FCA’s supervisory approach for firms - “doing the right thing”: what does that mean?

Who this blog is for

Board members, senior executives, compliance, and regulatory affairs teams of FCA-regulated firms.

At a glance

• The FCA’s five-year strategy and the increasing focus on its secondary competitiveness and growth objective (SCGO) are key elements of its evolving supervisory approach. The FCA has consistently indicated it intends to apply a less intensive supervisory approach to firms seeking to do the right thing.
• While 'doing the right thing' encompasses many aspects¹, our focus here will be on retail customers and the interplay with new initiatives such as Consumer Duty. It also plans to act faster and more assertively in areas where harm is the greatest² . Firms that understand and adapt to these two pillars of the current supervisory approach may benefit from reduced supervisory scrutiny.
• In addition, as part of its SCGO, the FCA is relaxing rules to grant retail access to higher risk investment products (e.g. Long-Term Asset Funds (LTAF) and Crypto Exchange Traded Notes (cETNs)), extend mortgages to higher-risk groups, and introduce new offerings such as Targeted Support (TS). These growth initiatives present firms with opportunities, provided they first build the necessary safeguards to protect their customers.
• Firms will need to reflect on what the current supervisory approach means for them, including how to allocate compliance resources effectively to manage conduct risk. This blog aims to explore a possible approach to how firms might adapt their processes, data frameworks, and monitoring capabilities to reflect this change. The analysis underpinning our approach is based on industry insights and FCA publications, with examples chosen to reflect the emerging areas of potential supervisory scrutiny.
• We are of the view that firms should prioritise the identification of areas with the highest potential for customer harm, access to granular customer outcomes and the implementation of a robust early warning system.
• Firms should also determine what it means to demonstrate that they are seeking to do the right thing for customers. In the absence of further clarification from the FCA, we believe the following would help firms achieve this: improving governance arrangements in decision-making processes that affect customer outcomes and being able to evaluate interventions they make promptly. These actions should help embed doing the right thing in firms’ business-as-usual operations.

1. Understanding the current FCA supervisory approach

Figure 1 provides a framework for firms as they adapt to the current FCA supervisory approach. The framework is built around two pillars:

• Pillar 1: anticipating a risk-based approach to supervision
  The FCA states it will concentrate its efforts on areas where the risk of consumer harm is greatest. Firms should be able to leverage both internal and external data sources to identify high-risk areas and develop a robust Early Warning System (EWS) to alert them of harm emerging.
• Pillar 2: demonstrate that the firm is seeking to do the right thing
  Firms that consistently demonstrate that they are doing the right thing should benefit from less intensive supervision. Firms should ensure decisions that affect customers are informed by high quality data (evidence-based) and that the decision-making process is underpinned by robust governance practices. Key actions include reviewing relevant decision-making processes, ensuring effective use of Lines 2 and 3 as well as independent assurance where relevant, and documenting the rationale for decisions.
  

Over the last few months, we have seen some supervisory activity that evidences the current approach. The FCA has been very active in launching specific reviews in areas where risk of harm could be high and acting on the findings by using its supervisory toolkit. For instance, the review of travel and home claims handling resulted in the FCA taking a range of actions against firms, including enforcement, business restrictions, commissioning section 166 reviews or requesting firms seek independent reviews and assurance from third parties.

In addition, the FCA is taking steps to rebalance its own approach to risk, introducing a new Risk Appetite Framework for use when developing future rules³. The FCA Board has indicated regulation should support informed risk-taking and highlighted the need for a cultural shift away from viewing risk solely as negative.

Firms that have always sought to comply with the rules might well be asking themselves how different the current FCA approach really is. Part of the answer to this is that over the years, the FCA has moved increasingly to an outcomes-based regime. This means that firms need to apply judgement to translate the rules into practice and deliver a positive outcome. The current approach to supervision will put that judgement to the test. Firms that can demonstrate being curious and proactive in forming that judgement and in identifying, monitoring and addressing issues as they emerge stand to benefit. A more passive approach of waiting to see where the FCA focuses next and remediating instead of preventing customer harm will result in ongoing scrutiny and the additional costs arising from regulatory restrictions and interventions.

Strengthen the supervisory relationship

A key element of navigating the supervisory approach is strengthening the relationship with supervisors. In line with Principle 11, firms are required to engage with regulators in an open and cooperative manner. However, effective communication extends beyond simply reporting issues. Senior Managers should be briefed on all relevant internal developments and anticipated areas of regulatory scrutiny, applying judgement as to the timing and nature of their supervisory communications, and taking special care when communicating action plans with a clear allocation of resources, timetable, and ownership.

Pillar 1: Anticipating a risk-based approach to supervision

1. Use of internal customer outcomes data

Granular customer outcomes data allows firms to identify customer groups that may be under increased risk of harm. For example, the discussion on the future of the mortgage market explores relaxing responsible lending rules to ease mortgage access for first-time buyers, the self-employed, or those with variable incomes⁴. Lenders intending to take advantage of the rule changes and serve this potentially higher-risk segment should ensure they are able to capture and analyse data across the lending lifecycle for these groups to prevent potential harm. Data examples include arrears rates, pre-lending assessment performance, or rate of uptake for budgeting tools. This would allow lenders to monitor the outcomes for this group of customers, comparing them against the outcomes of other groups and ensuring early detection of any adverse trends or issues requiring intervention/remediation.

Firms should also ensure they are able to interrogate data beyond the use of averages. As highlighted by the FCA, “group averages could disguise outliers or pockets of poor value”⁵. Even if a firm’s average complaint data trend remains relatively consistent, it is crucial to investigate whether there have been material changes in outcomes within specific customer groups. Many firms already assess outcomes for customers with vulnerable characteristics (VC). An additional step would be to use a range of metrics to identify new cohorts (using correlations and overlays) that might be under increased risk. Such an approach would facilitate a more agile and sensitive framework for risk identification. For example, the FCA has previously highlighted as best practice the example of a firm that identified how a disproportionate number of complaints related to deceased customer accounts, thus allowing them to identify the need for improvement in bereavement processes (when next of kin needed to access accounts following the death of a loved one)⁶. For more information on how firms can improve their treatment of VCs, please refer to our previous perspective.

2. Use of external sources

External sources include monitoring FCA communications, FCA and FOS datasets, consumer group actions, and cross-sector insights from FCA reviews. External data can be a rich source of insight to identify areas where risk of harm might be increasing. When combined with an analysis of firms’ internal customer outcomes data trends, they can become a powerful tool for anticipating risk before it crystallises into customer harm.
For example, the FCA recently published the final report on the Premium Finance (PF) Market Study with a clear intention to monitor outlier firms closely (PF firms with high APR agreements) and potentially approach them for a more targeted review, scrutinising whether their Fair Value Assessments (FVAs) are sufficiently robust. PF firms should consider reviewing and challenging the adequacy, completeness, and rigour of their FVAs, especially if they have agreements above 30% APR or find that an increasing proportion of their PF agreements is approaching 30% APR.

Moreover, FCA publications related to specific sectors can be a valuable source of cross-sector insights and might inform how firms can improve in their own sector. For example, in the FCA’s review of claims handling arrangements in home and travel insurance⁷, issues around outsourced claims handling often result in high volumes of complaints. While the findings related to home and travel insurance, firms should consider how they could be applicable to, for example, other insurance lines of business. Moreover, banks that outsource activities to third parties should also consider whether similar findings could also be relevant to them. For example, the current surge in fraud and scams⁸ is likely to translate into an increase in fraud support call volumes, making the quality of any outsourced support critical. Without robust oversight, outsourced arrangements related to fraud processes could result in customer harm through extended call waiting times or delayed fraud resolution.

3. Develop an early warning system (EWS)

Successful implementation of the data practices set out above provides a foundation for developing a robust EWS. Crucial to such a system is a firm’s ability to track a range of customer metrics paired with clear thresholds for investigation. Adopting a risk-based approach within an EWS would mean calibrating the thresholds to the potential for widespread or severe harm to customers. Firms may also consider AI-driven sentiment analysis to detect potential customer issues or gather feedback before issues escalate.

Additionally, the recent rise in credit card complaints⁹ should prompt firms to review the root cause of complaints data, filtering for characteristics such as newly onboarded customers or individuals with low financial literacy. The FCA is expected to conduct a review of consumer understanding in the credit card market in 2026¹⁰.

Pillar 2: demonstrate that you are seeking to do the right thing

1. Review governance over relevant decision-making processes

A range of decisions could affect customer outcomes. These are normally taken in very different fora, including product and pricing committees within Line 1, operational committees (such as those dealing with outsourcing and service level agreements), marketing and brand teams, risk management teams or strategic and board level committees. This means that some firms are taking decisions across the organisation that affect their customers without always considering or even recognising the full customer impact.

Firms need to ensure decisions that affect customer outcomes are taken with the “right people” (right expertise and seniority) around the table who can consider customer outcomes and provide appropriate challenge during the decision-making process. It is also crucial that firms make effective use of Line 2 and 3 teams as well as independent experts where necessary. For instance, the FCA highlighted that firms with formal governance bodies on VCs, comprising senior leaders, typically adopted a more effective approach to measuring and responding to VC outcomes¹¹.

The FCA is also concerned with how meetings are conducted to facilitate effective challenge, noting that remote attendees are often less active in participation¹². Meeting chairs should set an appropriate tone for inclusive participation, actively facilitating contributions from all attendees, but ensuring in particular that those who should provide the voice of the customer do so. Moreover, firms should keep appropriate records of how decisions were made and how they were subject to appropriate challenge at the time.

2. Evidenced-based decision-making

Firms should ensure that decisions that affect customer outcomes are anchored in evidence from internal or external data sources with sufficient granularity (see Pillar 1). Establishing a robust data foundation to identify potential customer harm can help firms integrate these insights into their decision-making process, ensuring that the right people receive the data necessary for any follow-up actions.

For example, a good practice to consider is assigning named owners to products or processes¹³, where movement in certain data indicators may trigger a re-assessment of the product, journey or process . For example, firms could assess the duration of the digital onboarding process for new credit card customers. Should this reveal customers are progressing too quickly, it might suggest a need to re-evaluate the clarity of messaging and information delivery points throughout the journey¹⁴.

When it comes to decisions that require significant judgement, a potential consideration is the improvement of available data sources for the firm. This might include commissioning research (internally or externally) from experts. Alternatively, some situations may need expert judgement or external assistance, where commercially possible. For example, contacting “gone away” customers is a recurring challenge for life insurers. As part of a risk-based approach, insurers should identify a policy threshold value where certain policies above the threshold require enhanced tracing activities or specialist third-party assistance¹⁵.

Firms often possess the data to identify potential customer harm, yet they sometimes fall just short of addressing it. For example, “wear and tear” definitions in home and storm cover insurance have been an area of customer misunderstanding¹⁶. Good practices highlighted in the FCA’s review¹⁷– such as consistent reviews of policy wordings and simple customer communications addressing commonly misunderstood terms – show how insurers can go the extra mile in improving customer understanding without significant resource investment. Central to this approach is the need for firms to be curious and proactive about customer outcomes data, continually assessing how they can further improve them while balancing resource constraints. Should firms decide not to take further steps in improving customer outcomes, they ought to discuss and document the rationale for this choice, incorporating the principles outlined in the governance section.

3. Evaluating actions

In the past two years, Duty implementation has led many firms to implement changes to processes and products to improve outcomes. However, some firms have not yet evaluated the effectiveness of these changes. For instance, some firms introduced appropriateness testing for customers before they invest with Exchange Traded Products (ETPs). However, these tests either did not cover ETP-specific risks or were so simple that they fell short of actually determining whether customers understood the complexity of the product¹⁸. To address this, firms should not only improve these tests, including scenario-based questions and an appropriate threshold to pass, but also require customers to retake the test periodically to ensure their knowledge is up to date, and provide educational materials for those who fail these tests.

Conclusion

The FCA has widely stated it will take a risk-based approach to supervision and will apply a less intensive approach to those demonstrating they are doing the right thing for their customers. Anticipating areas of customer harm (risk-based approach) requires firms to have access to internal and external data and be able to draw insights from the data to build a robust EWS and feed the insights into the right decision-making bodies across the organisation. Firms need to pay particular attention to how decisions are made and whether the decision-making process is effective. The next few months will see the development and implementation of significant regulatory change driven by the growth agenda. These new initiatives present firms with opportunities that will require implementation in a way that internalises the FCA’s new supervisory approach to ensure they manage conduct risk effectively and avoid costly remediation efforts further down the track.