How to prepare for an FCA Consumer Duty audit

  1. Before you start

    Three things must be in place before step 1, or the workflow stalls inside the first fortnight:

    • An accountable Compliance Director or Head of Compliance with board-level escalation rights. Year-2 reports require sign-off from someone who can challenge the executive in writing.
    • MI infrastructure capable of producing case-level outcomes data, not just process-compliance counts. If your MI dashboard only reports "100% of cases had a suitability review run," you're upstream of where you need to be.
    • A board-pack template the Chair has already signed off on as fit-for-purpose. Don't try to redesign the pack mid-cycle. If the template needs work, do that as a separate project after this Year-2 board report ships.

    If any of the three is missing, escalate to ExCo before starting step 1. Compressing the workflow with incomplete prerequisites costs you the dry-run window in step 5 and that is the most expensive trade.

  2. Step 1: Map customer outcomes against the four FCA outcomes

    This step produces a one-page outcomes-vs-products matrix. Every live product on the left. The four FCA outcomes across the top: Products and Services, Price and Value, Consumer Understanding, Consumer Support. Each cell contains the specific outcome measure your firm will evidence.

    This is the lightest step in elapsed effort but the most important in structural impact. Boards reviewing reports routinely conflate Consumer Understanding with Consumer Support. The matrix forces the distinction in writing before any evidence work begins. Allow 3 to 5 working days.

  3. Step 2: Audit your evidence stack at case level

    Step 2 produces a list of every system that holds outcomes-relevant data, with a written assessment of whether each can produce case-level evidence on demand.

    Systems to inventory: your CRM, advice files, suitability letters, financial-promotions log, MI dashboards, vulnerability indicators. For each, run the FCA-asks-for-case-4217 test: if a supervisor asked for the full suitability evidence pack on this specific case from 14 months ago, can you produce it within an hour? If the answer is no for any system, that's the gap that needs addressing in steps 3 and 4.

    Output: the gap register. Allow 5 to 7 working days.

  4. Step 3: Evidence suitability decisions across live cases

    Step 3 produces the reviewed sample. The FCA's guidance is clear that high-quality evidence methods include audits of product suitability by interviewing a sufficient sample of customers, anywhere from 20 to 200 depending on product complexity. Routine cases sit at the lower end. Vulnerability-flagged cases and closed-book legacy cases sit higher.

    Curvestone's full compliance check produces case-level outcomes evidence as a structural by-product of the review, at 99% accuracy across UK mortgage compliance work. That matters here because steps 3 and 4 are where the time-cost of Year-2 prep usually concentrates: not in writing about evidence, but in reconstructing it case by case across a sample big enough to hold up to challenge.

    Allow 2 to 3 weeks for this step. A compliance director at a UK mortgage network we work with described it as the moment Year-2 prep stops being a writing exercise and starts being a forensic one.

  5. Step 4: Document your MI framework and vulnerability evidence

    Step 4 produces a written MI framework document the board can challenge in writing without needing the compliance team in the room.

    The 2026 FCA focus on vulnerability raised the bar materially: vulnerability indicators need to flow through the same MI pipe as outcomes data, not sit in a separate annual exercise. The joint FCA and ICO guidance from early 2026 added data-handling expectations on top. The MI framework document is the artefact that demonstrates both.

    The board-can-challenge-in-writing test is the right standard. If the framework needs the compliance team present to explain itself, the framework isn't done. Allow 1 to 2 weeks.

  6. Step 5: Run a dry-run audit with internal challenge

    Step 5 produces a dry-run audit report, written as if the FCA had requested it, with deliberate hostile challenge from a non-executive or external assurance partner senior enough to push back on weak evidence.

    The April 2026 FCA observations called out "inadequate documented challenge" as one of the two most common Year-2 failures. The dry-run is your last chance to surface that gap before the real submission. Cross-cutting rules first, outcomes second, vulnerability third. Output: the dry-run report plus a remediation log. Allow 1 to 2 weeks for the dry-run itself plus remediation.

  7. Step 6: Prepare the board pack with minutes that document challenge

    Step 6 produces the board pack itself, plus the minutes that document the questions asked, the challenges raised, and the follow-up actions requested.

    The minutes matter as much as the report. The FCA's April 2026 observations explicitly called out reports approved cleanly with minutes that capture only the approval, not the challenge. A clean board approval with no documented dissent now reads as a red flag, not a green light.

    If the minutes are thin, the report is exposed regardless of what's in it. Allow 1 week for the board meeting itself plus minute drafting and circulation.

  8. Common mistakes to avoid

    Treating the three rules as one composite requirement

    Year-1 reports often did this. Year-2 reports cannot. Good faith is process-evidenced, foreseeable harm is pattern-evidenced, enabling customers is outcome-evidenced. Conflate them and the FCA reads the report as evidencing none of them.

    Skipping the dry-run

    The dry-run is the most expensive step to compress. Firms that lose 2 weeks to slippage in steps 1-4 often skip the dry-run to recover the calendar. Don't. The FCA's documented-challenge requirement is hard to satisfy if you don't have a written dry-run challenge to point at in the board pack.

    Vulnerability evidence as a bolt-on

    Defer vulnerability to a separate annual exercise and you've missed that the 2026 focus areas embed it inside the outcomes framework. Vulnerability data needs to flow through the same MI pipe as outcomes data, integrated, not retrofitted in the final fortnight.

Frequently asked questions

How long does FCA Consumer Duty audit prep take?
For most UK mortgage networks and specialist lenders, Year-2 Consumer Duty board report preparation takes 8 to 12 weeks of elapsed compliance-team time, depending on portfolio complexity and the maturity of the firm's outcomes data. The bottleneck is rarely the writing. It is reconstructing the case-level evidence stack from systems that weren't designed to talk to each other.
Can Consumer Duty audit prep be outsourced?
Parts can be outsourced: the writing of the board report, the legal review of governance language, the third-party assurance review. The case-level outcomes evidence cannot. The firm's own compliance function must own the evidence stack because the FCA expects board accountability for the underlying assessments, not just the document submitted.
What happens if the FCA's review of our board report finds gaps?
The FCA's published observations on Year-2 board reports show the regulator follows up directly with firms whose reports show weak evidence on cross-cutting rules or insufficient board challenge documented in minutes. Follow-up typically opens with a request for additional MI, supplementary case-level evidence, and in some cases a section 166 skilled-person review.
Sources
  1. FCA Handbook PRIN 2A.2: Cross-cutting obligations
  2. FCA: Consumer Duty board reports, good practice and areas for improvement
  3. FCA: Year 2 Consumer Duty Board Reports, progress and what comes next
  4. Regulation Tomorrow / Norton Rose Fulbright: April 2026 FCA observations on Consumer Duty board reports
Written by

Dawid Kotur

CEO and co-founder, Curvestone

Dawid co-founded Curvestone in 2024 after a decade working at the intersection of financial services and applied machine learning. He writes about the strategic direction of regulated-industry AI, the FCA's evolving approach to model risk, and the operational changes UK lenders are making in response to Consumer Duty. He sits on the FCA Smart Data Accelerator advisory cohort.
