Consumer Duty monitoring for payment firms: CP26/23 may narrow the scope, but not the need for evidence

In short: Consumer Duty products and services monitoring asks a payment or e-money firm to show, not just assert, that its products give customers good outcomes. The FCA’s review of 10 July 2026 found firms that could describe their processes but could not demonstrate their interventions had worked. CP26/23 may make monitoring more explicitly proportionate to a firm’s role; it keeps the need for credible outcome evidence.
A payment or e-money firm can define its target market, complete its product reviews and maintain an outcomes dashboard, and still be unable to demonstrate that its interventions improved customer outcomes. That is the central lesson from the FCA’s products and services review, published on 10 July 2026, which surveyed 38 firms across seven sectors, including payments and e-money.
The FCA made no new rules. It published the review eleven days after opening CP26/23, a consultation on the scope and proportionality of the Duty. CP26/23 may make monitoring more explicitly proportionate to a firm’s own role. It does not remove the need for a firm to identify poor outcomes, act on them and assess whether its response worked.
Under PRIN 2A.3, a firm that designs a product must build it for a defined target market and review it as the risks change (PRIN 2A.3.4R, PRIN 2A.3.7R); a firm that only distributes must sell to the right customers and avoid harm (PRIN 2A.3.14R, PRIN 2A.3.19R). Every firm must monitor the outcomes its customers actually get and be able to show they are good (PRIN 2A.9.8R, PRIN 2A.9.9R), act where they are not (PRIN 2A.9.12R), and report to its board each year (PRIN 2A.8.3R, PRIN 2A.8.4R). The Duty bites only on retail business, and only so far as the firm influences the outcome (PRIN 3.2.6R, PRIN 3.2.7R).
What the FCA marked down
- Some firms gave target market explanations the FCA called “simplistic or generic”, setting out a product’s risks without saying why the target market suited them. Source: FCA products and services review, section 4.
- Asked how they adapted products for vulnerable customers, some firms explained how they spot those customers instead. Source: as above, section 4.
- One smaller firm judged its customers’ outcomes almost wholly on complaint numbers. Source: as above, section 5.
- At times firms made real changes to products or distribution and had not validated their impact. Where a firm could show an effect it was concrete: clearer in-app wording on ATM withdrawal limits, plus new staff training, cut related complaints by 45% over the next three months. Source: as above, sections 5 and 6.
What this means for payment and e-money firms
Payment institutions and e-money institutions are in scope for their retail business. PRIN 3.1.1AR, PRIN 3.2.1BR and PRIN 2A.1.7R bring payment services and e-money within the Duty, and payment services stay in through BCOBS, one of the sourcebooks named in PRIN 3.2.8R. A bank selling investments or insurance follows the PROD sourcebook, which switches PRIN 2A.3 off for those products. A payment firm has no PROD chapter, so PRIN 2A.3 applies to its products directly, alongside its duties under the PSRs, the EMRs and BCOBS.
The agent point is the one to watch. CP26/23’s payments example confirms that where a firm distributes through an intermediary outside the FCA’s perimeter, it keeps responsibility, under the PSRs 2017 and the EMRs 2011, for whether that firm delivers good outcomes to customers. The Duty’s proportionality relief does not reach that arrangement.
Vulnerability is where the Duty meets data protection. Meeting a vulnerable customer’s needs, rather than just flagging them, can mean recording and sometimes sharing data about those needs, some of it special-category health data. The FCA and the ICO set out how to handle it in a joint statement of 27 March 2026: a firm needs a lawful basis under Article 6 of the UK GDPR and, for health data, a condition under Article 9. Get that wrong and an FCA problem becomes an ICO one. The disclosure duties on payment-firm distributors raise the same overlap.
Consumer Duty products and services: what CP26/23 proposes
CP26/23 is a consultation, open until 18 September 2026, with rules expected early in 2027. It would tie a firm’s obligations to its own role, take non-UK customers out of scope, and let a firm fold its Duty board reporting into its usual governance instead of a stand-alone report. On monitoring, it would replace PRIN 2A.9.8R with a role-based PRIN 2A.9.8AR while keeping the four outcome questions in PRIN 2A.9.9R. None of it lowers the standard of evidence.
| What a firm does | Now | Under CP26/23 (proposed) |
|---|---|---|
| Monitors outcomes | Across the products it provides or distributes, its communications and its support (PRIN 2A.9.8R) | Only the outcomes that reasonably relate to its own role and activities (PRIN 2A.9.8R goes; new PRIN 2A.9.8AR) |
| Shows the outcomes are good | Monitoring must “enable it to determine at least” the four outcome questions (PRIN 2A.9.9R) | Same test, read against the firm’s own role in the chain |
| Reports to the board | A report to the governing body, which must approve it and confirm compliance each year (PRIN 2A.8.3R, PRIN 2A.8.4R) | The board must still approve and confirm, but a firm need not produce a stand-alone Duty report, and reporting is proportionate to its role (new PRIN 2A.8.6G; CP26/23 paras 4.39 to 4.43) |
| Oversees others in the chain | Guidance already limits a firm to its own role, though some have read it more widely | Put in the rules: a firm answers for its own role, not for policing others, unless other rules or a contract require it (CP26/23 paras 4.4 to 4.9) |
| Distributes through an unregulated intermediary | Not spelled out in the Duty | Keeps responsibility under the PSRs and EMRs for whether that firm delivers good outcomes (CP26/23 ch.3) |
Viewpoint
The Duty applies to payment and e-money firms for their in-scope retail business, and no PROD chapter softens it for their products. A firm that has treated the PSRs and the EMRs as the whole of its conduct rulebook has read the Duty too narrowly.
Two things matter more for a payments firm than the monitoring mechanics. It keeps responsibility for an unregulated intermediary in its chain under the PSRs and the EMRs, and its vulnerability work is a data protection question as much as a conduct one. CP26/23 changes neither. The duties bind now.
Frequently asked questions
Does the Consumer Duty apply to payment and e-money firms?
Yes, for their in-scope retail market business. PRIN 3.1.1AR and PRIN 3.2.1BR bring payment institutions, e-money institutions and account information service providers within the Duty, and PRIN 2A.1.7R applies the products and services rules to them. Payment services stay in through BCOBS, a sourcebook named in PRIN 3.2.8R, and there is no PROD chapter to switch PRIN 2A.3 off for their products.
What did the FCA find?
Real good practice, and some recurring gaps. Some firms explained their target markets too generically for the product’s risk, some flagged vulnerable customers without adapting anything for them, some relied on complaint numbers alone, and some changed products without showing the change helped.
Does CP26/23 cut the monitoring duty?
It focuses it. A firm would monitor the outcomes tied to its own role rather than the whole chain, and would no longer need a stand-alone Duty board report. It would still have to show those outcomes are good under PRIN 2A.9.9R, and its board would still have to confirm compliance each year under PRIN 2A.8.4R.
For advice on how the Consumer Duty interacts with the Payment Services Regulations and the e-money regime, or on the data protection questions that vulnerability work raises, contact Rob Bratby at Bratby Law.
