Brad Rees

15 March 2023

How Consumer Duty Regulations Impact Technology in Financial Services Firms

Why financial services technology must be developed, deployed and supported with different consumers in mind.

Whether early-adopter or fast-follower, the UK financial services sector has always been quick to exploit opportunities in the shift to digital. Take, for example, the Big Bang of October 1986, which saw the London Stock Exchange introduce the Electronic Trading System three years before Tim Berners-Lee invented the World Wide Web, or the fact that banks launched online banking capabilities in the mid-eighties, only for consumers to take at least another decade to start making the most of them.

Slow consumer adoption might sometimes give the false illusion that the financial services industry is behind the curve when, in fact, it’s well ahead of it. The financial sector continues to evolve rapidly in the face of both traditional and new competition, technology advances, and the seemingly continual economic headwinds of the last 10-15 years.

In line with these changes, regulation has evolved to ensure both financial prudence within the industry, and the needs of customers across the sector. The revised Payment Services Directive (PSD2 aka Open Banking) targeted secure payments and enhanced consumer protection, Operational Resiliency has focused on minimising operational disruption to customers and, most recently, the introduction of the Consumer Duty Regulations (“the Duty”) is intended to set “clearer and higher expectations for the standard of care firms give customers."​

Although not explicitly targeted at technology, the changes brought about by the Duty will have an impact on the technology side of delivering products and services to retail customers of any 'in scope' financial service organisation.

In this article, we’ll seek to give financial services organisations a clearer view of how the Duty impacts their technology, and we’ll highlight the key areas to focus on.

The Regulatory Change

The regulatory timescales for implementation of the Duty are aggressive and could prove challenging for some firms given the magnitude of change that will be required in some instances. This concern was raised by some respondents during the consultation phase, and the FCA reacted by providing a further year for compliance against closed book products.

The FCA’s regulatory change introduced by the Duty includes the introduction of a new principle that states that firms “must act to deliver good outcomes for retail customers”. It also includes cross-cutting rules and objectives, and the final implementation of the five-stage timeline for the Duty, released by the FCA in its Policy Statement (FCA, PS22/9).

The introduction of the new principle makes these changes some of the most significant since the FCA and PRA were set up in 2013 (in response to the financial crisis of 2008), when it was established that the regulatory framework would follow a ‘twin-peaks’ model. This meant separating the prudential regulation of financial institutions from the oversight of consumer protection and markets conduct.

What we have today is a hybrid of high-level principles and detailed, rules-based regulation which arguably strengthens the strategic objectives of the regulator. This gives regulators more power to act in instances that aren’t explicitly covered by the prescriptive rules, thus preventing sometimes serious breaches from slipping through the cracks.

Looking after customers' best interests is not a new concept, given that the FCA’s founding statutory objective was to secure an appropriate degree of protection for consumers. A number of the FCA’s subsequent high-level principles further this objective, such as Principle 6 that “a firm must pay due regard to the interests of its customers and treat them fairly.” The addition of a new principle that strengthens consumer protection is nonetheless a big step.

The following diagram illustrates the extent of the change introduced by the Duty.

Regulated firms are in scope and all products and services provided to retail customers are covered. This includes prospective customers and products or services developed for retail customers who may not be direct customers of the firm. E-money and payment services are also considered within scope. Out of scope are wholesale businesses (unless connected with a retail product or service) and certain SMEs, as well as the process of entering into Bounce Back Loans (“BBLs”). There is also to be no retrospective action, although the changes will apply to existing products and services going forward. Principles 6 and 7 will continue to apply to products and services provided to non-retail customers and where the Duty does not apply.

Summary of the Impact

It’s worth noting that no private right of action (PROA) or fiduciary relationship is created by the Duty, and there is no impact to instances where such a relationship already exists. This should not be seen as lessening the need for compliance or the impact in the case of a breach, given that the FCA is strengthening its requirements for governance, accountability and redress. The FCA hasn’t ruled out the addition of a PROA in the future, subject to further consultation and full consideration of the likely impact on organisations.

The big focus of the Duty is on the products and services being offered as well as the level of service delivered. Consumers must be presented with the right information on products and services, and in the appropriate format, so that they can make informed and effective product decisions. The support in place must also be adequate, and with the aim of providing good outcomes for the consumer when taking account of their situation and needs. This can include the age, literacy, numeracy and other factors that may impact a customer’s ability to understand a product, make good decisions and be supported throughout effectively. Technology must, therefore, be developed, deployed and supported with different cohorts of consumers in mind.

Driving accountability is an important aspect of the Duty which includes requirements for board-level oversight and the preparation of an annual report. Strategy, governance, leadership and people policies are all required to be in place. There are changes to the Senior Manager and Conduct Rules (“SMCR”) regime, which include senior manager accountability as well as the addition of an individual conduct rule, Rule 6, which requires all those covered to act to deliver good outcomes for retail customers.

Given the potential impact on consumers of failings in operational and cyber resilience, we’ll also address the overlap between the Duty and operational resilience regulations.

Organisations should consider the impact on products and services across all six stages of the product lifecycle and how these relate to the FCA's six consumer outcomes around Treating Customers Fairly (TCF). The FCA offers guidance on these outcomes in its handbook on The Responsibilities of Providers and Distributors for the Fair Treatment of Customers (FPPD).

As an aside to the impact on technology within the financial institutions, it will be interesting to see how the Duty affects the growing trend of branch closures. Elderly customers in particular appear to be impacted by the lack of face-to-face banking, with research from Age UK reporting that almost eight million over 65s say they still need their branch. Although the Duty doesn’t address this directly, decisions to largely remove in-person banking may be seen as falling foul of regulation if alternative arrangements for serving the needs of this cohort aren’t considered.

How Technology Needs to Adapt

Although the main focus of the Duty is the general customer experience, insofar as what services are offered and how, there are still a number of areas and changes that technology teams at financial service firms need to be cognizant of. The proposed areas of focus can roughly be broken into seven key areas. These don’t form an exhaustive list for meeting the requirements of the Duty, but provide a clear sense of the impact on the technology side of an in-scope firm’s organisation.

Data and Analytics

The outcome-focused nature of the Duty suggests that it strongly relies on data and analytics.
The FCA has indicated that it will work to gather its own intelligence from multiple sources, likely increasing the requirement on firms to provide data for the purposes of assessing compliance. This is despite there being no explicit requirement for regular reporting over and above the existing Principle 11 for relations with regulators and any other existing express provisions, although firms should be aware that this could change. Data is king, especially when used to drive the right outcomes for consumers and help avoid substantial penalties imposed by the regulators.

Additionally data will be needed to support the requirement for an annual report concerning compliance with the Duty.

Examples of the types of data to be mindful of include:

• customers’ use of products or services alerting to allow intervention if required
• appropriateness of product or service to meet interests of consumer
• consumer confidence or satisfaction in a given product or service
• customer data such as geography, distribution channel used (so as to help identify potential cohorts)

There are many ways that data can be collected—from app analytics to platform utilisation, through to data collected more directly from the end user concerning their user experience.

The following focus areas are recommended under data and analytics:

• Data governance is critical; data doesn’t necessarily have to be centralised, but governance should be, and this should include the following aspects:
  • Privacy: ensure the necessary consent from customers has been obtained and be transparent about how personal data is used and protected
  • Security: establish measures to prevent unauthorised access, disclosure, alteration, or destruction of personal data
  • Retention: retain personal data for no longer than is necessary and for the purpose for which it was collected; delete it securely when no longer needed
  • Customer access and control: provide customers with access to their personal data and allow them to request changes or corrections to their data or for it to be deleted
  • Quality: ensure that data is accurate, consistent across services, and up to date
  • Ownership: define data ownership and ensure it’s aligned with the organisation's overall data strategy
  • Discovery: automate the identification and cataloguing of data assets so they are discoverable and defined
• Use of an appropriate data warehouse/lakehouse for analytics workloads
• Automated ETL/ELT pipelines
• Data modelling capability
• Continuous adaptation of data strategy with mechanisms in place to measure its success
• Metrics to assess the value of the data assets

Appropriate Quality Assurance and Testing

Appropriate testing is called out as a key requirement in meeting the objectives of the Duty. Existing regulation and law already impose certain requirements, such as those imposed by the Equality Act 2010 (EA 2010) but the Duty goes further in its requirement to consider different cohorts and to meet the needs of individuals. This may involve looking at socio-economic status, age range, background and geography in addition to other characteristics, including protected characteristics, such as accessibility needs. This is particularly important when it comes to meeting the objectives for consumer understanding and consumer support, as well as meeting the objectives for the products and services to ensure they are effectively tailored to the individual.

An FCA Final Notice in December 2022 handed TSB a £29m fine, for the bank’s handling of the botched upgrade to its core banking system, which left large numbers of its customers unable to access their bank accounts for weeks in 2018. Amongst its failings, the FCA called out major deficiencies in TSB’s testing approach as a contributory factor to the failure, thus demonstrating the importance of testing when it comes to delivering good outcomes for customers. The breach event clearly precedes the Duty with breaches being found against Principle 2, skill, care and diligence, and Principle 3, management and control of failures in risk management. The Duty is expected to impose a higher standard, and firms could find themselves in hot water with the regulator for breaches less serious than those in the TSB case.

A testing strategy that meets the requirements of the Duty might include testing how:

• Information is presented and the timing, so that the consumer can understand
• Information is accessed and how this may differ for different cohorts
• Consumer requirements vary and the appropriateness of communications
• Customer data should be used to allow services to be tailored to consumer needs
• A product meet the needs, characteristics and objectives of any groups of retail customers in a target market

We recommend an approach that includes the following:

• High reliance on test automation in the full product lifecycle
• Clear testing strategy covering many testing types, enforced and monitored through an effective Risk and Control Framework
• Ensuring testing is an integral part of product development and avoid handing off to external teams
• Prioritising testing and quality assurance, resisting the temptation to “cut testing first” in response to external pressures

Operational and Cyber Resilience

The Duty’s requirement to provide good outcomes for retail customers may overlap with existing operational and cyber resilience requirements in the financial services sector.

The Policy Statement of the Duty includes a requirement for firms to provide a reasonable level of support to their customers in the event of IT outages or cyber-attacks. This could potentially lead to a need for tighter implementation timescales than those specified in existing operational resilience regulations. The focus areas for operational and cyber resilience include embedding resilience requirements into the Risk & Control Framework, increasing the resilience of underlying cloud platforms and target applications, and ensuring a sound cyber security strategy exists.

Further details on these regulations can be found in my paper on operational resilience, which looks at the importance and impact of this regulatory shift.

We recommend addressing the following aspects of operational and cyber resilience:

• Embed resilience requirements into the Risk & Control Framework
• Increase resilience (both operational and cyber) of the underlying cloud platform
• Embed good practice and increase the resilience (both operational and cyber) of target applications
• Ensure a sound and effective cyber security strategy exists

Agility

Agility is crucial for meeting the requirements of the Duty. Organisations need to be able to quickly develop or adapt their products and services in response to critical changes. To enable this, a low transaction cost and low switching cost are necessary.

Adopting agility involves building an agile culture, adopting agile processes and practices, team building and development, change management, leadership and management, and focusing on the company as a whole. By fostering collaboration, communication and transparency, removing bottlenecks and inefficiencies, while managing resistance to change, a company can optimise its delivery and respond more effectively to changes.

To adopt agility a company should focus on:

1. Building an agile culture: Establish an agile mindset by fostering collaboration, communication and transparency. This involves helping teams and individuals adopt an agile mindset and embrace agile principles and values.
2. Agile processes and practices: Adopt and refine agile processes and practices such as Scrum, Kanban and Lean. These should also help the company identify and remove bottlenecks, waste and inefficiencies in their processes.
3. Team building and development: Help teams develop their skills and knowledge to work effectively in an agile environment. This involves facilitating team-building activities, coaching individuals and teams on agile practices, and fostering a culture of continuous improvement.
4. Change management: Manage the change that comes with adopting an agile mindset and agile practices. This involves helping the company understand the benefits and challenges of agile, managing resistance to change, and facilitating the adoption of new practices.
5. Leadership and management: Help leaders and managers understand their roles in an agile environment and develop the skills to support and empower their teams. This involves coaching leaders on how to provide vision and direction, build and manage high-performing teams, and create a culture of trust and collaboration.
6. Focus on the company as a whole: For agility to be effective, a change must be adopted by the company as a whole rather than a department, such as systems—otherwise you risk optimising in silos.

For advice on becoming an agile organisation see our blog post on “How an Agile Coach Can Help You Become a Truly Agile Organisation”.

Operating Model

The Duty very much points to the need for firms to adopt a customer centric approach to developing products and services, but this doesn’t mean technology is the only answer. Experience shows us that many firms are lacking when it comes to defined, understood and enacted Technology Operating Models (“TOR”). A failure to focus on the people and process aspects can lead to technology improvements being rendered ineffective as the change fails to drive the right level of accountability and responsibility through the technology organisation.

Factoring a customer centric approach into the TOR means empowering teams to focus on consumer needs over products, and designing products and services around the customer experience. This also means ensuring adequate support is given, and considering how this factors into the different modes of operation covered as part of the TOR. Teams need to be fully empowered to achieve this end and not be left with a feeling that they have been set up for failure.

The changes to the SMCR regime (the new individual conduct rule added requiring good customer outcomes) ensure that accountability exists at an appropriate level and that responsibility sits with every individual. The TOR needs to recognise this and drive the right level of accountability and responsibility.

Organisations would be well advised to undertake an operating model review and draw and seek out operating model design, development and embedding consultancy.

For more information on cloud operating models, read our white paper, Building a Cloud Operating Model Brick by Brick: A Blueprint for Cloud Transformation Success.

Governance, Risk and Compliance (GRC)

Having an effective Risk & Control Framework (RCF) and Cloud Control Framework (CCF) is important for accountability and responsibility in all areas of the business that impact technology. These frameworks should include controls for the Duty, such as consumer risks. The audit function should also play a critical role. Firms should reflect the Duty in their strategies, governance, leadership, and people policies.

Recommended focus areas for governance, risk, and compliance include:

• Reviewing RCF/CCF strategy
• Analysing CCF controls
• Aligning CCF with the operating model

Training and Upskilling

Training and upskilling are crucial in implementing any changes, and should not be disregarded. This includes a general refresh of governance and education on the impact of changes to roles and responsibilities under the SMCR. Mandatory training should also be updated to reflect these changes and individuals should be informed of their practical implications. Senior management accountability and oversight should also be emphasised.

Summary

The changes brought about by the Consumer Duty regulations are a big step forward in protecting retail customers with the FCA adding a new principle, cross-cutting rules and objectives to its regulatory handbook. Although not specifically targeted at technology, financial services organisations should ensure they’re compliant by implementing necessary initiatives across the seven key areas—and without delay, given the aggressive implementation timelines.

Contino has in-depth expertise and vast experience across these areas, and works with clients to deliver better outcomes, whether in isolation or as part of an enterprise transformation. Contact us to find out more.