Compliance

FCA Consumer Duty and SME lending in 2026: what's actually changing

The Duty has bedded in. Here's the working guide for UK alt-lender sales, compliance, and data teams — outcome by outcome, with the checklists we wish we'd had on day one.

By Borrowsignal · · 8 min read

The FCA's Consumer Duty took full effect for new and existing products in July 2024. Eighteen months later, the supervisory focus has moved from "have you done the work" to "show us the evidence". The UK SME lending market is now firmly inside that supervisory frame for sole traders and micro-enterprises, and analogous-by-spirit for larger SMEs.

This article is the working guide we'd hand a Head of Compliance, a VP Sales, and a Head of Data on day one — what the Duty requires, where the cliffs are, and the artefacts the FCA actually asks to see.

What's actually changed by mid-2026

Three shifts have set in since the Duty came into force.

Supervisory focus has moved to evidence. Multi-firm reviews now ask for the underlying MI, the board minutes, the customer-understanding sign-off log. A policy document is not evidence. A handful of recent thematic reviews — the FCA's treatment of borrowers in financial difficulty being the most-cited — are now standard reference for SME lender compliance teams.

Fair-value benchmarking is now table stakes. Firms that priced "to market" without a documented benchmark exercise have been asked, in writing, to produce one. The expectation is annual at minimum, with material in-year updates when the market moves.

Sales and BDR scripts are in scope. "Customer understanding" doesn't only mean the consumer credit agreement; it covers the cold outreach that brings a borrower to the agreement. Email templates, cold-call scripts, and on-page pricing claims are now reviewable artefacts.

Scope: which SME customers are in

The Consumer Duty applies in full to:

  • Sole traders — always, where the lending is FCA-regulated.
  • Micro-enterprises — fewer than 10 employees and annual turnover under £2m — for FCA-regulated business lending products.
  • Small partnerships meeting the same threshold.

For larger SMEs that fall outside the FCA perimeter, the Duty does not apply directly. But the FCA's published guidance and Dear CEO letters set an unambiguous expectation: the conduct standards a regulated firm has built for its in-scope customers should not silently degrade for out-of-scope ones. In practice that means most lenders apply the Duty's spirit across their full book.

Classification matters at the lead and the application stage. A documented assessment — captured in your CRM or origination system — is what auditors look for. A lead that arrives without enough metadata to classify it (no SIC code, no headcount range, no turnover band) is a lead you can't onboard cleanly. This is where data quality starts to matter for compliance, not only for conversion.

The four outcomes, applied to SME lending

1. Products and services

You need a documented target-market statement for every product. For a revenue-based advance, that statement should name the customer types it's designed for (e.g. seasonal hospitality with £100k+ turnover and a card-payment provider in place) and the customer types it's not designed for (e.g. very-early-stage businesses with no payment history). A product distributed outside its target market is a Duty breach; "we couldn't tell" is not a defence.

2. Price and value

The price the borrower pays — APR plus all fees, in whatever combination — must represent fair value relative to the benefits. The FCA looks for a cost-plus margin analysis, a peer-pricing benchmark, and a board-approved rationale. If your APR sits more than 5 percentage points above the median for your facility size and risk tier, you need a clear documented reason: faster funding, broader acceptance, a structural cost of capital that's higher than peers'. "Market is what we charge" is not a rationale.

For benchmarking discipline and concrete UK alt-lender pricing data, see our UK working-capital pricing benchmarks for Q2 2026.

3. Customer understanding

Every material communication must be capable of being understood by the intended audience and must not omit material information. For SME lending that means:

  • Pricing claims on your website state an APR range, not just a from-rate.
  • Outreach emails and call scripts that mention a rate also state whether security is required, what repayment looks like, and that approval is subject to underwriting.
  • Where you use jargon — "factor rate", "amortising APR", "warehouse facility" — it's defined in plain English on first use.

The supervisory expectation is a sign-off log: for each material communication, who reviewed it, against what criteria, on what date. Most firms now maintain this in their marketing operations stack.

4. Customer support

Borrowers must be able to reach you and to act on their rights at least as easily as they can apply. That's the asymmetry test. If you have an instant online application but a forty-minute IVR for repayment relief, the FCA will notice. For SME lenders, the most common gap is the in-financial-difficulty pathway — both the design (clear options, no penalty for early disclosure) and the evidence (training records, call samples, complaint outcomes).

What this means for sales and BDR teams

The Duty hits the top of the funnel in three concrete ways.

Scripts are reviewable artefacts. Every cold-call template, email sequence, LinkedIn DM, and pricing claim used by your outbound team is potentially within the customer-understanding outcome. The practical fix: a single source-of-truth scripts repository, version-controlled, with sign-off dates and the compliance reviewer's initials. Banning ad-hoc improvisation isn't the goal; the goal is that any deviation is traceable and defensible.

Target-market evidence at the lead level. If your product is targeted at micro-enterprises in specific SIC codes, your lead source must be capable of filtering to that target. Buying a generic UK business contact list and "filtering at the dial" leaves you exposed: the dialled-and-declined trail is itself customer contact, and BDRs picking up the wrong company waste time, raise complaint risk, and undermine the target-market evidence.

Vulnerability indicators caught early. Where a prospect indicates they're under financial pressure, the conversation has to move from outbound sales mode to the financial-difficulty pathway — not to a different product pitch. BDR training and call-monitoring is where this is enforced in practice.

Data sourcing under the Duty

The Duty is technology-neutral. There is no list of approved data sources. What matters is provenance, accuracy, and the borrower's ability to correct or challenge.

That said, three categories of data carry meaningfully different compliance burdens.

Statutorily-disclosed public data — the UK Companies House register, the FCA register, the HMRC published lists, court judgments — is the lowest-risk source. The data is public by statute, the legal basis for processing it under UK GDPR is well-established, and the data subject has a statutory means to correct upstream errors (filing a change with the registrar). Borrowsignal's leads come from this category; that's a compliance feature, not just a marketing claim.

Aggregated third-party scoring data — credit bureau scores, payment-data scores, alternative-data scoring — is acceptable provided you can document the provenance and the model's reliability for the population you're scoring. The Duty expects you to know whether a score generalises to your SME segment, or whether it was trained on consumer or large-enterprise data and is being misapplied.

Scraped or grey-market data — LinkedIn-scraped contacts, leaked or repackaged datasets, list rentals with unclear consent provenance — is the highest-risk category and is increasingly hard to defend. You may have a lawful basis on paper; you may not have evidence that you do, and the FCA is asking for the evidence.

The practical pattern that most surviving lenders now follow: statutory public sources for top-of-funnel discovery, bureau scoring at decision, and a clear contract-trail for any third-party data that touches the underwrite. For more on the lawful-basis side, see our notes on UK GDPR for lead generation.

A practical 90-day compliance checklist

If you're tightening up to Duty supervision over the next quarter, these are the artefacts the FCA most often asks to see and the order we'd build them in.

  1. Target-market statement per product (week 1). One page each. Who it's for, who it isn't for, evidence the design suits the target.
  2. Fair-value assessment per product (weeks 2–4). Peer-pricing benchmark, cost-plus margin, board approval minute. Refresh annually; mid-year refresh if the market moves more than 100 basis points.
  3. Customer-understanding sign-off log (week 3). Every material outbound communication reviewed by a named compliance approver, dated, with the version and the criteria applied.
  4. Vulnerable-customer / financial-difficulty SOP (weeks 4–6). Decision tree, training material, call-monitoring sample, complaints linkage, MI dashboard.
  5. BDR script library and review cadence (week 5). Centralised, version-controlled, with on-page pricing claims, APR-range disclosures, and clear vulnerability triggers.
  6. Lead-source provenance log (weeks 6–8). For every external data source, the lawful basis, the contract reference, the data quality / accuracy evidence, and the borrower-rectification pathway.
  7. Outcome MI dashboard (weeks 8–12). Per product, per quarter: target-market match rate, fair-value benchmark gap, customer-understanding complaint volume, financial-difficulty resolution time. The board needs to see this; the FCA will ask for it.

None of this is novel. The Consumer Duty is not a new regulatory framework; it is a re-statement of conduct expectations that already existed across PRIN, ICOB, CONC, and the rest of the FCA Handbook. What's new is the supervisory weight and the explicit evidence bar. Eighteen months in, the firms that built the artefacts above on day one are spending less time in supervisory correspondence and more time underwriting loans.

If you want to dig into the regulatory texts directly, start with the FCA's published Consumer Duty board-paper guidance and the multi-firm review on the treatment of borrowers in financial difficulty. Both are the most-cited reference points in current supervisory correspondence on SME lending.

Frequently asked

Does the FCA Consumer Duty apply to SME lending?

The Consumer Duty applies in full to sole traders and to micro-enterprises with annual turnover under £2m and fewer than 10 employees, where the lender's product is FCA-regulated (most unsecured business lending under £25k, and any lending to sole traders, falls inside the FCA perimeter). For larger SMEs, the Consumer Duty does not apply directly but the FCA expects firms to consider analogous good-conduct principles. The classification of any individual customer should be assessed and documented at onboarding.

What does the "price and value" outcome require for an SME loan?

Firms must demonstrate that the total price the borrower pays — APR plus all fees — represents fair value relative to the benefits provided. In practice that means a documented benchmarking exercise against peer pricing, a cost-plus margin analysis, and a clear rationale for pricing that sits more than 5 percentage points above the median for the same facility size and risk tier. The board must approve this analysis at least annually.

How does Consumer Duty affect outbound sales and BDR teams?

Any communication that could lead an in-scope borrower into a credit decision is a "communication" under the Duty's "customer understanding" outcome. Cold call scripts, outreach emails, and pricing claims must be capable of being understood by the intended audience, must not omit material information (APR range, security required, repayment schedule), and must be reviewable on demand. BDRs need a documented script and an evidence trail of training.

What data sources can a lender use under Consumer Duty?

There is no list of approved sources. The Duty is technology-neutral. What matters is that the data has a lawful basis, is accurate enough for the decisions you take with it, and that the borrower has a fair means to challenge or correct it. Statutorily-disclosed public data — the Companies House registry, the FCA register, HMRC published lists — carries the lowest compliance risk. Aggregated third-party scoring data is acceptable provided you can document its provenance and reliability.

What evidence does the FCA actually expect a lender to keep?

Four artefacts are now the working minimum: a target-market statement, a fair-value assessment refreshed annually, a customer-understanding sign-off process for every material communication, and a vulnerable-customer / financial-difficulty operating procedure with evidence of training. The FCA expects management information (MI) reporting that lets the board see, by product, how each outcome is being delivered. Spot-check supervisory reviews focus heavily on the gap between policy documents and observed practice.