Resource Hub
Insights
Last updated:
July 17, 2026
Share Article:

Financial Promotion Audit Trails: What the FCA Expects and What Most Teams Actually Have

A blurry image of office workers with the title of this blog in bold on top - "AI in Compliance Review: Signal vs Hype"

"Orderly records" is a phrase in SYSC 9.1R that's easy to read and much harder to operationalise. Most compliance teams believe they have an audit trail. Then the FCA, an acquirer, or an internal audit pulls on the thread, and the trail turns out to live across email, Slack, document tools, and whichever workflow system was most recently adopted. Each of those has different retention rules and different ideas about what an "approval" is.

This is the operational view. What a defensible audit trail actually looks like under Consumer Duty and FG24/1, why most stitched-together stacks fail at the point of inspection, and how to close the gap without ripping out the whole toolchain.

Persona pain: the moment the stitching shows

The failure mode for Heads of Compliance isn't the day-to-day review cycle. It's the request that lands at 2pm on a Wednesday asking for the full approval chain on a specific promotion published three months ago. Internally, it looks like effort. Externally, it looks like a firm that can't evidence its own process.

Across several regulated marketing workflows, approvals are still being stitched together across email, Slack, document tools and workflow systems, making it harder to evidence what had actually been reviewed and approved. That fragmentation is the audit-trail gap in one sentence.

T6 · Audit, traceability and evidencing is the theme the FCA has moved toward. Mature firms close the feedback loop by treating every rejection as a data point, updating Training (People), Guidelines (Policy), or Automated Logic (Tech). That's how they meet the regulator's 'Reasonable Steps' standard.

What the FCA actually requires

SYSC 9.1R requires orderly records of the firm's business and internal organisation. For financial promotions under Consumer Duty and FG24/1, that translates to six operational requirements:

  • A unique promotion identifier linked to every version published.
  • An approval record per version: reviewer name, user ID, timestamp, decision and rationale.
  • Immutable version control — each iteration dated, attributed, and retrievable.
  • A retention period of at least five years (longer for some product lifecycles).
  • Evidence of the "reasonable steps" loop: how rejections updated training, policy, or tooling.
  • A readable chain of custody from creation through to publication, including distribution channel and audience segment.

The test isn't whether you could reconstruct the chain with enough time. It's whether the regulator can pull your records and follow the approval journey without having to ask a single follow-up question.

S7 · The key-person audit-trail failure

One live deal captured a pattern that should worry every single-reviewer compliance team. The firm had a sole advisory-grade compliance reviewer who handled second-line sampling across the business. End-to-end sampling cycle: three weeks. The reviewer's pending paternity leave was about to stall the sampling entirely.

The audit-trail problem wasn't the sampling itself. It was that the reviewer's judgement and context weren't captured in any system of record. When that reviewer steps away, institutional memory walks out with them. For Consumer Duty evidence, that's a governance failure. Key-person dependency is one of the quieter systemic risks in compliance.

Why most audit trails are fragmented

Enterprise franken-stacks are the rule, not the exception. One Tier-1 bank admitted that a 5-step approval process stitched across Jira and Confluence is 'not fit for purpose', lacking formal SLAs for campaigns of different complexities.

The five failure points recur:

  1. Email is the default approval system. Three chains later, 40% of the approval record lives in inboxes with no retention guarantee.
  2. Slack approvals feel formal but aren't. A thumbs-up emoji is not a signed-off approval, and threads can be deleted or edited without audit.
  3. Document tools track edits, not decisions. Google Docs shows Sarah edited the file. It doesn't show whether she was approving or proofreading.
  4. Workflow systems don't integrate upstream. By the time the formal system sees the promotion, the substantive approval has already happened somewhere else.
  5. Handoff metadata falls off at system boundaries. From the regulator's perspective, the part of the process where metadata was lost simply didn't happen.

A defensible audit trail: what to build

The shift isn't from "no audit trail" to "audit trail." It's from stitched evidence to a unified system of record. The building blocks below are the ones that survive contact with a real inspection.

  • Unique identifier per promotion, carried through every version and every downstream system.
  • System of record designation. Pick one platform that holds the approval ledger. Every reviewer action logs there — not in Slack, not in email, not in the doc.
  • Upstream integration or consolidation. Either configure the system of record to pull signed-off actions from upstream tools, or move reviewers earlier into the system of record.
  • Automated version logging. Every edit, comment, and decision is timestamped automatically. Don't rely on reviewers to remember.
  • Immutable ledger. Once a decision is recorded, it can be annotated but not overwritten.
  • Retention automation. Five-year minimum, with automated export paths for regulator or internal audit requests.

When the system delivers a single, complete, readable file on demand, the firm has passed the test the FCA is actually running.

What good looks like on a Wednesday at 2pm

The easiest way to stress-test an audit trail is to imagine the regulator or an acquirer sending one request: give us the full chain for promotion X, published on date Y, distributed through channel Z. A defensible stack should answer that request in minutes, not days, with a single export.

From the evidence across regulated marketing teams, the firms that can do this share a handful of traits:

  • Every promotion is assigned a unique identifier at the point of intake, carried through every downstream system, and never reassigned.
  • Reviewer actions, including the rationale for a rejection, are captured as structured fields rather than free-form comments, so the audit export is readable by a non-specialist.
  • Near-misses and second-reviewer overrides are logged with the same rigour as approvals. The "Reasonable Steps" standard expects the firm to learn from what almost went out, not just what did.
  • Retention is automated. A deletion cannot happen inside the window, and an archive export can be produced without a ticket to IT.
  • Integrations are read-only wherever possible. Upstream tools feed the ledger, but the ledger itself cannot be edited from outside the platform that owns it.

The difference between the firms that clear this in a morning and the firms that spend a fortnight in a war room usually comes down to whether the ledger was designed as a system output or retrofitted from a project-management tool.

Quotes that belong in the record

Two operational truths surface repeatedly in deal evidence. One compliance lead at a regulated investor platform described "a verified audit trail for every change" as a non-negotiable for investor-facing communications. A Tier-1 compliance function described the baseline the same way: "see date, amendments, reviewer… total auditing".

Both describe the same requirement: a log that is a system output, not a team discipline.

Objection · "We're building a custom GPT for this internally"

This is the most common build-vs-buy conversation we see in audit-trail work. The appeal is obvious. An internal LLM that summarises the approval chain, flags inconsistencies, and answers regulator questions in natural language sounds like a complete solution on the slide.

The failure mode is less obvious. Custom GPTs fall over on audit-trail integrity, record-keeping under retention requirements, and dynamic regulatory updating. The model doesn't know when the FCA has sent a "Dear CEO" letter. It doesn't version-control its own outputs. And the conversation log is not, by itself, a compliant evidencing system.

Deploy a purpose-built system that has already been tested head-to-head against internal builds. The audit-trail layer is where internal builds most reliably fall over.

FAQ

Can email be our system of record? Technically yes. In practice, no. Emails can be deleted, forwarded out of context, and there's no reliable way to show a specific reviewer saw the final published version. Most firms would not bet the case on the regulator accepting an approximation.

How long do we need to keep records? SYSC retention is at least five years from publication. Some firms keep longer depending on product lifecycle and litigation exposure. Automate the retention; don't rely on folder discipline.

Does a Slack approval count? Not reliably. A reaction emoji is not an auditable approval, and Slack's retention settings are firm-controlled and editable. Route formal sign-off into the system designed to track it.

What happens if we can't produce records the FCA asks for? The regulator's working assumption becomes that the approval did not happen to the required standard. Fragmentation under regulatory pressure is indistinguishable from weak governance from the outside.

Does a dedicated compliance platform replace our existing tools? No. It becomes the system of record that the existing tools feed into. Reviewers can keep working where they work, provided every formal decision is logged in the ledger with the metadata the regulator expects.

Contents
Book a product tour with our Co-Founder, Doni

Once you're booked in, we'll send you a free playbook on Financial promotions compliance for FinTechs.