
The Risk and Reg Edit: Spring 2026 edition

The UK’s financial sector is entering a critical period of regulatory reform. As the FCA’s strategy 2025 to 2030 puts it, “we want financial services to seize future potential”. The aim is to position the UK as a global financial leader – not only via systemic strength and high standards, but also by encouraging competition and growth.

In this Risk & Reg Edit, we examine how the UK’s regulatory landscape is changing, and ask how new and sometimes competing initiatives are shaping the UK’s future as a finance hub. While each topic has distinctive features, there’s a common thread of consistent tension between the costs of regulatory change and the benefits of enhanced trust and innovation.

Read on for our experts’ views on:

Evolving expectations on conduct

Thom Hart

Now more than two years since the Consumer Duty came into force, the FCA is increasing its scrutiny of how the Duty is embedded, with a particular focus on how firms monitor and manage customer outcomes – from the board downwards.

Many firms are taking this as an opportunity to review how successful they have been in embedding outcome monitoring into their day-to-day operations. For a significant proportion of firms, reporting and monitoring of customer outcomes is still less a fully integrated way to manage their day-to-day business, and more a bolt-on consideration, reviewed at the top of the firm – with less relevance and consideration for those on the front line. Therefore, now is the ideal time to take a step back and interrogate the maturity of your firm’s outcome monitoring. Questions to ask include:

  • How do we understand what makes the difference between a ‘Good’ or ‘Poor’ outcome for different groups of customers?
  • How are our thresholds for customer outcome measures set, and how do we test that they’re correct?
  • Is everyone clear who is responsible for acting in response to each customer outcome, and are they clear on how to measure whether their action has been successful?
  • How integral are customer outcomes to everyday practice and decision-making at all levels of the organisation?
  • How have processes changed post-Duty in direct response to outcomes measures?
  • Is there a robust governance framework for customer outcomes in place?

Customer outcomes must be a priority across the whole organisation. The first line must take the lead, but Risk and Reg functions also have a vital role to play in actively challenging business units to meet high standards. CROs need to ensure their teams have the tools, data, and authority to do so.

Implemented in the right way, the Duty will continue to encourage firms to think more actively about customer treatment, leading to better outcomes and stronger public trust. As a result, over time, a clearer link between customer costs and customer value should enable firms to differentiate on quality and enjoy stronger, more sustainable profitability.

Targeted support

Molly Preleski

The new targeted support regime marks a major change to UK retail finance, aimed at the 23 million customers currently underserved for advice. Targeted support aims to build consumer confidence, improving the availability and affordability of help with financial decision-making. While not considered full investment advice, it enables firms to use high-level characteristics to segment customers into cohorts and offer them appropriate suggestions.

Nineteen firms have already joined the FCA’s pre-application support service, signalling clear industry interest. However, it’s yet to be seen if targeted support will deliver on its promise to close the advice gap. Providers should weigh up the potential commercial advantages against the need to meet targeted support conduct rules and mitigate the risks of straying into regulated investment advice.

Some of the challenges facing firms wishing to provide targeted support include:

  • Designing coherent segmentation models, particularly where partial customer data could lead to mis-categorisation
  • Communicating the risks and benefits of investing in a way that engages and motivates customers whilst ensuring required disclosures are made
  • Ensuring that clear guardrails separate suggestions from advice, especially when digital and in-person customer journeys diverge or customers volunteer additional information
  • Defining segment ownership, matching rules, exception logging, and practical control points in a way that demonstrates appropriateness, but without making processes unmanageable
  • Strengthening marketing governance to ensure consistent labels, clear explanations of service limitations, and Consumer Duty-compliant outcomes
  • Ensuring efficient, consistent group-wide governance across large financial institutions.

Regulators also have a key role to play. The FCA, FOS, and ICO have already agreed upon some constructive principles. For instance, the FOS emphasises that it will only base its decisions on point-in-time assessments of suitability. However, so far the FCA has declined to provide examples of good practice, which could encourage potential providers to ‘wait and see’ how it will approach implementation and supervision.

Targeted support calls for providers to overcome a range of practical challenges. Regulators must be aligned, adaptive, and responsive to emerging issues as it rolls out. Only then will the new regime achieve its goal to improve outcomes and nurture a stronger UK investment culture.

Buy Now Pay Later: Regulation catches up

Charlie Cook

The e-commerce explosion has driven rapid growth – and increasing fraud – in deferred payment credit (DPC) or ‘buy now pay later’ (BNPL) lending. From July 2026, DPC will enter FCA supervision for the first time, requiring providers to abide by the Consumer Credit Handbook and the Consumer Duty. Firms that want to continue providing DPC have until July to achieve full compliance or sign up to the Temporary Permissions Regime and commit to becoming compliant in the future.

Firms moving from unregulated to fully regulated status, such as BNPL specialists and online retailers, face a major operational and cultural transformation. DPC regulation will also affect providers with other regulated activities, such as payments. Key steps firms should take to prepare include:

  • Establishing robust change programmes
  • Conducting fair value assessments to demonstrate whether DPC pricing is reasonable
  • Conducting target market assessments to ensure DPC meets the needs and characteristics of its identified market
  • Beginning to measure and monitor customer outcomes
  • Reviewing the suitability of DPC selling practices
  • Testing end-to-end customer journeys
  • Amending, replacing, or withdrawing individual products and services if required.

For firms entering FCA supervision for the first time, establishing a compliance governance framework is key. This will enable boards and executives to:

  • Define policies and procedures
  • Establish and act on KPIs
  • Meet the requirements of the Senior Manager Regime
  • Protect vulnerable customers
  • Provide complaint handling that meets FOS expectations.

The regulation of DPC reflects the product’s success and brings the UK in line with markets like the EU and Australia. Providers will incur regulatory set-up costs, but tech-enabled compliance mechanisms need not affect long-term profitability. Going forward, higher standards will bring providers into the financial mainstream and allow them to compete on a larger stage.

Insurers face a major shift in regulatory priorities

Dale Bowes, Ria Vadgama

The FCA’s leading insurance priority for 2026 is to improve consumer understanding, claims handling and service quality. Firms must move beyond technical compliance and deliver customer journeys which meet the standards of the Consumer Duty – including outsourced and delegated claims processes.

The 2025 Which? super-complaint highlighted what it identified as systemic weaknesses in claims and customer handling. This has challenged insurers to evaluate whether they are doing everything they can to identify, address, and learn from root causes, and to understand how culture affects the way they deal with customers on the front line. FOS reforms aimed at accelerating decisions and complaint resolutions also mean that insurers should expect poor decisions, weak evidence trails, and inconsistent reasoning to be exposed and challenged more quickly and decisively.

To climb this steep learning curve, insurers must understand current regulatory thinking, such as:

  • Claims handling is key to reputation. The FCA believes too many consumers face poor claims experiences. The regulator is willing to take stronger action where harm is greatest
  • Consumer understanding is a weak link. The FCA wants clearer communication throughout customer journeys, with monitoring that ensures products deliver on their promises
  • Complaints show where customer journeys fail. With more informed and empowered consumers, insurers should expect more complaint escalations – and tougher scrutiny
  • FOS reforms raise the bar for defence. Firms must prepare for faster triage, more structured decision-making expectations, and increased exposure to weak or inconsistent reasoning.

Insurers can draw on lessons learned in the banking sector. For example, firms should:

  1. Better define the differing needs of segments of customers within their target markets, and how this impacts their service and communication needs within all journeys
  2. Review customer journeys across sales, claims, redress and complaint handling with a particular focus on how customer information needs are established and met
  3. Strengthen decision quality, consistency, and evidence standards across claims and complaints to meet FCA and FOS expectations
  4. Map and tighten oversight of outsourced and delegated claims processes to achieve the same level of control and oversight of processes that are managed internally
  5. Use Management Information (MI) and root cause analysis to identify and proactively improve areas of harm
  6. Embed the Consumer Duty, especially on fairness, vulnerability, and communication.

Insurers that invest early in decision quality, defensibility, and end-to-end controls will be better placed to navigate regulatory pressure and get ahead of the curve to strengthen customer trust.

Resilience: a continued regulatory focus in 2026

Sundeep Gupta

Following the 31 March 2025 operational resilience implementation deadline, UK regulators have moved from assessing preparedness to considering whether firms can demonstrably remain within their impact tolerances in practice.

Recent observations from the FCA show that firms have made progress in embedding operational resilience. Both the FCA and the Prudential Regulation Authority (PRA) continue to identify areas for improvement, particularly in testing, governance, and the management of third-party risks.

The PRA’s 2026 priorities reinforce operational resilience as a key focus for firms to embed into their governance, risk management, and strategic decision-making, rather than treating it as a standalone compliance exercise. Regulators are expecting boards and senior management to routinely consider resilience implications when making decisions about technology change, outsourcing, and business growth. Key considerations to keep in mind include:

Sharper use of impact tolerances: While impact tolerances are now widely established, regulators continue to observe weaknesses in how they are used. In particular, many firms are struggling to clearly distinguish between consumer harm and market integrity impacts, reducing the effectiveness of tolerances during live disruption.

Mapping of important business services: Emphasis continues to be placed on technology alone, with insufficient consideration of dependencies on people, processes, facilities, and third parties. Firms should demonstrate a holistic understanding of how important business services could fail, including the vulnerabilities introduced by outsourcing arrangements, concentration risk, and limited substitutability.

Testing that provides genuine assurance: Regulators are seeking testing programmes to provide credible assurance. Both the FCA and PRA highlight cyber attacks and third-party disruption as among the most challenging risks to manage, requiring robust capabilities to detect, respond to, and recover from disruption — not just introducing preventative controls.

Vulnerability management and remediation discipline: Regulators continue to observe limited evidence of mature, end-to-end vulnerability management. Common shortcomings include unclear ownership, inconsistent remediation governance, and weak tracking of issues identified through mapping and testing. Post implementation, firms need to demonstrate not just identification of vulnerabilities, but clear accountability and sustained remediation.

Communications under stress: The FCA emphasises that many firms have not adequately tested the loss of primary communication channels or developed credible alternatives. Regulators expect firms to be capable of maintaining clear, timely and coordinated communication with customers and stakeholders during disruption, recognising that communication failures can significantly amplify harm.

Governance and accountability: Regulators identify inconsistent board engagement, inconsistent review trails, and limited second and third line challenge. The PRA’s 2026 priorities emphasise that boards and senior management are responsible for ensuring operational resilience is embedded proportionately across the organisation and fully integrated into decision-making on change, outsourcing, and risk management.

While proportionality remains a core principle, regulators are clear that, post-deadline, firms must be able to evidence resilience outcomes, not simply frameworks. Firms that treat operational resilience as a continuous discipline grounded in testing, learning, and remediation.

Innovation, regulation, and the evolution of Open Banking

Olivier Ottavi, Emma Hollingsworth

The UK’s Smart Data Strategy aims to enable consumers to safely access and share their own data in ways that support competition and economic growth. Open Banking (OB) has become the most established example of this in financial services to date. Created after a CMA Order was applied to nine UK deposit takers, OB uses industry collaboration to enable secure data sharing, giving customers greater control over their data and enhancing competition.

The FCA and PSR are now shaping a more scalable and sustainable regulatory framework for data sharing. This will support the continued evolution of OB, enable new payment use cases, and provide a strong foundation for Open Finance by extending data sharing across a broader range of financial products and providers, aligned to UK Smart Data legislation.

In parallel, industry and regulators are progressing new OB payment capabilities, most notably Variable Recurring Payments (VRPs). VRPs allow customers to authorise payment providers to initiate payments within defined parameters set by the customer. Phase 1 focuses on commercial VRPs for lower-risk use cases such as utility, sweeping, and financial services payments. Broader e-commerce use cases are being explored as part of the next phase, subject to further regulatory and commercial development, and will most likely drive further mass adoption.

Firms have a triple opportunity to share in the potential upside of these changes. First, they should provide input to regulatory consultations to help shape the data-sharing framework. Second, they can influence the design and governance of VRPs through industry collaboration. And lastly, they should prepare operationally for the rollout of VRPs by engaging through partnerships with other firms, assessing merchant and customer demand for this new form of payment.

Looking ahead, the OB ecosystem offers valuable lessons in cross-industry coordination, standard-setting and trust-based data sharing, which can inform the UK’s Smart Data and Open Finance ambitions for the future.

Is regulatory change enhancing or hindering UK financial services?

Will shifting regulatory priorities help the UK to develop a secure, dynamic, and world-leading financial industry? Or do additional burdens and the layering of rules risk hobbling UK financial services on the global stage?

This is a false choice. While any regulatory change brings cost, a smarter and more adaptable regulatory regime has the potential to foster confidence, trust, and operational excellence. The UK may not be a global standard setter, but it can leverage its deep expertise to shape consistent, principles-led regulation that supports consumers without limiting industry profitability.

Individual firms that can understand changing regulations, adapt accordingly, and seize the opportunities they provide have the chance to build a lasting competitive advantage.

People trust us because of our deep knowledge of the regulatory system. Our experience working with regulators, banks, insurers, building societies, and others means we’ll give you advice that works in the real world. If you’d like to discuss any of the issues below in depth with our experts, you can do so here.
