Cyber

2026: The year the FCA demands proof, not promises

As financial services firms look ahead to 2026, the FCA’s priorities will continue to shape the regulatory environment, reinforcing the balancing act between enabling growth and ensuring firms consistently “do the right thing.” The direction of travel is clear. The regulator is adopting a more pro-growth tone, but there is no softening of expectations when it comes to outcomes, integrity and accountability.

The FCA’s five-year strategy, launched in March 2025, is anchored in four key themes: becoming a smarter, more efficient regulator; supporting growth and innovation; helping consumers navigate their financial lives; and combating financial crime. Central to this approach is a renewed focus on proportionality and regulatory efficiency. Firms that can demonstrate compliant conduct and efficient controls are likely to benefit from lighter-touch oversight, including streamlined reporting, simplified authorisation processes and fewer ad hoc data requests. This approach is already visible, with around 36,000 firms reportedly benefiting from reduced reporting requirements.

What this signals for 2026 is a shift in how supervision is applied. Firms may face fewer headline enforcement actions and a lower overall reporting burden, but scrutiny is not easing. Instead, it is becoming more targeted and increasingly data-led. The FCA is relying more heavily on focused information requests and expects firms to evidence, in practice, how they deliver good customer outcomes, prevent financial crime and maintain effective governance and risk management, as Joe Norburn, CEO of TCC Group (TCCMomenta and Recordsure), explains…

Consumer Duty: from policy to proof

The Consumer Duty remains central to the FCA’s agenda, continuing to act as the primary mechanism for driving good outcomes rather than through additional prescriptive rules. Its programme of multi-firm reviews will test how effectively the Duty is embedded, with particular attention on outcome monitoring, product design, customer journeys and consumer understanding. In consumer investments, for example, the FCA is undertaking a market-wide review of how the Duty is being applied to model portfolio services.

Vulnerable customers also remain a key regulatory focus. Firms are now required to report complaints involving vulnerable customers as part of a streamlined complaints reporting process, while the FCA continues to work with the Information Commissioner’s Office on the practical challenges of supporting these customers while meeting data protection requirements.

In 2026, expectations are moving beyond alignment to evidence. Firms need to be able to show that they monitor outcomes, deliver fair value, communicate clearly, and design products responsibly. While formal intervention may be used less frequently, the increased use of information requests means firms must be able to demonstrate, quickly and clearly, how decisions and customer interactions support good outcomes. Firms that embed the Duty consistently and can evidence it effectively will be better positioned to build trust, transparency and competitive advantage.

Data and innovation: responsible AI becomes non-negotiable

Digitalisation and efficiency sit at the heart of the FCA’s strategy. As firms accelerate transformation, the use of AI, advanced analytics and digital identity solutions is becoming more widespread. Regulatory expectations are evolving alongside this, with greater emphasis on deploying innovation safely and responsibly, and on maintaining robust oversight of third-party providers, models and data flows.

AI governance is now a mainstream regulatory theme. Firms are expected to ensure tools are explainable, unbiased and aligned with customer outcomes, with clear accountability for model risk and decision-making. Safety, security, ethical use and transparency are no longer emerging concepts but baseline expectations.

A common challenge firms run into is scaling technology without scaling governance. Common weaknesses include unclear data ownership, limited monitoring of model performance, gaps in vendor oversight and ongoing difficulties in complying with data protection requirements. In a data-led supervisory model, these issues do not stay hidden for long. They can quickly attract regulatory attention and create reputational risk.

Motor finance: redress readiness and data integrity

The FCA continues its work on motor finance following concerns about historical discretionary commission arrangements (DCAs). It has paused the handling of certain motor finance complaints while the regulatory and legal position is clarified. In the meantime, firms are still expected to retain relevant records, respond promptly to FCA information requests and prepare for the possibility of an industry-wide redress scheme. The regulator made it clear that operational readiness, data integrity and strong governance will be critical when a scheme is introduced.

It is important not to overlook the financial, operational and reputational risks this poses. Firms that delay preparation may struggle to respond at pace to high volumes of complaints, regulatory queries and potential redress activity. The challenges typically lie with fragmented or incomplete historical data, inconsistent documentation of commission arrangements and limited visibility across past customer journeys. Scaling complaints handling, evidencing fair treatment and producing defensible audit trails can quickly overwhelm existing systems and teams, particularly where governance is weak, ownership is unclear, and management information is limited.

Cyber and data protection: resilience must be real

The FCA is also signalling that operational resilience must go beyond compliance frameworks to focus on how firms are actively protecting customer data and responding to cyber threats. Its supervisory lens is widening to include data privacy, cyber controls, incident reporting and the resilience of third-party and vendor ecosystems. As the sector becomes more interconnected, the regulator expects operational resilience, cyber security and data governance to operate as a single, integrated discipline.

High-profile cyber incidents, data breaches and third-party failures in 2025 underlined how quickly harm can spread to customers and markets. In response, the FCA increasingly expects firms to demonstrate that cyber and data protection are built into resilience planning, with clear escalation routes, regular testing and well-rehearsed response capabilities.

Conclusion: capability, not intention

2026 is shaping up to be a year in which the FCA differentiates more clearly between firms that intend to do the right thing and those that can prove they are doing it. A more pro-growth regulatory tone should not be mistaken for lower expectations. Supervision will become more targeted, data-driven and more focused on outcomes.

For firms, the message is simple: investing now in strong governance, auditable customer outcomes evidence, responsible AI controls, resilient data architecture and cyber readiness will reduce the severity of regulatory risk. More than that, these capabilities are fast becoming the defining markers of trust and competitiveness. The firms that succeed in 2026 will be those that treat regulation not as a constraint, but as a framework for building resilient, transparent and customer-centred businesses.
