Key FCA Regulations That Affect Software Architecture
Regulation
Effective Date
What It Requires in Software
FCA Consumer Duty
July 2023 (ongoing)
UX must evidence "good outcomes" for customers. No dark patterns. Pricing clarity. Vulnerable customer identification. Audit trail of customer communications.
PSD2 Strong Customer Authentication
Sept 2019 (ongoing)
SCA (two-factor authentication) for payments and account access. 3DS2 for card payments. Exemptions (low value, trusted beneficiaries, merchant-initiated) must be implemented correctly.
Open Banking (OBIE)
2018–ongoing
AISPs must implement OBIE Read/Write API standards. PISPs require OBIE Payment Initiation. Consent management — detailed, revocable, time-limited. Refresh token handling. FCA AISP/PISP authorisation required.
PS21/3 Operational Resilience
March 2022 — full implementation March 2025
Identify "important business services." Set impact tolerances. Test ability to stay within tolerances. Map technology dependencies — every critical service must be documented including software and cloud providers.
AML / MLRs 2017
Ongoing
Transaction monitoring for suspicious activity. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) workflows. MLRO escalation process. Sanctions screening. Audit trail for all AML decisions.
CASS (Client Assets)
Ongoing (for investment firms)
Client money segregation in software. Daily reconciliation. CASS reconciliation audit trail. Accurate record of each client's entitlement at all times.
FCA Consumer Duty — What It Means for UX and Software
No dark patterns: The FCA has explicitly called out cancellation obstacles, pre-ticked boxes, confusing fee structures, and "sludge" that hinders customers from exercising their rights. ICO cookie consent dark patterns guidance applies in parallel.
Outcome monitoring: Your software must be instrumented to capture evidence of customer outcomes — not just conversion rates. Complaints, drop-off at key stages, and product performance metrics must be tracked and reportable to the FCA.
Vulnerable customer support: Software must identify and support vulnerable customers (bereavement, illness, financial difficulty). WCAG 2.1 AA accessibility compliance is a baseline.
Price and value: Pricing must be transparent and evidently fair. Software that obscures the true cost of a financial product (via UI design choices) creates FCA liability.
The FCA Consumer Duty (effective July 2023) is the most significant change to FCA regulation in a decade. For software, it creates specific UX and architecture requirements:
FCA Regulatory Sandbox — Technical Requirements
Working software demonstrating the innovation — not just a prototype or wireframe
Evidence of security controls: Cyber Essentials or equivalent at minimum
Data protection assessment: UK GDPR DPIA for novel data processing
Consumer protection measures: Compensation scheme, complaints process, vulnerable customer protections
Test parameters: How many consumers, what controls, what success metrics, what exit plan
The FCA Regulatory Sandbox allows innovative FinTech businesses to test products and services with real consumers under FCA oversight, with temporary authorisation. ClickMasters has supported technical sections of FCA Sandbox applications. Technical requirements include: