FCA Consumer Duty, Cyber Threats, and Key Regulatory Updates
This episode unpacks the FCA’s latest initiatives on Consumer Duty for wholesale firms, explores a real-world cyber crime approach targeting the BBC, and highlights the most relevant updates from FCA Handbook Notice 133. Stay sharp with actionable insights for compliance professionals.
Chapter 1
Refining Consumer Duty for Wholesale Firms
Unknown Speaker
Welcome back to the B-Compliant Podcast, everyone. I’m Vicky Pearce, here as always with Rachel MacRae. Rachel, how’s your week going?
Rachel MacRae
Oh, it’s been a whirlwind, Vicky! Lots of client calls, a few fire drills, and—confession time—I’ve maybe eaten a worrying number of custard creams at my desk. But let’s get into it, because there is so much moving in regulation land this week, right?
Unknown Speaker
Absolutely. The big one kicking us off is the FCA’s commitment to refine the Consumer Duty for wholesale firms. Now, I feel like, this is something we’ve all seen bubbling up for a while. They’ve actually written to the new Chancellor, Rachel Reeves, about it—Nikhil Rathi himself outlining industry worries about, you know, a bit too much compliance weight landing where it maybe shouldn’t. It’s about proportionality, isn’t it?
Rachel MacRae
Yeah, they’re finally acknowledging that, sometimes, wholesale firms are getting caught up in rules meant mainly for retail business. The action plan from the FCA—there’s four main bits—first is, clearer supervisory guidance for firms when they're, like, manufacturing products with others for retail. It’s meant to cut out those pointless, duplicate costs. So, if you’re working in a chain, you can identify what you are actually responsible for.
Unknown Speaker
Right, and second, client categorisation—this is big. There’s a consultation planned on tightening the standards for identifying sophisticated investors. Maybe bringing in a high-asset threshold, so it’s not every man and his dog being classed as retail. That should help decide who really needs those Consumer Duty protections.
Rachel MacRae
Exactly. And third point—they want to refine where the Duty applies in distribution chains. There’ll be more clarity coming on when something’s truly business-to-business, so firms aren’t dragged into consumer rules if they really shouldn’t be. That’s a relief for anyone dealing with those big, complicated supply networks.
Unknown Speaker
And last, proposals to totally exclude non-UK business, easing that cross-border headache. Because all those conflicting international requirements can get messy, you know? But the bottom line—wholesale stuff generally stays outside the Duty, except where what you do really impacts the end retail client.
Rachel MacRae
Yeah, the FCA says they want to protect consumers where it matters but dial down unnecessary costs for firms. It’s definitely not going to be “one-size-fits-all,” however this is still a live debate, and is by no means the end of the story—I think we’ll see more consultation papers and, probably, a few more headaches before it’s all settled.
Chapter 2
Smarter Regulation and the 5-Year Strategy
Unknown Speaker
We’ve heard echoes of more proportionality from the FCA's broader strategy as well. At the PIMFA Compliance Conference, Lucy Castledine stood up and basically said—the next five years are all about being a smarter regulator. So it’s not just this week’s letter; it’s a drumbeat that’s been getting louder for a while.
Rachel MacRae
Yeah, Lucy hammered home those four priorities, didn’t she? Support for growth and innovation, smarter regulation—that’s about being proportionate and efficient, not just piling on more bureaucracy. Helping consumers steer their way through finance, and then, fighting financial crime. That last one—tougher on illegal online stuff and finfluencers—it reminded me of what we talked about in the protection market episode. It’s all about keeping people safe.
Unknown Speaker
Smarter regulation, for sure. And, Consumer Duty is right in the middle of that strategy. The FCA wants us challenging ourselves, testing whether outcomes are good, not just ticking boxes. And then there’s this focus on simplified advice and targeted support. Rachel, do you remember—last episode—we dove into “targeted support,” and how they’re bridging the advice gap by opening up new support options? This all ties together, really.
Rachel MacRae
Definitely. And Lucy said, this is a once-in-a-generation chance to rethink how people access advice—make it easier without making it riskier. Plus, they’re gonna keep streamlining reporting requirements, so you don’t end up doing nil returns no one reads. A few of our clients will be happy about that, I think.
Unknown Speaker
Couldn’t agree more. The FCA even called out firms—to actually help police illegal content online. So, if you see something dodgy—some fake adviser slipping into your Instagram feed—report it. The FCA want us all to work together, not just wait for enforcement letters. We’ll have to see if this collaboration really delivers the results they want by the end of the five years. Hope we’re both still around to talk about it in this podcast!
Rachel MacRae
Ha! If we are, let’s hope things are a bit simpler for everyone by then. Fingers crossed, Vicky.
Chapter 3
Cyber Threats
Unknown Speaker
Alright, let’s switch gears to cyber threats. Did you catch the BBC story about their cyber correspondent, Joe Tidy? Really chilling stuff.
Rachel MacRae
Yeah, the Medusa ransomware gang, wasn’t it? They actually tried to recruit him—offering a cut of millions if he’d help them get into the BBC’s systems. I mean, it’s like something from a dodgy thriller, but this is real life. They even tried that MFA bombing trick—you know, bombarding your phone with log-in requests to wear you down or trip you up so you accidentally accept a request. Talk about nerve.
Unknown Speaker
Absolutely. Just shows how much the human factor is the weak link now. No amount of shiny software protects you if your staff are in the crosshairs—especially in finance, where the data is so juicy. Makes you realise, staff awareness and good training are as important as any firewall.
Rachel MacRae
That’s it. If you work in a financial firm, you could be a target just for having credentials - and this example highlighted by the BBC shows that it could be anyone in the business who is targeted, not just management; with the financial incentive, you could very well see junior members or members of staff lower down on the pay scale targeted. You may not be able to monitor your staff's phone for dodgy WhatsApp messages, but having an open reporting culture, so if (or when) something odd pops up, your team knows when and where to report this is going to be critical. As the National Crime Agency keeps saying—paying ransoms isn’t the answer. But you’ve got to be prepared in advance. Otherwise, you’re just hoping for the best.
Unknown Speaker
It’s not just big companies, either. Even smaller firms are attractive to cyber criminals - whether you’re holding data on high-net-worth clients, or just everyday information on your clients' lives that could easily be manipulated - these smaller firms are often (rightly or wrongly) perceived to have weaker controls, and that means that firms are often seen as low-hanging fruit. You need those reporting protocols, staff trained for all the ‘what-ifs’, and a bit of healthy suspicion. Goes back to what we talked about a few episodes ago on financial crime—constant vigilance, not just ticking “cybersecurity” once a year.
Rachel MacRae
100%. Human behaviour is often the biggest risk, but also the best first defense, if you train and support people properly. I guess the lesson here is watch out for the odd unsolicited requests, and speak up if anything feels off!
Chapter 4
FCA Handbook Notice 133 Updates
Unknown Speaker
To round us off, let’s look at FCA Handbook Notice 133—they’ve squeezed in a fair few changes. First up, the Supervision Manual now reflects new rules on authorisation cancellation, which comes into effect from the 3rd October - so this should be live by the time you listen to this podcast!
Rachel MacRae
Yeah, but for consumer credit firms, the new CCR009 return is big news. Reporting will now line up with the calendar year, which should help those limited permission firms keep things tidy—less confusion about what’s due when.
Unknown Speaker
Absolutely. And for Fund Managers - especially Authorised Corporate Directors—Assessment of Value reporting under COLL has been streamlined. So, instead of writing pages and pages of disclosures (which you may remember from earlier this year no longer have to be published for the public to see), the Fund Manager just needs to give a clear conclusion on whether your charges stack up, value-wise. Saves everyone some headaches, really.
Rachel MacRae
It does! Oh, and one for the investment advisers out there—if you’ve got the CISI Private Client Investment Advice and Management certificate, it’s still valid according to the clarifications in the Training and Competence manual. Nice to have something confirmed for once, instead of more uncertainty!
Unknown Speaker
Never a dull moment, eh? That’s it from us this week. We’ll keep tracking regulatory changes and, who knows, by next episode a whole new batch of updates might have landed. Big thanks for joining me again, Rachel.
Rachel MacRae
Thank you, Vicky! Always fun having a good compliance chat—even if it comes with a side order of cyber anxiety. See you next time!
Rachel MacRae
See you, Rachel! And bye to all our listeners—stay safe, and don’t forget you can use this podcast towards your CPD, so don't forget to update your training records. Until next time!
