Consumer Duty came into full effect for all FCA-authorised firms in July 2023. Most IFA practices have by now worked through the headline obligations: understanding client outcomes, appointing a Consumer Duty board champion, producing an annual board report. What very few have addressed is the connection between Consumer Duty and cyber governance - a connection that the FCA has made explicit and that creates personal accountability for directors well beyond the IT department.

What Consumer Duty actually requires on outcomes monitoring

The Consumer Duty places an obligation on firms to actively monitor whether they are delivering good outcomes to clients across four outcome areas: products and services, price and value, consumer understanding and consumer support. The last of these is where cyber risk becomes directly relevant.

Consumer support under the Duty requires that clients can access the services they need, when they need them, in a way that meets their individual needs. A cyber incident that prevents a client from accessing their portfolio, receiving their advice, or communicating with their adviser is a consumer support failure. Under Consumer Duty, that failure must be recorded, assessed for client impact and reported to the board.

The question is not whether your IT provider would handle the technical recovery. The question is whether your board has documented its accountability for the risk that such a failure could occur in the first place.

The FCA has been explicit that Consumer Duty board champions are expected to have visibility of operational risks that could affect client outcomes - not just conduct and advice quality. A board champion who cannot answer questions about the firm's cyber resilience does not have the governance oversight the FCA expects of the role.

The board champion obligation

Every FCA-authorised firm is required to have a Consumer Duty board champion - an individual director who takes specific responsibility for ensuring the firm's Consumer Duty governance is embedded and effective. In most IFA practices, this is the managing director or a senior partner.

The board champion obligation means that the individual named in that role is personally accountable for the quality of the firm's Consumer Duty governance. If the FCA identifies a Consumer Duty failure - including a client outcome failure caused by a cyber incident - the board champion is the individual the regulator will look to first. "Our IT provider handled it" is not a sufficient response from a board champion.

Annual board report requirements

Consumer Duty requires firms to produce an annual board report that evidences how the firm has monitored client outcomes and addressed any issues identified. From 2025 onwards, with the operational resilience compliance deadline having passed, the FCA expects firms to be able to demonstrate in that annual report that operational resilience - including cyber resilience - has been considered as part of the firm's consumer outcome monitoring.

In practice, this means that your annual Consumer Duty board report should include a reference to the firm's cyber governance position, any cyber incidents or near misses during the period, the board's oversight of third-party dependencies and the testing of operational resilience against the firm's documented impact tolerances.

Very few IFA firms currently include any of this in their Consumer Duty board reports. The firms that do are significantly better positioned in any supervisory conversation with the FCA.

How GOIA bridges the gap

Domain 6 of GOIA's Executive Review specifically addresses regulatory defensibility - mapping the firm's Consumer Duty governance structure to its cyber risk posture. The output is a regulatory gap register that identifies where the firm's documented governance does not yet meet FCA expectations across both the operational resilience framework and Consumer Duty.

The output feeds directly into the firm's compliance file and provides the board champion with documented evidence of governance oversight - evidence that can be referenced in the annual Consumer Duty board report and in any FCA supervisory conversation.