You have spent years building your firm's reputation. Five-star Trustpilot reviews. Referrals from clients who trust you with their financial futures. A track record that speaks for itself.
Then your marketing agency publishes a LinkedIn post that constitutes an unapproved financial promotion.
This is not a hypothetical. In 2024, the FCA intervened on 19,766 financial promotions – nearly double the previous year. The regulator assessed approximately 480,000 websites for potential breaches. Criminal prosecutions of social media influencers for unauthorised financial promotions are now before the courts, with trial dates set for 2027.
The agencies that produced much of this content were not incompetent. They were structurally unable to do the job. That distinction matters, because it means the problem cannot be fixed with a better brief, a compliance checklist, or a training session.
What makes content a financial promotion
The definition is broader than most marketing teams realise. Section 21 of the Financial Services and Markets Act 2000 (FSMA) restricts the communication of any "invitation or inducement to engage in investment activity." The FCA's guidance is explicit: this covers any communication with a promotional element, regardless of the medium. A social media post, a landing page, a PPC ad, an email newsletter – all potentially caught.
The FCA confirmed in its 2024 social media guidance (FG24/1) that this extends to communications through "private or invitation only social media channels, like chatrooms such as Discord and Telegram." If your agency produces content that encourages someone to consider an investment, a pension transfer, or a financial product, the financial promotions regime almost certainly applies.
The consequences of getting it wrong are not administrative. Section 25 FSMA makes communicating an unapproved financial promotion a criminal offence: up to two years' imprisonment and an unlimited fine on indictment. Contracts entered into as a result of unlawful promotions may be unenforceable against the customer under Section 30.
The rules your agency does not know
The Conduct of Business Sourcebook (COBS 4) sets out detailed requirements that go far beyond "fair, clear and not misleading" – though that core rule (COBS 4.2.1R) is itself more demanding than it sounds.
Risk warning prominence. When communicating with retail clients, a firm must not emphasise potential benefits without giving a fair and prominent indication of relevant risks. The risk warning font size must be at least equal to the predominant font size. On social media, risk warnings must not be hidden behind truncated text or a "see more" button. The FCA's position is clear: if the platform cannot accommodate the required disclosures, the platform should not be used for that promotion.
Past performance. COBS 4.6 requires that past performance not be the most prominent feature of a communication. Performance data must cover the preceding five years (or the whole period if shorter), show complete 12-month periods, and include a prominent warning that past performance is not a reliable indicator of future results. Here is the detail a marketing agency will miss: if performance data is only available for a nine-month period, actual past performance cannot be shown at all. An award reflecting a fund manager's skill can itself constitute a past performance indication, triggering the full disclosure requirements. A marketing agency's instinct is to lead with awards and performance numbers. The FCA says that is precisely what you must not do.
Standalone compliance. The FCA expects every financial promotion to be "standalone compliant" – meaning each individual communication must comply with the rules when considered on its own. A marketing agency thinks in campaigns: a series of connected messages building towards a conversion. The FCA does not. Every tweet, every Instagram story, every email in a drip sequence must independently meet every applicable requirement.
The ten-sourcebook problem. FG24/1 identifies 10 different sourcebooks that may apply to financial promotions depending on the product type: COBS 4 for investments, CONC 3 for consumer credit, MCOB 3A for mortgages, BCOBS 2 for banking, ICOBS 2 for insurance, and others. An image advertising exemption exists for investments and mortgages – but not for insurance or banking. A marketing agency that has learned the investment rules may produce a compliant investment promotion and a non-compliant insurance promotion in the same week, for the same client, without understanding that different rules applied.
What changed in 2024 – and why it matters
The rules changed significantly in the past two years, and those changes directly affect how content is produced and approved.
The Section 21 Approver Gateway. Since 7 February 2024, authorised firms must hold specific FCA permission to approve financial promotions for unauthorised persons. Previously, any authorised firm could approve a promotion – which allowed some agencies to find "light touch" partners willing to rubber-stamp content. That route is closed. The FCA has stated that "the approval process being conducted under the section 21 gateway is not just a formality." In 2024, 18 firms accepted voluntary requirements restricting their approval activity, and the FCA used its own-initiative powers on two further firms.
The Consumer Duty. Principle 12, effective since July 2023 and extended to closed products in July 2024, goes beyond the traditional "not misleading" standard. Firms must now act to deliver "good outcomes" for retail customers. The consumer understanding outcome requires that all communications – including financial promotions – support informed decision-making. The FCA expects firms to test whether their communications genuinely help consumers understand what they are buying, and to monitor the impact on consumer behaviour. This is a fundamentally different standard from "accurate and not misleading." It requires judgment about the reader's likely comprehension, not just the writer's factual accuracy.
Social media guidance. FG24/1, published in March 2024, replaced the previous guidance and made explicit what many firms had been ignoring: firms are responsible for the compliance of every promotion they make or cause to be made. That includes content produced by affiliate marketers, influencers, or – critically – marketing agencies. The firm cannot delegate responsibility by delegating production.
What happens when it goes wrong
The FCA's enforcement in this area has escalated sharply.
In June 2024, the FCA brought its first-ever criminal prosecution against social media influencers for unauthorised financial promotions. Nine individuals, with a combined 4.5 million Instagram followers, were charged under Section 21 for promoting an unauthorised forex trading scheme. The case is before Southwark Crown Court, with trial dates in early 2027. In June 2025, the FCA led an international enforcement action involving nine regulators across six countries, resulting in arrests, criminal proceedings, and over 650 takedown requests.
The crypto financial promotions regime, effective since October 2023, has produced its own enforcement wave. In the first year, the FCA issued 1,702 consumer alerts on illegal crypto promotions, took down over 900 scam websites, and removed 56 apps from UK app stores. In February 2026, the FCA commenced civil proceedings against HTX (formerly Huobi) for illegally promoting cryptoasset services to UK consumers – the first major civil enforcement action under the regime.
These crypto cases are instructive for any regulated firm. They illustrate what happens when organisations without specialist regulatory expertise attempt to produce financial promotions. The failures are consistent: generic risk summaries without product-specific amendment, using regulated status as a promotional tool, claims about safety and ease of use without evidence. These are exactly the mistakes a marketing agency would make.
Personal liability is real
This is the part that should concern every compliance officer and managing partner.
Under the Senior Managers and Certification Regime (SM&CR), the person holding the SMF16 (Compliance Oversight) function can be held personally liable if the firm breaches financial promotion rules and that person failed to take reasonable steps to prevent the breach. Liability attaches even if they were not personally involved in producing the content.
In 2024, the FCA fined and banned Floris Jakobus Huisamen, a director at London Capital & Finance, for recklessly signing off on information memoranda, brochures, and website content as COBS-compliant when he was aware of risks that they were not. Individual penalties more than tripled in 2024/25 compared to the prior year. As of late 2024, the FCA had 26 open investigations into individuals for potential SM&CR breaches, including 23 Senior Managers.
When your marketing agency produces non-compliant content, the agency faces no regulatory consequence. The firm bears the enforcement risk. The senior manager who signed it off bears personal liability. The agency moves on to the next client.
Why this is structural, not a training problem
It would be tempting to conclude that the answer is better training for marketing agencies. It is not. The problem is structural, for four interconnected reasons.
The knowledge cannot be transferred in a brief. The CISI Investment Advice Diploma requires 426 hours of study. Compliance professionals typically hold qualifications requiring over 100 hours of focused regulatory education, supplemented by 35 hours of continuing professional development annually. The FCA's own guidance spans 10 sourcebooks with different rules for different product types. The distinction between what constitutes an "image advertisement" in COBS versus ICOBS, or when an award triggers past performance disclosure requirements, is not something that can be conveyed in a brand guidelines document.
The regulatory landscape changes faster than any agency can track. The FCA's Regulatory Initiatives Grid for December 2025 listed 34 live regulatory initiatives, 11 of them new. In the past two years alone, the financial promotions regime has been affected by the crypto promotions regime, the s21 approver gateway, updated social media guidance, two phases of Consumer Duty implementation, a reversal of FPO exemption thresholds, and prospectus regime amendments to COBS 4. The FCA publishes 20 to 30 Consultation Papers per year, alongside Policy Statements, Dear CEO letters, multi-firm reviews, and monthly Handbook Notices. In April 2025, the FCA retired over 90 Dear CEO and portfolio letters, meaning firms must assess which historic expectations remain live. No marketing agency monitors this.
The liability sits in the wrong place. All regulatory consequences – fines, business restrictions, criminal prosecution, personal SM&CR liability – fall on the regulated firm and its senior managers. The agency faces no regulatory consequences whatsoever. Its liability is limited to whatever its contract and professional indemnity insurance provide. This creates a fundamental misalignment: the agency is commercially incentivised to produce content that drives engagement and conversion, while the firm's senior managers carry personal liability for every word. The FCA has never taken enforcement action against a marketing agency. It has taken enforcement action against the firms that published agencies' work.
The incentives conflict. A marketing agency's purpose is to reduce friction and drive conversion. The FCA's Consumer Duty now mandates what might be called "positive friction" – cooling-off periods, prominent risk warnings, balanced presentation of benefits and risks. An agency is rewarded for increasing click-through rates. The regulator requires that communications prioritise consumer understanding over persuasion. These objectives are structurally opposed. An agency optimising for its own metrics will, over time, push against the regulatory boundaries that the firm's compliance team is trying to maintain.
What firms should do instead
None of this means regulated firms should stop marketing. Growth requires visibility, and visibility requires content. The question is who produces it.
Regulated content must be produced by people who understand both the marketing objective and the regulatory framework. Not people who understand one and have been briefed on the other. The judgment calls that financial promotions demand – is this an inducement? Does this award trigger past performance rules? Is this platform appropriate for this disclosure? Would a vulnerable consumer understand this communication? – require years of embedded experience, not a training module.
This is how Penby works. Andy has written FCA-compliant financial promotions for nearly two decades. The expertise that makes the output compliant is human; AI accelerates the research and the editorial process. The regulatory knowledge is not something that was learned from a brief. It was built over 18 years of practising at the intersection of compliance and marketing, for firms where getting it wrong carries real consequences.
Your reputation took years to build. The content that represents your firm to the market should be produced by people who understand what that reputation is worth – and what it takes to protect it.