According to the regulator, 355 whistleblowing reports were submitted in Q1, up from 281 in both the same period last year and Q4 2025. What is significant is that wrongdoing in relation to Consumer Duty generated by far the highest number of reports – at 210 complaints.

As we have long identified, Consumer Duty is more than a regulatory framework focused on customer outcomes, it is increasingly a mechanism through which the industry policies itself.

For many years, enforcement in financial services was seen primarily as the responsibility of the regulator. Consumer Duty has fundamentally changed that dynamic. Firms are expected to not only monitor their own behaviour, but also identify poor practice within their distribution chains and challenge it where necessary.

Where concerns are identified, firms are expected to work with partners to address shortcomings. If that fails, they are effectively required to escalate concerns to the FCA. In practice, this creates a self-policing environment in which brokers, lenders and providers are accountable not only for their own conduct, but also for the standards maintained by those they work with.

This latest data shows this in action as firms demonstrate a willingness to rise to their obligations and report concerns.

While historically, firms may have feared regulatory intervention above all else, Consumer Duty shifts the dial. Now, there is growing reason for firms to pay equal attention to how they are perceived by peers, partners and counterparts across both the distribution chain and the wider market.

As we know, distribution relationships are a defining feature of the industry. In the current regulatory landscape, these relationships depend on confidence that all parties can evidence good outcomes – as required under Consumer Duty. This is particularly true for vulnerable customers.

Firms within these arrangements can no longer treat compliance as someone else’s problem. If poor customer outcomes emerge within a distribution chain, regulators are likely to ask what other participants knew, what oversight existed, and whether enough was done to prevent foreseeable harm.

As a result, the emphasis is not just to comply, but to prove compliance. Firms must proactively gather the evidence needed to demonstrate to both their boards and to the regulator that their behaviour results in good outcomes for their customers – particularly those with vulnerable characteristics. Just saying so will not cut the mustard – firms need data to provide this evidence.

If firms later discover poor outcomes, it can be extremely difficult to retrospectively identify customers’ vulnerability characteristics or customers’ needs from historic interactions. As a consequence, many firms now recognise the need to capture customer characteristics data at the point of sale – and to monitor it throughout the product lifecycle.

Doing so not only supports Consumer Duty compliance, but also protects firms should complaints emerge further down the line.

However, this remains a real stumbling block for so many firms. Approaches still rely heavily on training of front-line staff and subjective assessments which is not conducive to consistent outcomes or the robust level of data required. Furthermore, the FCA has recently flagged concerns over firms using purely reactive measures, whether it’s relying on customers to disclose their own vulnerabilities or on staff to identify issues only once they are visible. This leads to massive gaps in identification.

It’s no secret that this is a significant task for firms and why the regulator – and bodies such as the Chartered Insurance Institute – continue to advocate for technology adoption. Doing so means firms can adopt a more objective and consistent approach to customer vulnerability assessment, supported by digital systems capable of securely storing and analysing data in line with GDPR requirements.

Digital systems are readily available to help firms evidence customer characteristics, monitor outcomes over time and provide consolidated reporting without unnecessarily sharing personal data. Systems which you could describe as providing a credit score, but for vulnerability. Top level indicators – backed by extensive vulnerability data – which can be shared confidently and securely across the distribution chain.

With the recent joint call from the FCA and ICO for firms to share vulnerability data, something like this is means it is fully achievable.

These latest whistleblowing figures suggest that we are now fully into the next phase of Consumer Duty, where the responsibility for identifying and escalating poor practice firmly sits within the market itself. Just as much as firms say they are regulated by the FCA, they are now also increasingly regulated by each other.

Andrew Gething is managing director of MorganAsh