Teaming up with... AVIVA

Welcome to the UKGI weekly regulation update service for Aviva ABC brokers

We hope you find the Updates useful. If you are interested in subscribing to our affordable ABC compliance support package, please email us at ABC@ukgigroup.com or call UKGI on our dedicated ABC contact line 01925 765777.

UKGI has teamed up with Aviva to provide ABC brokers with access to our weekly regulation update free of charge! The service provides a round-up of compliance-related issues to give you an overview of what’s on the regulatory horizon.

This will help you stay up to date with what regulatory changes may be coming up, so you can plan ahead.

You can also access previous ABC weekly regulation updates by clicking on the archive tab at the top of the page.

UKGI is working with Aviva to provide ABC brokers with access at preferential rates to our market-leading, online compliance manual and its library of over 200 template documents!

To watch a short introductory video showcasing the manual, click here, and to see for yourself just how useful the manual could be for your business, book an interactive demonstration.

Link(s):  
Firms’ customer due diligence processes and controls: our findings | FCA

Context

The FCA has published a summary of its findings from a multi-firm review of Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and ongoing due diligence controls, which it conducted in 2025.  The review was part of wider financial crime supervisory work in support of the 2025-30 strategy (PDF), which covered a range of portfolios and firm types with the aim of raising standards and sharing practical insights.

Key points to note and next actions

The FCA review involved the Asset Management, Crowdfunding, Wholesale banking, Contracts for difference and non-bank lenders, evaluating firms’ controls against:

The findings, and examples of good and poor practice, are grouped under the following headings:

  • Policies and procedures: Some firms distinguished between CDD and EDD for higher‑risk customers like PEPs, incorporating the January 2024 domestic PEP changes, but many policies lacked practical detail. Gaps were common around alternative ways to identify customers that couldn’t provide usual forms of identification, the frequency of periodic reviews, and what was expected in the case of event‑driven reviews.
  • CDD and EDD processes: Most firms adopted a risk‑based CDD approach and applied enhanced checks to higher‑risk customers. Some firms documented each stage of their EDD processes, including senior management oversight. Some firms failed to evidence or record key information relating to EDD actions, or specify where certain types of customer would require senior management approval.
  • Compliance monitoring and audit: Most firms had compliance monitoring and audit arrangements in place, but their depth and independence varied. One firm conducted regular, proportionate reviews and another included independent third‑line testing. Some firms lacked independent assurance, with one firm’s staff onboarding customers and then performing second-line assurance on their own onboarding activity, raising concerns about impartiality and effectiveness.

Next steps: Firms are encouraged to consider the FCA’s findings and suggestions and to continue to review CDD controls.

Link(s):  
Operational resilience 1 year on, incident and third-party reporting requirements – FCA Webinars

Context

The FCA is hosting a webinar on 29 April 2026, to be run by its technology, resilience and cyber team, marking 1 year since the FCA’s operational resilience rules came into force.  The webinar is aimed at senior professionals responsible for operational resilience, incident management, and third party risk within regulated firms, as well as relevant industry advisers.

Key points to note and next actions

The webinar will focus on the importance of operational resilience in financial firms, highlighting the need for collaboration between firms and regulators, sector-wide knowledge sharing, and ongoing investment to manage disruptions such as cyber incidents and third‑party failures.

During the session, the FCA will share findings from regulatory reviews and explain newly published incident and third‑party reporting requirements, which are due to apply from March next year. Attendees will gain practical insights to benchmark their approaches, understand good practice observed across the sector, and learn how reporting data can strengthen incident management and resilience.

Link(s):  
Summary – Working together to fight financial crime

Context

The FCA’s ‘Working together to fight financial crime’ conference brings together leaders from across regulation, industry, law enforcement, government, technology and professional bodies.

Key points to note and next actions

Speakers at the conference include Fraud Minister Lord Hanson and Nikhil Rathi, CEO of the FCA, with content to include the sharing of the latest thinking on collaboration, innovation and emerging threats.

Attendees will gain insight into the future of financial crime and cyber risk, explore how criminals are adapting and what the industry must do next to stay ahead.  They will also learn practical, actionable takeaways they will be able to put into practice.

Interactive breakout sessions are to be hosted by UK Finance, techUK, StopScams UK and the UK Financial Intelligence Unit (UKFIU), each designed to dive deeper into important issues.

The conference takes place on 14th May 2026 in London at Park Plaza Victoria London, 239 Vauxhall Bridge Road London, SW1V 1EQ.

Link(s):  
Consumer Duty information for firms | FCA

Context

The FCA’s Consumer Duty web page has been updated to include information covering Data Protection law and vulnerability related data.

Key points to note and next actions

The following information has been included in the updated Consumer Duty webpage:

Data Protection law and customer communications

Under the Consumer Understanding outcome, the FCA expects consumers to be given the information they need, at the right time, in a way they can understand. 

Data protection laws (the UK GDPR and Data Protection Act 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR) don’t stop firms from telling customers about better deals or providing information that they need to know as part of their relationship with that firm.

Administrative or customer service messages aren’t considered to be direct marketing, so there are no restrictions on communicating this type of information. Firms can also provide regulatory communications to all customers that provide neutral, factual information. For example, information about the product they hold, terms of other available products, and what their options are for moving to another product.

The Information Commissioner’s Office (ICO) guidance on direct marketing and regulatory communications explains how to draft regulatory communications and includes illustrative examples.

Data Protection law and vulnerability related data

The FCA requires regulated firms to act to deliver good outcomes for all consumers, including those in vulnerable circumstances. In practice, this can involve processing personal information, and where appropriate, sharing data related to vulnerability.

The FCA has published a joint statement to help firms understand the relevant FCA and ICO expectations around data processing in terms of:

  • Supporting consumers in vulnerable circumstances.
  • Sharing vulnerability related data appropriately across the distribution chain.
  • Monitoring outcomes for these consumers.

Link(s):  
The Bank and the PRA’s response to HMT, DSIT and DBT on AI in financial services | Bank of England

Context

The PRA and Bank of England have published a letter in response to a 28 January 2026 letter on AI-driven innovation from the Chancellor of the Exchequer, the Secretary of State for Science, Innovation and Technology, and the Secretary of State for Business and Trade.

Key points to note and next actions

The letter responds to HMT and DSIT requests to set out plans for enabling safe AI innovation and to report annually on progress, and reaffirms the Bank of England and PRA’s commitment to supporting responsible AI adoption while protecting financial stability. It also references long‑standing work on AI, including the 2022 joint FCA–PRA Discussion Paper and ongoing industry engagement.

The introduction of technology‑agnostic Model Risk Management Principles is signposted, noting further development is planned for 2026.

The letter also:

  • Describes extensive engagement with industry through surveys, roundtables, CRO discussions, and ad hoc market intelligence.
  • Outlines the role of the AI Consortium and Taskforce in exploring key systemic risks, including third‑party concentration, explainability, contagion, and agentic AI.
  • Emphasises coordination with domestic and international bodies (e.g. FSB, IAIS, G7, AI Security Institute, DRCF).
  • Notes that firms generally do not yet see a need for AI‑specific rules or a PRA sandbox, given existing FCA initiatives.
  • Explains how the Bank and PRA are using AI internally to enhance analytics, supervision, and productivity.
  • Confirms ongoing review of whether additional regulatory guardrails may be needed as AI adoption evolves.
  • States that annual reporting on AI‑driven innovation and growth will be provided through the PRA Business Plan and Annual Report.

Link(s):  
Nukula Ltd | Check you can claim | FSCS
InsureThat

Context

FSCS has listed Nukula Ltd (FRN 616475), trading as InsureThat, as a ‘failed firm’ that is no longer trading.

Key points to note and next actions

Nukula Ltd’s InsureThat webpage confirms that it entered administration on 12 July 2024, with policies being administered by Toyota Insurance Management UK Limited.

The FSCS listing includes a link to check eligibility to make a claim and a separate link to information outlining the documents needed for each type of claim.

Link(s):  
CII: Vulnerability management is an opportunity for growth

Context

The Chartered Insurance Institute (CII) says customer vulnerability management is an opportunity for firms, rather than a cost, in its latest ‘Road to Consumer Trust’ report, which sets a ‘proportionate, practical approach’ to vulnerability management and outcomes monitoring.

Key points to note and next actions

The new CII Consumer Duty, Proportionality and Vulnerability Management for Financial Planning Firms Roundtable summary report shares the findings of regulatory specialists, financial planning leaders, compliance experts, and vulnerability practitioners.

The report suggests that effective vulnerability management can support firms in expanding their potential client base, reducing the cost of ad-hoc vulnerability handling, evidencing value to clients and regulators, and building long-term consumer trust.

With ‘demonstration of how firms are delivering good customer outcomes’ identified as a key supervisory priority for the Financial Conduct Authority (FCA) in 2026, roundtable participants outlined four core principles for determining the right proportional level of Consumer Duty implementation and vulnerability management: size of firm; role in distribution chain; characteristics of client base; and risk level of product or service.

The report concludes that firms should measure the same outcomes for vulnerable and non-vulnerable clients, and track the additional support provided to achieve those outcomes. Evidence of good outcomes throughout the journey, not just at the endpoint, and building robust vulnerability data infrastructure were recognised as essential prerequisites for meaningful outcomes comparison.

It also outlined three key indicators of when firms may not be doing enough to effectively manage vulnerability. These include a ‘one-size-fits-all’ vulnerability process, cultural resistance, and opaque outcomes monitoring systems that cannot identify whether different client groups are receiving good outcomes. Recommendations involve building strong data foundations, embedding inclusive design, and addressing cultural fears around vulnerability.