Compliance Briefing — July 27, 2022

Executive briefing: The Financial Conduct Authority’s (FCA) Consumer Duty came into force on 27 July 2022 through Policy Statement PS22/9 and Finalised Guidance FG22/5, introducing an overarching Principle 12 and cross-cutting rules that require firms to act in good faith, avoid foreseeable harm, and enable customers to pursue their financial objectives.¹ The regulator set a board-approved implementation plan deadline of 31 October 2022, mandated open-product compliance from 31 July 2023, and extended the Duty to closed books by 31 July 2024, creating a multi-year change programme that touches product design, distribution, pricing, communications, data, and culture.¹ FCA supervisors have emphasised that firms must evidence – not merely assert – that they deliver good outcomes, meaning compliance and risk teams need to embed metrics, dashboards, and governance that surface consumer detriment early, remediate root causes, and demonstrate fair value across every product portfolio.²

The Duty applies to all firms with a material influence over retail customer outcomes, including manufacturers, distributors, and service providers spanning banking, insurance, investments, and consumer credit.¹ FCA guidance details expectations for target market clarity, distribution oversight, and end-to-end monitoring of customer journeys, including vulnerable customers.² Because the Duty interacts with the Senior Managers and Certification Regime (SM&CR), boards must allocate clear accountability for implementation and ongoing attestations, supported by Consumer Duty champions at the board level and cross-functional programme leads.³ Firms that outsource servicing or rely on third-party technology must align contractual obligations, data-sharing arrangements, and oversight routines to ensure delegated processes still deliver evidencable outcomes.

Implementation timeline and governance checkpoints

Policy Statement PS22/9 requires boards or governing bodies to sign off on a detailed implementation plan by 31 October 2022, including resource allocation, risk mitigation, and dependencies for open-book (live products and services) and closed-book (legacy) workstreams.¹ FCA Dear CEO letters and portfolio strategies reinforce that senior managers will be assessed on how they prioritise gaps, make timely investment decisions, and escalate issues when delivery milestones slip.³ Implementation plans should include a heat map of products and services, with high-risk segments – such as complex investments, vulnerable customer cohorts, or distribution chains with limited MI – flagged for accelerated remediation. Programme management offices need integrated change roadmaps that cover policy updates, systems enhancements, data sourcing, staff capability, and customer-facing communications.

After the October 2022 plan approval, firms must complete all necessary reviews and changes for open products by 30 April 2023 so they can share key implementation milestones with distributors.¹ Throughout 2023, supervisory engagement will test whether firms have re-baselined product governance committees, pricing governance, and fair value assessments to reflect Consumer Duty standards. Closed-book implementation requires mapping legacy products, understanding data availability gaps, and sequencing remediation to meet the 31 July 2024 deadline without disrupting ongoing servicing.² Boards should receive quarterly progress reports with red/amber/green status, resource utilisation, risk registers, and remediation outcomes, and must attest annually that the Duty is embedded.

Data, metrics, and evidence expectations

FG22/5 explains that firms must collect and interpret both quantitative and qualitative data to demonstrate that products and services are delivering good outcomes.² Expected metrics include: product performance versus customer needs, persistence and churn analysis, complaints and root cause trends, arrears and forbearance outcomes, call waiting times, digital drop-off rates, servicing response quality, and vulnerability flags. The FCA encourages firms to triangulate MI by combining transaction data, customer journey analytics, and sentiment from surveys or complaints to identify emerging detriment.² Where data gaps exist – for example, legacy platforms without granular fields – firms should develop data remediation plans with target dates, interim proxies, and documented limitations reviewed by risk committees.

To support proportionality, firms should segment MI by product line, distribution channel, customer demographic, and vulnerability status, applying thresholds that trigger investigation or remedial action.² Dashboards should highlight both positive outcomes and areas needing improvement, with commentary explaining trends, exceptions, and actions. Control functions must maintain auditable logs of MI reviews, challenge sessions, and decisions, ensuring that evidence can be provided quickly during supervisory reviews. The FCA expects firms to maintain MI retention policies aligned with record-keeping obligations and ensure that data used for Consumer Duty monitoring is accurate, timely, and sourced from governed systems.

Control design and assurance routines

Compliance teams should map Consumer Duty requirements into control libraries that span design (policies, standards), preventive controls (product approval gateways, pricing committee sign-off, marketing approvals), detective controls (outcome testing, first line quality assurance, complaints MI), and corrective controls (remediation programmes, customer redress playbooks).¹ Firms need to embed Consumer Duty checkpoints into product lifecycle governance: ideation, design, distribution, servicing, and exit. Fair value assessments must consider total cost of ownership, non-monetary costs (time, behavioural friction), and the relationship between price and benefits, with documented challenge by independent functions.²

Internal audit should conduct thematic reviews focused on Consumer Duty readiness, prioritising high-risk business areas, data governance, and MI reliability.³ Second line compliance monitoring plans must expand testing coverage to include outcome testing, vulnerable customer treatment, and the effectiveness of remedial actions. Third-party oversight frameworks should require distributors and outsourcers to provide MI demonstrating compliance with the Duty, supported by right-to-audit clauses and breach reporting protocols. Firms should update risk and control self-assessments (RCSAs) to include Consumer Duty risks, inherent/residual ratings, and action plans.

Operating model, culture, and training

The Consumer Duty demands cultural change alongside technical compliance. Boards need to articulate risk appetite for customer outcomes and embed it into incentive structures, performance management, and product development decisions.² Training curricula should cover the Duty’s three elements (Principle 12, cross-cutting rules, four outcomes), provide case studies by product type, and equip staff to identify vulnerable customers and escalate issues. Frontline staff should have scripts, knowledge bases, and decision trees aligned with the Duty’s expectations for clear communication and effective support. Product teams need playbooks for assessing customer needs, scenario testing, and documenting value assessments.

Operational resilience considerations include ensuring that complaints handling, payment processing, and digital platforms can scale to deliver consistent support during incidents. Firms must evaluate whether service-level agreements (SLAs) with outsourcers reflect Duty obligations for response times, accessibility, and customer support quality.¹ Incentive schemes should be reviewed to avoid conflicts that prioritise sales volume over customer outcomes, and whistleblowing channels should explicitly invite Consumer Duty concerns. Change management communications should explain why product adjustments or pricing changes are being made to comply with the Duty, helping customers understand the benefits.

Scenario analysis and remediation playbooks

Firms should perform scenario analysis covering foreseeable harms such as technology outages affecting vulnerable customers, biased algorithmic pricing, misaligned communications that trigger customer confusion, or backlogs in complaints resolution. For each scenario, map preventive and detective controls, escalation paths, and customer redress procedures. Stress tests should include surge analysis for complaints volumes, call centre load, and digital channel resilience, particularly during product migrations or pricing changes.

Remediation playbooks must define how firms identify affected customers, quantify harm, determine redress calculations, and communicate outcomes transparently.² Where MI indicates that vulnerable customer needs are not met (e.g., reliance on digital-only channels), firms should develop alternative support routes, accessible documentation, and staff training to provide tailored assistance. Supervisory communications expect firms to self-identify and report material Duty breaches, including actions taken, customer impact assessments, and timelines for full remediation.³ Aligning Consumer Duty monitoring with operational resilience and conduct risk frameworks will help firms embed continuous improvement beyond initial implementation.

Sources

• ¹ FCA Policy Statement PS22/9: A new Consumer Duty.
• ² FCA Finalised Guidance FG22/5: The Consumer Duty.
• ³ FCA Consumer Duty implementation landing page and supervisory messaging.

Zeph Tech supports UK-regulated firms with Consumer Duty MI architecture, fair value assurance, and closed-book remediation tracking.

Related briefings

Curated signals from the same pillar or overlapping topics.

Compliance · Credibility 89/100 · December 5, 2023

Compliance Briefing — December 5, 2023

MAS and the Singapore FinTech Association launched a voluntary code of conduct for ESG rating and data providers, setting governance, transparency, and conflict management benchmarks for financial institutions’ vendors.

Compliance · Credibility 90/100 · September 17, 2020

Compliance Briefing — September 17, 2020

Operational blueprint for the CFTC's September 2020 swap data reporting rewrite, covering data model redesign, lifecycle event handling, verification controls, and implementation timelines.

Compliance · Credibility 91/100 · August 2, 2022

Compliance Briefing — August 2, 2022

MiFID II firms must now capture and honour client sustainability preferences, aligning product data, governance, and outcome testing with EU Taxonomy, SFDR, and PAI criteria.

Compliance · Credibility 89/100 · June 23, 2022

Compliance Briefing — June 23, 2022

Operational teams now have 15 months to register EU data intermediation services, harden secure processing environments, and build data altruism governance under the Data Governance Act that took effect on 23 June 2022.

Compliance · Credibility 87/100 · June 21, 2022

Compliance Briefing — June 21, 2022

CBP’s 21 June 2022 enforcement of the Uyghur Forced Labor Prevention Act imposes a rebuttable presumption against goods tied to Xinjiang or the UFLPA Entity List, forcing importers to evidence granular tracing…

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook — Zeph Tech

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room — Zeph Tech

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• SOX Modernization Control Playbook — Zeph Tech

  Modernize Sarbanes-Oxley (SOX) compliance by aligning PCAOB AS 2201, SEC management guidance, and COSO 2013 controls with data-driven testing, automation, and board reporting.