FCA Targeted Support and Data Protection: What the ICO and FCA Joint Statement Requires

The FCA’s new targeted support regime went live on 6 April 2026. Firms authorised under the new gateway may now make suggestions to groups of pension and investment customers who share common characteristics. It is the first new category of customer interaction in UK retail financial services in a generation, and it relies on customer data. Before any firm sends a single targeted support message, the joint statement published by the FCA and the ICO on 11 December 2025 requires compliance with UK GDPR, the Data Protection Act 2018 and PECR 2003. The data protection workload sits on the critical path to launch, not behind it.

Regulatory background to FCA targeted support

The FCA published PS25/22, Supporting consumers’ pensions and investment decisions: rules for targeted support, on 11 December 2025 alongside near-final rules. The FCA Board subsequently made the final rules. The authorisation gateway opened on 2 March 2026 and the regime became live on 6 April 2026. Targeted support is the first live deployment of the Advice Guidance Boundary Review launched by the FCA and HM Treasury in December 2023. It sits between information and regulated advice. It lets authorised firms suggest actions to groups of consumers sharing common financial characteristics, without delivering personalised advice.

Segmentation requires personal data processing. The FCA and ICO anticipated this and published two joint statements. The first, on 11 December 2025, covers targeted support and direct marketing. The second, on 27 March 2026, covers vulnerability-related data under the Consumer Duty. Both apply to firms offering targeted support.

The advice-guidance gap and what targeted support permits

Before 6 April 2026, firms serving retail customers in pensions and investments operated inside a binary. On one side sat information: factual content, identical for every reader, with no call to action aimed at the individual. On the other sat regulated advice: a personalised recommendation based on full analysis of the customer’s position, delivered by a firm with advice permissions at a cost of several thousand pounds. The middle was empty. A firm that told a customer “people in your position at your age, with a pot like yours, typically consider consolidating” risked straying into advice territory. The safer route was to say nothing specific, and most firms did.

The FCA’s own evidence estimated that around 23 million UK consumers sit in the middle of the binary. They have modest pots or portfolios, cannot afford the cost of personalised advice, and get nothing useful from generic information. The Advice Guidance Boundary Review identified the gap in December 2023. Targeted support is the first regulatory response.

Targeted support creates a third category of customer interaction. An authorised firm can identify a group of customers sharing a common characteristic, such as age band, pot size, drawdown pattern or product holding, and send that group a suggestion designed for the segment. The suggestion is not advice because it is not personalised to the individual’s full circumstances, and the customer takes the decision. It is not information because it proposes a course of action tailored to the segment. It sits between the two.

A workplace pension provider with one million members can now tell members aged 58 to 62 with defined contribution pots of £50,000 to £200,000 and no decumulation plan what customers in their position typically consider before state pension age. A challenger bank can tell customers whose saving patterns suggest unused ISA allowance near year-end to use the allowance before 5 April. A wealth platform can nudge customers whose portfolios have drifted from their target allocation to rebalance. A consumer credit firm can tell customers nearing the end of a fixed rate how typical customers refinance.

None of this was possible as a mass communication before the regime went live without either advice permissions, consent to a full advice process, or a nervously generic disclaimer that diluted the message to nothing. Targeted support is the mechanism that lets firms act on the commercial logic of their own customer data. The commercial logic in turn depends on personal data processing. Without a workable data protection position, FCA rules would permit the service but UK GDPR and PECR uncertainty would stop firms launching. The 11 December 2025 joint statement is the document that makes the model viable.

What the FCA/ICO joint statement requires

The 11 December 2025 statement identifies four obligations. Each maps to a concrete operational decision a firm must make before launch.

Lawful basis and transparency

A firm must identify a lawful basis under Article 6 UK GDPR before placing a customer into a segment. The joint statement does not prescribe which basis applies, but the practical choices are narrow. Legitimate interests under Article 6(1)(f) will usually be the right fit for existing customers where the firm has an established relationship and segmentation is consistent with reasonable expectations. Consent under Article 6(1)(a) is more restrictive and complicates PECR compliance for the communication itself. Contract under Article 6(1)(b) will rarely apply because targeted support is not a contracted service.

Article 13 UK GDPR transparency is mandatory. Firms must update privacy notices to describe the segmentation, the data used, the retention period and the right to object. Silent segmentation is not compliant and will not survive ICO review.

Special category data

Some targeted support use cases will involve health information. A pension decumulation segment for customers approaching state pension age, or a vulnerability segment, will typically engage Article 9 UK GDPR. Processing is prohibited unless a condition applies. The workable conditions are substantial public interest under Article 9(2)(g), read with a condition in Part 2 of Schedule 1 to the Data Protection Act 2018, or explicit consent. The 27 March 2026 joint statement on vulnerability-related data reinforces that firms must document the condition and complete an appropriate policy document where required.

Automated decision-making and profiling

Segmentation is profiling. Where a targeted support output has a legal or similarly significant effect on the customer, Articles 22A to 22C UK GDPR apply. The Data (Use and Access) Act 2025 amended the Article 22 regime to permit solely automated decisions based on non-special category personal data, provided the firm deploys safeguards and a route to human review. Firms must document the Article 22A assessment, embed the safeguards in the customer journey, and include the right to contest in the communication itself. The new regime is not lighter-touch in practice: it shifts the burden from prohibition to accountability. We have covered the new framework in more detail in Automated Decision-Making After the DUAA.

Electronic direct marketing

Regulation 22 of PECR 2003 applies to most targeted support communications sent by electronic mail. Firms must have prior consent or a soft opt-in. The soft opt-in requires a customer relationship arising from a previous sale or negotiation, a similar product or service, and an opportunity to object at every communication. Firms that hold neither consent nor a soft opt-in may still send a factual neutral message informing customers that the firm is authorised to provide targeted support, provided the message does not actively promote products. That carve-out matters. It lets firms with large non-consented customer bases prime the market with a neutral notification before asking for consent to the promotional communications themselves.

Commercial and operational implications

Targeted support is a commercial opportunity for firms that combine three things: a large retail customer base, usable customer data with clear lineage, and a data governance function mature enough to pass ICO scrutiny. Digital-first pension providers, neobanks, challenger wealth platforms and the large integrated insurers all fit the profile. Firms that lack the data infrastructure, or that hold the data but cannot evidence how it was collected and used, cannot enter the market on the same terms.

The customer beneficiaries are identifiable. Holders of defined contribution pots of around £10,000 to £150,000, first-time retail investors, workplace scheme members approaching retirement, and customers in the vulnerability cohort covered by the 27 March 2026 joint statement. These are the segments for whom a £3,000 advice fee is disproportionate and for whom generic information is not actionable. Targeted support lets a provider tell these customers, at low marginal cost, that customers in their position typically do X. The commercial model is at least as interesting to the FCA as a policy result: it closes part of the advice gap without redefining advice itself.

The commercial winners are firms with data scale and capital discipline. A neobank with several million current-account customers. A workplace pension provider with a captive member base and retirement-pathway data. A wealth platform with funded customer relationships and engagement history. A retail investment platform with transaction patterns. Each has the raw material. The firms that struggle are traditional independent advisers serving the mass market at the lower end of net worth: a large part of what they currently deliver will be captured by targeted support from firms the customer already banks or invests with. Smaller challenger firms without the compliance budget to stand up authorisation, a DPIA, an Article 22A assessment and a PECR review in parallel face a cost-of-entry question that will shape the market.

Three workstreams sit on the critical path to launch. First, a data protection impact assessment under Article 35 UK GDPR covering segmentation design, profiling and downstream decisions. The ICO expects DPIAs to be completed before authorisation, not retrofitted after launch. Second, a review of marketing permissions and PECR compliance across the existing customer base. Many firms’ permissions registers were not built to distinguish targeted support communications from other direct marketing, and the remediation takes time. Third, a segmentation governance model that defines how segments are designed, tested, monitored and retired, with ICO-facing documentation. The FCA’s Pre-Application Support Service will ask about each during authorisation engagement. Firms should prepare materials for ICO scrutiny on the same timeline. The interaction between the FCA gateway and the ICO’s Article 22A expectations is where experienced regulatory counsel pays for itself.

Viewpoint

Rob Bratby’s view: targeted support is an elegant regulatory design. It allows firms to act on the commercial logic of their customer data without crossing into regulated advice, and it lets the FCA close an access gap without redefining the advice boundary. The data protection overlay is where firms will either build or lose the operating model. Firms that treat the UK GDPR work as a second-order compliance exercise will struggle through authorisation and will risk enforcement afterwards. Firms that make segmentation and the Article 22A assessment part of core product design will move faster, price the opportunity properly, and avoid the regulatory tax. The 11 December 2025 joint statement sets the bar. It is short, unembellished and worth reading in full. The firms that read it carefully and build against it will have the first-mover advantage in a market the FCA intends to open, not restrict.