Quick Answer: What is the FCA Handbook? #
The FCA Handbook is the official rulebook maintained by the UK’s Financial Conduct Authority (FCA). It outlines the regulatory standards that financial services firms must follow to operate legally and responsibly in the UK. These rules cover everything from customer treatment and risk management to data handling and reporting obligations.
The Handbook is based on powers granted to the FCA under the Financial Services and Markets Act 2000 (FSMA), including amendments over time. It serves as a living document that reflects evolving legal, regulatory, and industry expectations.
Up next, we’ll break down what the Handbook covers, the changes shaping it, and how firms can stay compliant.
Table of Contents #
- The FCA Handbook explained
- What are the key modules of the FCA Handbook?
- Which FCA Handbook modules carry significant data-related expectations?
- What does the FCA expect from your data infrastructure?
- Data governance: The missing bridge between policy and execution
- FCA Handbook: Summing up
- FCA Handbook: Frequently asked questions (FAQs)
The FCA Handbook explained #
The FCA Handbook is the central source of regulatory requirements for firms operating in the UK financial services sector.
It consolidates decades of financial regulation into a single, authoritative framework that guides firms on how to remain compliant with the standards set by the Financial Conduct Authority (FCA).
The FCA Handbook has evolved from a legal framework into a blueprint for data accountability.
“Data is the lifeblood of a modern regulator and in the next five years, we expect to become as much a regulator of data as a financial one.” - FCA Chief Executive Nikhil Rathi
What is the FCA? #
The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. Its primary responsibilities include protecting consumers, maintaining market integrity, and encouraging healthy competition among financial service providers.
Most firms offering financial services in the UK must be authorised or registered with the FCA. The regulator oversees approximately 42,000 businesses across a broad spectrum, including:
- Wholesale markets, such as buyside and sellside firms, investment funds, trade repositories, and data reporting services
- Insurance and banking, including general insurance intermediaries, banks, credit unions, and insurers
- Consumer finance, such as consumer credit lenders, debt collection firms, and claims management companies
- Investment firms, including financial advisers, wealth managers, stockbrokers, and crowdfunding platforms
- Credit and mortgage brokers, such as credit brokers, mortgage brokers, motor dealers, and retail finance providers
- Payment, e-money, and crypto firms
The FCA has extensive enforcement authority, including criminal, civil, and regulatory powers. If firms or individuals breach the standards defined in the Handbook, the FCA can take action to protect consumers and ensure market stability.
The Handbook itself is a living framework. It is continuously updated to reflect changes in legislation, emerging risks, and industry evolution. It serves not just as a rulebook, but as a practical reference to help regulated firms operate responsibly and in line with the FCA’s expectations.
What are the key modules of the FCA Handbook? #
The FCA Handbook is divided into several modules, each covering a specific area of regulation. These modules apply depending on the type of firm, its activities, and the risks it poses. Understanding these modules is essential for firms to determine which rules apply to them and how to remain compliant.
FCA Handbook modules and principles - Image by Author.
Here are the major modules:
- High Level Standards (HLS): These set the foundation for all regulated firms. They include principles for business (PRIN), senior management arrangements (SYSC), conduct of business obligations (COBS), and thresholds for authorisation (COND).
- Business Standards (BS): This section outlines detailed conduct rules for specific types of business activity, including insurance, mortgage lending, payment services, and investment advice.
- Regulatory Processes (RP): Covers the administrative aspects of regulation, such as authorisation, supervision, enforcement, and disclosure. It includes the Decision Procedure and Penalties Manual (DEPP) and Enforcement Guide (EG).
- Redress (RE): Explains procedures for handling customer complaints and delivering fair outcomes. It also includes rules on compensation through the Financial Services Compensation Scheme (FSCS) and ombudsman procedures.
- Specialist Sourcebooks (SS): Applies to firms in niche sectors such as consumer credit, payment services, e-money, and fund management. These modules address sector-specific obligations.
- Prudential Standards (PS): Focuses on financial stability and risk management. These standards include requirements around capital adequacy, liquidity, and risk controls, especially relevant for banks and investment firms.
Each module is structured with rules (mandatory), guidance (advisory), and evidential provisions (helpful for demonstrating compliance). Firms are expected to interpret and apply the relevant parts of the Handbook in line with their business model and regulatory obligations.
What are the recent changes in the FCA data compliance? #
The FCA is placing increasing weight on data, requiring firms to show proof of compliance through clear, traceable systems rather than assertions. Here’s what’s changed:
Operational resilience under SYSC and SUP: From claims to evidence #
According to FCA Policy Statement PS21/3, firms are now required to prove their operational resilience. This requirement came into force in March 2022, and firms must have live resilience mapping, impact tolerances, and testing in place by 2025.
Requirements include:
- Clear data lineage
- Verifiable and traceable records of automated decisions
- Audit-ready logs
- Secured and structured data
- Documentation enabling regulators to trace operational incidents or decisions
Centralized compliance via the My FCA portal #
Launched in March 2025, the My FCA portal offers a unified entry point for regulated firms. It consolidates:
- Connect, RegData, the FCA Register, and Online Invoicing
- Reporting and attestation tasks in one dashboard
- Role-based access and real-time compliance tracking
Enforcement reforms: FCA’s new ENFG (June 2025) #
In June 2025, the FCA replaced its Enforcement Guide (EG) with the streamlined ENFG, clarifying how investigations and actions are handled (source). Key changes:
- Private warnings are abolished; firms will now receive direct informal feedback where necessary.
- The FCA can now announce investigations in more cases, including suspected unauthorised activity, reactive confirmations, or anonymised examples for market education.
- Investigation procedures are clarified: scoping meetings are optional, enforcement directors can now initiate cases, and firm-commissioned reports won’t restrict FCA use.
- The new ENFG removes over 250 pages of outdated content and commits to future consultation for any updates.
These changes reflect the FCA’s push for greater transparency, faster enforcement, and more robust documentation, especially in firms with poor audit trails or fragmented data systems.
Which FCA Handbook modules carry significant data-related expectations? #
The FCA Handbook’s most critical rules hinge on how firms govern, trace, and manage information. Some of the core modules of the FCA Handbook that carry significant data-related expectations (regarding data quality, governance, protection, and reporting) include the following:
- PRIN (Principles for Business)
- SYSC (Senior Management Arrangements, Systems and Controls)
- COBS (Conduct of Business Sourcebook)
- GEN (General Provisions)
- Reporting Modules like SUP (Supervision Manual)
Let’s explore the specifics of each module further.
PRIN (Principles for Business) #
PRIN is the ethical backbone of the FCA Handbook: its 11 Principles for Businesses apply across the board and form the foundation of a firm’s conduct.
For data governance leads and CDOs, these principles act as a guiding framework to assess whether internal practices around data use align with the FCA’s broader expectations on conduct and risk.
The FCA Handbook principles - Source: FCA Handbook.
Key data implications:
- Principle 3 – Management and control: Firms must take reasonable care to organize and control their affairs responsibly. This includes ensuring appropriate controls around data accuracy, access, storage, and use.
- Principle 6 – Customers’ interests: Requires that customer data be used and protected in ways that serve their best interests.
- Principle 7 – Communications with clients: Mandates clear, fair, and not misleading communication—relying on timely, accurate, and contextualized data.
- Principle 11 – Relations with regulators: Firms must disclose anything the FCA would reasonably expect to know, which necessitates strong data lineage and reporting traceability.
For example, LBGI was fined £90.7M for misleading around 9 million home insurance customers between 2009 and 2017. It falsely claimed prices were “competitive” and promised discounts that were never applied.
SYSC (Senior Management Arrangements, Systems and Controls) #
SYSC outlines expectations for risk management, data governance, and internal systems controls. It applies to senior leaders (CEOs, CFOs, directors, and heads of key functions), ensuring they are accountable for how the business is governed and how its risks are managed.
Key data implications:
- Firms must maintain sound risk management frameworks, including oversight of data-related risks.
- Requires secure data storage, access controls, and audit trails.
- Clear assignment of data responsibilities to senior managers under the SMCR (Senior Managers and Certification Regime).
In 2022, the FCA fined GAM International Management Limited (GIML) £9.1 million for serious failures in managing conflicts of interest and maintaining adequate oversight.
A senior fund manager accepted gifts, made personal investments, and failed to disclose conflicts tied to Greensill-linked transactions. GAM’s governance arrangements were weak—its Conflicts Committee didn’t meet for nearly three years, and policies weren’t enforced. These failings breached SYSC requirements on risk management, internal controls, and clear roles and responsibilities, to name a few.
COBS (Conduct of Business Sourcebook) #
COBS, which comes under Business Standards, sets out conduct standards for firms dealing in investments and providing services to clients. It applies to investment managers, advisors, and other regulated financial service providers.
Key data implications:
- Firms must ensure client reporting is accurate, timely, and based on reliable data sources.
- Requirements around record-keeping, product disclosures, and suitability assessments all depend on complete and correct data.
- The obligation to act honestly and fairly with clients means systems must flag incorrect, outdated, or missing data that could affect client outcomes.
For example, if a financial advisory platform provides investment suitability reports based on outdated client information, it could violate COBS rules—even if the breach is unintentional.
The FCA fined Carphone Warehouse £29.1M for mis-selling phone insurance between 2008 and 2015. Carphone Warehouse mis-sold £444.7m worth of “Geek Squad” phone insurance, pushing policies onto already-covered customers.
Staff used high-pressure tactics, sold to customers who didn’t need the cover, ignored red flags such as a 35% early cancellation rate (within 3 months), and mishandled complaints, including failing to investigate valid objections. The fine underscores how poor data governance, weak systems, and failure to track cancellation and complaint metrics breach core COBS rules.
GEN (General Provisions) #
The GEN module outlines baseline obligations that cut across other rulebooks. It reinforces requirements under FSMA and the FCA’s operational objectives.
Key data implications:
- GEN 1.2 includes liability clauses and criminal offense implications for breaches, especially where inaccurate reporting or misuse of data leads to misconduct.
- GEN 2.1 emphasizes firms must interpret Handbook rules in line with FSMA objectives, including the integrity and transparency of market operations—both heavily reliant on good data.
GEN acts as a reminder that non-compliance due to weak data controls carries legal weight and accountability.
Reporting Modules like SUP (Supervision Manual) #
SUP governs the FCA’s supervision strategy and sets expectations for how firms should interact with the regulator.
Key data implications:
- Firms must submit periodic regulatory reports (e.g. FINREP, COREP, conduct risk reports), which require timely, accurate, and well-documented data.
- The FCA expects firms to maintain systems that can reconstruct records and provide audit trails in case of queries or investigations.
- SUP 15.3 mandates firms to inform the FCA immediately of anything that could affect their regulatory status—including breaches related to data integrity or control failures.
A recurring FCA concern in enforcement actions is firms submitting inaccurate or incomplete regulatory returns, often stemming from fragmented or poor-quality internal data.
The FCA fined Goldman Sachs £34.3 million for failing to accurately report over 220 million transactions between 2007 and 2017. Of these, 204 million were under-reported, 9.5 million omitted, and 6.6 million reported in error. These failures breached SUP rules, which require firms to submit complete and accurate transaction data under MiFID (the EU Markets in Financial Instruments Directive).
The FCA found weaknesses in systems, data governance, and quality controls, especially in validating trade data before submission. This case highlights the critical need for strong metadata lineage, reconciliation mechanisms, and real-time quality checks in regulatory reporting environments.
What does the FCA expect from your data infrastructure? #
Based on the latest FCA Handbook modules, enforcement trends, and operational resilience requirements, your data infrastructure should demonstrate:
- Mandate-to-asset traceability: SYSC 4.1 and 6.1 require firms to have effective governance, internal controls, and clear accountability. This means your policies must be traceable to the actual processes, data assets, owners, and controls responsible for execution.
- Role-based access controls: SYSC 3.2.6 and 6.1.1 require appropriate systems and controls to protect data. Access controls must be enforced and logs maintained in a tamper-evident, retrievable format.
- Persistent, tamper-proof audit trails: SUP 15 and DISP 1.4 expect timely, accurate disclosures supported by verifiable records.
- Exception reporting and breach detection: SYSC 7 and SUP 15 require internal mechanisms to detect and report breaches or irregularities before they escalate. Firms are expected to surface anomalies across data quality, access, or system failures and escalate them via predefined reporting lines.
- Governed automation: If automated decisions are made (e.g. loan approvals, customer risk scoring), they must be explainable, reproducible, and backed by traceable metadata.
- Real-time monitoring and reconciliation: Reporting modules like SUP require ongoing data quality checks and the ability to reconstruct records if needed.
- Documentation and stewardship: Senior managers under SYSC and SMCR must have clearly assigned data responsibilities, with documented controls and escalation paths.
What challenges do financial firms face in meeting the requirements outlined by the FCA Handbook? #
Despite increasing investments in data programs, many firms struggle to meet FCA requirements consistently. Common challenges include:
- Fragmented data ecosystems: Legacy systems, siloed tools, and disjointed pipelines make it difficult to produce reliable, timely reports or demonstrate full lineage.
- Manual processes: Overreliance on spreadsheets or disconnected point solutions hampers audit-readiness and slows investigations or breach responses.
- Unclear accountability: Without clearly mapped roles, data ownership remains fuzzy and poses risks under SMCR and SYSC accountability rules.
- Limited traceability for automation: Firms often deploy AI/ML-based decisions without full audit trails, exposing them to compliance gaps around explainability.
- Lack of metadata integration: Incomplete metadata makes it harder to classify sensitive information, enforce policies, or respond to data access and reporting requests.
To meet growing expectations, firms need a control plane that connects systems, enforces governance policies, and surfaces real-time lineage and quality metadata across their ecosystem.
Data governance: The missing bridge between policy and execution #
FCA rules—from SYSC to COBS—depend on timely, accurate, and traceable information. But in reality, data is often scattered across tools, teams, and spreadsheets, making compliance difficult to scale or audit.
That’s where a unified metadata control plane like Atlan makes the difference. Atlan uses active metadata to create a live, contextual map of your data estate—linking rules to systems, people, and processes. This enables:
- Visibility across silos: Surface and classify critical data across compliance, finance, and product teams in one searchable view.
- End-to-end traceability: Automatically track how data flows across Snowflake, dbt, Power BI, and more—without stitching together screenshots.
- Effortless audit trails: Capture who changed what, when, and why—supporting FCA audits and Section 166 reviews.
- Policy enforcement through metadata: Flag non-compliant assets or enforce rules like anonymization at the metadata level.
- Clear accountability: Assign owners to every dataset or dashboard, supporting SMCR and SYSC oversight.
- Faster change response: See which assets are affected by rule updates—so you fix the right things, faster.
With Atlan, compliance becomes a byproduct of good data governance, embedded into daily workflows rather than treated as an afterthought.
Case study: How North scaled governance into daily work #
North, a high-growth payments company, knew that regulatory expectations would only intensify as they scaled. What began as a reporting challenge quickly became a governance problem: fragmented systems, inconsistent field definitions, and no unified view of data risk.
With Atlan, they turned their metadata into a control plane:
- Increased tagged and classified assets by 700%
- Defined data ownership across finance, compliance, and engineering
- Saved an estimated $1.4 million in operational costs
“Without Atlan tracing upstream and downstream, helping us understand potential exposure and implement policies, this process would have been complicated and very manual. But with Atlan, you can not only trace data lineage and organize the complexity, but you can see popularity and usage metrics that help prioritize where efforts are needed the most, or where the biggest impact could be made.” – Daniel Dowdy, Vice President, Data Analytics & Governance
FCA Handbook: Summing up #
The FCA Handbook is a blueprint for how financial firms must manage their data, systems, and accountability. As the FCA sharpens its focus on operational resilience, audit readiness, and traceable governance, it’s clear that compliance now hinges on how well your data infrastructure works under pressure.
Meeting these expectations requires more than policies. It calls for live visibility, consistent controls, and a clear link between data, decisions, and accountability. A unified metadata control plane makes this possible, turning fragmented data environments into transparent, auditable systems.
FCA Handbook: Frequently asked questions (FAQs) #
1. What is the FCA Handbook? #
The FCA Handbook is the official rulebook issued by the UK Financial Conduct Authority. It outlines the rules, principles, and guidance that regulated firms must follow to operate legally and responsibly in the UK financial services sector.
2. What is the difference between the FSA and the FCA? #
The Financial Services Authority (FSA) was the UK’s former regulator for financial services. In 2013, it was replaced by two bodies:
- The FCA, which oversees conduct and consumer protection
- The PRA, which focuses on prudential regulation for banks, insurers, and large investment firms
3. What is the difference between the PRA and the FCA? #
The Prudential Regulation Authority (PRA), part of the Bank of England, focuses on financial stability and soundness of firms. The FCA regulates firm conduct, market integrity, consumer protection, and transparency across financial services.
Many firms are dual-regulated by both.
4. Who needs to comply with the FCA Handbook? #
Any firm authorized or registered by the FCA to operate in the UK financial services sector must comply. This includes banks, insurers, asset managers, payment providers, mortgage brokers, and many fintech firms.
5. What is the ENFG and how does it affect enforcement? #
Introduced in June 2025, the FCA’s new Enforcement Guide (ENFG) replaces the old EG. It removes private warnings, allows earlier publication of investigations, and puts greater pressure on firms to maintain audit-ready systems.
6. What does the FCA expect in terms of data governance? #
Firms must demonstrate traceability, policy enforcement, data ownership, secure access, and audit readiness—especially across regulated reporting, risk controls, and customer interactions.
7. What tools help operationalize FCA requirements? #
Platforms like Atlan help automate data governance across silos—tracking lineage, assigning ownership, detecting breaches, and enabling real-time compliance across data systems.
8. What is the role of metadata in FCA compliance? #
Metadata is information about your data’s origin, movement, structure, and usage. This is critical for FCA compliance.
Active metadata enables audit trails, lineage, access tracking, and policy enforcement across systems. It helps firms demonstrate control, accountability, and transparency—core expectations under SYSC, SUP, and operational resilience frameworks.