The ICO–Government Memorandum of Understanding

Why Financial Services Firms Should Pay Attention

In early January, the Information Commissioner’s Office entered into a formal Memorandum of Understanding with HM Government. On the surface, this may appear to be an internal, public-sector focused development. In reality, it signals something far broader, and far more relevant to regulated firms.

For the ICO this MoU is about strengthening trust, accountability and consistency in how data protection standards are applied. For financial services firms, particularly those already regulated by the FCA, it is another indicator that data governance is moving firmly into the realm of conduct risk rather than standalone technical compliance.

What the MoU actually tells us

The MoU formalises cooperation between the ICO and central government on data protection, transparency and public confidence. While its immediate scope relates to public bodies, the underlying message is unmistakable: data protection failures are no longer tolerated as isolated operational issues.

The ICO has been clear for some time that poor data governance undermines trust. What the MoU does is reinforce that data protection is now viewed as a systemic issue, one that affects markets, consumer confidence and the legitimacy of institutions.

That perspective does not stop at the public sector. Financial services firms sit at the centre of some of the most sensitive and complex data flows in the economy. The standards expected of government bodies inevitably influence expectations of regulated private firms.

Why this matters for FCA-regulated firms

Consumer credit firms already operate under intense scrutiny from the FCA around transparency, fairness and outcomes. Increasingly, data protection is intersecting with those expectations.

Customer understanding, vulnerability identification, affordability assessments, automated decisioning and complaints handling all rely heavily on personal data. Where data is inaccurate, poorly governed or misused, consumer outcomes are affected, and both regulators take notice.

The MoU reinforces the likelihood of closer alignment between regulators. Firms should expect data governance issues to surface not only in ICO engagement, but also in FCA supervision, Consumer Duty assessments and thematic reviews.

In practice, this means data protection can no longer sit quietly with IT or legal teams. It is now a Board-level issue with direct conduct implications.

The link to Consumer Duty and outcomes

Consumer Duty requires firms to deliver good outcomes across the customer lifecycle. That obligation is difficult to meet where data is fragmented, outdated or poorly controlled.

If vulnerability flags are not captured accurately, customers may not receive appropriate support. If affordability data is incomplete or poorly interpreted, customers may be offered unsuitable credit. If automated models rely on flawed inputs, bias and unfairness can creep in unnoticed.

The FCA increasingly expects firms to understand and explain how data quality supports, or undermines, their Consumer Duty obligations. The ICO–Government MoU strengthens the regulatory backdrop for this expectation.

Governance, accountability and senior management

One of the most important signals in the MoU is its emphasis on accountability. Data protection is no longer framed as a purely technical obligation, but as a matter of governance and leadership.

For financial services firms, this aligns closely with SM&CR expectations. Senior managers are expected to take reasonable steps to ensure systems and controls are effective. Data governance now clearly sits within that remit.

Boards that are not sighted on data risks, breaches, complaints trends or data-driven decisioning may find themselves exposed, not just to ICO action but to FCA challenge around governance and oversight.

What firms should be doing now

The MoU should prompt firms to reflect on how data protection is embedded operationally. This is not about rewriting privacy notices, but about understanding how data flows through the business and how it influences outcomes.

Firms should be asking whether data quality is actively monitored, whether staff understand how data protection links to conduct risk, and whether MI captures issues early enough to prevent harm.

Importantly, firms should consider how they would evidence good data governance to either regulator, because increasingly the standards will overlap.

Why this matters beyond enforcement

As with the FCA’s shift toward supervision, the ICO’s approach is increasingly preventative. The MoU signals a desire to raise standards before trust is damaged, rather than relying solely on penalties after the fact.

For firms, this means regulatory pressure may surface earlier and in more subtle ways: questions during supervisory meetings, requests for evidence, or cross-regulatory engagement where data and conduct intersect.

Those that view data protection as a strategic risk, rather than a compliance tick-box, will be better placed to respond.

How ALPH supports firms on data governance and regulatory alignment

ALPH Legal & Compliance supports FCA-regulated firms in strengthening data governance in a way that aligns with both ICO and FCA expectations. Our work includes data governance reviews, DUAA readiness assessments, Consumer Duty and data alignment reviews, and Board-level support on accountability and oversight.

The ICO–Government MoU may not target financial services directly, but its implications are clear. Data protection is no longer a siloed obligation. It is part of how regulators judge trust, governance and consumer outcomes, and firms that recognise that shift early will be far better prepared.