Section 166 is a part of the Financial Services and Markets Act that gives the regulators power to require a firm to engage a 'skilled person' to carry out a forensic level review of part of the firm's operation.

This is an intrusive and disruptive process...with consequences.

It's crucial that you respond to the s166 Requirement Notice in a timely manner and that you liaise appropriately with the regulator during the course of the process.

Getting the initial response right will determine:

  • The level of future supervision.
  • Whether enforcement action will be taken against the firm or individuals.
  • Whether a post s166 review will be conducted.

Regulatory intervention: S166

Keep control when you're under the microscope


Most firms will be aware of the regulators' box of supervisory tools, especially the one described under section 166 (S166) of the Financial Services and Markets Act (FSMA 2000) that gives the FCA and PRA the power to commission reports by 'Skilled Persons' in order to obtain an independent view of any aspect of a firm's activities.

Anyone who's been subject to a skilled person review, commonly referred to as a s166 report, will tell you it is not to be taken lightly. From receiving the draft requirements notice to completion of the remediation actions and demonstrating sustainability, the process has to be carefully managed.

The S166 investigation is carried out at the expense of the firm, but on behalf of the regulator, and almost always results in a comprehensive list of findings and requirements.

Lysis Financial understands the challenges at each step of a section 166 engagement and draws on an experienced team of highly skilled individuals who understand the regulator's requirements. We recognise that prompt and effective action is fundamental to our clients' businesses and their relationships with regulators and prosecuting authorities. Our team can deliver accurate, swift and incisive analysis of issues, and our substantial Operational Support Team provides a flexible and cost-effective solution for framework, policy and procedure and customer file and document review and remediation.

With the costs of a section 166 spiralling, firms will want to do all they can to maintain control when the supervisor calls.

“The true cost of the intervention wasn't the skilled persons report, but the impact it had on BAU.” – COO, Interdealer Broker


Knowing what to expect from s166 and preparing for the journey can be a deciding factor in making the process less arduous and in ensuring the best outcome.

Understanding the challenges presented within each stage of a section 166 engagement will enable you to stay in control. The outcome of the review will have a lasting effect. Taking positive steps to not leave anything to chance will pay off in the long run.

Warning Signs

Forewarned is forearmed and being able to read the warning signs can put you on the front foot.

Before using s166, the regulator will often highlight concerns following its own visits. Repeated findings without significant improvement are a likely trigger for s166, which will usually follow a supervisory visit.

S166 can be used:

  • as part of close and continuous work
  • following a thematic review
  • when an issue has been raised by the firm itself.

It is not just section 166:

  • S165 – An early warning if the regulator uses this to request information
  • S166a – Often called a shadow 166. Used for information gathering even when no issues have been identified. All Cat. 1 banks receive an annual s166a
  • S167, S168, S169, S262 and S284 are all sections of the Act connected to s166

Draft Requirements Notice

Before informing the firm that it intends to use section 166, the regulator will have been through approximately 6 internal process steps. The firm will usually be notified with a call to the CEO, stating the intention to use the powers under s166. This will shortly be followed by the draft requirements notice.


  • Take steps to conduct a full review of the in-scope areas. If there are concerns around internal capability, get independent support
  • Prepare evidence packs to support claims made. Where you have provided assurance that progress has been made or actions completed following a previous regulatory visit, evidence should be gathered and packaged to present during the review
  • Issue a firm-wide document preservation order – it is a criminal offence to destroy any relevant material prior to a skilled person review.
  • Take time to objectively consider the regulator's concerns. Engage specialist help if necessary.

There are four main reasons for using s166:

  1. Diagnostic Purposes – to identify, assess and measure risk
  2. Monitoring – to track the development of identified risks
  3. Preventative – to limit or reduce identified risks
  4. Remedial action – to recover from and correct deficiencies.

Agreeing the scope

The regulator will attempt to avoid a broad scope, keeping it narrow and focused on the areas of concern. Firms have little influence over the scope of the review.

CAUTION: Do not assume other areas won't be involved; under section 166, the skilled person is able to extend the scope of its investigation if it discovers additional concerns.


The requirements notice won't be finalised until after the skilled person has been selected. Once the skilled person has been selected, however, there will be an opportunity to discuss the scope. This usually happens through a tripartite meeting between the firm, skilled person and the regulator.

Selecting the skilled person

A skilled person will be engaged in one of two ways:

  1. Firm contracts with the skilled person.
  2. Regulator contracts directly with the skilled person (s167) – this only happens when there are very specific concerns.

Where the firm contracts directly, it must research and produce a short list of firms (usually five) that it believes are suitable. The firm must select a skilled person from a panel maintained by the regulators. The panel is divided into fourteen lots according to the focus area.

It is the firm's responsibility to define the selection criteria and meet with each prospective Skilled Person firm to decide which will be the most suitable. There are several factors that should be considered here. You should do your best to ensure that the Skilled Person selected has the resource, knowledge and experience to understand the problem and, more importantly, your business. You should seek to understand the relationship the Skilled Person has with the regulator and, importantly, that they are prepared to work with you in a realistic and timely manner to conduct the investigation.

Timing and terms of engagement

There are 4 types of Skilled Person report:

  1. Reasonable Assurance – This provides defined opinion and is based on testing assertions made by management. The work is carried out within a formal assurance framework and will have a limited and focused scope.
  2. Limited Assurance – a more focused version of reasonable assurance.
  3. Agreed upon Procedures – The Skilled Person makes no assessment of the subject matter and provides no assurance conclusion. The regulator assesses results and draws its own conclusions.
  4. Review and Recommend – The results are based on the Skilled Person assessment. Often includes recommendations where the Skilled Person identifies weaknesses.

The timing and duration of the skilled person's engagement will largely be set by the regulator; however, there is an opportunity for some negotiation when first discussing the engagement during the selection phase. You should take this opportunity to seek to agree a timescale that makes sense to you.

Managing the review

The investigation may start with a request for information that will be reviewed off-site. Once the skilled person has begun their fieldwork, do not assume it is out of your hands. Working closely and proactively with the Skilled Person is extremely important.


  • The CEO must set the tone and lead from the top
  • Make all staff aware of the investigation and direct them to behave professionally and openly
  • Establish clear internal governance procedures and allocate a relationship manager to manage all Skilled Person requests
  • Allocate internal resource to support the review; section 166 interventions will impact business as usual. Get coaching for senior staff.
  • Identify and address any urgent issues, prior to the start of the review if possible.
  • Engage specialist help where necessary as this is seen as a positive step by the Skilled Person and regulator.
  • Form a s166 committee (often a Board sub-committee) and s166 working group(s) to track and control the review and deliverables

Response and remediation

The skilled person's report will be shared with the firm and the regulator simultaneously.

They may provide unofficial feedback as they progress, but don't count on this.

There is a two-week period for you to review and challenge any factual inaccuracies in the report and you can advise of further progress you have made since the evidence was gathered. You cannot challenge the recommendations based on factually correct findings.

The regulator will take some time to consider the findings.

You must outline the corporate response and agree to reasonable timelines.

Certain points may require clarification. The regulator will offer time to discuss this – use this time.



  • Review the report and recommendations in detail
  • Extract and reference all original points – recommendations are not always black and white
  • Produce a remediation plan with ownership to address all points; ensure this plan is adequately resourced; get external help if required.
  • Document everything that is done
  • Gather and package evidence
  • Get all evidence signed off by the s166 committee
  • Establish formal communications protocols with the regulator
  • Be aware of lead times for sign off when submitting to deadlines
  • Develop good MI to track progress
  • Stick to timelines and warn of any deviation


Embedding and Follow up

Many Skilled Person reviews now include a Stage 2 review that takes place six months after the Stage 1 review. This is for the regulator to obtain assurance that the firm has addressed the points sufficiently and has actually done what they say they've done.

The Skilled Person will look not only for evidence of completion, but that the solutions implemented are embedded and sustainable.

  • Do not take a tick-box approach to remediation
  • Think about embedding; improvements should be permanent and become part of the fabric of the way the firm operates
  • Meet regularly to review progress
  • Address issues as they arise
  • Stay engaged

Section 166 and Enforcement actions are both up on last year; there are new powers to harness parent companies who fetter the autonomy of their UK regulated subsidiaries. Judgement-based supervision has taken shape and firms are under more pressure.

Key Benefits

  • Structured and experienced response to regulatory intervention
  • Expert and experienced support and guidance
  • A full and detailed analysis of your current situation
  • Gap analysis and clear change roadmap
  • Templated and packaged response to each remedial action
  • Delivery of all regulatory recommendations
  • Removal from the watch list and a return to a regular footing with the regulator
  • Improved operational framework and strategy execution


Lysis has significant experience in assisting clients with complex and contentious regulatory issues. We can help our customers by doing a pre-S166 review, by supporting the firm through the review itself or by helping to design, manage and execute a S166 remediation programme.

We will engage with the Board and senior management to shape each project and then produce a detailed Programme plan which will provide the delivery roadmap.

We build on that with a project delivery methodology to maintain absolute control over the tasks and objectives.

We work with executive and senior management to build the team required and respond to the initial challenges by providing essential subject matter expertise and experience.

We can manage the entire global programme, spanning functions including Governance, Risk, Compliance, Operations and IT, typically reporting to a Board-level Steering Committee. Alternatively, we can supply skilled personnel to bolster the firm's efforts in any of these areas.

“Lysis provided the framework and expertise that saw successful delivery of each point to the FCA” – FTSE 100


We have significant experience in assisting clients with complex and contentious regulatory issues. Our section 166 team is organised into internal practice groups and our key point of difference is the integration of experienced financial regulation specialists with senior compliance advisors specialising in operational governance, risk and compliance; combining sound technical and industry consultancy experience.

Beginning with an initial discovery phase, we work with you to understand and identify the gaps before setting out the steps to build the necessary capability and embedded process for a sustainable solution.

Our remediation change roadmap delivers clearly defined, tangible results with a known duration and cost.

Each phase is structured to meet key milestones and deliver specified outcomes.


Recent cases include:

Inter-Dealer Broker

A major global FTSE-100 financial services firm. The firm had one month to shape, scope and plan a 60-project programme of work in response to a Section 166 Skilled Persons Report.

The firm then had to deliver all 60 projects over a nine-month period with sub-deliveries due each month.

Lysis worked with the firm's Board and senior management to shape each project and produce a detailed programme plan, which provided the delivery dates included in the response to the report. We then worked with executive and senior management to initiate the programme and projects, build the team required and respond to initial FSA challenges on programme and project set-up.

Lysis managed the entire global programme, spanning the Governance, Risk, Compliance, Operations and IT functions, reporting to a Board-level Steering Committee. Lysis was responsible for programme management, planning, tracking and reporting, including programme risks, issues, dependencies and budget.

  • All milestones across the 12-month programme were achieved on time and under budget.
  • All deliverables (several hundred in total) were accepted by the FSA.
  • All changes arising from the programme were implemented and embedded as business as usual within the firm.
  • Confirmation was received from both internal audit and the appointed skilled person, in their post-implementation report, that the firm had satisfied the requirements of the s166 report.

Islamic Investment Bank

Following a period of intrusive oversight relating to financial crime, AML, CTF and governance arrangements, this bank received a draft requirements notice under section 166 of FSMA.

The bank had limited resources and some critical skills gaps. Lysis was engaged to provide both subject matter expertise and resource to help the bank respond to the skilled person review and deliver the remediation actions.

Lysis provided a complete solution including regulatory rules mapping, a detailed customer file review and remediation, and an AML and CTF policy and procedure review. We reviewed and rewrote the AML policies and procedures for the bank, and provided training and surge resourcing. Lysis identified all KYC gaps and cleared a backlog of customer files. All points raised by the regulator were successfully addressed and the client was returned to a sound footing with the regulator.

UK Corporate Bank

Whilst in its mobilisation phase for a Part V banking licence application, this organisation received a section 166 relating to its risk management and control framework. The scope was focussed but included governance and management information. Lysis reviewed the existing risk register, controls framework, management governance structures (including organisation structures and terms of reference) and firm-wide risk exposure. Lysis conducted iterative risk assessments and reported areas of improvement back to the bank. The firm was also provided with model capital provision and stress testing, as well as firm-wide training (which included the board), to deliver the risk and controls framework.

Lysis carried out an enterprise risk management maturity assessment and regulatory roadmap. Lysis provided assurance to the regulator through ongoing dialogue, which resulted in the bank obtaining an unrestricted banking licence.

Middle Eastern Corporate and Retail Bank

As part of the FCA's proactive AML supervision strategy, this bank took part in a thematic review in 2013, 2015 and 2017. Following each visit, the bank received a letter from the regulator detailing their findings and concerns with the Bank's 3 Lines of Defence Model, as well as other weaknesses related to AML controls within the bank. The FCA commissioned a skilled person report on the bank.

Lysis explored all the prior issues raised by the FCA in their previous visits as well as the scope of the 166 itself. We conducted a rapid gap analysis across a slightly extended s.166 scope. Lysis was then able to identify areas for improvement and prepare evidence packs to provide evidence of progress already made to the skilled person/regulator. During the identification of gaps, Lysis conducted a detailed KYC review of the bank's entire customer population and highlighted areas of concern to the bank.

Lysis carried out a risk assessment and addressed the most urgent issues and concerns facing the bank. Lysis created a regulatory improvement road map for the bank and conducted a readiness and staff alignment exercise to ensure individuals understood what the gaps were and what the improvement process was, so that they were able to engage effectively and positively with the skilled person. Senior management, board and NEDs were also provided with support; this exercise included mock interview training and awareness.

Lysis was involved in the end-to-end shortlisting and selection process of the skilled person. Lysis supported the firm's engagement with the skilled person to ensure accurate and timely information was given.