What is a Consumer Duty audit trail?

A Consumer Duty audit trail is the documented evidence that a firm identified vulnerable customers proactively, treated them appropriately, and monitored outcomes. It must be producible on FCA request and should include: interaction-level records of vulnerability assessment, the signal or process used to identify vulnerability, the action taken for each identified vulnerable customer, outcomes data linking identification to resolution, and aggregate MI showing coverage rates and outcomes monitoring over time.

When will the FCA ask for a Consumer Duty audit trail?

The FCA can request Consumer Duty evidence at any time as part of supervisory engagement, thematic review, or enforcement investigation. The FCA has confirmed that Consumer Duty enforcement is a priority and that firms should expect proactive supervisory requests for evidence as the FCA completes its post-implementation review cycle. Firms should treat the audit trail as an ongoing operational requirement, not something to build when a request arrives.

How long must Consumer Duty audit trail records be retained?

The FCA does not specify a single retention period for Consumer Duty audit trail records — retention must be proportionate to the regulatory purpose. Interaction-level vulnerability assessment records should be retained for at least the period during which the customer relationship continues plus the limitation period for FCA enforcement (typically 6 years from the relevant event). Aggregate outcomes monitoring MI should be retained indefinitely as board-level governance documentation.

What happens if a firm cannot produce a Consumer Duty audit trail?

Inability to produce an audit trail demonstrating proactive vulnerable customer identification is itself evidence of Consumer Duty non-compliance — it demonstrates that systematic identification was not occurring. The FCA can use this absence of documentation as the basis for enforcement action. In 2024, £176M in FCA fines and £479M in customer redress were driven significantly by Consumer Duty failures, many of which involved inadequate documentation of identification and treatment processes.

Can manual QA records satisfy the Consumer Duty audit trail requirement?

Manual QA records satisfy the audit trail requirement only for the interactions they cover — typically 2–3% of all interactions. The remaining 97–98% of interactions have no audit trail of vulnerability assessment. The FCA's proactive identification requirement applies across all interactions, not a sample. A firm whose audit trail covers 2–3% of interactions cannot demonstrate proactive identification — it can only demonstrate reactive sampling.

FCA Consumer Duty Audit Trail: What Documentation Do You Need?

What "audit trail" means in Consumer Duty terms

An FCA Consumer Duty audit trail is not a set of policies. It is not a training log. It is not a set of procedures that describe what the firm intends to do. It is documented evidence that the firm actually identified vulnerable customers proactively, treated them appropriately, and can show that outcomes were fair.

The distinction matters because most firms have invested heavily in the policy and procedure side of Consumer Duty. They have updated scripts, trained colleagues, appointed vulnerable customer champions, and written governance frameworks. What they frequently do not have is the interaction-level documentation showing that the identification process was applied and worked.

When the FCA reviews Consumer Duty compliance — through supervisory engagement, thematic review, or enforcement investigation — they ask for evidence of what happened, not evidence of what was planned. The audit trail is what happened.

The six components the FCA expects

Based on FCA guidance (FG22/5 and subsequent communications) and enforcement precedent, a complete Consumer Duty audit trail for vulnerable customer identification should contain the following:

1. Coverage documentation: Evidence that vulnerability assessment occurred across interactions — not just a sample. This means a record of every interaction assessed, not just those where vulnerability was flagged. If 50,000 interactions occurred in a given month and only 1,500 have assessment records, the audit trail demonstrates that 48,500 interactions were not assessed.

2. Identification records: For each assessed interaction, a record of what signals were present and whether they met the threshold for a vulnerability flag. This should include the specific indicators identified — not just a binary "vulnerable/not vulnerable" outcome. The FCA expects to see what the firm looked for and what it found.

3. Action records: For each flagged interaction, documentation of what action was taken. Escalation to a specialist team, adjusted treatment, referral to support services, complaint handling adaptation — whatever the firm's protocol requires. Flags without documented responses are audit trail gaps.

4. Outcomes data: Evidence that vulnerable customers received appropriate treatment and that outcomes were fair — linking the identification record to subsequent interaction handling and resolution data. The FCA expects firms to be able to show that vulnerability identification led to different treatment and better outcomes, not just that identification occurred.

5. Aggregate MI: Monthly or quarterly management information showing coverage rates, identification rates by driver category, action rates, and outcomes metrics. This demonstrates that the identification process is being monitored and managed at the institutional level, not just applied operationally.

6. Board reporting: Evidence that aggregate MI is reported to senior management and the board at defined intervals. Consumer Duty is a firm-level obligation — the board must be able to demonstrate awareness of vulnerable customer identification performance and outcomes.

Where manual QA documentation fails

Manual QA processes generate audit trail documentation only for the interactions they review — typically 2–3% of the total. This creates an immediate problem with component 1: coverage documentation. A firm with 50,000 monthly interactions and a 2% QA rate has assessment records for 1,000 interactions. The remaining 49,000 have no documentation of vulnerability assessment.

This is not a documentation presentation problem. It is a genuine coverage gap. The 49,000 unreviewed interactions are not assessed for vulnerability. If vulnerable customers were in those interactions — and statistically they will be — they were not identified, not treated appropriately, and not included in the outcomes data.

A firm that presents its QA records as Consumer Duty documentation is presenting evidence that it reviewed 2–3% of interactions for vulnerability signals. The FCA's proactive identification requirement applies to 100% of interactions. The documentation gap is the compliance gap.

Building the audit trail automatically

EchoDepth generates the interaction-level documentation automatically. Every interaction submitted produces a timestamped assessment record: signals evaluated, vulnerability indicators present or absent, flag status, and severity if flagged. This record is created at the moment of analysis and does not require retrospective reconstruction.

The coverage component is satisfied automatically — every submitted interaction has an assessment record. The identification component records the specific signals detected per interaction. The action component is updated when the flagged interaction is reviewed and actioned by the compliance team. Aggregate MI is generated from the interaction data and exportable in the formats required for board reporting.

The result is a complete audit trail — interaction by interaction, month by month — that satisfies each component the FCA expects. When the supervisory request arrives, the documentation is already there.

The time to build the audit trail is before the FCA asks for it. Talk to us about your current coverage → Or see how pricing works →

How to Identify Vulnerable Customers Proactively

Read article →

FCA Consumer Duty Outcomes Monitoring

Read article →