Consumer Duty, FG21/1 and ECCTA - what do they mean for enterprise risk managers?
Three major FCA frameworks (Consumer Duty, FG21/1 and ECCTA) now work together to create a comprehensive consumer protection regime that demands more from financial services firms than ever before.
This isn't simply about adding new policies to your compliance library. These frameworks require enterprise risk teams to demonstrate that consumer protection is genuinely embedded in how your organisation operates, that you're measuring real customer outcomes and that you're actively identifying and remediating harm before regulators discover it.
The new consumer protection trinity
1. Consumer Duty – treating customers fairly
This represents the most significant shift in consumer protection regulation in a generation. It requires firms to act in good faith toward customers, avoid causing foreseeable harm and enable customers to pursue their financial objectives. This might sound similar to previous treating customers fairly requirements, but the standard has fundamentally changed.
Under treating customers fairly, firms could largely demonstrate compliance by showing they followed appropriate processes. Consumer Duty flips this approach entirely. The FCA now expects firms to prove they're delivering good outcomes rather than simply implementing good processes. You need evidence that customers actually understand your communications, that your products deliver fair value and that customer service genuinely supports rather than hinders customers in achieving their goals.
For enterprise risk teams, this creates a profound challenge. You can no longer build your assurance programme around checking that policies exist and processes are documented. Instead, you need frameworks that test whether those policies and processes actually work in practice and whether customers benefit from them.
2. FG21/1 Guidance on Vulnerable Customers
This mandates that firms identify customers in vulnerable circumstances and ensure they receive fair treatment and appropriate support. The guidance recognises that vulnerability can arise from health conditions, life events, resilience factors or capability issues, and crucially acknowledges that vulnerability often changes over time.
The regulatory expectation goes well beyond simply flagging customers as vulnerable. Firms must understand the specific needs that arise from different vulnerability drivers, ensure staff can recognise vulnerability indicators during interactions, adapt products and services to meet vulnerable customers' needs and monitor whether vulnerable customers achieve good outcomes.
Enterprise risk teams need robust frameworks for testing whether vulnerable customer identification actually happens, whether the support provided is appropriate and whether outcomes data shows these customers are being treated fairly. This requires deep engagement with frontline operations, sophisticated data analysis and willingness to challenge business practices that might disadvantage vulnerable customers.
3. Economic Crime and Corporate Transparency Act
This strengthens requirements for corporate transparency and economic crime prevention. While this legislation extends beyond consumer protection into broader financial crime territory, it creates important connections for enterprise risk teams managing consumer outcomes.
ECCTA includes enhanced verification of company information, tougher penalties for non-compliance and increased accountability for fraud prevention systems. For firms serving business customers or handling complex corporate structures, ECCTA requirements intersect directly with Consumer Duty obligations around enabling customers to pursue their objectives and avoiding foreseeable harm.
The Act also increases focus on how firms prevent becoming vehicles for economic crime, which matters for consumer protection because fraud prevention controls can sometimes create friction that harms legitimate customers. Enterprise risk teams need to ensure that strong financial crime controls don't inadvertently cause poor outcomes for customers trying to access services or resolve issues.
Why this matters for enterprise risk teams
These three frameworks together create a regulatory environment where enterprise risk teams must operate very differently than they did even five years ago. Several fundamental shifts affect how you build assurance programmes and interact with the business.
1. Outcomes over processes
Previously, you might review a customer communication process and confirm that templates were approved, staff were trained and quality assurance sampling occurred. Under the new regime, you need evidence that customers actually understood the communications and acted on them appropriately. You need data showing whether communications led to good customer outcomes or created confusion that caused harm.
2. Continuous monitoring replaces periodic reviews
Consumer Duty explicitly requires firms to monitor customer outcomes on an ongoing basis and act when outcomes deteriorate. This makes annual policy reviews and periodic assurance testing insufficient. Enterprise risk teams need frameworks that generate regular management information about customer outcomes, flag emerging issues quickly and track whether remediation actually improves outcomes.
3. Cross-functional collaboration becomes essential
The evidence regulators want to see sits across customer service, product development, data analytics, technology and operations. Enterprise risk teams cannot prepare for inspections by working in isolation. Success requires orchestrating evidence gathering across multiple business functions and ensuring that everyone understands regulatory expectations well enough to provide what inspectors need.
4. Demonstrable culture matters more than ever
Regulators increasingly test whether consumer protection is genuinely embedded in how firms operate or merely a compliance exercise. They interview frontline staff to assess understanding of consumer outcomes. They review board papers to see whether customer outcomes feature in strategic discussions. They examine remuneration structures to understand whether incentives support good outcomes.
The practical implications of the consumer protection updates
Understanding what's changed in regulatory expectations is one thing. Translating that understanding into practical risk management approaches is quite another. Enterprise risk teams face several immediate challenges in responding to the new consumer protection landscape.
1. Building outcome measurement frameworks
- Identifying the right metrics for different products and customer segments
- Establishing data collection processes that capture outcome information
- Creating analytical approaches that identify when outcomes are deteriorating
- Developing governance processes that ensure action when problems are identified
Many firms struggle with this because outcome data often doesn't exist in readily accessible form. Customer satisfaction scores might be tracked, but do they actually measure whether customers achieved their financial objectives? Product uptake data exists, but does it show whether products delivered fair value? Complaint volumes are monitored, but do they reveal whether vulnerable customers received appropriate support?
Enterprise risk teams need to work closely with data and analytics colleagues to build measurement approaches that genuinely assess outcomes rather than proxies that are easier to measure but less meaningful.
2. Testing vulnerable customer processes
This presents particular challenges because vulnerability is contextual and changes over time. You cannot simply check whether customers are flagged as vulnerable and move on. You need to understand whether:
- Vulnerability indicators are recognised during different interaction types
- The support provided matches the specific vulnerability drivers
- Customers receive consistent treatment across channels
- Vulnerable customers achieve outcomes comparable to non-vulnerable customers
This requires sophisticated testing methodologies that go beyond typical control testing. You might review recorded customer service calls to assess whether staff recognise vulnerability indicators. You might analyse customer journey data to identify friction points that disproportionately affect vulnerable customers. You might conduct detailed case studies of vulnerable customer experiences to understand whether processes work in practice.
3. Preparing for inspections
Inspections now require evidence that demonstrates operational effectiveness rather than policy completeness. When regulators arrive, they want to see:
- Outcome data showing you're monitoring customer results
- Documentation of actions taken when outcomes deteriorated
- Evidence that remediation actually improved outcomes
- Staff who can explain how consumer protection works in practice
Enterprise risk teams need to think like inspectors when building evidence libraries. What questions would regulators ask? What evidence would convince them that consumer protection is genuinely embedded? What gaps in evidence would raise concerns?
Building this perspective requires understanding not just what the regulations say, but how regulators think about assessing compliance.
4. Managing competing priorities
This becomes harder when consumer protection requirements increase in complexity and scope. Your enterprise risk team has finite resources. You're also managing prudential risk, operational resilience, financial crime prevention and numerous other regulatory obligations. How do you ensure consumer protection receives appropriate attention without neglecting other critical risk areas?
This requires strong governance that includes:
- Prioritising risk activities based on regulatory expectations and risk materiality
- Clear articulation of resource constraints to senior leadership
- Realistic scoping of assurance programmes that test the most important areas rather than attempting comprehensive coverage
- Effective use of thematic reviews that address multiple regulatory requirements simultaneously
What successful compliance with Consumer Duty, FG21/1 and ECCTA looks like
Firms that excel at managing the new consumer protection landscape share several common characteristics that enterprise risk teams can emulate.
They treat consumer outcomes as a core strategic priority rather than a compliance obligation.
Board papers routinely discuss customer outcome metrics alongside financial performance. Senior leaders ask questions about whether customers are achieving good outcomes, not just whether policies are being followed. This tone from the top makes the enterprise risk team's job significantly easier because the whole organisation understands that consumer protection matters.
They build sophisticated data and analytics capabilities that provide genuine insight into customer outcomes.
They don't rely on crude proxies but instead develop nuanced measures that capture whether different customer segments achieve their financial objectives. They use advanced analytics to identify patterns and trends that might indicate emerging harm. They create visualisations that make outcome data accessible to business leaders who need to act on it.
They cultivate genuine collaboration between risk, compliance and operational functions.
Enterprise risk teams operate as strategic partners who help the business understand regulatory requirements and implement practical solutions, not as compliance enforcers who issue mandates and check boxes. Operational colleagues see the risk function as a resource that helps them do their jobs better rather than an obstacle creating bureaucratic burden.
They maintain proportionate approaches that focus resources on areas of greatest customer harm potential.
They don't attempt to test everything but instead conduct sophisticated risk assessments that identify where poor outcomes are most likely. They invest deeply in high-risk areas while applying lighter-touch monitoring elsewhere. This pragmatism ensures they can actually complete meaningful assurance activity rather than spreading resources too thinly to generate real insight.
They embrace continuous improvement rather than treating regulatory compliance as a fixed target.
When assurance testing identifies issues, they're addressed through root cause analysis and systematic remediation rather than quick fixes. When outcome data shows deterioration, they investigate why and implement changes rather than explaining it away. This learning culture means they genuinely improve consumer protection over time rather than simply maintaining compliance.
Practical risk management approaches for compliance
Consumer Duty, vulnerable customer guidance and economic crime requirements collectively define what regulators expect. The challenge for enterprise risk teams is translating those expectations into practical risk management approaches that genuinely improve outcomes for customers whilst providing assurance that regulatory obligations are being met. Firms that rise to this challenge will find themselves better positioned not just for regulatory inspections, but for sustainable commercial success in an environment where consumer protection is rightly taking centre stage.
Build a framework for evidencing your compliance with our guide
Download the FCA inspection guide: Comply with Consumer Duty, FG21/1 and ECCTA
Clair specialises in the internal audit and enterprise risk elements of GRC - from trends in standards and best practice to the technologies that support more impactful ways of working.