These changes are not just regulatory updates; they are critical for several reasons. Firstly, the CPC will fundamentally reshape how the CBI supervises financial firms, placing consumer protection at the core of regulatory oversight. This is especially significant as it integrates with the Individual Accountability Framework (IAF), ensuring that firms’ conduct aligns with new, stringent standards.
Secondly, the CPC is set to capture not only traditional financial entities but also new players, including firms under the Markets in Crypto-Assets (MiCA) regulation. As the financial sector evolves, all entities - new and existing - must adapt to the changing landscape and regulatory demands. Thirdly, the CPC mandates a customer-focused approach, requiring firms to embed consumer protection into their business models, decision-making processes, and corporate culture. This is more than a compliance exercise; it’s about ensuring that every product, service, and interaction is designed with the consumer’s best interests in mind.
Finally, there is a significant opportunity for organisations to reduce the risk of future enforcement actions. By focusing on consumer outcomes by design - rather than retrofitting compliance after the fact - firms can mitigate the potential for poor consumer outcomes and regulatory scrutiny down the line.
This article outlines the key aspects of the new CPC regulations, the challenges that financial services entities will face in enacting these changes, and actionable steps for ensuring compliance.
The new CPC Regulations: a new era of supervision
Following the release of the draft regulations and consultation paper (CP158) in March 2024 alongside the guidance on securing customers’ interests and protecting consumers in vulnerable circumstances, the industry has been closely monitoring developments, particularly as these changes are expected to be fully implemented by 2026 after a 12-month transition period starting in 2025. The pending publication of the CPC Regulations does not constitute a barrier to progress, especially as the Consultation Paper and the draft regulations are robust and well developed.
The revised CPC regulations are set to introduce a robust framework that aligns with international standards, such as the OECD’s updated principles including new principles in relation to access and inclusion and the quality of financial products. These regulations emphasise a holistic, customer-centric approach, requiring Regulated Financial Service Providers (RFSPs) to integrate consumer-focused strategies into their core operations, governance, and corporate culture. This approach is foundational to how the CBI will supervise firms moving forward.
The new regulations include specific measures addressing the digital transformation of financial services, the governance of products, mortgage credit and switching, error and complaint management, and the protection of vulnerable customers. Moreover, they introduce new principles like “Securing Customers’ Interests”, which necessitate a focus on the outcomes of products and services on consumers. In supporting climate transition, firms need to also consider consumer sustainability preferences and avoid greenwashing.
The challenges ahead for financial services
While the new CPC regulations promise to bring greater clarity and consumer protection, they also present significant challenges for financial services firms:
1. Integration with existing frameworks: The CPC and Individual Accountability Framework (IAF) are significant interventions from the CBI, particularly when taken together. The CPC’s alignment with the Individual Accountability Framework (IAF) adds complexity, as firms must ensure that individual conduct standards under IAF are consistent with the Code’s conduct-related Standards for Business.
2. Holistic implementation: The CPC cannot be implemented in isolation. Firms need to manage its integration across various regulatory requirements, such as Payment regulations, EU Financial Crime directives, the Digital Services Act (DSA) and Digital Markets Act (DMA), and specific sectoral guidelines like those issued in the CBI’s recent ‘Dear CEO’ letter issued on 29 August 2024 on Consumer Protection Risk Assessment for the insurance sector.
3. Technological adaptation: With consumer interactions increasingly driven by technology, firms must build long-term consumer protection capabilities that can keep pace with rapidly changing customer expectations and technological advancements.
Key steps for ongoing compliance with the CPC
To effectively manage the transition to the new CPC, financial services firms should focus on several key actions.
1. Assess the conduct and regulatory landscape
• Understand the linkages: Recognise the interconnectedness of the CPC with other regulatory frameworks like the IAF and ensure that your firm’s conduct and regulatory strategies are aligned across these frameworks to avoid regulatory breaches.
• Customer-centric strategy: Embed a customer-focused approach in your business model and decision-making processes. This includes prioritising consumer outcomes in product design, governance, and communication strategies.
• Tone from the top: In line with other jurisdictions, there is a growing expectation that RFSPs’ boards and management teams can evidence and demonstrate that customer protection expectations are being met primarily through strategy and business model definition.
2. Execute a detailed Regulatory Gap Analysis
• Line-by-line review: Conduct a comprehensive analysis of the draft CPC regulations, comparing them against existing regulations to identify new requirements and assess their impact on your organisation.
• Leverage UK Consumer Duty insights: Utilise lessons learned from the UK Consumer Duty implementation, especially in areas like financial literacy, digitalisation, and the treatment of vulnerable customers. Particularly relevant also are the insights into the data and management information that can be utilised to gain a better understanding of customer outcomes.
• Regulatory Gap Report: Develop a detailed report outlining your current compliance status, identifying any gaps, and recommending actions to address these gaps. Ensure that this process is supported by a dedicated governance structure to drive implementation and compliance.
3. Deliver compliance through design
• Compliance by design: Embed consumer protection into every aspect of the business from the outset, thereby reducing the need for costly and reactive measures in the future. By prioritising consumer outcomes in product design, governance, and communications, firms can better safeguard against potential regulatory scrutiny and ensure long-term compliance.
• Align with broader regulatory initiatives: Ensure that your compliance efforts under the CPC are in harmony with broader EU regulations like the EU Digital Services Act package, as well as sector-specific requirements.
• Make the most of the regulatory investments to support business strategy: Organisations should embrace the revised CPC as it will support balance sheet and revenue growth by enhancing level of trust and confidence. It will also attract new customers by enhancing consumer protection and promoting RFSP’s responsibility and accountability. There is also an opportunity for organisations to make the most of the regulatory investments to support business strategy, and getting ready for the revised code will allow organisations to avoid further intervention from regulators.