What are the Consumer Duty cross-cutting rules?
The Consumer Duty cross-cutting rules are three FCA Principle 12 standards that every regulated firm must evidence: act in good faith, avoid foreseeable harm, and enable customers to pursue their financial objectives.
Set out in the FCA Handbook at PRIN 2A.2, they sit underneath the Consumer Principle and shape how a firm treats retail customers at every stage. In the FCA's own order, they are:
- Act in good faith toward retail customers, with honest, fair and transparent treatment across the product lifecycle.
- Avoid causing foreseeable harm to retail customers, anticipating and preventing detriment before it occurs.
- Enable and support retail customers to pursue their financial objectives, removing practical barriers to access, support, switching, cancelling and claiming.
Consumer Duty itself is the wider framework, and this guide is about the rules underneath it. For what Consumer Duty is and how the four outcomes map to operational controls, see our Consumer Duty pillar.
The rules apply across every product, service and interaction. There is no carve-out for the files you did not get round to reviewing. That universality makes them less of a definition exercise and more of an evidence one, which is where most firms now feel the pressure. For a quick reference, see how many cross-cutting rules there are.
Why the cross-cutting rules are really an evidence test
In April 2026, when the FCA set out its Year-2 observations on how firms were embedding the Consumer Duty, one failure mode kept recurring across board reports: weak evidence for the cross-cutting rules. Firms could describe what they did. Far fewer could prove it held across every customer. That gap is the story. The rules are not the hard part to understand. They are the hard part to evidence.
Read closely, the three rules ask one question of a firm: can you prove you knew before it broke? They demand evidence that risks were identified before customers were harmed, not a description of intentions after the fact.
That is where most operating models buckle. The honest version of the problem, as one compliance leader put it to us, is structural:
"Most networks currently check low-teen percentages of files. They know it's not enough. Regulators know it too. Networks are forced into sampling, which means risk is statistical, not managed."
When risk is statistical rather than managed, the foreseeable-harm rule has nothing to bite on. You cannot anticipate detriment in files you never opened.
The FCA's FG22/5 guidance is explicit that good outcomes must be demonstrated, not asserted, and its April 2026 Year-2 observations named weak cross-cutting-rules evidence as a recurring board-report failure. The point is not that firms are acting badly. It is that they cannot show, file by file, that they were not.
So the lens shifts. Under Consumer Duty the FCA is not auditing your speed. It is auditing whether your evidence holds. That reframing runs through all three rules, and it changes what each one asks you to keep.
Rule 1: Act in good faith
Good faith sounds like a value. Under the cross-cutting rules it is a demonstrable standard, something you show rather than something you assert in a policy.
The FCA's PRIN 2A.2 frames good faith as honesty, fair dealing and consistency with customers' reasonable expectations across the lifecycle. Law firms such as Browne Jacobson have drilled into the same standard, and the common thread is that good faith has to be visible in how decisions are actually made, not just declared.
That makes evidence-of-decision the heart of it. For every flagged file, you want the reasoning behind the call, not only the outcome. This is where reasoning transparency earns its place: Curvestone records why a check fired, with citations to the specific document pages and an audit trail behind each decision. The rationale is recoverable later, which is exactly what a regulator asks to see.
Good faith also has to be consistent firm-wide. A standard that lives in one reviewer's head, or in a checklist last updated two years ago, becomes an evidence weakness the moment that person is on leave. Consistency across reviewers and files is itself part of the proof.
A compliance officer at a UK directly-authorised mortgage brokerage described the gap plainly: vulnerable-customer data sits in the CRM, but it never reaches the audit-ready report. Good faith intended is not the same as good faith evidenced.
Rule 2: Avoid foreseeable harm
This is the load-bearing rule. Avoiding foreseeable harm means anticipating and preventing detriment before it occurs, which calls for forward-looking detection rather than retrospective spot-checks.
The economics are what make that hard. Manual file review takes 50 to 90 minutes per case in UK mortgage networks, and at typical broker volumes that cost forces single-digit-to-low-teens sampling, leaving every out-of-sample file unevidenced against the rules. A compliance lead at a wealth-advice firm told us their manual checks reach only 20 to 30% of the business, that the rest goes unchecked, and that the firm knows it.
You cannot anticipate harm in the files you never see. That is the heart of the contrarian read:
Sampling 2% of files satisfies a 2010 quality-assurance mindset. It does not satisfy Consumer Duty. The cross-cutting rules require evidence that risks were identified before widespread harm, and a 98% blind-spot is not evidence.
Forward-looking detection is what closes the gap. Curvestone processes roughly a quarter of UK mortgage-network compliance checks at 99% accuracy with a per-case audit trail, which is the forward-looking detection record this rule requires. A full file-review check runs on every case, not a sample, and a vulnerability assessment reads the actual comms, calls and emails rather than waiting for someone to tick a box.
The FCA expects risk identified before it crystallises into harm. A model that inspects one file in fifty cannot make that claim, however well it documents the one it saw.
Rule 3: Enable customers to pursue their financial objectives
The third rule is about removing practical barriers, to access, to support, to switching, cancelling and claiming, and then proving you removed them for each kind of customer.
Different customers carry different objectives, so the evidence has to be specific. A vulnerable customer, a buy-to-let landlord, a bridging borrower and a debt-consolidation case do not face the same barriers, and a single generic check will not show you cleared the right ones. The proof is per segment, not blanket.
That is why configurability matters as evidence rather than convenience. Curvestone runs checks tuned per product and per customer type, so a vulnerable-customer file is assessed against the support that customer needed, and a bridging file against its own risks. Each segment generates its own evidence trail. Case files ingest directly from origination systems including OMS, so the assessment runs on the real record, not a re-keyed summary.
A compliance director at a UK mortgage broker handling 50 to 60 cases a month described the throughput ceiling precisely: chasing brokers and solicitors for missing documents is what caps the business, and they want gaps flagged before submission rather than after. That is rule 3 in operational terms. Enabling a customer's objective starts with not letting their file stall on a preventable gap.
The FCA's consumer-support good and poor practice sets the bar: support that is as easy to use as the sale was, evidenced in how customers are actually treated.
What evidencing the rules looks like in practice
Picture a directly-authorised broker or network handling between 50 and 300 cases a month. Evidencing the rules is not a quarterly report. It has to be true of every case as it moves.
In practice that means each file carries its own chain. A dated good-faith decision record showing the call and its reasoning. A foreseeable-harm detection pass run before submission, not sampled after. An objective-enablement check matched to that customer's segment. And an override log, so any human change to an automated flag is recorded with a reason and a timestamp.
Strung together, that chain answers the regulator's question. For any customer you can name, you can show what was checked, what was found, what was done and when.
The obvious objection is that 100% review is not operationally feasible. It is. Walker Morris cut compliance review time on service agreements from four hours to fifteen minutes per file using Curvestone's automated checking, a 93% reduction, and the same approach scales the cross-cutting rules across every file rather than a 2% sample.
That is a regulated-sector reference where full coverage already runs. The constraint was never the law. It was the 50 to 90 minutes a manual review used to cost. For the wider programme, see how to prepare for an FCA Consumer Duty audit.
Operator checklist: evidencing the cross-cutting rules
If you are pressure-testing your own evidence, start here.
- Map each rule to a dated, per-case evidence artefact, not a policy document. A statement of intent is not proof that intent was carried out.
- Replace sampling with monitoring at scale. Define your coverage target as 100%, not a percentage you can defend in a meeting but not to a regulator.
- Capture the decision and its reasoning per file, not just the outcome. Good faith lives in the why, and the why is what gets audited.
- Tag vulnerability from the actual interaction record, the calls, comms and emails, rather than a CRM field nobody updates.
- Keep a remediation trail linking each identified risk to the action taken and the date it was taken. An open risk with no closing entry reads as a risk you missed.
Run that list against a real month of files, and the gaps tend to show up fast.
Frequently asked questions
How many Consumer Duty cross-cutting rules are there?
What are the three Consumer Duty cross-cutting rules?
How does the FCA expect firms to evidence the cross-cutting rules?
Are the cross-cutting rules different from the four Consumer Duty outcomes?
Why is sampling-based file review insufficient under Consumer Duty?
Consumer Duty: why evidencing good outcomes never stops being the job
The Consumer Duty is a Financial Conduct Authority standard, in force since 31 July 2023, requiring UK financial services firms to act to deliver good outcomes for retail customers. It is not a finished 2023 project: it is a permanent obligation to evidence good outcomes on every case, which most firms cannot yet prove.
Definition: How many Consumer Duty cross-cutting rules are there?
There are three Consumer Duty cross-cutting rules: act in good faith toward retail customers, avoid causing foreseeable harm to retail customers, and enable retail customers to pursue their financial objectives. The rules are set out in PRIN 2A.2 of the FCA Handbook and apply under Principle 12.
How to: How to prepare for an FCA Consumer Duty audit
An FCA Consumer Duty audit is the annual board-attestation cycle in which UK regulated firms must evidence good customer outcomes against the four outcomes and three cross-cutting rules of the Duty. The next Year-2 board report is due 31 July 2026, and the FCA's April 2026 observations require substantive evidence across all four outcomes.

Dawid Kotur
CEO and co-founder, Curvestone
Dawid co-founded Curvestone in 2024 after a decade working at the intersection of financial services and applied machine learning. He writes about the strategic direction of regulated-industry AI, the FCA's evolving approach to model risk, and the operational changes UK lenders are making in response to Consumer Duty. He sits on the FCA Smart Data Accelerator advisory cohort.