FCA E-Signature Requirements: What Financial Firms Need to Know

The FCA's Position on Electronic Signatures

The Financial Conduct Authority has never prohibited electronic signatures. In fact, the FCA's regulatory framework is technology-neutral — it does not mandate wet ink signatures for the vast majority of regulated activities. What the FCA does require is that firms can demonstrate the authenticity, integrity, and non-repudiation of signed documents when asked.

This distinction is critical. The question is not whether you can use electronic signatures. The question is whether your implementation meets the evidentiary standards the FCA expects when it exercises its supervisory powers.

SYSC Obligations and Record-Keeping

The FCA's Senior Management Arrangements, Systems and Controls (SYSC) sourcebook establishes the baseline for record-keeping in regulated firms. SYSC 9.1.1R requires firms to arrange for orderly records to be kept of their business and internal organisation, including all services and transactions undertaken.

When applied to electronic signatures, this means your signing platform must produce records that are:

• Complete — capturing not just the signature image but the full context: who signed, when, from where, and what they consented to
• Accurate — timestamps must be reliable (ISO 8601 with timezone), IP addresses must be genuine (not proxied without disclosure), and document hashes must be verifiable
• Accessible — records must be retrievable promptly upon request from the FCA. A system that requires weeks to export audit data does not meet this standard
• Tamper-evident — it must be possible to demonstrate that records have not been altered after creation

What the FCA Looks for in Practice

During supervisory visits and thematic reviews, FCA supervisors assess whether a firm's electronic signature implementation provides sufficient evidence of agreement. Based on published enforcement actions and supervisory communications, the FCA evaluates several specific areas.

First, identity and attribution. Can the firm demonstrate that the person who signed is the person they claim to be? This does not necessarily require identity verification at the point of signing — a unique, time-limited signing link sent to a verified email address may suffice for standard risk transactions. However, the firm must document its risk assessment of the authentication method used.

Second, consent and intention. The FCA expects evidence that the signer intended to be bound by the document. A clear consent step — separate from the signature itself — with recorded consent text, timestamp, and IP address provides this evidence. Implied consent (such as inferring agreement from document download) is not sufficient.

Third, document integrity. The firm must be able to prove that the document signed is identical to the document presented. A SHA-256 hash computed at upload and recorded in the audit trail before signing begins provides cryptographic proof of this. If a dispute arises about document content, the hash resolves it.

Retention Requirements

FCA Handbook provisions require different retention periods depending on the type of record. MiFID II business records must be retained for at least five years, but many firms adopt a seven-year standard to align with HMRC requirements and provide a comfortable margin for potential enforcement action limitation periods.

Your electronic signature platform must support retention for the full required period. This means not just the signed PDF, but the complete audit trail — every event, every timestamp, every IP address. If your platform purges audit data after 12 months, you have a compliance gap that a routine supervisory visit will expose.

The cost of inadequate record-keeping is not the fine. It is the inability to defend a legitimate transaction when a regulator or claimant challenges it three, five, or seven years after the fact.

Practical Implementation Guidance

For firms implementing or reviewing their electronic signature processes, the following steps reduce regulatory risk:

1. Document your risk assessment — record why electronic signatures are appropriate for each document type, what authentication method is used, and what the residual risks are
2. Ensure per-event audit logging — every action (email sent, link clicked, document viewed, consent given, signature applied) should be individually logged with IP, user agent, and timestamp
3. Record consent verbatim — store the exact consent text the signer agreed to, not a reference to a template that may change over time
4. Hash documents at upload — compute and store a cryptographic hash before any signer accesses the document, providing immutable proof of the original state
5. Set retention to seven years minimum — align with the longest applicable retention period across FCA, HMRC, and limitation period requirements
6. Test your export process — regularly verify that audit data can be exported in a format suitable for regulatory submission, and that the export itself is timely

Conclusion

The FCA does not stand in the way of electronic signatures. It stands in the way of inadequate evidence. Firms that implement e-signatures with complete audit trails, cryptographic integrity, recorded consent, and appropriate retention will find that their electronic records are more robust than the wet ink signatures they replaced. The regulatory burden is not the technology — it is the evidence. Get the evidence right, and the technology serves you well.