New U.K. regulatory landscape: enforcement and supervision shift
Published Date
Feb 6 2025
This article examines the latest trends in U.K. regulatory enforcement and supervisory action and highlights the key takeaways for firms in 2025 and beyond.

Over the past 18 months, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have undergone significant shifts in their enforcement strategies. The total number of enforcement cases initiated by the FCA has dropped to levels not seen since 2016, with several long-running cases either being discontinued or expedited to public resolution. However, this reduction in enforcement activity has been more than compensated for by both regulators taking a significantly more assertive approach to supervisory action, which often yields swifter and, in some instances, more impactful results for firms. The frequency of assertive supervisory action, such as voluntary and own-initiative requirements, attestations by Senior Managers and skilled person reviews, has increased considerably.

But it is unlikely that we have seen the last of changes in this area. The FCA is in the midst of the second phase of its consultation on proposals to publicize enforcement investigations into firms and seems determined to continue advancing enforcement investigations with increased speed, all while continuing to make more assertive use of its supervisory tools. Meanwhile, in 2024, the PRA introduced an early account scheme for firms and now has a new policy for calculating fines for firms, which is anticipated to result in higher fines.

This article looks at some of the key trends in FCA and PRA enforcement and supervision from 2024 and looks more closely at developments in the areas of financial crime, governance, culture and individual accountability, consumer protection, operational resilience and cyber resilience.

Enforcement and interventions insights from 2024

In 2024 observers started to see the effects of the FCA’s and the PRA’s revised approaches to enforcement and how they intend to deter, investigate and punish wrongdoing. This included the quantity, focus and speed of enforcement investigations, as well as greater use of other tools to tackle issues.

FCA enforcement appetite and fines

In 2024, the FCA took enforcement action resulting in fines totaling just over GBP176 million and spread across 26 cases: 12 involving firms and 14 involving individuals. Compared to 2023, this represents a 117% increase in the number of cases resulting in fines and a significant increase of 230% in the total value of fines imposed.

In a notable shift in strategy under its current Directors of Enforcement and Market Oversight, the FCA has decelerated the pace at which it initiates new investigations. During the first six months of 2024/25, the FCA opened only 14 new cases and closed 60 cases: a 58% increase in closures compared to the same period in 2023/24. Towards the end of 2024, the FCA’s overall caseload had decreased to 447, the lowest number since 2016.

The FCA continues to focus most of its enforcement efforts on core areas of focus that are consistent with its overall regulatory agenda:

  • Unauthorized business.
  • Insider dealing.
  • Retail conduct.
  • Wholesale conduct.

Cases that focus on these areas represent approximately 80% of the FCA’s current caseload. However, there are signs of new areas of focus. For example, in 2024, the FCA took action against two audit firms and it has confirmed that it has one ongoing investigation into a firm relating to environmental issues (see “Root causes of enforcement action”).

Root causes of enforcement action

Both the FCA and the PRA continue to take enforcement action in relation to a very broad range of topics, the most popular being consumer protection. However, behind these topics sit several of the same root causes. Some of the most common root causes of enforcement action against firms since 2023 are set out below.

Management information

Information about a business or function that is used by decision makers must be fit for purpose. More than half of enforcement action taken against firms in 2023 and 2024 involved criticisms of firms’ production or use of management information or identified data quality issues that affected the effective oversight of a business or function. These issues typically revolve around three key considerations: the purpose of the management information, how it is produced, including the quality of data inputs, and how it is used.

Remediation

Failings relating to remediation are another recurring root cause of enforcement action. The FCA and the PRA expect that remediation should be conducted thoroughly, proactively and on a timely basis. In addition, firms must ensure that remediation that is focused on a particular issue or part of a business is read across to other parts of the business where a similar issue could arise. These key concepts underline several specific failings identified by the FCA and the PRA in recent enforcement cases; for example, incomplete or poor remediation of known issues leading to repeated or similar issues in other areas, unacceptable delays in remediation exercises being commenced or completed, or inadequate resourcing.

Escalation

If information and decisions do not flow to the right people at the right time, firms and their Senior Managers are unlikely to be aware of key risks, preventing them from taking mitigating action to address them on a timely basis, or at all. Where key governance mechanisms are undermined, or bypassed entirely, this can result in escalation failures or delays. Enforcement action taken by the PRA against a Senior Manager in 2024 illustrated this risk as, in that case, decisions that had been reserved for a firm’s board were instead taken individually by the Chief Executive. Firms with matrix management and reporting structures can face additional challenges and must be alive to the potential for key executives to be cut out of information flows and decision making.

Escalation failures of this nature contribute to the late reporting of issues to regulators and are often cited as an aggravating factor when regulators come to calculate the appropriate penalty to impose on a defaulting firm.

Risks relating to escalation are particularly acute in times of stress or crisis, during which the risk increases that individuals or teams will not follow documented governance procedures and escalation routes. However, these situations can also provide a good stress test of a firm’s escalation framework. It is often in times of crisis that a firm will discover, practically, how information flows and decisions are made when it matters most.

Resourcing

Firms and their Senior Managers must ensure that a business or function is adequately resourced, both in terms of headcount and capability or expertise. Several enforcement actions that were concluded in 2024 highlighted the risks of failing to maintain appropriate expertise, particularly in risk and compliance functions. In some cases, the lack of expertise was temporary and in others it persisted for years but, in both cases, the absence of necessary expertise contributed to significant firm failings and, in most cases, delayed remediation.

While resourcing issues have been identified for all kinds of firms, both regulators are especially concerned with this issue in the context of small firms that experience rapid growth, where the control environment often lacks investment and cannot keep pace with the firm’s rapid growth.

Resourcing must be considered not only for business as usual but also for times of operational stress. The impact of the Russian invasion of Ukraine and the sanctions issued in response is an example of an operational stress that affected whole sectors. FCA feedback in September 2023 highlighted that the scale of sanctions took a number of firms by surprise, resulting in significant backlogs. These events have a clear read-across to operational resilience planning, especially for consumer-facing firms.

Accelerated FCA investigations

The FCA has long faced criticism for the time it takes to complete investigations. However, in 2024, it announced several regulatory investigations and one criminal prosecution that it was able to complete in under 16 months, marking a 62% reduction from the average duration of 42 months.

Expedited investigations are likely to have many benefits. The FCA can disseminate information on specific issues arising from enforcement cases more quickly and individuals involved face shorter periods of regulatory uncertainty. However, accelerated timelines also present challenges. Firms have tighter deadlines to respond to information requirements and less time to prepare individuals for interviews. In addition, compressed timelines may curtail the extent and depth of investigative work carried out by the FCA, potentially affecting the scope and detail of the public findings that the FCA can ultimately present.

FCA plans to publicize investigations

In early 2024, the FCA unveiled proposals to publicize investigations into firms. The consultation on these proposals attracted an exceptionally high number of responses and significant public scrutiny. In response, the FCA published a second set of revised proposals in November 2024. While the FCA remains intent on increasing transparency in relation to its investigations, it now also plans to introduce additional safeguards. These include providing firms with more notice of proposed publicity, as well as considering the likely impact of publicity on a firm and market stability. The FCA intends to finalize its plans in the first quarter of 2025.

PRA enforcement appetite and fines

While the PRA has issued fewer fines than the FCA, the value of these fines has increased considerably in recent years. In 2024, the PRA imposed fines amounting to just over GBP90m, largely due to two significant fines of GBP57.4m and GBP33.9m. This trend of imposing larger fines has driven the PRA’s average fine imposed on firms to GBP59.9m over the past couple of years, a figure that significantly exceeds the average fine imposed by the FCA during the same period.

The PRA continues to conduct significantly fewer investigations compared to the FCA, consistent with its different process and policy for deciding when to investigate firms and individuals. As of October 2024, the PRA had only eight active investigations, with two involving firms and six involving individuals.

In early 2024, the PRA implemented a new framework for calculating the fines that it imposes on firms. This new framework uses the prudential category of a firm and the seriousness of its breaches as the starting point for calculating a fine, which is likely to result in the PRA being able to impose significantly higher fines compared to its previous policy. At the same time, the PRA rolled out its early account scheme, which provides a formal route for firms in certain circumstances to make early factual admissions in return for potentially larger discounts on any fines that may be imposed. As these initiatives are still in their infancy, it is anticipated that public outcomes involving them may not materialize until late 2025 or even 2026.

Revised FCA proposals to publicize investigations

The FCA remains committed to its proposals to name firms under enforcement investigation but in its “Part 2” consultation on the matter it made some significant adjustments to the proposals first announced in February 2024.

Extended notice period

The FCA plans to give firms ten business days’ notice that it is proposing to announce an investigation, followed by an additional two days’ notice if the FCA decides to announce. This marks a material increase to the originally proposed one-day notice, affording firms more time to prepare representations about why the FCA should not announce its investigation and to decide whether to pre-emptively disclose the investigation themselves.

Consideration of impact on a firm

The FCA proposes to apply a public interest test to decide whether publicizing the fact of an investigation would be in the public interest. In the first of two changes to that test, the FCA will now consider the impact that publicizing an investigation would have on the firm concerned.

Public confidence

In the second change to the FCA’s proposed public interest test, the FCA will now assess whether its announcement could seriously disrupt public confidence in the financial system or the market.

No retrospective effect

Initially, the FCA indicated that it would publicize investigations that are ongoing when the proposals come into effect. However, it has now clarified that it will not proactively announce these cases. Nevertheless, the FCA has left the door open on this point, noting that it “may reactively confirm ongoing investigations that are already in the public domain, where this confirmation is in the public interest”.

The Part 2 consultation will close on February 17, 2025 and a decision on the proposals is expected from the FCA’s Board during Q1 2025.

Marked increase in skilled person reviews

The FCA’s current agenda is as much about using its supervision tools as it is about using more traditional enforcement tools. Skilled person reviews remain a significant component of the FCA’s supervisory agenda and have increased by 124% in the last three years. The appointment of a skilled person is often an indication of regulatory concern, which is reflected in the fact that, since 2023, 59% of enforcement action taken by the FCA and the PRA against firms involved a skilled person review.

Both regulators have discretion to require firms to appoint a skilled person or to appoint a skilled person directly. Direct appointment by the regulator is usually reserved for more serious cases or where trust with the firm in question has been eroded. However, the frequency of direct appointments by the FCA appears to be increasing, with 20% of skilled person appointments in 2023/24 having been made directly. This is more than double the historic norm.

Despite the significant increase in the number of skilled person reviews commissioned by the FCA, the aggregate cost of these reviews has remained relatively stable. While larger and more costly skilled person reviews persist, this change suggests that the FCA may be increasingly directing smaller firms to appoint skilled persons and that reviews may be more narrowly focused in scope than was previously the case.

Most skilled person reviews commissioned by the FCA are focused on retail banking, lending and investment services, which reflects its continued focus on tackling consumer harm. The subjects of these reviews are varied, with the most popular topics being controls and risk management, financial crime and conduct of business. Notably, governance and individual accountability issues accounted for only 19% and 5% of skilled person reviews conducted by the PRA and FCA, respectively, in 2023/24, despite these issues often being significant drivers of failures that can lead to enforcement action being taken against firms (see “Lessons learned from attestations”).

Rising numbers of early interventions

The FCA’s commitment to making full use of its intervention tools remains undiminished. The most common form of intervention used is the agreement of voluntary requirements, commonly known as VREQs. Over the last four years, the number of VREQs agreed between the FCA and firms has increased very significantly, by 486%. This increase is the result of a significant strategic repositioning by the FCA and is underpinned by more integrated ways of working between the FCA’s supervisory and enforcement teams, as well as more streamlined internal governance that controls how the FCA can exercise these statutory powers.

There is now a strong presumption towards the publication of VREQs on the FCA Register. In the three-year period running from financial year 2021/22 to 2023/24, the FCA has published 87% of VREQs agreed, compared with only 29% of VREQs agreed in 2019/20. Nonetheless, the FCA retains discretion as to whether to publish VREQs and can sometimes be persuaded not to publish them where it would be unduly detrimental to the firm or would otherwise not support the FCA’s statutory objectives.

The FCA frequently employs VREQs as an intervention mechanism when it identifies an imminent financial crime risk that necessitates urgent attention. This approach can sometimes be a precursor to other measures, such as requiring the appointment of a skilled person or initiating a formal enforcement investigation. In 2024, the FCA took enforcement action against two firms for breaching the terms of VREQs that they had agreed to, which were aimed at mitigating risks associated with identified deficiencies in their financial crime control frameworks.

Lessons learned from attestations

Attestations are an important component of the regulators’ accountability toolkit. An attestation is a request from a regulator, such as the FCA, to a named senior individual at an authorized firm that they personally attest that the firm will take, or has taken, an action that the regulator requires.

The number of attestations required by the FCA has been steadily increasing in recent years, but between 2022/23 and 2023/24, there was an increase of 85% in the number of attestations requested.

Attestations are a popular tool for regulators because they focus individual accountability on specific deliverables and reduce the need for direct, ongoing, regulatory involvement. Given the formal status that attestations have and the high stakes for individuals if they transpire to be inaccurate, it is essential that individuals who provide attestations verify the matters that they are asked to attest to.

Lessons can be learnt from recent enforcement action that has touched on attestations. In particular, firms and the attestor must:

  • Be clear on exactly what is being attested to and have confidence that what is being requested can actually be delivered in the terms agreed. This point needs to be established at the outset.
  • Take steps to ensure that there is a well-designed and thorough program of work to deliver the attestation required, with clearly defined governance, roles and responsibilities, to ensure clarity about how the attestation and the work to support it will be delivered and what reliance is being placed on other individuals within the firm.
  • Produce and maintain robust records to demonstrate the basis on which an attestation has been given, particularly the verification or assurance exercise that has been completed before the Senior Manager provided the attestation. The regulators may request sight of these underlying records at some point in the future, even if the matters being attested to are delivered successfully.

Data-led supervisory activities

The FCA’s approach to data-led supervision is starting to become clearer, with proactive data-led information requirements forming an important part of its more assertive approach. The FCA has invested in its dedicated data teams and is adopting a more integrated approach to data in relevant supervisory teams. The staffing of the FCA’s Data Technology and Innovation team increased by approximately 31% between 2022/23 and 2023/24. Part of this investment is intended to enable the FCA to better analyze the data that is already available, such as data reported to it or data collected through web-scraping. The FCA also continues to invest in its data analytics capabilities for market monitoring and countering market abuse.

Since the end of 2023 the FCA has increasingly used targeted data requests, often at short notice, to enable a deeper dive into areas where it perceives an increased risk of harm. Areas where the FCA has adopted this approach include non-financial misconduct, general insurance value, provision of banking services, de-banking, treatment of politically exposed persons and on-going advice charges.

The manner in which firms respond to these requests carries enforcement risk. A firm’s response may prompt the FCA to use its early intervention powers or to commission a skilled person review. This can occur either due to concerns about the data provided by a firm or because a firm has difficulty providing the data requested on a timely basis or at all. These issues may cause the FCA to be concerned about a firm’s systems and controls, ability to effectively oversee its business or its governance arrangements and to investigate the perceived risks in more detail.

Financial crime

The frequency of financial crime investigations and formal enforcement outcomes is in decline, but this belies the level of enforcement risk in this area of financial regulation.

Enforcement and interventions

The number of financial crime enforcement outcomes against firms has decreased significantly over the last two years, as has the average fine value, which fell from GBP20m in 2022 and GBP24m in 2023 to GBP16m in 2024. Across 2023 and 2024, the FCA took action against seven firms in connection with financial crime issues. This represents a 36% decrease compared with the prior two-year period.

This trend is likely to change tack soon. Higher levels of financial crime enforcement outcomes tend to follow periods when the FCA has commissioned higher numbers of skilled person reviews into financial crime-related matters. The number of skilled person reviews commissioned into potential financial crime-related issues increased by 130% between 2022/23 and 2023/24, which suggests that an increase in related FCA enforcement outcomes is on the horizon (see “Financial crime horizon scanning”).

Notwithstanding a drop in formal enforcement outcomes, financial crime issues have been attracting attention from the FCA’s early interventions team. There is a strong connection between the implementation of VREQs and financial crime weaknesses. In fact, two-thirds of the financial crime enforcement cases that were concluded in 2024 featured firms that had agreed VREQs with the FCA.

Financial crime horizon scanning

Reducing financial crime remains a priority for the FCA with the following issues attracting particular scrutiny:

Money laundering

The FCA has dedicated significant resources to preventing firms with inadequate anti-money laundering controls from entering the regulated sector. Enhanced collaboration between supervisory and enforcement teams at the FCA is likely to result in earlier, proactive identification of issues at more established firms, resulting in more frequent regulatory intervention.

Fraud

Thematic work conducted by the FCA in 2023 identified a number of common weaknesses in relation to firms’ controls, governance and customer treatment, and new reimbursement requirements now apply in relation to authorized push payment fraud. Both of these require firms to balance their Consumer Duty and their financial crime obligations.

Sanctions

In October 2024, the FCA imposed a fine of almost GBP29m against a challenger bank for failures relating to its sanctions systems and controls. Perceived weaknesses in firms’ sanctions controls are often first addressed with FCA early-intervention tools. Failure to properly implement these is very likely to result in enforcement action.

De-banking

Firms will need to take account of the findings of the FCA’s 2023 thematic work on de-banking and of its review of the treatment of domestic politically exposed persons. The FCA considers that banks, payment firms and lenders need to do more to ensure that people running for office or taking senior public roles or their families are not disadvantaged.

Root causes of financial crime failings

Four issues appear in 80% of financial crime final notices issued by the FCA since 2023:

  • Failure to have, or to appropriately implement, appropriate policies and procedures.
  • Inadequate financial crime risk assessments at a customer, business or firm level.
  • Failing to conduct adequate customer due diligence or enhanced due diligence.
  • Transaction monitoring failings.

Even the most sophisticated firms struggle to effectively implement some of these safeguards. Consequently, they are likely to continue to be targeted through enforcement action.

Recent enforcement notices have also highlighted the importance of:

  • Ensuring that financial crime controls keep pace with the growth and evolution of a business.
  • Preparing adequate Money Laundering Reporting Officer reports that reflect a proper assessment of a firm’s anti-money laundering (AML) systems and controls and the weaknesses that have been identified.
  • Not relying on due diligence, analysis or processes carried out overseas that do not comply with U.K. legal and regulatory requirements.

Governance, culture and individual accountability

The enforcement landscape under the Senior Managers and Certification Regime (SMCR) remains modest but the FCA is maintaining its focus on non-financial misconduct and, in particular, how firms investigate and respond to incidents.

Enforcement action against Senior Managers

Nearly a decade after the SMCR came into force, enforcement action has been taken by the PRA against only two Senior Managers for failing to take reasonable steps. While these cases involved very different facts, they underscored the importance of establishing and adhering to proper governance arrangements both in relation to routine business activities and significant ad hoc initiatives.

The FCA has taken enforcement action against more Senior Managers, although this action has largely been prompted by personal as opposed to business misconduct by Senior Managers. In addition, some of this enforcement action has arisen from instances where Senior Managers have failed to disclose issues that they should have reported to their firms and, in some cases, the FCA.

The pipeline for enforcement action against Senior Managers remains modest. As at late 2024, the FCA had 29 Senior Managers under investigation, while the PRA had only six Senior Managers and certified persons combined under investigation. These figures represent an incredibly small proportion of Senior Managers operating in the U.K. financial services industry today.

Nevertheless, regulatory enforcement action against Senior Managers and other individuals represents only the tip of a much larger iceberg. The SMCR brought with it significantly increased expectations for firms to hold their employees to account when things go wrong. This includes the use of internal individual accountability reviews that may lead to:

  • Disciplinary proceedings.
  • Decisions that an employee has breached the regulators’ code of conduct.
  • Assessments of fitness and propriety.
  • Adjustments to variable remuneration.

Broader criticisms of senior management

While enforcement action against Senior Managers remains sparse, the FCA and the PRA do not shy away from criticizing senior management generally when they take enforcement action against firms. For example, in 82% of enforcement action taken against firms since 2023, the regulators identified failures by senior management to adequately oversee the business or function for which they were responsible. In enforcement action against firms during the same period, the regulators also identified inadequate governance arrangements (65%) and ineffective boards or committees (53%).

Unclear allocation or recording of responsibilities among senior management was an issue identified in 35% of enforcement action taken against firms since 2023. In one case, this finding led to the PRA finding that a bank had breached PRA Fundamental Rule 6 in relation to its implementation of SMCR, as the bank had failed to expressly allocate responsibility for a specific process relating to deposit protection requirements to a Senior Manager. Testing how well firms have allocated roles and responsibilities among their Senior Managers is an important part of the FCA’s and PRA’s supervisory work and there is mounting concern that firms are not consistently meeting expectations in relation to the clarity and detail of their SMCR arrangements and supporting documents.

Non-financial misconduct

In November 2024, the FCA published the findings from its survey about the prevalence and management of non-financial misconduct incidents. The survey found that the number of reported non-financial misconduct incidents increased by 72% across all firms surveyed between 2021 and 2023, with the most common types of non-financial misconduct reported being bullying and harassment (23%), discrimination (19%) and sexual harassment (12%). It also revealed that it was very rare for a firm not to investigate allegations of non-financial misconduct, but that 35% of allegations were not upheld after investigation.

Moving into 2025, the financial services industry continues to await the feedback from the FCA and the PRA on their long-awaited diversity and inclusion proposals, which were published over a year ago, in September 2023.

The FCA is set to finalize its new guidance on non-financial misconduct early in 2025, which will provide helpful clarification about how this type of conduct should be assessed, how it interacts with other matters such as regulatory character and code of conduct assessments, and how these types of conduct should be reflected in regulatory references. The regulators' feedback on their broader proposals, which primarily concentrated on data collection and submission, is expected to be delivered later in 2025.

Consumer protection

Eighteen months after it introduced the Consumer Duty, the FCA maintains its focus on consumer protection issues, particularly in relation to vulnerable customers.

Enforcement action and appetite

There has been no shortage of enforcement action taken by the FCA in relation to consumer protection issues, which has resulted in the FCA imposing GBP28m in fines on firms in the last two years. The enforcement landscape in this area has been dominated by enforcement action relating to defined benefit pension transfer advice, notably involving the British Steel Pension Scheme, which accounts for approximately 75% of the consumer protection enforcement action taken by the FCA over the last couple of years. However, with the majority of these cases now resolved, the FCA’s focus is shifting towards other consumer protection issues, particularly the treatment of vulnerable customers.

The future looks like it holds a full pipeline of consumer protection cases. Approximately 18% of the FCA’s current enforcement caseload comprises investigations into consumer protection issues and 76% of the skilled person reviews commissioned by the FCA in 2023/24 related to firms that offered services to retail consumers.

It is rare to see an FCA policy initiative, document or a speech that touches on consumer issues but does not also mention the Consumer Duty. For example, the Dear CEO letter sent to payments firms in October 2024 about the new authorized push payment (APP) fraud rules focused heavily on how firms had assured themselves that their approaches to those new rules were compatible with their obligations under the Consumer Duty.

Focus on consumer redress

Ensuring that firms make redress payments to consumers who suffer harm remains a priority for the FCA (see “Enforcement risks around the Consumer Duty”). Alongside the fines imposed on firms for consumer issues, those firms also paid out more than GBP789m in redress to consumers. In addition, the FCA used its powers to secure redress for consumers through a scheme of arrangement and secured voluntary contributions towards redress for consumers from two parent companies of U.K. regulated firms that were the subject of FCA enforcement action.

However, the FCA also saw its powers to require firms to pay redress tested in 2024, when an asset manager challenged the FCA’s decision to require it to pay significant redress to investors using the FCA’s statutory own-initiative powers. The Court of Appeal confirmed that the FCA could use its own-initiative powers in this way, even where the criteria for a formal statutory redress scheme (loss, breach of duty, causation and actionability) are not satisfied. The FCA regards this decision as a significant victory for its ability to continue using its statutory powers to impose single-firm redress schemes.

Enforcement risks around the Consumer Duty

Before long, the FCA will start to take enforcement action against firms for breaching the requirements of the Consumer Duty, which started coming into force in July 2023. Those requirements include Principle 12 of the FCA’s Principles for Businesses, which requires firms to deliver good outcomes for retail consumers. The FCA has said that its three cross-cutting rules (acting in good faith, avoiding causing foreseeable harm, and enabling and supporting retail customers to pursue their financial objectives) exhaust what is required of firms under Principle 12. As a result, findings of breach of the Consumer Duty will focus on these cross-cutting rules. However, the FCA may still make broader findings under its other, more general, rules that are relevant to how firms comply with the Consumer Duty.

There are six key risks and sources of potential enforcement action associated with the Consumer Duty:

• Implementation. Firms should expect scrutiny over the next couple of years of the measures they took to implement the Consumer Duty.

• Future products, services and developments. The FCA will be interested in firms’ assessments of how new products and services meet the requirements of the Consumer Duty, and in how changes made by firms to comply with other regulatory developments have been implemented.

• Product distribution. Firms are required to conduct ongoing assessment, monitoring and management of their distribution chains, which will persist as a key risk area for many firms.

• Oversight. As with scrutiny of individual accountability, senior management oversight will be examined closely.

• Culture. Regulators will focus on how firms have created and embedded cultures in which the interests of customers are central to the firm’s culture and purpose.

• Management information. Producing information that gives meaningful oversight of customer outcomes may prove more challenging in practice than expected.

[Image: Consumer Duty workflow]

Operational resilience

Operational resilience is an area of growing importance and increasing risk. Events including the July 2024 CrowdStrike outage have sharpened regulatory concern and focus.

By the end of March 2025, firms should have fully implemented the operational resilience chapter of SYSC in the FCA Handbook and, if applicable, the equivalent PRA rules. The regulators provided a relatively long transition period for these new rules and are unlikely to demonstrate leniency if a firm's implementation is found to be significantly lacking.

FCA feedback on firms’ preparations to comply with the new regime indicates that governance will be a particular focus. The FCA is concerned about the quality of the information some boards receive to enable them to make properly informed decisions about the firm’s current resilience position and what needs to be done to improve it. Where firms have already identified vulnerabilities, they should have made significant progress in addressing them. There is unlikely to be much latitude if a vulnerability that the firm had already identified remains unaddressed and a failure subsequently occurs.

Other developments on the horizon include the FCA’s and the PRA’s new requirements on critical third-party suppliers to the U.K. financial services sector, introduced under the Financial Services and Markets Act 2023. Firms with EU operations must also contend with the EU Digital Operational Resilience Act (DORA), comprising Regulation (EU) 2022/2554 and Directive (EU) 2022/2556, which has applied since January 2025.

At the end of 2024, the FCA, the Bank of England (BoE) and the PRA published a consultation on proposed reporting requirements for firms in relation to operational incidents and firms’ material third-party arrangements. The final rules are expected to be published in the second half of 2025 and will create an additional regulatory reporting risk for firms. This risk is exacerbated by the fact that the reports are likely to be scrutinized with hindsight, once the actual impact of an operational incident is known, rather than on the information available to the firm at the time it reported.

Cyber resilience

The FCA, the BoE and the PRA attach high importance to firms’ cyber security because disruptive events have the potential to impact financial stability, cause intolerable harm to consumers and other market participants, and disrupt market confidence. The FCA has recently taken enforcement action in this area and more action seems likely.

Common failings identified in the final notices of FCA enforcement action relating to operational and technology resilience issues include:

  • Inadequate governance of significant change programs or incidents.
  • Insufficient planning and testing.
  • Ineffective incident management or continuity planning.
  • Inadequate incident response training.
  • Failures in procedures for notifying affected customers.
  • Failure to address known IT vulnerabilities.
  • Inadequate consideration of the risks of holding data with third parties.

Some of these failings have also been highlighted in the annual CBEST threat-led penetration testing assessments conducted by the FCA, the BoE and the PRA. The thematic results of the last two assessments have been published in full, with an expectation that firms, Chief Information Officers and Chief Information Security Officers will have regard to the outcomes.

Firms should be prepared to engage with these issues in discussions with supervisors and should perform a gap analysis to ensure that similar vulnerabilities do not persist within their own businesses.

Not what but how

Perhaps the most interesting trend to track in FCA and PRA enforcement is not what is being investigated, but how it is being investigated. A deliberate shift to data-led enforcement, together with mounting pressure to reduce the time taken to investigate matters and take action appears to have finally bound the supervisory and enforcement functions of both regulators together. For firms, this makes the landscape more complex and requires more frequent and early engagement with enforcement risk.

This post is based on the article “New U.K. regulatory landscape: enforcement and supervision shift”, which first appeared in the January/February edition of PLC Magazine; a copy of the full article is available on the PLC Magazine website.
