Consumer Duty: why evidencing good outcomes never stops being the job

The Consumer Duty is a Financial Conduct Authority standard, in force since 31 July 2023, requiring UK financial services firms to act to deliver good outcomes for retail customers. The FCA called it a major shift in financial services, and structurally it is three things stacked on top of each other:

1. The Consumer Principle. A new Principle 12 in the FCA's Principles for Businesses: act to deliver good outcomes for retail customers. For retail business it replaces the old Principles 6 and 7.
2. Three cross-cutting rules. Act in good faith, avoid foreseeable harm, and enable and support customers to pursue their financial objectives. These apply to everything the firm does.
3. Four outcomes. Products and services, price and value, consumer understanding, and consumer support: each with detailed FCA expectations a firm must monitor and evidence.

The rules live in PRIN 2A of the FCA Handbook, and they apply across retail financial services: mortgages, lending, investments, wealth advice, insurance.

What the structure hides is the verb. The Duty doesn't ask firms to have good intentions, good policies, or good frameworks. It asks them to deliver good outcomes, and to be able to show that delivery happened, customer by customer. That one verb is why the Duty did not end when the implementation deadline passed. A policy describes what should happen. An outcome is what actually happened to a specific customer, and outcomes can only be evidenced one case at a time.

The implementation projects closed in 2023. The obligation they created did not.

Consumer Duty is not a 2023 project that ended. It is a permanent obligation to evidence good outcomes on every case, and most firms can prove they have a policy but not that any single customer was actually treated fairly.

The shape of the work changed on 31 July 2023. Before that date, the job was building: target-market statements, fair-value assessments, board training, new management-information packs. After it, the job became proving, continuously and at file level, that the machinery delivers what it promises. The annual board attestation makes that cycle permanent. There is always a next attestation, and it always needs this year's evidence underneath it.

Most firms aren't staffed for that. Compliance teams built for periodic, sampled review are now carrying a continuous, every-case obligation. An executive who leads AI evaluation at a UK wealth management group described the result to us: his compliance specialists spend their days "sifting around all sorts of information" just to assemble a case, before the review they are actually qualified to do can start. The firm pays for compliance judgement and gets collation.

Treating Customers Fairly, the FCA's previous conduct regime, asked firms to have the right intentions. The Consumer Duty asks them to show the receipts. Knowing the four outcomes is table stakes; proving you delivered them on every case is the actual obligation, and the part no policy document does for you.

The cross-cutting rules are the behavioural test the FCA applies across everything a firm does, which makes them the place where evidencing bites first.

The three rules ask whether the firm acted in good faith toward retail customers, avoided foreseeable harm to them, and enabled and supported them to pursue their financial objectives. FG22/5, the FCA's finalised guidance, runs to over 100 pages on how these apply in practice. We cover the rules themselves in our guide to the three cross-cutting rules.

The operational point is that each rule is a standard you must be able to demonstrate, not just assert. "We acted in good faith" is a claim. A case file showing the customer's circumstances were captured, the recommendation matched them, and the exceptions were reviewed by a person with authority to act: that's a demonstration. The difference between the two is what a supervisory visit is for.

Demonstrating at that standard on a sample is hard. Demonstrating it on every case is impossible by hand, which is why most firms quietly settle for the sample. Curvestone's full compliance check exists for exactly this gap: every case checked against the firm's encoded rulebook rather than a percentage, at 99% accuracy on mortgage compliance reviews. By our own count, around a quarter of UK mortgage-network compliance checks already run through the platform.

Checking every case instead of a sample does catch more bad cases. The bigger prize is being able to answer the cross-cutting question, "did you avoid foreseeable harm?", with data instead of an assertion.

The four outcomes read like principles. Operationally, each one maps to a concrete, checkable control, and the firms finding the Duty manageable are the ones that made that mapping explicit.

• Products and services maps to case-level file review: was this product suitable for this customer, inside its target market, with the evidence on file?
• Price and value maps to fair-value assessment and product-selection validation: can the firm show why this product, at this price, for this customer?
• Consumer understanding maps to communications checking: every customer-facing document and promotion clear, fair, and not misleading, checked before it goes out rather than after it is complained about.
• Consumer support maps to vulnerability assessment: signals of vulnerable circumstances captured from calls, emails, and case notes, flagged on the case, and acted on.

The FCA's Consumer Duty guidance expects firms to monitor and evidence all four on an ongoing basis. That's four parallel evidence streams, not one, and each stream has to reach case level to count. A spreadsheet of complaint volumes tells the board something went wrong somewhere. A case-level record shows which customers were affected, what the firm did, and when.

Two of these streams are where manual processes fail quietest. Vulnerability signals live in unstructured communications, so they rarely surface through a checklist; Curvestone's vulnerability assessment reads the communications themselves and flags the case. And financial promotions fail at volume: the checking discipline that works for ten promotions a month collapses at a hundred. Automated promotions checking, live in production with Curvestone customers today, holds the standard at any volume.

The practical consequence: a firm that runs these as four separate manual exercises does the same reading four times. A firm that checks the case once, against rules encoded for all four outcomes, gets four evidence streams from one pass.

The Duty's hardest demand is not understanding. It is evidence: file-level, consistent, auditable proof that good outcomes were delivered. That's an operational problem, and no amount of policy work solves an operational problem.

Manual review cannot carry it alone. Review quality varies by reviewer experience and fatigue. Compliance knowledge concentrates in two or three senior people, and when they leave, checking quality drops immediately. A sampled audit, however rigorous, evidences the sample and nothing else; we've written before about why sampled audits are too late.

Evidencing at scale means something specific. Every case checked, not a percentage. Every decision and override logged, with a timestamp and a person attached. Every finding traceable to the source document that raised it. The FCA's own review of Consumer Duty implementation draws the same line: the firms it praises are the ones whose outcomes data reaches case level.

This is also the bar compliance leaders now apply to the checking tools themselves. One compliance director at a UK mortgage network, the firm's SMF16, the senior manager personally accountable for compliance oversight, told us while evaluating automated checking: "I need to make sure the output is correct." The reason is the Duty itself: whatever the tool reports becomes the customer-outcomes data the firm and its board rely on.

That's the right test, and it's the regulator's test too. An output nobody can verify isn't evidence; it's a second opinion with no audit trail. Curvestone is built to pass it: the platform surfaces findings with the reasoning and source evidence attached, a human reviewer approves or overrides, and every step lands in the audit trail. The machine does the reading; the accountable person does the judging.

A board attestation is only as good as the file-level evidence underneath it.

Take a mid-tier mortgage network, the shape of firm we work with most. Before: a compliance team of eight reviews a sample of cases, each one taking over an hour to assemble and check. Outcomes are evidenced inconsistently, because each reviewer assembles the picture differently. The board report is built from spreadsheets, weeks after the period it describes.

During the change: the network's checking criteria, lender rules, and Consumer Duty requirements are encoded into the platform. That encoding step matters, because it forces the firm to say precisely what good looks like for each case type, often for the first time. Every submitted case is then routed through the checks automatically, and findings surface to a reviewer for sign-off. For the first weeks the team runs the old process in parallel, testing the output against their own judgement until the ground truths hold.

After: every case is checked, not a sample. Review time drops from over an hour to under ten minutes per case, at 99% accuracy. The audit trail builds itself as a by-product of the work, and the board report draws on file-level evidence rather than reconstruction. The checks run inside the network's existing CRM, so advisers and packagers never leave the system they already use.

The same discipline holds outside mortgages. Walker Morris, the law firm, cut regulated service-agreement review from four hours to fifteen minutes, a 93% reduction, with the same audit-trailed review on much longer documents. And when the FCA does come asking, preparation looks different too; our guide to preparing for a Consumer Duty audit covers what gets requested and when.

Five things a compliance lead can action this quarter, in order:

1. Map each product and customer journey to the four outcomes, so every case type has a named evidence stream. If a journey maps to no stream, that's a finding in itself.
2. Check every case against encoded rules rather than a sample, and log each result as it happens. Sampling evidences the sample; the Duty asks about the book.
3. Capture vulnerability signals from all customer communications, not just the accounts already flagged. Most vulnerability lives in call notes and emails, not in a checkbox.
4. Maintain a file-level audit trail: decisions, overrides, timestamps, and the source documents behind each finding. An override without a logged reason is a future supervisory question.
5. Draw the annual board report from that file-level evidence, not from spreadsheets assembled after the fact. If the report can be traced from attestation to case file, the attestation defends itself.

None of these requires new regulation to interpret. All five are checkable today, and the gap between them and a firm's current state is a reasonable proxy for its Consumer Duty exposure.