Welcome to the UKGI weekly regulation update service for Aviva ABC brokers

Context

HM Treasury has published its long-awaited Consultation on the future of the Appointed Representatives (ARs) regime.  In announcing the Consultation, the Treasury has stated that the regime plays an important part in the supply of financial services and provides substantial benefits to consumers and businesses.  It supports innovation and competition by allowing firms to access financial services markets without the regulatory burden and cost of becoming authorised.  The government intends to preserve the AR regime in its current scope.

However, as explained in the policy statement published in August 2025, there is concern that poor oversight of some ARs is putting some consumers at risk. The government intends to address this concern so consumers and businesses can have confidence in the regime and so that the benefits provided by ARs can continue well into the future.  In line with the commitment made in the August policy statement, this consultation seeks views on the changes the government proposes to make to the legislative framework for ARs.

Following a review of the regime, the Government has concluded that reform of the overall legislative framework for ARs is needed. This review has taken into account responses to the Call of Evidence issued under the previous administration in December 2021.

Key points to note and next actions

The consultation will remain open for 8 weeks, closing on 9 April 2026, and the three main proposals are set out below.  Two were expected following the Policy Statement, but there is one additional proposal which has been the subject of discussion since the Senior Managers and Certification Regime (SM&CR) was rolled out to all firms in December 2018.

Introducing a specific FCA Permission to act as a Principal firm

• In a similar way to the Permission that was introduced previously for approving financial promotions, HMT and the FCA both believe that this will provide more focus and oversight of firms wishing to become Principals. However, existing Principal firms will not need to apply for this and will be “grandfathered” over and given the Permission.  However, if an existing Principal with just Introducer Appointed Representatives (IARs) wants in future to take on ‘full’ ARs then it would have to apply for a Variation of Permission to be allowed to take on a ‘full’ AR.  It is unclear whether there will be some lesser form of the initial Permission for those existing Principals which only have IARs.

Extension of FOS jurisdiction to ARs

• This is for the rare cases where an AR does something outside the Principal / AR agreement (so for which the Principal has not accepted responsibility), thereby enabling FOS to adjudicate directly against the AR.  Unfortunately, the Treasury does not give any examples of where this might arise.

Bringing ARs within scope of the Senior Managers and Certification Regime

• This was omitted from the 2025 Policy Statement but was in the 2021 document.  It seems sensible to have one consistent regime rather than Approved Persons at ARs remaining under the old Approved Persons Regime.  One area that may create more work is that staff at the ARs will be in scope of the Conduct Rules. Although the Consultation Paper does not go into this level of detail, alongside training (which they should already be doing anyway) Principal firms may need to set up systems and controls to identify and be informed of breaches of the Conduct Rules by AR staff, and whether any resulting disciplinary action needs to be recorded on the principal firms REP008.
• The Treasury is also considering whether the FCA would have the ability to create a new dedicated AR Senior Management Function (SMF) in Principal firms, the holder of which would be held to account for overseeing the Principal’s ARs. We would expect that such a responsibility would already feature on a Senior Manager’s Statement of Responsibilities, but this suggestion would make the accountability more explicit.  There is also recognition that SM&CR is also subject to reform, and so any changes in the AR regime will be considered there.

Context

The ICO has published its new guidance in relation to handling data protection complaints, which explains what data controllers and processors need to do to meet the new requirement to have a data protection complaints process, as set out in the Data (Use and Access) Act. Although these requirements are not in force until 19 June 2026, the ICO has published the guidance now so that firms are ready for the changes.

Key points to note

• Data controllers and processors must have a process for handling data protection complaints – there are no exemptions to this.
• For FCA authorised firms, the requirements sit comfortably within the existing requirements for handling financial services complaints.

Data protection law says that firms must:

• give people a way of making data protection complaints;
• acknowledge receipt of complaints within 30 days of receiving them;
• without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; and
• without undue delay, tell people the outcome of their complaints.

The Guidance is made up of the following sections:

• What are data protection complaints?
• How do we prepare to handle data protection complaints?
• What do we do when we receive a complaint?
• What do we do after we’ve finished our investigation?
• How does the ICO deal with complaints?

Context

The FCA has published its Q4 2025 whistleblowing data, which shows the number of new whistleblowing reports it received between October and December 2025, and the existing reports closed during this period.

Key points to note

In this quarter, the FCA received 281 new whistleblowing reports.  For the same period in 2024 the team received 292 reports.  In Q3 2025 (July to September), the FCA received 405 reports.

• The majority of reports are still made via the FCA’s online reporting form, or by e-mail.
• Two thirds of whistleblowers chose to share their contact details with the FCA, with one third remaining anonymous.
• The 281 reports received in Q4 contained 788 allegations in total, with the following top five:
  • Compliance – 109
  • Fitness and propriety – 99
  • Culture – 67
  • Systems and controls – 58
  • Consumer detriment – 45

The FCA closed 282 whistleblowing reports between October and December 2025.

• Significant action to manage harm in 9 reports (3%) (e.g., enforcement action, a section 166 skilled person report, or restricting a firm’s Permissions or an individual’s approval).
• Action to reduce harm in 96 reports (34%) (e.g., writing to or visiting a firm, asking a firm for information, or asking a firm to attest to complying with FCA rules).
• 164 reports (58%) informing the FCA’s work, including harm prevention, but no direct action.
• 13 reports (5%) not considered indicative of harm, but the information was recorded and will be available for future reference.

Context

The ICO has published an update announcing that two further individuals have been convicted following the ICOs extensive investigation into the unlawful accessing and sale of personal information obtained from over 400 garages across the UK, as well as claims management and insurance companies.

Key points to note and next actions

• The ICO initially started this investigation in 2016 when the owner of a car repair garage in County Durham contacted the regulator, saying he was worried his customers blamed him for the nuisance calls they were receiving about personal injury claims.
• From this first initial complaint, the investigation snowballed into one of the largest nuisance call cases that the ICO has ever dealt with, resulting in a wealth of evidence that demonstrated misuses of personal data for the purpose of making calls relating to personal injury claims.
• After identifying the people involved, the ICO investigations team conducted nine warrants in the Manchester and Macclesfield areas. The devices seized under search warrant contained 241,000 emails, 4.5 million documents,144,000 spreadsheets,1.5 million images and 83,000 multimedia files.
• The defendants were found to have conspired together between 2014 and 2017, where they accessed or obtained personal data of people from vehicle repair garages without their consent. Approximately one million records were accessed by the defendants convicted of an offence under the Computer Misuse Act.
• This data was then sold onto claims management firms hoping to generate potential leads for personal injury claims.
• The ICO has an ongoing second phase of their investigation and anticipate further prosecutions of people embedded into insurance companies and claims management companies with the sole aim of stealing personal data.

Context

The OFSI has launched a call for evidence to seek industry’s views on how UK financial sanctions regulations on ownership and control are applied in practice, including how firms implement the regulations and where they face challenges.

Key points to note and next actions

The ownership and control test is designed to stop sanctioned individuals and entities from sidestepping UK sanctions by hiding behind complex company structures, trusts or proxies. However, industry representatives report to OFSI that assessing the ability of a designated person to control an entity – even if they are not actively doing so – can be difficult in practice and may create additional costs and legal risk.  OFSI is therefore asking firms, representative bodies and other interested stakeholders to share evidence and practical examples of: 

• How often ‘hypothetical control’ is present in real financial sanctions cases;
• The impact it has on compliance costs, legal risk and business decisions (including derisking);
• Whether existing legal concepts and typologies of control are helpful in applying ownership and control regulations.

This information will help OFSI understand whether the current approach is as clear, effective and proportionate as it should be, so that sanctions remain tough on those they target while being workable for legitimate businesses.

The Call for Evidence is open until 13 April 2026.

Context

According to the ABI’s latest data, Insurers have paid out £6.1 billion in property claims in 2025, this is the highest annual total on record. In the final quarter alone, payouts reached £1.5 billion, as adverse weather events continued to drive up claims costs.  In 2025 insurers paid out almost £3.4 billion across more than 560,000 home insurance claims. The average claim increased by 15% year-on-year, rising by almost £800 to £6,000.

Key points to note and next actions

The latest premium data from the ABI shows: 

• The average price of combined building and contents home insurance in Q4 2025 was £379, £14 lower compared to the same period in 2024.   
• In the final quarter of 2025, the average cost of buildings-only insurance fell to £312, from £323 in the fourth quarter of 2024. 
• The average price of contents-only insurance in the fourth quarter of 2025 was £122, £14 lower compared to the same period in 2024. 

Context

The ASA and CAP have published research showing that many people find it difficult to tell when influencer content is advertising. Influencer ads are often confused with ordinary posts and are harder to recognise than people expect.

Key points to note and next actions

Unlike traditional media, social media has no clear ad breaks. To understand how people recognise influencer advertising, ASA and CAP commissioned research testing real content on TikTok and Instagram. Algorithms regularly surface posts from unfamiliar creators on these platforms, making it harder to spot whether a post is an advert. The research shows:

• Strong public support for transparency and the desire for influencers to be clear. Around eight in ten say they want influencers to clearly label paid content upfront
• Confidence does not always match reality. Brand adverts on social media were the clearest, with around three-quarters of people able to identify them correctly. Influencer ads were harder to spot, around half of people confidently saying an influencer post was an advert, and more than a quarter did not recognise them at all. Confusion worked both ways. Some genuine reviews were mistaken for ads, and some paid influencer posts were seen as ordinary, unpaid content.
• Clear labelling makes a difference as it gives people certainty and helps them recognise ads quickly and confidently.

Context

Following the Supreme Court decision in the Hopcraft, Wrench and Johnson motor finance cases, and the publication of the FCA’s premium finance market study final report, CBPF has decided to remove the need for explicit customer consent for commission.  CBPF has, therefore, posted an update in the Broker Help and Support section of its website to confirm that it is changing its commission disclosure and consent (CDC) requirements, and that from 10 March 2026 it will be removing the need to obtain explicit consent from customers for the broker to receive commission from CBPF.

Key points to note and next actions

• From 10 March, explicit commission consent will be removed from the customer journey, and a new and ‘improved’ single Verbal Sales Script will need to be implemented (suitable for both Telesign and Non-Telesign business).
• As it has in the past, the new script encompasses all of CBPF’s commission disclosure requirements, so there is no further action for brokers to take at new business stage.
• CBPF will be including a new section on commission in all welcome packs issued to customers.
• The CDC Renewal Guide, shared with broker firms in 2025, has been decommissioned. It has been replaced with a condensed summary of CBPF’s commission disclosure requirements for renewals, MTAs and additional lending.

This decision does not change CBPF’s other commission disclosure requirements for customers, which are that they must be made aware of the following:

1. The relationship between CBPF and the broker.
2. The existence of commission.
3. The nature of the commission.
4. The amount of commission the broker will receive.
5. The method CBPF uses to calculate the commission amount.