauses or a dedicated data processing agreement.

Before you sign, confirm:

  • who determines the purposes of processing;
  • whether customer data can be used for analytics, training or product development;
  • what security standards apply;
  • how data subject requests will be managed;
  • when data must be deleted or returned after termination.

7. Complaints, investigations and record keeping

Financial services businesses need clear internal processes for complaints and evidence. Even if your business is not itself authorised, customer complaints can still trigger contractual disputes, data requests or scrutiny from a regulated counterparty.

The documents and procedures should say how complaints are escalated, who owns the response, what records are kept and how long they are retained. This is especially important where multiple businesses appear to the customer as one joined-up service.

8. Termination, exit and handover

Termination rights matter more than founders expect. If the principal firm changes strategy, a payments provider closes your account or a white-label arrangement ends, you need a plan for customer communications, data access, outstanding fees and ongoing obligations.

Good exit drafting should deal with:

  • notice periods and immediate termination triggers;
  • what happens to in-flight customers or transactions;
  • access to systems and records during handover;
  • who communicates with customers after termination;
  • post-termination confidentiality and data obligations.

Common Mistakes With Before Providing a Financial Service

The most common mistakes happen when founders treat legal checks as paperwork to tidy up later. In financial services, later is often too late because the business model, customer messaging and supplier stack can lock in risk from day one.

Assuming technology language avoids regulation

Calling the business a platform, app, software tool or marketplace does not decide the legal position. If the service helps arrange, advise on, facilitate or promote regulated financial activity, the substance of the model matters more than branding.

This mistake often appears in fintech businesses that have strong product teams but light legal input early on.

Accepting standard terms without negotiating the risky parts

Many SMEs assume a bank, processor, principal or software provider will not negotiate. Sometimes that is true for commercial pricing, but legal risk points can still be raised. Liability, audit rights, data use, suspension powers and termination mechanics are often worth negotiating before you commit.

The wrong time to discover a broad suspension clause is after customer funds or onboarding flows depend on that provider.

Relying on a verbal explanation of permissions

Founders sometimes hear that a partner's authorisation “covers the whole model”. That may be partly true, partly true only in a narrow scenario, or not true at all. If the arrangement depends on another firm's permissions, the exact legal basis needs to be tested and documented.

Before you spend money on setup, ask for the written structure, not just the sales explanation.

Using generic customer terms

General online terms rarely work well for a regulated or near-regulated financial service. They may miss mandatory disclosures, complaints wording, risk warnings, cancellation points or limits on what the business is promising.

This is especially risky where vulnerable customers, credit products, investments or payment services are involved.

Forgetting that privacy and security are front-end issues

Privacy notices and internal data rules should not be left until after onboarding goes live. If your signup form collects identity documents, bank details or customer profile information, the legal basis and customer information need to exist from the start.

Security obligations also need to be reflected in supplier contracts, not just in internal policy documents.

A business may have carefully limited written terms, but sales staff say more than the contract allows. Promises about approval speed, likely returns, low risk, guaranteed outcomes or “fully covered” compliance can create exposure if customers rely on them.

Founders should compare:

  • sales scripts and demos;
  • website statements and FAQs;
  • pitch decks and proposal documents;
  • customer contracts and disclosures.

If those materials tell different stories, fix the mismatch before customers sign.

FAQs

Do all financial services businesses in the UK need FCA authorisation?

No. It depends on the activity, the business model and whether the service falls within regulated activities or another permission regime. Some businesses operate under an authorised firm's structure, but that arrangement still needs proper legal review.

Can an introducer avoid regulation just by referring customers?

Not always. A simple introduction may sit in a different risk category from advice or arranging, but the detail matters. What you say to the customer, how you are paid and how involved you are in the transaction can change the analysis.

Do I need bespoke contracts before providing a financial service?

In many cases, yes. Standard terms often fail to deal properly with regulatory responsibility, customer disclosures, complaints, data protection and liability. Bespoke contract drafting is usually more useful than trying to adapt a generic template at the last minute.

What should I check before signing with an authorised principal or white-label provider?

Check the scope of permissions, oversight obligations, approval rights over marketing, customer ownership, liability, audit rights, data handling and exit terms. You should also confirm how the model works in practice, not just on paper.

Is a privacy notice enough for data protection compliance?

No. A privacy notice is only one part of the picture. You may also need data processing terms, internal policies, supplier controls, security measures and a clear approach to customer rights and breach reporting.

Key Takeaways

  • Work out exactly what financial service your business will provide before you sign contracts or market the service.
  • Check whether the activity is regulated and whether FCA authorisation, registration or another structure is needed.
  • Do not rely on a partner's verbal assurance that their permissions cover your model.
  • Use clear written contracts for customers, suppliers, introducers, outsourced providers and any authorised principal.
  • Review financial promotions, customer communications and sales materials before they go live.
  • Make sure privacy, data processing and cyber security arrangements fit the type of financial information you handle.
  • Negotiate liability, complaints, audit, suspension and termination terms before you accept the provider's standard terms.
  • Compare your legal drafting with the real customer journey so your documents match what staff and systems actually do.

If you want help with FCA-related contract issues, customer terms, outsourcing agreements, and data protection documents, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.

Alex Solo
Alex SoloCo-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

Need legal help?

Get in touch with our team

Tell us what you need and we'll come back with a fixed-fee quote - no obligation, no surprises.

Need support?

Need help with your business legals?

Speak with Sprintlaw to get practical legal support and fixed-fee options tailored to your business.