How to build a Fintech startup — Chapter 3
Now that you’ve submitted the forms, the waiting game begins. The first step is being assigned an FCA case officer. At the time, the FCA informed us the average wait was 17 weeks, but that it could also take up to 6 months (or 12 months for incomplete applications). In our case, it took approximately two months, perhaps thanks to being a member of the Innovation Hub.
A few weeks after we submitted our application, the Innovation Hub requested a pre-application on our behalf. The latter was quickly approved. The purpose of this face-to-face meeting was to go over our proposition at a high level and to answer some preliminary questions to help them better understand what do. The outcome of this meeting was that we would need to file the Long IT Form (long is an understatement — this form is massive). We were also warned that because we would be reviewed as a tech firm, our application could take as long as 12 months to be approved, ouch…
It’s worth noting that we had shown up without preparing for the meeting, thinking it was just an introduction session to the whole process. This turned out to be a complete underestimation. We were asked for a demo and plenty of questions about how our business model worked. Thankfully we had a basic click dummy. Make sure you go prepared. As far as the demo is concerned, be aware that showing unfinished work could scare them a little. So perhaps try to polish it up a bit. Also be aware you will eventually be asked to include FCA risk disclaimers throughout the customer journey, so there’s no harm in doing it early on. Don’t worry about functionality and even less about what happens in the backend, this meeting is about helping them understand what you do.
Roughly 2 months after the pre-application meeting, our application was picked up by our case officer, who was at the pre-application meeting. This was quickly followed by the first feedback session over the phone and shortly thereafter with questions over email.
The questions spanned the whole application, focusing on the following:
- Gathering further clarification about aspects specific to our proposition (requesting a suitability report, questions in our risk profiler, etc.)
- Filling in holes in our application (missing timelines in the individual application A forms)
- Asking us to confirm we had read relevant guidance papers by the FCA
- Due diligence documentations (SLAs and due diligence about our technology and infrastructure suppliers)
- Various policy documents (information security policy)
- Clarification of our CF10/CF11’s (me) appropriate training for holding the controlled function
In all honesty, many of the questions asked could have been pre-empted had we used a compliance consultant. The consultant would have flagged those in advance and helped smoothen and shorten the whole process. For the remaining questions, many were specific to our proposition and the fact that we’re a startup. We solicited the help of a consultant to review our answers. He suggested we type them up in a spreadsheet alongside the FCA’s question. Where necessary he provided us with relevant templates to fill the gaps in our application.
Customer Journey Demonstration
This is the big one. All stakeholders relevant to your application are included in this meeting. The title of the meeting is self-explanatory: run through a demonstration of the proposition and discuss any outstanding issues in the application.
Going into the meeting our consultant advised us to keep our lips sealed unless asked a question and to plaster our product with risk disclaimers throughout. Obviously we did neither. Why? Because we had strong ideals and felt like the above needed challenging. The end result was mixed. On the positive side, this approach caused a big debate between both sides. The discussion was enlightened and bolstered our relationship with the FCA. Getting them to admit that some things can’t be known until they are tested was our biggest win. The major benefit we took from this was the confidence it gave our little startup in the realm of financial innovation and compliance. On the negative side, it almost certainly extended our application another 2 months, and the satisfaction of getting the FCA to admit to the benefits of using “iterative approaches” for risk disclaimers was short lived. As soon as the application process followed its course, the first request was for the inclusion of risk disclaimers and the need for a follow-up demonstration.
Would we repeat our approach if we had to do it all over? I think so… The short price was a steep one, but the long term benefits of this vote of confidence are only increasing with time.
IT conference call and follow-up questions
As mentioned earlier we were asked to fill out the epic long IT form. This form wasn’t designed for an early stage startup, as its depth is really only relevant for a large financial institution. Our CTO did his best to fill out the form, but most cells were left blank. This led us to request a conference call with the specialist IT agent reviewing our application. The conversation helped clear some confusion and resulted in a list of follow up questions. Most were requests for further implementation details and flow charts about where data would be held. It’s worth mentioning that having a .NET stack helped us greatly as Microsoft has an existing process (Addendum M248) for dealing with financial regulators’ audit requirement.
The final stretch
This was by far the most stressful part of our application. The many question & answer cycles encountered earlier pushed us dangerously close to the FCA’s statutory deadline for resolving an application (12 months). What happens next? In short we were asked to email the FCA indicating we would withdraw our application should we be unable to get approval in time. I won’t share my opinion on this questionable FCA practice…
At this stage in our application there were 4 meaningful tasks remaining:
- Conducting a penetration test (external)
- Submitting our business continuity procedures
- Conducting a disaster recovery test (internal)
- Proof of capitalisation (in line with what was submitted 11 months ago)
You might be asking yourself why after 11 months we still had these significant outstanding tasks. Let’s look at each one separately so you can learn from our mistakes.
As idealists we struggled with the idea of conducting tests purely for the sake of box ticking. This meant a good portion of our build needed to take place prior to conducting a meaningful penetration test. This led us to postpone it repeatedly until we felt our systems would be “ready”. In the end the purpose of conducting the test still felt empty. In retrospect perhaps we should have performed the test earlier and adopted a “do the minimum to pass” approach.
Regarding the DR test and Business Continuity Procedures, the issue came down to poor planning on my part. The process itself is comprised primarily of simulations and problem solving exercises. Both can be done at any point in the application process.
Lastly, the proof of capitalisation completely caught us off guard. The FCA requested to see a bank statement showing the amount of capital mentioned in our application. However, because the capital raised was used for paying wages and other expenses ongoingly, at no point in time did our bank statements display the full amount. This led us to seek proof that the shares issued amounted to the correct figure. Unfortunately, the SH01 forms submitted at Companies’ House only make a clear mention of nominal value. This is typically 0.001 and significantly lower than the value paid by shareholders. Our last week before the statutory deadline was spent in a wild goosehunt trying to get a Companies’ House staff member conferencing with our FCA case officer over the phone!
The last step: the joy of seeing our beloved startup get its dedicated page on the FCA’s website. Receiving that confirmation of approval email felt like crossing the finish line of those interminable Ironman races: the process felt like it would never end, but in a moment of disbelief this bureaucratic ultra marathon is finally over…
I’ve summarised a few pieces of advice on the back of our experience. In the next chapter I will focus on what happens afterwards and how to build a kick-ass compliance culture.
Dos and Don’ts
- Do make sure you have two CF30s in your company or make sure you have a locum agreement for the extra CF30 staff required (in retrospect we could have spent a bit more money to get this service through our compliance consultant)
- Do use a compliance consultant before submitting your application (even if only in an reviewing role, they will help you reduce the application time by avoiding small mistakes)
- Do use a spreadsheet to carefully answer the FCA’s questions (many files, many questions, the whole process can get messy very quickly)
- Do take your statutory deadline seriously
- Don’t keep adding or removing applicants during the application (a direct consequence of bootstrapping our extra CF30 requirement)
- Don’t use a shared office space as your registered address (in retrospect we could have used a personal address and avoided raising unnecessary concerns at the last minute)
- Don’t leave your disaster recovery test & business continuity procedures documentation to the last minute (start it in advance, and be thorough: the more you are, the less likely you will be asked about it)
- Don’t leave your penetration test to the last minute. Be aware this is a pure box-ticking exercise, so don’t be an idealist.
FCA application timeline for WealthKernel
- August 2015 — Acceptance into the FCA Innovation Hub
- October 2015 — Application submitted to the FCA + payment made (£5k)
- November 2015 — Pre-application meeting
- January 2016 — Case officer picks up application
- February 2016–1st official application feedback session done (by phone)
- March 2016–1st set of questions (by email) relating to the applications
- April 2016–1st official review meeting done at the FCA: “Application and Customer Journey Demonstration”
- May 2016 — Conference call to discuss IT form
- June 2016–2nd set of questions relating to the applications
- June 2016–1st set of questions from FCA’s IT division
- August 2016 — Link to user journey shared with FCA for review
- August 2016–3rd set of questions relating to the application: “residual item”
- August 2016 — Application submitted for independent review
- October 2016 — Proof of capitalisation submitted
- October 2016 — Disaster recovery and Penetration test results submitted
- October 2016 — Application approved