
Paper compliance vs active evidence: surviving FCA desk-based reviews

Claude


How can mid-sized UK financial services firms survive intensive regulatory scrutiny during an FCA supervisory assessment? Our analysis at Compliance Consultant reveals that firms frequently fail desk-based reviews because they rely on static paper compliance—having signed policies sitting in a folder—rather than producing active, operational evidence of those policies in daily use. The Financial Conduct Authority (FCA) has made it clear that firms proving active oversight will benefit from less intensive supervision, but this requires live data like a Compliance Risk Register with Heat Mapping or structured management information (MI). Transitioning from static documentation to verified active evidence is the single most effective way for compliance officers in 2026 to pass these reviews and reduce regulatory pressure.

Quick verdict: Why the paper trail is no longer enough

For any UK financial services business, the shift in regulator expectations has been stark. During a recent reporting period, the FCA dramatically ramped up its supervisory interventions, executing a total of 816 desk-based reviews and 21 on-site visits. The results of these desk-based reviews (DBRs) were sobering. The number of businesses assessed as fully compliant collapsed from 43% down to a mere 7%. This drop does not mean firms suddenly stopped writing policies. It means the regulator stopped accepting those policies at face value.

The FCA now prioritises high-risk firms, directing 656 of its DBRs toward them. When an officer reviews your business-wide risk assessment, they do not just check if the document exists. They look for proof that it actually guides daily decision-making. If your firm cannot produce records of how risks are identified, monitored, and mitigated in real-time, the regulator categorises your framework as purely nominal.

In our work with mid-sized financial firms, we find that the gap between a written policy and operational reality is the primary trigger for supervisory intervention. A policy document is a statement of intent. Active evidence is the record of that intent being executed.

Defining the two compliance approaches

To survive a desk-based review, a compliance officer must understand exactly where their firm sits on the spectrum between theoretical policy and operational reality.


Paper compliance (the baseline expectation)

Paper compliance represents the historical minimum. It is characterised by off-the-shelf policy templates, signed annual declarations, and static risk registers that sit untouched on a shared drive until the next audit. These documents establish the baseline regulatory standards that every firm must legally meet, as outlined in our Comprehensive FAQs on FCA Compliance.

The danger of this approach is its immediate obsolescence. An anti-money laundering (AML) policy or a conflicts of interest policy written twelve months ago cannot prove that your team checked a high-risk client's source of wealth yesterday. When the FCA conducts a desk-based review, presenting a generic, un-tailored policy document suggests a lack of understanding of your firm's specific operational risk.

Active evidence (the operational reality)

Active evidence is the continuous generation of data that proves your compliance policies are working. It is the visible trail of your compliance framework in motion. Instead of just having an Appointed Representative (AR) policy, active evidence means presenting a structured monitoring dashboard, completed site-visit templates, and clear RAG-rated self-assessments, such as those found in our Appointed Representative Oversight Policy & Playbook.

Active evidence requires systems that record everyday compliance tasks as they happen. If your AML policy states that you perform enhanced due diligence (EDD) on politically exposed persons (PEPs), active evidence is the completed EDD workbook containing verified independent sources, signed off by the Money Laundering Reporting Officer (MLRO). It is structured, time-stamped, and verifiable.

Head-to-head comparison: Static documentation vs. operational proof

Our advisory team has mapped how the FCA evaluates these two models across different core operational categories.

| Dimension | Paper Compliance | Active Evidence |
| --- | --- | --- |
| Core Focus | Having the policy written down | Proving the policy works in practice |
| FCA Audit Response | Slow document retrieval, manual assembly | Instant delivery of live dashboards and files |
| Risk Management | Static annual reviews of generic threats | Active risk registers with heat mapping |
| Consumer Duty | Stating that you treat customers fairly | Documented price and value assessments |
| Governance Proof | Signed board declarations without COLP/COFA context | Board minutes detailing actual debate and challenge |
| Regulatory Action | High risk of remediation or Section 166 | Light-touch, preventative supervision |

This comparison shows that paper compliance is a fragile state. It relies on the hope that the regulator will not ask to see the mechanics behind the curtain. When they do, the framework falls apart, often resulting in expensive remediation programs or formal supervisory intervention.

What actually qualifies a firm for "less intensive supervision"

The FCA's approach to supervision outlines a clear philosophy: regulation must be outcomes-focused and evidence-led. For a mid-sized investment or wealth management firm, earning the right to "less intensive supervision" requires proving that your compliance framework preempts risk rather than merely reacting to breaches.


Documenting board-level governance decisions

Board minutes are one of the first things a case officer requests during a desk-based review. The regulator frequently finds that minutes do not record the discussion, challenge, and debate that occurred before a decision. If your board packs contain nothing but passive updates, you cannot prove effective senior management oversight.

To fix this, firms should adopt The lean governance framework for FCA board reporting packs. This structure ensures that board minutes record the specific challenges raised by non-executive directors and the compliance team, showing the regulator that governance is an active process of holding the business to account.

Proving continuous risk assessment

A static business-wide risk assessment (BWRA) is a significant compliance vulnerability. In their multi-firm review of risk assessment processes and controls, the FCA observed that many firms failed to tailor their BWRAs to their specific business models.

To satisfy a desk-based review, you must show how your risk assessments change when your business changes. If you launch a new product or target a new client demographic, your risk register must reflect that update immediately. Using a live Compliance Risk Register with Heat Mapping allows you to show a timeline of risk adjustments, proving to the FCA that risk management is an active part of your operations.

Evidencing Consumer Duty outcomes

Under the Consumer Duty, the FCA has shifted the burden of proof entirely onto the firm. You must prove that your customers are receiving fair value and good outcomes. If your only evidence is a policy stating that your fees are fair, you will fail a desk-based review.

Active evidence under Consumer Duty means maintaining a live Complaints Root Cause Analysis (RCA) & MI Reporting template. This template must show that when a complaint trend emerged, your firm analyzed the cause, adjusted its practices, and measured the subsequent impact on customer outcomes. This proactive tracking is what the regulator means by "doing the right thing."

The tools required to transition to active evidence

The transition from paper to active evidence does not require a massive increase in compliance headcount. Instead, it requires replacing static documents with structured toolkits that automatically generate an audit trail as part of your team's daily workflow.

Choose paper compliance if...

You should only rely on paper compliance if you are a start-up in the earliest pre-authorisation phase, where your immediate priority is simply establishing your baseline policies for the initial application. However, even during initial authorisation, the FCA expects a clear plan for how these policies will be operationalised once you begin trading. Relying on paper compliance as an ongoing operational model is an invitation for regulatory intervention.

Choose active evidence if...

You must choose an active evidence model if you are an established, mid-sized financial services firm, payment processor, or principal firm managing Appointed Representatives. Proving active compliance is the only way to protect your senior managers from personal liability under the Senior Managers and Certification Regime (SMCR) and avoid the high costs of a Section 166 review.

Compliance Consultant offers structured advisory retainers designed to make this operational transition practical:

  • Silver Retainer (Compliance Professional): At £895 per month (billed quarterly at https://www.e-junkie.com/i/14miu?card) or £795 per month (billed annually at https://www.e-junkie.com/i/14miv?card), this tier is built for established firms wanting proactive compliance management. It includes eight hours of advisory support, quarterly compliance reviews, and an annual monitoring programme review. It also includes our full suite of digital compliance templates, including the Compliance Risk Register with Heat Mapping and the Complaints RCA & MI Reporting Template (a retail value of £1,194).
  • Gold Retainer (Compliance Partner): At £1,495 per month (billed quarterly) or £1,345 per month (billed annually), this tier provides a dedicated compliance consultant, a four-hour response guarantee, sixteen hours of advisory support, and complete access to our advanced template library, including the Third-Party Oversight Toolkit and Section 166 Preparation Toolkit.


Final verdict: Preparing your firm for the next desk-based review

If your firm faces an FCA desk-based review, the regulator will typically give you a short window to submit your policies, risk assessments, and management information. If your compliance team has to spend weeks manually pulling together files, chasing down staff, and writing retrospective explanations, you are already on the back foot.

The transition to active evidence is an investment in operational security and budget certainty. By replacing static policy files with live, structured templates and securing ongoing expert support, you remove the single-point-of-failure risk that plagues overstretched internal compliance teams.

To evaluate your current compliance posture and identify any gaps before the regulator does, book a free 30-minute discovery call with our advisory team. Email us at info@complianceconsultant.org with the subject "Retainer Discovery Call" or call our UK freephone on 0800 689 0190 to discuss how our Silver and Gold retainers can build your active evidence framework.
