Fit and Proper Persons Regulation Healthcare: Regulation 5 and 19 Compliance Guide

Fit and proper persons checks fail when they happen once and get filed

Most healthcare organisations treat the Fit and Proper Persons Requirement as a recruitment checkpoint. A director joins, the checks run, the paperwork goes into a folder, and the folder stays shut until the next CQC assessment. The problem is that fitness can change. A director's financial standing, conduct record, or regulatory status can shift at any point during their tenure. A check completed in 2024 says nothing about 2026.

This gap between initial assurance and ongoing monitoring is precisely what the Kark Review identified in 2019 when it concluded that the Fit and Proper Person Test was "not fit for purpose" (Kark Review, 2019). Seven years later, most providers still operate the same way.

For compliance leads and governance directors, the operational question is straightforward: can you demonstrate, right now, that every individual subject to Regulation 5 or Regulation 19 meets the fitness requirements? If the answer depends on opening a spreadsheet and manually checking dates, the answer is probably no.

What Regulation 5 and Regulation 19 actually require

The fit and proper persons regulation healthcare framework sits across two separate regulations under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, and they cover different populations with different requirements.

Regulation 5 applies to directors and equivalent roles. It requires that individuals holding director-level positions are of good character, have the necessary qualifications and competence, are physically and mentally fit to perform their role, and have not been responsible for or complicit in serious misconduct or mismanagement. Regulation 5 also includes specific disqualifying criteria: individuals listed on the children's or adults' barred list, those subject to undischarged bankruptcy, or those included on the insolvency register cannot hold these positions.

Regulation 19 applies to all employed staff. It requires that recruitment procedures are established and operated effectively to ensure that persons employed are fit for the work they are to perform. This covers identity verification, right to work, professional registration, criminal record checks, satisfactory references, and evidence of competence.

The practical distinction matters. Regulation 5 places ongoing obligations on the organisation to monitor directors continuously. Regulation 19 focuses on the point of recruitment but also requires that employment is conditional on satisfactory checks being maintained.

The Kark Review found the test was not working

Tom Kark KC was commissioned by the Secretary of State for Health and Social Care to review the Fit and Proper Person Test following a series of governance failures across NHS trusts. His report, published in February 2019, reached a blunt conclusion: the test was "not fit for purpose".

The review found several structural problems. There was no central database of directors who had been found unfit. Individuals removed from one trust could, and did, move to director positions at other trusts. CQC's enforcement powers were limited to action against the organisation, not the individual director. And the information available to boards making fitness decisions was often incomplete.

Kark made 22 recommendations. The central proposal was a national database, maintained by an independent body, recording fitness to serve decisions. He also recommended that CQC should have the power to remove individual directors, not just penalise the organisation.

The Parliamentary and Health Service Ombudsman has since conducted two investigations into CQC's regulation of FPPR (PHSO, 2021 and 2023). Both found that CQC's approach remained insufficient. Parliament has repeatedly urged implementation of the Kark recommendations.

CQC has no direct power over individual directors

This is the structural weakness at the centre of the fit and proper persons regulation healthcare framework. CQC can take regulatory action against a registered provider, but it cannot act directly against an individual director. If a trust employs a director who does not meet the fitness requirements, CQC's options are limited to issuing a warning notice to the organisation, imposing conditions on the registration, or, in the most serious cases, cancelling registration entirely.

The practical effect is that enforcement relies on organisations policing their own boards. A director found unfit at one trust faces no regulatory barrier to appointment at another, because no central register exists and CQC cannot impose a personal bar. The Kark Review's proposed database was intended to close this gap. As of April 2026, no such database is operational.

For compliance teams, this creates a specific burden: you cannot rely on the regulator to flag problems. Your own assurance processes are the primary line of defence.

NHS England's FPPT Framework changed the compliance expectation

In response to the Kark Review, NHS England developed the Fit and Proper Person Test Framework. This framework moved the compliance expectation beyond a point-in-time check at appointment.

The framework requires NHS bodies to carry out annual assessments of all board members against the fitness criteria. It introduced standardised assessment templates and guidance on what constitutes a thorough review. It also recommended that boards maintain a register of interests that is reviewed at least annually and that references are sought in a structured format that specifically addresses fitness to hold a director-level role.

For NHS trusts, the framework is mandatory. For independent sector providers, CQC has signalled that it expects equivalent rigour in how Regulation 5 obligations are met, even though the NHS England framework does not formally apply to them.

The shift in expectation is significant. Annual assessment, structured documentation, and proactive monitoring are now the baseline. A one-off check at appointment, filed and forgotten, does not meet it.

The difference between ticking the box and maintaining ongoing assurance

A compliance team that runs checks at appointment and reviews them annually is meeting the minimum expectation. A compliance team that maintains ongoing assurance is operating at a materially different standard.

Ongoing assurance means monitoring for changes between annual reviews. A director's DBS status, professional registration, insolvency record, or disqualification status can change at any point. A fitness assessment completed in January means little if a disqualifying event occurs in March and is not detected until the following January.

From the perspective of the individuals being checked, the process also matters. A board member who receives a clear, structured request to confirm their ongoing fitness, with specific documentation requirements and a defined timeline, experiences a professional governance process. A board member who receives a forwarded email asking them to "send over their DBS again when they get a chance" does not.

The operational indicators of genuine ongoing assurance include automated alerts when a monitored credential approaches expiry, daily or weekly checks against primary sources for professional registration and regulatory body status, documented audit trails showing when each check was performed and by whom, and group-level visibility for organisations operating across multiple sites.

FPPR compliance for multi-site and group providers

Organisations operating hospitals, clinics, or care services across multiple locations face a compounded version of the FPPR challenge. A director may sit on the board of a parent company while also holding governance responsibilities at individual registered locations. Regulation 5 applies at the level of the registered person, which means the compliance obligation attaches to each registration, not to the corporate group.

In practice, this means a group with ten registered locations may need to demonstrate Regulation 5 compliance for the same individual across ten separate CQC registrations. Without a centralised system, this typically results in duplicated checks, inconsistent documentation, and gaps where one site assumes another has completed the work.

CQC inspectors reviewing the Well-Led domain look for evidence that governance structures are effective across the organisation, not just at individual site level. A group that cannot demonstrate consistent FPPR compliance across all its registrations is exposed in exactly the area CQC is prioritising.

Building FPPR compliance that holds up under scrutiny

The compliance gap here has two dimensions. Detection: knowing when a director's fitness status changes between annual reviews. Documentation: maintaining an auditable record that proves ongoing monitoring, not just periodic checks. Solving both requires automation and centralisation, because the volume of checks and the frequency of change makes manual tracking unreliable at scale.

Credentially's platform is built around these requirements. Automated compliance checks run against primary sources on a continuous basis, covering professional registration, DBS status, and regulatory body standing. Expiry alerts flag upcoming renewals before they lapse. Every check, document, and decision is logged with a timestamped audit trail. For organisations operating across multiple sites, the platform provides group-level visibility with role-based access control, so governance leads can see compliance status across all locations from a single view.

The audit-ready reporting function generates CQC-aligned documentation that shows not just current status but the history of compliance for each individual. When an inspector asks to see evidence of ongoing Regulation 5 assurance for a specific director, the answer is available in seconds rather than hours.

What your compliance team should review this quarter

The gap between where most organisations are on FPPR and where the regulatory expectation sits is not closing. The Kark Review is now seven years old. Its core recommendations remain partially implemented at national level. CQC's enforcement powers over individual directors remain unchanged. The burden of assurance sits with providers.

Start with the annual assessment process. Does the organisation have a documented, repeatable procedure for Regulation 5 assessments that covers all required fitness criteria? If so, does any monitoring occur between annual cycles to detect changes in DBS status, professional registration, insolvency, or disqualification? Finally, test the documentation itself: would the file for each board member and senior leader satisfy a CQC inspector reviewing the Well-Led domain today, without advance preparation?

Credentially publishes a FPPR compliance checklist covering the full scope of Regulation 5 and Regulation 19 requirements, mapped to current CQC expectations and the NHS England FPPT Framework. It is a practical starting point for any compliance team looking to close the gap between checkbox compliance and genuine ongoing assurance.