
Regulatory Investigations and Enforcement
Specialist support when Ofcom, the FCA, PSR or ICO investigates your business
A regulatory investigation can start with a single letter from Ofcom, the FCA, the PSR or the ICO. It may be a formal information request, a complaint referral, a supervisory enquiry or a notice of regulatory investigation. The deadline is short and your internal team needs specialist support now, not next week. We act for regulated businesses on the receiving end of a regulatory investigation or enforcement action across telecoms, data protection and payments.
Who this is for
Received an information request, compliance questionnaire or investigation notice from Ofcom, the ICO, the FCA or the PSR? Early strategic response matters. We advise on the procedural framework, manage regulator correspondence and protect your position from first contact through to resolution.
| Regulator | Typical trigger | Key powers | Typical timeline | Maximum penalty |
|---|---|---|---|---|
| Ofcom | Complaint, market monitoring, breach of General Conditions or licence terms | Information requests (s 135 CA 2003); provisional and final determinations; dispute resolution | 3 to 18 months | 10% of relevant turnover |
| FCA | Supervisory review, whistleblower report, breach of authorisation conditions | Information requirements (s 165 FSMA 2000); skilled person reviews (s 166); enforcement notices | 6 to 24 months | Unlimited financial penalty |
| PSR | Non-compliance with PSR directions, competition concerns in payment systems | Compliance orders (s 56 FSBRA 2013); directions; penalty orders | 6 to 18 months | No statutory cap (proportionality applies) |
| ICO | Data breach report, complaint, proactive audit programme | Assessment notices (s 149 DPA 2018); enforcement notices (s 149); monetary penalties | 3 to 12 months | £17.5m or 4% of global turnover |
| CMA | Merger review, competition investigation, consumer protection concern | Information requests; interim measures; disqualification orders | 6 to 24 months | 10% of worldwide turnover |
Typical triggers for a regulatory investigation
- The business receives an Ofcom section 135 information request and needs to understand the scope and deadline for responding
- An ICO investigation letter arrives following a reported personal data breach
- The FCA notifies the firm of a supervisory visit or a skilled person review under section 166 FSMA
What we deliver in a regulatory investigation
- Initial triage: assessment of the regulatory communication, risk exposure and response deadline within 24 to 48 hours
- Draft response: a response to the regulator’s information request or enquiry, drafted to the deadline
- Regulator response strategy: a note setting out the options, risks and recommended approach to the investigation
- Ongoing representation: managing information requests, attending meetings, advising on settlement or appeal
- Multi-regulator coordination: where an issue engages more than one regulator (e.g. Ofcom and ICO, or FCA and PSR), we advise across regimes
- Board and audit committee briefing: a concise note for the board or audit committee summarising the investigation, risk exposure, potential outcomes and recommended next steps
- Penalty mitigation submission: where a penalty is proposed, representations to the regulator on the appropriate level of any financial penalty, addressing the statutory factors and any mitigating circumstances
How a regulatory investigation typically proceeds
The course of a regulatory investigation varies by regulator and subject matter, but most follow a recognisable pattern. Ofcom typically opens a regulatory investigation with a formal notification letter, followed by one or more information requests under section 135 of the Communications Act 2003. The FCA may begin with a supervisory enquiry or skilled person report (section 166 FSMA 2000) before escalating to a formal regulatory investigation. The ICO generally starts with a complaint or reported breach and may issue assessment notices or information notices before determining whether enforcement action is warranted. Where investigations involve proprietary technology or trade secrets, we advise on protecting confidential information and IP rights throughout the regulatory process.
At each stage of a regulatory investigation, the regulated business faces strategic decisions: how much information to provide beyond the minimum required, whether to engage proactively with the regulator, whether to make voluntary disclosures and how to protect legally privileged material. The approach taken in the early stages of a regulatory investigation often determines the outcome. A cooperative but disciplined response, supported by specialist regulatory counsel, reduces the risk of escalation and helps contain the scope of the regulatory investigation.
Enforcement outcomes range from informal warnings and voluntary undertakings to formal enforcement notices, directions, financial penalties and, in serious cases, revocation of authorisation. Understanding the regulator’s enforcement priorities and decision-making process is essential to managing a regulatory investigation effectively. For background on the regulatory frameworks, see our pages on telecoms regulation, data protection and payments regulation.
Representative experience
Recent and representative matters include:
- Defended a telecoms provider against Ofcom enforcement action for alleged breach of contract requirements, securing case closure without penalty through early engagement and targeted submissions.
- Advised an online platform on responding to an ICO investigation into data subject access request handling, achieving a compliance outcome that avoided a formal enforcement notice.
- Represented a payment institution in responding to PSR compliance enquiries on interchange fee arrangements, providing the analysis that closed the enquiry at preliminary stage.
- Managed an operator’s response to an Ofcom monitoring programme on compliance with telecoms security duties, delivering the required evidence within the compressed regulatory timeline.
- Supported a communications provider through an Ofcom own-initiative investigation into numbering condition compliance, negotiating an outcome that avoided financial penalties.
Frequently asked questions
How do I respond to an Ofcom section 135 information request?
An Ofcom information request under section 135 of the Communications Act 2003 is a statutory demand and must be taken seriously. You should not ignore the deadline or provide incomplete information. We help you assess the scope of the request, identify what information is required, manage any commercially sensitive material, and draft the response within the statutory timeframe. Early engagement with us reduces the risk of follow-up enforcement action.
What happens if we receive an ICO enforcement notice about a data breach?
An ICO enforcement notice requires you to take specific steps to comply with data protection law, and failure to comply is a criminal offence. We advise on the response strategy, assess whether the notice is proportionate, and if appropriate prepare representations to the ICO. If you have suffered a personal data breach, we also advise on the notification obligations under Articles 33 and 34 of the UK GDPR and manage communications with the ICO on your behalf.
Can you help us manage an FCA supervisory visit?
Yes. FCA supervisory visits can be triggered by routine monitoring or by specific concerns about your compliance. We advise on preparation, attend alongside your team where appropriate, and help you respond to any follow-up requests or required actions. For payments firms, we have particular experience with safeguarding reviews and Consumer Duty assessments, which are current FCA supervisory priorities.
How quickly can you respond?
We can review an investigation letter and provide an initial assessment within 24 to 48 hours. Same-day response is available for urgent matters. We work alongside your in-house team to manage the process, coordinate document production and prepare for any regulatory meetings or interviews.
Do you represent businesses in Ofcom enforcement proceedings?
Yes. We advise through the full enforcement process under the Communications Act 2003, including provisional notifications, penalty representations and Competition Appeal Tribunal appeals.
Should we self-report to the regulator?
That depends on the obligation, the severity and the regulator’s published approach. We advise on the risks and benefits of voluntary disclosure in each case.
How does this page differ from the Telecoms Regulation or Payments Regulation pages?
Those pages explain the enforcement frameworks. This page is for a live instruction where you have received contact from a regulator and need to act.
We have received a letter from the regulator. What should we do first?
Do not respond without taking advice. The first letter sets the tone for the entire investigation and the information you provide at this stage can significantly affect the outcome. We review the letter, assess the risk exposure and advise on the appropriate response strategy before any substantive reply is sent. We can typically turn around an initial assessment within 24 to 48 hours.
How long does a typical regulatory investigation take?
Timelines vary considerably depending on the regulator and the complexity of the issue. An Ofcom investigation under the Communications Act 2003 may take several months from the initial enquiry to a final decision. FCA and PSR investigations can extend further. We advise on realistic timescales at the outset and manage the process to avoid unnecessary delays or escalation.
Will our investigation become public?
That depends on the regulator and the stage of the investigation. Ofcom and the FCA may publish enforcement decisions and penalty notices. Some regulators publish warning notices before a final decision. We advise on managing the public disclosure aspects of a regulatory investigation, including the timing of any public statements and board communications.
Should we handle the investigation in-house or instruct external lawyers?
Specialist external advice is advisable from the outset. Responses to regulators set the tone for the entire process and missteps in early correspondence can narrow your options later. In-house teams benefit from independent experience of the regulator’s investigation process, a dispassionate assessment of risk exposure and a clear strategy for managing the investigation through to resolution.
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
- Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology



