What is the FCA Consumer Duty? The 2026 guide for regulated firms

The FCA Consumer Duty is a regulatory framework that came into force on 31 July 2023 for open products and 31 July 2024 for closed-book products. It replaced Treating Customers Fairly (TCF). It applies to every FCA-regulated firm that has retail customers.

The thing that gets lost in most explainers: this is not guidance. It is FCA Principles for Businesses. Breaches are enforceable. Firms cannot contract out of it. The "reasonable care" defences that softened TCF do not soften the Duty in the same way.

Underneath sits Principle 12 of the FCA Handbook, the Consumer Principle. Below Principle 12 sit two structural layers that work together:

1. The four outcomes. Products and Services, Price and Value, Consumer Understanding, Consumer Support. 2. The three cross-cutting rules. Acting in good faith, avoiding foreseeable harm, enabling customers to pursue their financial objectives.

The four outcomes are the surfaces the Duty applies to. The three rules are the standards of conduct the firm must meet at every outcome. Combined, they create a 4×3 evidence grid: twelve cells the firm must populate in board-level reporting. Most reports populate four. That's the gap.

Products and Services

The upstream outcome. The firm designs, distributes, and manages products that meet identified customer needs. Evidence sits in product-design records, target-market analyses, distribution-chain monitoring, and exit-management decisions. If a firm cannot say in writing who its products are not for and why, this outcome is weak.

Price and Value

Products are offered at prices that represent fair value over the product's life, not just at the point of sale. The 2026 FCA focus is heaviest here for protection products, premium finance, and long-term savings. Boards now need to evidence value at the product range level, not just the headline product. "We benchmarked against the market" is no longer a complete answer.

Consumer Understanding

Communications support customer understanding. Not disclose. Support. The Duty moved the bar from "did the firm tell them?" to "did the customer actually get it?". That requires behavioural-response data, comprehension testing, and remediation when consumer behaviour signals confusion. The hardest outcome to evidence well.

Consumer Support

Customers receive the help they need to use products throughout the lifecycle. Friction in complaints, switching, account changes, and vulnerability support. The 2026 joint FCA and ICO guidance on data sharing for vulnerable customers raised the bar on the data-handling side of this outcome materially.

The four outcomes are designed to be MECE: mutually exclusive, collectively exhaustive. Boards reviewing reports routinely conflate Consumer Understanding with Consumer Support; the two address different lifecycle phases and demand different evidence.

Each rule looks like the others. None of them are.

Rule 1: Acting in good faith, the process rule

A firm must act in good faith toward retail customers. What that does NOT mean: it doesn't prevent the firm from pursuing legitimate commercial interests, and it doesn't impose a fiduciary duty.

What it does demand: process evidence. Governance records that show how customer interests entered the decision. Decision documentation. Training records that prove staff judgement was shaped to put the customer at the centre. A documented escalation path when judgement falls short.

If your firm has always documented decisions, your good-faith evidence is probably your strongest. Most firms have this layer reasonably solid.

Rule 2: Avoiding foreseeable harm, the pattern rule

A firm must avoid causing foreseeable harm. Foreseeable harm is any outcome a prudent firm, applying reasonable care and expertise, should be able to anticipate. Not every harm. The harm careful analysis would surface.

This is the rule most firms underestimate.

It demands pattern evidence. Not "did this case go wrong?" but "are we detecting the patterns of harm across our case base in time to act?". Root-cause MI. Case-level audit trails. A documented rectification track record when patterns appear.

There's also a rectification duty baked in: if the firm identifies foreseeable harm has occurred, it must put things right. That is a positive obligation. It's not satisfied by saying "we didn't intend it" or "no complaints received".

Rule 3: Enabling customers to pursue their financial objectives, the outcome rule

A firm must enable and support retail customers to pursue their financial objectives. The rule is positively framed. The firm isn't just avoiding harm; it's actively supporting customer movement toward their goals.

What this demands: outcome evidence. Suitability assessments tied to stated customer objectives. Switching behaviour. Persistency. Satisfaction patterns. Visible movement on customer-stated objectives over the product life.

Three rules, three evidence shapes: process, pattern, outcome.

Conflate them and you produce a board report the FCA reads as evidencing none.

Here's the structure most board reports under-evidence.

Each of the four outcomes requires evidence against each of the three cross-cutting rules. That's twelve evidence cells. Consumer Understanding alone has to show good-faith evidence (how were communications designed?), foreseeable-harm evidence (what behavioural patterns suggest comprehension is failing?), and outcome evidence (do customers actually demonstrate understanding?).

Most Year-2 reports show four-cell evidence stacked across the outcomes. The FCA's expectation, increasingly, is twelve-cell.

The interaction also matters at strategic level. A firm strong on good faith but weak on foreseeable harm has read the Duty as ethics-of-intent only, missing the operational evidence layer. A firm strong on outcomes but weak on good faith looks results-driven without showing the customer-first reasoning underneath. The FCA's reading of board reports increasingly diagnoses these imbalances by looking at where the evidence is concentrated.

The three rules look like a single composite requirement but they aren't. Each demands a different evidence shape: good faith is process-evidenced, foreseeable harm is pattern-evidenced, and enabling customers is outcome-evidenced. Firms that fuse them produce a board report the FCA reads as evidencing none of them.

Here's the thing the framework documents don't say out loud.

All of this lives at the case level.

The board report aggregates upward. The MI dashboards aggregate upward. But every claim a firm makes about good faith, foreseeable harm, or enabling customers is only as strong as the case-level evidence it rests on. When the FCA's Year 2 review said firms must move from "we have implemented the Duty" to "we are living and breathing it and proving it," what it was naming was the operational layer.

At case level, the three rules map cleanly to three evidence artefacts the firm must be able to produce on demand:

• Good faith → the case decision record. Who decided, on what basis, with what challenge documented.
• Foreseeable harm → the case-level review trail. Patterns aggregated across cases; rectification logged where patterns are surfaced.
• Enabling customers → the customer-outcome data. Suitability assessments tied to stated objectives; observed behaviour against those objectives over the product life.

The case-level conversation has become a board-level conversation because the FCA increasingly asks for it. A supervisory request for the evidence pack on a specific case from 14 months ago used to be a one-off. In 2026 it is becoming routine.

Curvestone now runs compliance checks across roughly a quarter of UK mortgage network advice volume. The most consistent Year-2 evidence pattern we see is networks strong on good-faith records (governance, decisions, training) but weaker on foreseeable-harm detection, the pattern-detection layer that manual sampling misses by definition. The good faith evidence is there because firms have always documented decisions. The cross-case pattern view is where the gap usually sits.

Firms that can produce a case evidence pack in under an hour are in a different conversation with the regulator than firms who can't. That gap, not the writing of the board report, is what Year-2 prep actually is.

The FCA's April 2026 observations name the failures by frequency. Three patterns dominate.

Reporting compliance when the FCA asked for outcomes

Year-1 reports leaned hard on process-completion. "100% of cases had a suitability review run." Year-2 reports were expected to evidence what happened after the process ran, whether the resulting recommendation aligned with the customer's stated objective. A lot of Year-2 reports still report compliance and expect it to read as outcomes. The FCA reads them as evading the question.

Light board minutes

Reports approved cleanly. Minutes that capture the approval, not the challenge. The FCA has flagged this explicitly: a board signoff with no documented dissent reads as a red flag, not a green light. Effective board minutes now need to show the questions asked, the challenge raised, and the follow-up actions requested.

Vulnerability evidence bolted on at year-end

Firms that defer vulnerability to a separate annual exercise miss that the 2026 focus areas embed vulnerability inside the outcomes framework. The joint ICO and FCA guidance in early 2026 raised the bar on the data-handling side. Vulnerability evidence needs to be integrated through the year, not retrofitted in June.

A Compliance Director at a UK mortgage network put the underlying point sharply earlier this year. She described the difference between Year-1 and Year-2 prep as the difference between writing the report and rebuilding the evidence stack underneath it. Year-2 is the latter. Year-3 will be more so.