On 10 January 2025, the FCA published a Dear CEO letter: FCA strategy for Credit Reference Agencies (CRAs) and Credit Information Service Providers (CISPs). The letter sets out the FCA's priority areas of focus for this portfolio for the next two years. The FCA states it will keep the priorities under review and they are subject to change in light of emerging issues; but that it will communicate any changes if they happen.

The letter includes the following priorities: 

• Firms embedding of Consumer Duty: ongoing work will be focused on reviewing how the Duty has been embedded across firms in the portfolio and will include testing and gathering evidence of how the Duty is making positive changes in CRAs and CISPs. Within consumer duty, the FCA highlight two key focus areas:
  • Consumer support and understanding: the FCA flags concerns that the process of raising a data dispute or complaint can be challenging for consumers to navigate. They note that this may be hindered by how firms are categorising these disputes which could result in poor root cause analysis and a lack of senior management oversight. 
  • Price and fair value: the FCA states that they will continue to assess how firms are meeting this outcome in relation to the different products and services on offer, particularly credit repair, credit builder and subscription models.
• Operational Resilience: firms need to better prevent, adapt, respond to, recover, and learn from operational disruptions and the FCA states it will continue to engage with those firms who have shown significant deficiencies. The FCA also reminds in-scope firms that under PS21/3 they should be able to demonstrate that they remain within Impact Tolerance (ITol) for their Important Business Services (IBSs) in severe but plausible (SBP) scenarios, by 31 March 2025.
• Cyber Resilience: firms should have a forward-looking outlook and remain vigilant to technological advances and emerging threats to be able to anticipate potential systems vulnerabilities. As technology and sophistication develops, firms must continue to manage the impact of data breaches and cyber-attacks to effectively protect the data they hold.
• Financial Resilience: firms should undertake regular reviews of the adequacy of capital and liquidity to ensure the financial resilience to withstand a range of stress-tested scenarios.
• Credit Information Market Study (CIMS):  the FCA sets out next steps and planned publications in light of the CIMS final report. It discusses the Interim Working Group (IWG) producing recommendations to the FCA on the design, implementation, and operation of the proposed new Credit Reporting Governance Body (CRGB). The letter states that the FCA will provide detailed feedback to the IWG upon publication of their final report. Once CRGB will be established by the industry, the FCA expects firms to support its work. The letter also confirms that the FCA plans to publish a consultation paper on rules relating to mandatory data sharing. 

So what?

The FCA advises firms to carefully consider the letter's contents and its implications for their operations, stressing the importance of compliance with FCA rules and principles. Ensuring compliance with consumer duty and resilience measures are critical and firms should ensure that they are providing good outcomes for consumers.