A sharp increase in the number of whistleblowing complaints received by the FCA in the first quarter of the year underlines how Consumer Duty is changing the culture of accountability within the financial services industry.
According to the regulator, 355 whistleblowing reports were filed in the first quarter, compared to 281 in both the same period last year and in the fourth quarter of 2025. Significantly, consumer rights abuses generated by far the highest number of reports, with 210 complaints.
As we have long known, the Consumer Duty is more than a regulatory framework focused on customer outcomes; it is increasingly a mechanism through which the sector itself implements policy.
For years, enforcement in financial services was primarily seen as the responsibility of the supervisor. Consumer Duty has fundamentally changed that dynamic. Companies are expected to not only monitor their own behavior, but also identify and, where necessary, challenge bad practices within their distribution chains.
When issues are identified, companies are expected to work with partners to address shortcomings. If that fails, they are effectively obliged to escalate concerns to the FCA. In practice, this creates a self-regulatory environment in which brokers, lenders and providers are responsible not only for their own conduct, but also for the standards used by those they work with.
This latest data shows this in action, as companies demonstrate a willingness to meet their obligations and raise concerns.
Although companies have historically been primarily afraid of regulatory intervention, Consumer Duty is turning the dial. Now there are more and more reasons for companies to pay equal attention to the way they are perceived by colleagues, partners and counterparts in both the distribution chain and the wider market.
As we know, distribution relationships are a defining feature of the industry. In the current regulatory landscape, these relationships depend on trust that all parties can deliver good results – as required under Consumer Rights. This is especially true for vulnerable customers.
Companies that fall within these arrangements can no longer treat compliance as someone else’s problem. If poor customer outcomes emerge within a distribution chain, regulators are likely to question what other participants knew, what oversight existed, and whether enough was done to prevent foreseeable harm.
This places the emphasis not only on compliance, but also on proving compliance. Companies must proactively gather the evidence needed to demonstrate to both their boards and the regulator that their behavior is delivering good outcomes for their customers – especially those with vulnerable characteristics. Just saying that isn’t enough – companies need data to prove it.
If companies later discover poor outcomes, it can be extremely difficult to retrospectively identify customer vulnerability characteristics or customer needs based on historical interactions. As a result, many companies now recognize the need to capture customer attribute data at the point of sale – and monitor it throughout the product lifecycle.
Doing this will not only support consumer rights compliance, but also protect businesses if complaints arise later.
However, this remains a real stumbling block for many companies. The approaches still rely heavily on training of frontline staff and subjective assessments, which is not conducive to consistent results or the level of robust data required. Furthermore, the FCA has recently raised concerns about firms using purely reactive measures, whether they rely on customers to disclose their own measures vulnerabilities or on staff to identify problems only when they become visible. This leads to huge gaps in identification.
It’s no secret that this is an important task for businesses and why the regulator – and bodies such as the Chartered Insurance Institute – continue to advocate for technology adoption. This means businesses can take a more objective and consistent approach to assessing customer vulnerability, supported by digital systems that can securely store and analyze data in line with GDPR requirements.
Digital systems are readily available to help companies prove customer attributes, monitor results over time, and provide consolidated reporting without unnecessarily sharing personal data. Systems that you could describe as providing a credit score, but for vulnerability. Top-level indicators – backed by extensive vulnerability data – that can be confidently and securely shared across the distribution chain.
With the recent joint call from the FCA and ICO for companies to share vulnerability data, something like this means this is completely feasible.
These latest whistleblowing figures suggest that we are now fully into the next phase of Consumer Duty, where the responsibility for identifying and escalating bad practice lies firmly with the market itself. Just as companies say they are regulated by the FCA, they are now increasingly regulated by each other.
Andrew Gething is director of MorganAsh