
ICO Complaints Handling Reform

Why Financial Services Firms Need to Rethink Their Approach

Complaints handling has always been a sensitive area for financial services firms. It sits at the intersection of customer dissatisfaction, regulatory scrutiny and operational pressure. With the Information Commissioner’s Office consulting on reforms to the data protection complaints process, that pressure is set to increase, particularly for FCA-regulated firms.

This reform agenda is about improving accessibility, consistency and trust. For consumer credit lenders and brokers, however, the implications go much further. Data protection complaints are increasingly intertwined with conduct risk, Consumer Duty and wider governance expectations.

Why the ICO is focusing on complaints now

The ICO has been clear that many individuals struggle to navigate existing complaints processes. Delays, unclear responses and inconsistent handling undermine confidence in how personal data is treated.

The proposed reforms aim to streamline how complaints are raised, considered and escalated. While the focus is formally on data protection, the direction of travel mirrors what FCA-regulated firms are already seeing elsewhere: regulators want complaints to be handled transparently, promptly and in a way that genuinely resolves issues rather than deflecting them.

For financial services firms, this matters because data protection complaints rarely arise in isolation.

The reality for consumer credit firms

In consumer credit, data protection complaints are often closely linked to affordability disputes, collections activity, vulnerability concerns or challenges to commission and decision-making.

A complaint about inaccurate data, incomplete disclosure or automated decisioning may sit alongside, or quickly escalate into, a wider conduct issue. How firms respond can influence not just the ICO’s view, but the FCA’s assessment of governance and customer outcomes.

Where firms treat data protection complaints as technical matters, handled separately from complaints under DISP, they risk missing this wider context.

The link to Consumer Duty

Consumer Duty has raised expectations around how firms engage with dissatisfied customers. The FCA expects complaints handling to support understanding, reduce harm and drive improvement.

Poor handling of data protection complaints can undermine those objectives. Delayed responses, defensive language or overly narrow interpretations of data rights can exacerbate vulnerability and increase mistrust.

The ICO’s reform proposals reinforce that complaints should be handled in a way that is accessible and fair. For FCA-regulated firms, this aligns closely with the Duty’s emphasis on customer support and outcomes.

Operational and governance challenges

Many firms continue to operate fragmented complaints processes. Data protection complaints may be handled by legal or privacy teams, while customer complaints sit elsewhere. Escalation routes are unclear, and MI is rarely joined up.

From a regulatory perspective, this fragmentation is increasingly problematic. Regulators expect firms to understand complaint themes holistically and to identify systemic issues early.

Senior management accountability is also in focus. Complaints handling involves judgement, particularly where data rights, exemptions and disclosures are concerned. That judgement must be governed, documented and capable of being explained to regulators.

What the reforms signal for firms

While the ICO’s consultation does not radically change legal obligations overnight, it sends a clear signal about expectations.

Firms should anticipate:

  • greater scrutiny of complaint timeliness and clarity,
  • higher expectations around transparency in responses,
  • increased focus on accessibility for vulnerable customers, and
  • closer alignment between data protection complaints and broader conduct considerations.

In practice, this means firms will need to ensure complaints processes are robust, joined up and capable of standing up to challenge from more than one regulator.

What good looks like now

Firms that manage complaints risk effectively take an integrated approach. They ensure data protection complaints feed into wider complaints governance, with consistent escalation and oversight.

They monitor trends, not just volumes, and use complaints insight to inform changes to processes, systems and customer journeys. Vulnerability is considered throughout, not bolted on at the end.

Crucially, Boards and senior managers have visibility over complaints themes and outcomes, including those relating to data protection.

Why this matters beyond the ICO

The ICO’s complaints handling reforms should be viewed alongside the FCA’s broader supervisory approach. Both regulators are increasingly interested in how firms respond when things go wrong and what they learn as a result.

Poor complaints handling is rarely viewed in isolation. It often becomes a signal of deeper weaknesses in governance, culture and operational control.

Firms that address these issues proactively are far better placed to manage regulatory relationships and reduce the risk of escalation.

How ALPH supports firms on complaints and conduct risk

ALPH Legal & Compliance supports consumer credit firms with complaints framework reviews, integration of data protection and DISP processes, Consumer Duty assurance and governance support. We help firms ensure complaints handling meets both ICO expectations and FCA conduct standards.

As complaints handling evolves, firms that treat it as a strategic conduct issue — rather than a procedural obligation — will be best placed to protect customers and withstand regulatory scrutiny.
