Over the last few years, the Financial Conduct Authority (FCA) has taken to publishing the letters it sends to the CEOs of firms within specific supervision "buckets", setting out where it sees the key risks of harm in their sector and where it expects firms to focus their efforts – and, in turn, what FCA supervisors will be homing in on in supervision visits. The letters should not only serve as a useful overview of the regulator's views, but also put firms on notice that any perceived breaches in circumstances where FCA feels its warnings have been ignored will be taken seriously.

In this article, written for Compliance Monitor, Emma Radmore looks at the themes from a selection of letters from 2021, addressed to different sectors of the market.

Overarching themes

Several themes run across most or all of FCA's sectoral communications:

  • Consumer first - Regardless of the sector, FCA expects the customer to be front and centre of all of a firm's efforts. Delivering good consumer outcomes, with fair pricing, appropriate products and clear documentation is key across all areas. For the retail banking and lending sector, affordability is critical, with appropriate policies and procedures to cater for customers who may get into financial difficulties. In everything firms do, FCA expects to see how the customer's best interests have been considered
  • Operational resilience - Operational resilience covers a wide spectrum of governance and controls. Over the pandemic, resources have been stretched and tested in ways that firms did not previously have to consider. The overarching theme in most supervisory letters, even those from before the pandemic, was the expectation on firms to ensure they understood their vulnerabilities to technical or systems failures, to carry out appropriate stress tests, and to make regulatory notifications in the event of significant problems or outages
  • Culture - FCA has noted on many occasions that culture within the wider industry, and particularly in certain sectors of it, has been a key root cause of major conduct failings. Its drive to get firms to focus consistently on consumer outcomes has, of course, led to its proposals for the Consumer Duty. But culture is not solely and narrowly about focusing on always putting the consumer first; it is about how the firm itself operates and whether it is a professional and safe place to work. To that end, FCA's initiatives on diversity and inclusion, and on whistleblowing, also have a key part to play
  • Governance - FCA took the opportunity to stress that it expects senior management function (SMF) holders at relevant firms to be on top of compliance with regulatory expectations, and to act in accordance with their responsibilities. Where FCA finds a failing in a firm, it will be looking to see which senior manager held responsibility for the relevant area or function, and will look to discipline any individual who has not met their regulatory responsibilities. Many of the letters specifically call out that meeting FCA requirements is the responsibility of the CEO, who should engage with other accountable individuals as appropriate.

Strange times

Of course, the letters of early 2020 had not taken account of a global pandemic, and as 2020 progressed, the themes changed as firms struggled to adapt their policies, procedures, technology and working practices. By 2021, FCA expected firms to have settled down to the new normal, and as the year progressed, the letters also changed. The good news is that, on the whole, FCA found that firms had weathered the storm well, and the later letters focus more on traditional themes, albeit in an environment that was forced to make sudden changes.

Retail banking

FCA has written two letters to the retail banking sector this year – a general letter in February, followed by a damning letter about retail banking anti-money laundering (AML) systems and controls a couple of months later. In the initial letter, it was pleased at the response the sector had made to the challenges of the pandemic, given its critical role. Its four priority areas for supervision going forwards were not new, and would be:

  • Ensuring fair treatment for customers (a theme previously mentioned in its sector letter for mainstream consumer credit lenders published at the end of 2020), particularly around vulnerability and affordability, and not just for individual consumers but also for SME customers
  • Ensuring good governance and oversight of customer treatments and outcomes during business change – so putting customer outcomes first while dealing with the challenges of economic strain. In particular, FCA was concerned about unsuitable pricing, unfair handling of complaints and potentially damaging business changes such as branch and ATM closures and the move towards increased digitalisation. In this context, it reminded firms that it expects them to make a Principle 11 notification about anything of which FCA would reasonably expect notice, including the cessation of a product or service
  • Improving operational resilience. FCA was concerned that there are too many outages and incidents: although firms generally coped well with the pandemic, the problems showed weaknesses in governance and technology. FCA particularly focused on the need for sound and careful procurement decisions and warned that it will focus on controls around outsourcing of functions that underpin important business services or have direct customer impact – and in this respect will be looking at senior management to show they understand what falls within their responsibility
  • Minimising fraud and financial crime. FCA was already calling for sustained improvements to systems and controls, and backed up its observations with a letter devoted to its expectations of retail banks a couple of months later. Among its key criticisms were that it sees significant failings in governance and oversight, which have the effect that responsibilities are often not properly understood or "owned", and this is the case from high level systems and controls through risk assessment and customer due diligence to transaction monitoring. Lack of training was also highlighted. FCA noted the critical role of senior management generally, and the SMF17 (money laundering oversight) function holder and the Prescribed Responsibility (d) (firm's policies and procedures for countering the risk of financial crime) holder, and called on firms to complete a gap analysis against all the weaknesses it had identified.

Wealth management and stockbroking firms

In September, FCA wrote to firms in the wealth management and stockbroking sector, having previously done so in June 2019. It has three key objectives for firms in the sector:

  • To ensure they do not facilitate scams, fraud or market abuse
  • To ensure they can wind down in an orderly manner where necessary, mitigating the risks of loss of client assets, and
  • That they make consumers fully aware of the overall cost they pay for their investment.

Unsurprisingly, the letter focused on culture and how markets can be made better for consumers – and noted that diversity and inclusion within firms will help them better to serve their diverse markets.

Interestingly, the letter also noted that FCA expects firms to act as gatekeepers and to notify it if they come across unauthorised firms carrying on regulated activities, or authorised firms acting outside their permissions, while themselves ensuring they have only the permissions that they need.


FCA's July update of its February 2020 letter to platform firms highlighted the key risks of unavailability of services following IT outages and operational issues resulting from surges in retail investor activity during the pandemic. For these firms, which are so reliant on technology, it stressed the importance of firms building appropriate controls with the right impact tolerance, with strategies that will respond quickly and effectively to operational disruptions. FCA expects firms to have available for its inspection a self-assessment document showing how they meet the requirements of PS21/3, which take effect from 31 March 2022. Following on from that theme, the letter noted that FCA expects a notification under the provisions of the Supervision Manual for material service degradation incidents such as operational disruptions – and believes it is not currently receiving notification of incidents it should be told about.

Investment-based crowdfunders

In July, FCA updated its letter to investment-based crowdfunders. Its main focus for these firms is how they promote investment opportunities appropriately so that consumers can understand the risks of the speculative and high-risk investments they offer. FCA made it clear that the CEO is responsible for the conduct of the firm as a whole and must ensure clear accountability within the firm's senior management team. FCA is worried not only about inappropriate investments, but also about scams and insufficient oversight of appointed representatives. Its final key concern was that firms should ensure they are able to wind down in an orderly way if the firm fails.

Price Comparison websites (PCWs)

FCA is concerned that PCWs often do not properly or fully understand their regulatory responsibilities and, in particular, do not react quickly enough to regulatory change. It reminded these firms of their responsibilities in respect of minimising the risk of customers being sold inappropriate products as well as ineffective governance controls and poor culture, poor operational controls and poorly managed innovation. PCWs need to ensure customers are sold products that meet their demands and needs, and put in place appropriate signposts so that customers can access appropriate financial services.

Personal and Commercial lines insurance

FCA's letter to this sector followed up from a letter from early 2020, and praised firms' general response to the pandemic, but highlighted as key drivers of harm:

  • Poor pricing practices
  • Consumers purchasing products that are not fair value (the letter predated FCA's final rules on value pricing and renewals)
  • Consumers experiencing poor service through ineffective oversight of the value chain
  • Business interruption insurance claims not being paid out in a timely manner or in accordance with the test case judgment
  • Operational resilience not preventing loss or misuse of consumer data or consumers losing access to services.

It also noted that it continues to see in the sector problems in implementing regulatory change, and signs of inability to proactively engage with, plan and implement relevant changes. As many of these are key to ensuring fair treatment of consumers, FCA noted that it expected firms to act to implement the pricing changes, and that they should do so in line with business models that have evolved during the pandemic.

Lloyd's and London Market Insurers

FCA's latest letter to Lloyd's and London Market insurers and others was published in October, roughly a year after the previous missive. It had seen several improvements since the previous letter, but still noted room for improvement. Its key objective for the sector is, most specifically, for the wholesale insurance market to support itself to "do the right thing", embrace the spirit of regulation and put the end-customer at the heart of their business model. FCA particularly welcomed the market initiatives to simplify and clarify contract wordings. It views these all as an important part of the drive to ensure the general insurance market treats customers fairly and that consumers buy products that meet their needs.

The Lloyd's and London Market, with its pivotal global role, insures complex risks across the world and so some of the key market problems, such as complexity of distribution chains and lack of contract clarity, are particularly prevalent.

That said, FCA was pleased at the progress the market had made during the pandemic to prove itself operationally resilient, in terms of the operational demands of homeworking, onshoring services at pace and responding to the changing needs of consumers. But the message was not all positive – firms have some way to go in embedding the culture FCA wants to see, and in ensuring they serve the needs of a diverse range of customers, as well as working harder on clarity of contract terms. On culture, FCA still sees problems with lack of diversity and inclusion and non-financial misconduct as being obstacles to creating the best culture within firms. It has also noted that the pandemic has potentially increased the risk for market hardening in some lines, and many customers have seen significant premium increases or not been able to find cover. These firms, then, are tasked to focus on value of products, fair and timely claims outcomes that do not create barriers for claimants and operational resilience, particularly around the risks of increased use of the cloud.

And, as with other letters, FCA is looking to firms to show strong governance, control and oversight arrangements, and will look to SMF holders to show they are meeting expectations – and will hold them accountable if they are not.

Looking ahead

FCA has put down clear markers on how it expects firms, and, in particular, their CEOs and senior managers, to be ensuring they understand the possible harm they could cause and take ownership of the policies and procedures needed to mitigate it. While it is clear from the letters that FCA will focus on the specific risks that certain business models present, it is equally clear that the drivers of senior management responsibility and consumer protection flow through all expectations.

Operational risk is likely to remain high on the supervisory agenda for some time to come, especially with the regulatory changes taking effect in March 2022. These, coupled with the comments that certain sectors are not good at dealing with regulatory change, should have the effect of making senior managers take extra care to put in place gap analyses and implementation timetables – and make sure there is a clear line of responsibility.

Where FCA finds issues, whether it's operational risk, unfair treatment of customers or anything else, whether or not highlighted in the letters, it has made it clear it will be looking to the individuals responsible. The SMCR is still in its relative infancy, especially for solo-regulated firms, and FCA will be looking to prove it works by taking action against individuals who do not meet regulatory expectations as well as their firms.