FCA sets out retail banking and mortgage priorities

What does this mean?

Retail banking priorities

Good outcomes from products and services

The FCA will increasingly rely on data and outcome monitoring to assess how well firms are embedding the Consumer Duty. It expects banks to continue developing the data, metrics and governance frameworks needed to monitor consumer outcomes, noting that most firms have further improvements to make. 

Particular focus will be placed on areas where customers may receive poor value, or where firms fail to identify or respond appropriately to customers in vulnerable circumstances. Where poor outcomes are identified, the FCA has signalled it will take targeted supervisory or enforcement action.

The FCA also expects firms to keep consumer outcomes front and centre when designing and delivering products and services, particularly where new technologies or AI are being deployed.

Access to cash and essential services

As banks transform their distribution models, the FCA will remain focused on ensuring customers retain access to essential banking services, particularly those who rely on in-person support.

While it recognises firms have improved their approaches to managing branch closures, the FCA will continue scrutinising digital transitions to ensure they do not create foreseeable harm. This includes assessing firms’ branch closure notifications, and researching the potential harms created by reduced in-person banking services.

Alongside this, the FCA will continue monitoring firms’ compliance with the Access to Cash regime. The regulator will also conclude its mystery shopping exercise on how firms provide basic bank accounts in Q2 2026. 

Operational resilience and data security

Operational resilience and cyber and data security remain  central regulatory priorities. The FCA expects firms to identify and mitigate evolving risks from: technology transformations, increasing reliance on critical third parties, cyber threats, and insider risks. 

Particular scrutiny is expected for large technology change programmes, where poor governance or execution could create operational risks or customer harm.

The regulator will also collect information on insider risk management this year. 

Fighting fraud and other financial crime

The FCA expects firms to continually evolve their financial crime systems and controls as criminal tactics and technologies develop. Banks should be actively monitoring emerging risks, refining their defence frameworks and promptly identifying and remediating weaknesses in controls where they arise.

Over the coming year, the regulator will: engage with firms progressing system and control improvement programmes or presenting heightened risks; use data and analytics to identify outliers; and continue its review of money laundering controls around cash deposits.

An independent evaluation of the Payment Systems Regulator’s Authorised Push Payment fraud policies will conclude in Q3 2026.

Additional areas of focus: innovation and business banking

In addition to these priorities, the FCA’s retail banking report reiterates its support for innovations such as AI, targeted support, open finance, stablecoins and tokenised deposits. Firms are encouraged to explore and test these developments, while ensuring the Consumer Duty and customer needs remain central to product design and delivery. As innovation accelerates, the FCA expects firms to maintain strong governance, risk management and oversight frameworks.

The FCA will also continue monitoring business banking outcomes under the Consumer Duty. It wants firms to assess how business customers are treated and their access to services, identifying areas for improvement, particularly in sectors important to the UK’s economic growth and national security.

Mortgage market priorities

The FCA’s priorities centre on the ongoing Mortgage Rule Review, which aims to widen access for first-time buyers and underserved consumers. 

Most of the proposed changes will be permissive, creating opportunities for firms to adapt how they design products and deliver services. However, the FCA emphasises that greater flexibility will bring greater responsibility for firms to set and manage their own risk appetites and deliver good consumer outcomes.

As firms explore opportunities to broaden access, the regulator expects them to closely monitor the effectiveness of their affordability assessments.

The regulator plans to develop its monitoring and supervisory framework to support the Mortgage Rule Review and wider rebalancing of risk. While the FCA acknowledges this rebalancing will involve trade-offs, it emphasises that responsible lending and high standards of conduct will remain core principles.

Alongside these reforms, the FCA highlights several more targeted supervisory expectations. Second charge lenders are expected to review the findings of the FCA’s supervisory review, ensuring that affordability assessments are robust, and expenditure assumptions are realistic for their customers. It asks all firms providing mortgage advice to consider the review’s findings on record keeping and quality assurance.

Supporting borrowers in financial difficulty remains a supervisory priority. 

As part of its broader work on vulnerable consumers, the regulator is also considering policy changes to support good outcomes for consumers consolidating debt.

What do firms need to do?

While the reports largely reinforce the FCA’s existing priorities, they provide a clearer articulation of the regulator’s focus across the retail banking and mortgage markets. The FCA emphasises that firms’ boards and chief executives should treat the reports as a guide to supervisory expectations and take action to ensure these expectations are met.  

Banks should focus on strengthening their ability to monitor consumer outcomes, manage risks from technology transformation, and maintain robust financial crime and conduct controls as regulatory expectations continue to evolve.

Firms should continue improving their data, governance and monitoring frameworks to demonstrate that products and services consistently deliver good outcomes. The FCA’s increasing reliance on data and analytics means firms must be able to identify emerging risks and poor outcomes early, particularly for vulnerable customers or those receiving poor value. This will require robust management information, clear escalation processes and effective governance oversight. Advanced analytics and AI can support these efforts by enabling firms to analyse large data sets and identify emerging patterns of harm more effectively.

In the mortgage market, firms exploring new flexibilities should ensure risk appetites are clearly defined and managed, and that affordability assessments remain robust and continue to support good consumer outcomes.

Banks should also ensure that innovation and digital transformation programmes remain aligned with Consumer Duty expectations and supported by strong governance frameworks.

Operational resilience will remain an important supervisory focus. Firms should continue strengthening their resilience frameworks, technology governance and third-party risk management, particularly where they are undertaking major technology change programmes. Effective management of cyber risks, data security and insider threats will be critical in the current enhanced threat environment, and as banks modernise their systems and increasingly rely on external technology providers.

Finally, firms should ensure their financial crime systems and controls continue to evolve as criminal tactics and technologies develop. This includes strengthening detection capabilities, monitoring emerging threats and rapidly remediating weaknesses in control frameworks. As the FCA increases its use of data and analytics to identify outliers, firms should expect more targeted supervisory engagement where risks are elevated.

Next steps

The reports set out a detailed timeline of upcoming initiatives. Key milestones include the FCA consultation on responsible mortgage lending rules, expected by June 2026, and final FCA, PRA and Bank of England rules on incident, outsourcing and third-party reporting, also due by June 2026 (with implementation 12 months later).