How FCA and ICO Expectations Are Converging
Data has traditionally been viewed as an operational or technical issue. Something for IT, legal or data protection teams to manage in the background.
That position is no longer sustainable.
Across UK financial services — and particularly within consumer credit — data governance has rapidly evolved into a core conduct risk. Increasingly, both the Financial Conduct Authority and the Information Commissioner’s Office are assessing firms through a shared lens: how data is collected, used, governed and acted upon directly affects customer outcomes.
For directors and senior compliance leaders, this convergence creates a new reality. Data governance is no longer just about GDPR compliance. It sits at the centre of Consumer Duty, affordability, vulnerability and fair treatment.
The shift from data protection to data accountability
Historically, data protection focused on privacy, consent and security. Those elements remain critical, but regulatory expectations have broadened significantly.
Regulators now expect firms to demonstrate that:
- customer data is accurate and reliable,
- decisions based on that data are fair and explainable,
- data usage supports good customer outcomes, and
- governance frameworks ensure ongoing oversight at senior level.
This represents a shift from technical compliance to strategic accountability.
Where data quality or governance is weak, the risk is no longer limited to privacy breaches. It can affect lending decisions, collections strategies, vulnerability identification and complaint handling — all of which sit squarely within conduct regulation.
Consumer Duty has accelerated the change
Consumer Duty has been a major catalyst in reframing data governance as a conduct issue.
To evidence good outcomes, firms must rely on data. Fair value assessments, outcome monitoring, vulnerability tracking and complaints analysis all depend on accurate and accessible information. Where data is incomplete, inconsistent or poorly governed, the ability to evidence compliance quickly deteriorates.
The FCA increasingly expects firms to demonstrate:
- what data they rely on to assess outcomes,
- how that data is validated and monitored, and
- how insights are translated into action.
Boards should assume that data quality and governance now sit within the regulator’s assessment of whether Consumer Duty is genuinely embedded.
Affordability, vulnerability and automated decision-making
The convergence between FCA and ICO expectations is particularly evident in areas such as affordability and vulnerability.
Affordability assessments rely heavily on customer data, credit reference information and increasingly sophisticated decisioning models. If that data is inaccurate or poorly interpreted, the risk extends beyond credit loss into conduct and remediation exposure.
Similarly, firms are expected to identify and support vulnerable customers. This requires consistent and sensitive use of customer data across the lifecycle, from onboarding through to collections and complaints.
Automated and algorithmic decision-making introduces further complexity. Where firms rely on automated underwriting, pricing or account management tools, regulators expect those systems to be explainable, monitored and capable of delivering fair outcomes.
The governance of these models is now firmly within regulatory scope.
Complaints, DSARs and regulatory alignment
Another area where data governance and conduct risk intersect is complaints handling.
Customer complaints increasingly involve data-related issues, from affordability evidence to communications history and account records. Weak record-keeping or fragmented systems can significantly undermine a firm’s ability to defend its position with the Financial Ombudsman Service.
At the same time, data subject access requests (DSARs) continue to rise. Poor coordination between complaints and data functions can create inconsistent responses and regulatory risk.
Both the FCA and ICO expect firms to manage these processes in a coordinated, controlled manner. Silos between compliance, operations and data teams are becoming increasingly difficult to justify.
Why this is now a board-level issue
The convergence of FCA and ICO expectations means data governance has moved firmly into board territory.
Directors should be able to explain:
- what data the firm relies on to make customer decisions,
- how data quality is monitored and assured,
- how data supports Consumer Duty outcomes, and
- where key data-related risks sit within the business.
Where this visibility is lacking, so too is control.
As regulatory supervision becomes more data-led, firms with weak governance or fragmented systems will find themselves increasingly exposed — not only to data protection risk, but to conduct and remediation risk as well.
A more integrated regulatory future
The direction of travel is clear. Data protection, conduct regulation and operational governance are becoming increasingly interconnected.
For consumer credit firms, this means data can no longer be treated as a technical back-office function. It is a core component of customer outcomes and regulatory compliance.
Those firms that treat data governance strategically, aligning compliance, operations and leadership oversight, will be better positioned to demonstrate control and resilience in a more demanding regulatory environment.
Those that do not risk finding that data weaknesses surface first through complaints, then through supervisory engagement.
How ALPH Legal & Compliance Can Support
ALPH Legal & Compliance works with consumer credit firms to ensure data governance supports both regulatory compliance and strong customer outcomes.
Our support includes:
- independent reviews of data governance and control frameworks,
- Consumer Duty and data alignment assessments,
- affordability and vulnerability data reviews,
- complaints and DSAR coordination audits, and
- board-level governance and oversight support.
As FCA and ICO expectations continue to converge, firms that take a proactive approach to data governance will be best placed to manage regulatory risk and demonstrate effective control.
To discuss how ALPH can support your firm in reviewing or strengthening its data governance framework, speak to our team directly.
