Continuous Regulatory Assurance
for FCA-Regulated SMEs

HIMAYA helps regulated firms monitor control drift, evidence gaps, remediation ownership, and regulatory posture before audits, incidents, or board-level scrutiny expose the weakness.

See ATLAS Platform
THE PROBLEM

Most regulated firms
do not fail
because they lack tools.

They fail because control discipline breaks down between reviews - and no one is watching.

The problem is not that regulated firms have no controls. The problem is that controls decay quietly between reviews. HIMAYA exists to detect that decay before it becomes a breach, audit failure, FCA query or board-level crisis.
01

No Visibility

No live view of which controls are healthy, drifting, or failing. Governance runs on assumption, not evidence.

02

Fragmented Evidence

Proof spread across folders, emails, and tools. When scrutiny arrives, there is no coherent audit trail.

03

Unclear Ownership

No one clearly owns remediation or review actions. Issues are logged but never closed with accountability.

04

Reactive Governance

Audit prep happens under pressure. Continuous discipline is replaced by seasonal activity and scramble.

HIMAYA turns those weaknesses into a live, structured assurance system.

WHAT IS CONTROL DRIFT?

Controls decay quietly
between reviews.

Control drift happens when a firm's documented controls no longer match reality. MFA exceptions grow, access reviews become overdue, evidence goes missing, owners become unclear and remediation deadlines slip. On paper, the firm may still look controlled. In reality, its operating discipline is weakening.

166 cyber incidents reported to FCA in 2024 (source)

£28.96m Starling Bank fined for control failures (source)

Controls drift between annual reviews without continuous monitoring

DRIFT INDICATORWHAT HIMAYA DETECTS
Access reviews overdue

Quarterly review overdue - status turns amber then red. Owner notified automatically.

MFA exception growth

Exception count rising - risk posture score worsens. Escalation triggered at threshold.

Evidence missing

Control marked incomplete until screenshot, config export or policy version is uploaded.

Remediation overdue

Ticket has named owner but SLA breached - dashboard escalates to senior management.

Policy/control mismatch

Policy says one thing, evidence shows another. HIMAYA flags the gap and assigns resolution.

ATLAS PLATFORM

A live control environment
for regulated firms.

ATLAS is not a security dashboard. It is a Continuous Regulatory Posture Assurance System built around controls, evidence, ownership, remediation and defensibility.

Dashboard visuals are representative; final configuration depends on client scope and data sources.

See How ATLAS Detects Control Drift

Regulatory Posture

62/100

FCA: MediumICO: HighISO: 72%
Watch

Control Drift Alerts

3

Controls drifting now

  • Access review overdue
  • MFA exceptions rising
  • Restore test overdue

Last checked: 2 minutes ago

Evidence Status

82%

82% complete | 6 items missing

Last evidence update: 3 days ago

Remediation Owner

OM

Operations Manager

Sarah Mitchell

SLA: 7 days remaining

Escalation: Pending

SLA Deadlines

  • Critical: 0 overdue (Clear)
  • High: 2 due this week
  • Medium: 5 open
  • Low: 12 on track

19 tracked remediations

Monthly Report

Generate board pack: evidence snapshot, remediation list, drift summary.

Last generated: 14 Apr 2026

Evidence snapshot
Remediation list
Drift summary
Regulatory posture

WHAT HIMAYA DOES

Six services. One structured
assurance system.

Every HIMAYA service is designed to produce a clear assurance output: visibility, evidence, ownership, remediation tracking, or board-ready reporting.

Ongoing Visibility

ATLAS Regulatory Assurance

Tracks control status, drift, evidence, owners, SLA deadlines and regulatory exposure.

Real-time posture score
Control drift detection
Evidence coverage tracking
Regulator-mapped alignment
See How ATLAS Detects Control Drift
Strategic Oversight

vCISO Lite / Monthly Oversight

Monthly review, risk posture summary, action prioritisation and executive guidance.

Monthly posture review
Risk prioritisation
Executive summary report
Board-ready pack
View vCISO Lite UK Oversight
Behavioural Risk

Human Risk & Awareness Programme

Awareness tracking, phishing simulations, repeat-risk identification and escalation.

Phishing simulations
Repeat-risk behaviour tracking
GDPR & FCA awareness mapping
90-day KPI measurement
Explore Human Risk & Awareness Programme
Accountability

Remediation & SLA Tracking

Every issue gets severity, owner, deadline, escalation route and closure evidence.

Named owner assignment
SLA countdown tracking
Automatic escalation
Closure validation
View Remediation & SLA Tracking
Audit Readiness

Evidence Library

Stores screenshots, config exports, review logs, policies and closure evidence by control.

Timestamped evidence logs
Control-linked storage
Missing evidence alerts
Audit export ready
See Regulatory Evidence Management
Board Visibility

Board Reporting

Monthly and quarterly reports summarising posture, drift, remediation and evidence gaps.

Monthly Control Drift Report
Quarterly assurance pack
Non-technical format
Board-ready language
View Board-Level Regulatory Reporting
FREE RESOURCE

FCA-Regulated SME
Control Drift Checklist

Assess your own evidence, access reviews, MFA exceptions, backup testing, owner mapping and remediation deadlines. Free practical checklist. No obligation.

  • 20 control drift indicators to assess
  • Evidence readiness self-check
  • Owner mapping worksheet
  • Remediation deadline tracker

HIMAYA

FCA-Regulated SME Control Drift Checklist

Confidential
  • MFA exceptions reviewed and documented
  • Access review completed and evidenced
  • Backup restore test within 90 days
  • Remediation owner assigned for all issues
  • Evidence stored per control...

Download to see all 20 checks

WHO WE HELP

Built for regulated firms where control drift becomes regulatory exposure.

Initial focus: FCA-regulated SMEs with 10-100 employees, small compliance teams, MSP support and manual internal governance.

PRIMARY FOCUS

FCA-Regulated Financial Firms

Operational resilience requirements, SMCR personal accountability, and SYSC governance obligations mean control drift is not just a risk - it is personal exposure for senior managers.

Mortgage and credit brokers under Consumer Duty
Wealth management and advisory firms
Payment institutions and e-money firms
Investment firms with operational resilience obligations
Also SupportedFuture

SRA-Regulated Law Firms

Confidentiality obligations, client data handling, and evolving SRA cyber expectations require structured access and supplier governance.

SRA
Also Supported

Accounting Firms

ICAEW and ACCA oversight combined with sensitive client financial data demands documented data protection governance and access controls.

ICAEW / ACCA
Also Supported

UK GDPR-Sensitive SMEs

Any organisation under ICO enforcement risk - processing personal data without a documented data protection framework is direct regulatory exposure.

ICO / UK GDPR
Also SupportedFuture

ISO 27001 Aspirants

Firms pursuing certification need structured control implementation and evidence before engaging external auditors. HIMAYA builds the foundation.

ISO 27001

FRAMEWORK ALIGNMENT

FCA SYSCUK GDPR / ICOISO 27001Cyber EssentialsSRA (Future)

ENFORCEMENT LESSONS

FCA enforcement shows what weak control discipline can cost.

FCA enforcement actions repeatedly show the same operational pattern: controls are not tested properly, monitoring gaps persist, remediation is delayed, risk ownership is unclear, and firms struggle to evidence effective governance when challenged.

£6.47m

ADM Investor Services fine

£28.96m

Starling Bank fine

£16.675m

Metro Bank fine

ADM Investor Services International

£6.47m

FAILURE PATTERN

Inadequate AML systems and controls; FCA had raised concerns earlier; little evidence of adequate ongoing monitoring through periodic customer reviews.

HIMAYA LESSON

Control drift becomes dangerous when risk assessments, reviews, policies and remediation are not tracked continuously.

View FCA source

Sigma Broking Limited

£1.087m

FAILURE PATTERN

Failed to submit complete and accurate transaction reports for five years; 924,584 incorrect reports after independent review.

HIMAYA LESSON

A system can be running while the control is broken. Firms need ongoing validation, not assumptions.

View FCA source

Starling Bank

£28.96m

FAILURE PATTERN

Growth outpaced financial crime controls; opened over 54,000 accounts for high-risk customers despite a restriction being in place.

HIMAYA LESSON

As firms grow, controls drift unless governance and monitoring scale with the business.

View FCA source

Metro Bank

£16.675m

FAILURE PATTERN

Monitoring gaps affected over 60 million transactions worth over £51bn; concerns raised by junior staff did not lead to a proper fix.

HIMAYA LESSON

Controls need assurance that they are operating as intended; warning signs require escalation and evidence of action.

View FCA source

Equifax Ltd

£11.164m

FAILURE PATTERN

Failed to manage and monitor outsourced UK consumer data security; breach exposed millions of consumers to risk.

HIMAYA LESSON

Third-party risk and outsourced data still require governance, evidence and board accountability.

View FCA source
These examples are public FCA enforcement cases. They are not HIMAYA clients, and HIMAYA does not claim it would have prevented these outcomes. They are shown to highlight recurring governance, monitoring, evidence, and control issues.
Read FCA Enforcement Analysis

PACKAGES

Structured assurance.
Predictable investment.

Essential £750Regulated £1,250Assurance+ £1,850/ month from flexible by scope

Simple monthly tiers - pricing stays flexible because every firm's scope, footprint, and data sources differ. We confirm the right package on a fit call. For many regulated SMEs, HIMAYA provides structured oversight at a fraction of the cost of adding senior internal compliance headcount.

HIMAYA Essential

For regulated SMEs that need basic visibility.

From

£750

/month

Approx. £9,000/year

Includes

ATLAS core dashboard
Control drift visibility
Evidence library
Basic monthly summary
Basic framework mapping
Limited support

Light entry - no deep vCISO work, no heavy remediation.

MOST POPULAR

HIMAYA Regulated

Our main offer - most FCA-regulated SMEs should be guided here.

From

£1,250

/month

Approx. £15,000/year

Includes

ATLAS
Human Risk & Awareness Programme
Remediation / SLA tracking
Evidence status monitoring
Owner mapping
Quarterly assurance call
Monthly control drift summary

HIMAYA Assurance+

For firms that want serious board-level oversight - strategic, visible, and defensible.

From

£1,850

/month

Approx. £22,200/year

Includes

Everything in Regulated
vCISO Lite
Deeper governance support
Board packs
Monthly assurance review
Priority oversight
More strategic recommendations

Built for senior leaders who need board-ready oversight, assurance rhythm, and evidence-backed decision-making.

Essential £750Regulated £1,250Assurance+ £1,850 - indicative monthly from; final fees reflect scope and complexity. Confirmed on a fit call. No long-term lock-in for initial pilots where offered.

FREQUENTLY ASKED

Questions we hear from
regulated SMEs.

GET STARTED

See where your governance is
drifting before scrutiny forces
the question.

Book a 15-minute discovery call to see whether your current controls, evidence, and remediation discipline would stand up under regulatory pressure.

See ATLAS Platform
Flexible monthly packagesDemo response within 24 hoursFCA-regulated firm focusNo sensitive data via public forms

HIMAYA provides cybersecurity, governance, risk, compliance and operational assurance support. HIMAYA does not provide legal advice, regulatory representation, or guarantee regulatory outcomes.

Ask HIMAYA