IT for Financial Services | FCA Compliance | 6 min read

Consumer Duty is now fully in force. The FCA expects you to deliver good outcomes for clients, and that includes your IT and operational resilience. Here’s what you need to evidence.

FCA audit coming up? We help financial services firms across the North West ensure their IT meets Consumer Duty and operational resilience requirements.

Discuss your requirements →

Consumer Duty and IT: The Connection

Consumer Duty requires firms to deliver good outcomes across four areas:

  1. Products and services
  2. Price and value
  3. Consumer understanding
  4. Consumer support

What does this have to do with IT? Everything.

  • System failures that prevent clients accessing their money = poor outcome
  • Data breaches exposing client information = poor outcome
  • Slow or broken processes frustrating clients = poor outcome
  • Inability to communicate during outages = poor outcome

The FCA has made clear: “The systems worked until they didn’t” is not an acceptable excuse for client harm.


Operational Resilience Requirements

The FCA’s operational resilience framework (PS21/3) requires firms to:

1. Identify Important Business Services

Which services, if disrupted, would cause harm to clients or market integrity?

  • Client account access
  • Payment processing
  • Trade execution
  • Client communication
  • Regulatory reporting

2. Set Impact Tolerances

How long can each service be unavailable before unacceptable harm occurs?

  • Payment processing: typically 4-24 hours
  • Client access: typically 24-48 hours
  • Defined for YOUR firm based on YOUR client base

3. Test Resilience

Can you actually recover within your stated tolerances?

  • Scenario testing (not just tabletop exercises)
  • Actual recovery tests
  • Documentation of results

4. Maintain and Improve

Evidence of ongoing monitoring and improvement

  • Regular testing
  • Lessons learned from incidents
  • Investment in resilience

The IT Checklist for Consumer Duty

Business Continuity

  • ☐ Backup systems tested (not just “running”)
  • ☐ Recovery time documented and achievable
  • ☐ Disaster recovery plan tested this year
  • ☐ Alternative communication methods available
  • ☐ Staff know what to do in an outage

Data Protection

  • ☐ Encryption at rest and in transit
  • ☐ Access controls and audit trails
  • ☐ Breach detection and response procedures
  • ☐ Client notification process documented

Third Party Risk

  • ☐ IT provider’s security assessed
  • ☐ Cloud provider compliance verified
  • ☐ Contracts include resilience requirements
  • ☐ Exit strategies documented

Evidence and Reporting

  • ☐ Test results documented
  • ☐ Incident log maintained
  • ☐ Board/senior management oversight evidenced
  • ☐ Improvement plans tracked

Consumer Duty IT Gap Analysis

We help financial services firms across the North West review IT against FCA operational resilience requirements. Identify gaps before the regulator does.

Get in Touch

What the FCA Will Ask

Based on recent supervisory focus, expect questions like:

  • What are your important business services and impact tolerances?
  • When did you last test your disaster recovery?
  • Show me the test results.
  • What happened in your last IT incident? How did you respond?
  • How do you assess third-party risk (including your IT provider)?
  • What investment have you made in operational resilience?
  • How does the board oversee operational risk?

Red flags for the FCA:

  • No documented impact tolerances
  • Testing that’s theoretical, not practical
  • No evidence of board engagement
  • Third parties not assessed
  • “We haven’t had any problems” as evidence of resilience

Common IT Gaps in Financial Services Firms

Backup Testing

Most firms have backups. Fewer test them. Even fewer test full recovery scenarios. The FCA wants to see evidence you can actually recover, not just that data is being copied somewhere.

Third-Party Due Diligence

Your IT provider is in scope for your resilience. If they aren’t Cyber Essentials certified as a minimum, or if they can’t evidence their own DR, that’s your problem.

Documentation

“We know what to do” isn’t evidence. The FCA expects documented plans, test results, and improvement tracking.

Recovery Time Assumptions

Many firms assume recovery is quick. Until they test it. A 4-hour impact tolerance means nothing if your actual recovery takes 48 hours.
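As an added example (not part of this article and not the provider’s own tooling), the following Python script shows one way to turn the four operational resilience steps above and this recovery-time point into a repeatable, evidenced check: it records the firm’s impact tolerances per important business service, parses a log of recovery tests, and reports for each service whether the worst measured recovery stayed within tolerance, breached it, was only tabletop-tested, or has no test evidence at all (the last two being exactly the “theoretical, not practical” and “no evidence” red flags above). The service names, tolerance figures and test log are constructed for illustration; a firm substitutes its own tolerances and real test records.

```python
"""
Impact-tolerance evidence check.

Compares actual recovery times from disaster-recovery tests against the
impact tolerances a firm has set for its important business services, and
flags services whose only evidence is theoretical or missing.

All service names, tolerance figures and log entries below are constructed
sample data, not real firm data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Impact tolerances per important business service, in hours.
# Constructed figures: each firm defines its own, based on its client base.
IMPACT_TOLERANCES_HOURS = {
    "payment_processing": 4,
    "client_account_access": 24,
    "client_communication": 24,
    "regulatory_reporting": 48,
}

# Constructed DR test log: one row per test, ISO-8601 timestamps.
# test_type is "full_recovery" for an actual recovery test, "tabletop" for
# a discussion-only exercise.
TEST_LOG = """\
service,started,restored,test_type
payment_processing,2024-03-12T09:00:00,2024-03-12T11:30:00,full_recovery
client_account_access,2024-03-12T09:00:00,2024-03-14T09:00:00,full_recovery
client_communication,2024-05-02T13:00:00,2024-05-02T13:45:00,tabletop
"""


@dataclass
class Finding:
    service: str
    tolerance_hours: float
    actual_hours: Optional[float]  # None when no practical test evidence exists
    status: str  # "within", "breach", "theoretical_only" or "no_evidence"


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the simple CSV test log into a list of row dictionaries."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def recovery_hours(row: Dict[str, str]) -> float:
    """Elapsed time from the start of the test to service restoration."""
    start = datetime.fromisoformat(row["started"])
    end = datetime.fromisoformat(row["restored"])
    return (end - start).total_seconds() / 3600


def assess(tolerances: Dict[str, float], log_text: str) -> List[Finding]:
    """Produce one finding per important business service."""
    rows = parse_log(log_text)
    findings = []
    for service, tol in tolerances.items():
        tests = [r for r in rows if r["service"] == service]
        practical = [r for r in tests if r["test_type"] == "full_recovery"]
        if not tests:
            findings.append(Finding(service, tol, None, "no_evidence"))
        elif not practical:
            findings.append(Finding(service, tol, None, "theoretical_only"))
        else:
            # Judge against the slowest practical recovery, not the best one.
            worst = max(recovery_hours(r) for r in practical)
            status = "within" if worst <= tol else "breach"
            findings.append(Finding(service, tol, worst, status))
    return findings


def summary(findings: List[Finding]) -> Dict[str, str]:
    """Service -> status, the shape a board pack or audit response needs."""
    return {f.service: f.status for f in findings}


if __name__ == "__main__":
    for f in assess(IMPACT_TOLERANCES_HOURS, TEST_LOG):
        actual = "n/a" if f.actual_hours is None else f"{f.actual_hours:.1f}h"
        print(f"{f.service:24s} tolerance={f.tolerance_hours}h "
              f"actual={actual:6s} {f.status}")
```

Run against the constructed log, the script shows payment processing recovered in 2.5 hours against a 4-hour tolerance, client account access took 48 hours against a 24-hour tolerance (the exact gap the paragraph above warns about), client communication has only a tabletop exercise on record, and regulatory reporting has no test at all. Keeping the log and the output under version control alongside the tolerance figures gives the documented test results and improvement tracking that the checklist calls for.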


IT Provider Requirements for FCA Firms

If you’re FCA regulated, your IT provider should be able to evidence:

  • Cyber Essentials certification (minimum)
  • Their own business continuity and DR plans
  • Cyber insurance
  • Incident response procedures
  • How they’d support you during an incident

If your current IT provider can’t answer these questions, that’s a regulatory risk.

We support financial services firms across the North West with compliance-aware IT. We understand SMCR, Consumer Duty, and operational resilience requirements. When regulators ask questions, we help you have answers.

Get Consumer Duty Ready

Don’t wait for the FCA to find gaps. We help financial services firms assess IT against operational resilience requirements.

Compliance IT Support

IT support that understands FCA requirements. Let’s discuss your needs.

Get in Touch

Quick Question?

Specific compliance concern? Call and ask.

0151 452 3060