A. FCA consumer credit authorisation and debt collection conduct

Debt collecting, debt administration and the provision of credit references are regulated activities under the Financial Services and Markets Act 2000 (brought within the FCA's remit from 1 April 2014 by the Regulated Activities Order amendments). You must hold FCA authorisation (or be an appointed representative) before carrying on any of these activities. Carrying on a regulated activity without authorisation is a serious offence and agreements made without authorisation are unenforceable.

If you collect debts, you must comply with the FCA's Consumer Credit sourcebook (CONC 7) — clear communication with debtors, treating customers in financial difficulty fairly, no misleading or oppressive practices, and compliance with the FCA's Consumer Duty.

FCA consumer credit authorisation overview

Overview of FCA authorisation requirements for consumer credit activities under the Consumer Credit Act 1974 and FSMA 2000.

Consumer credit activities are regulated by the Financial Conduct Authority (FCA). Since April 2014, businesses providing credit to consumers must be authorised by the FCA, having transferred from the former Office of Fair Trading (OFT).

Industry size: £200 billion with 36,000+ firms holding credit permissions
Regulatory transfer: OFT to FCA in April 2014
Key legislation: Consumer Credit Act 1974, Financial Services and Markets Act 2000
Authorisation types: Full permission (higher risk) or limited permission (lower risk)

FCA consumer credit guidance

FCA debt collection rules (CONC 7)

FCA Consumer Credit sourcebook chapter 7 requirements for firms collecting debts owed under consumer credit agreements, including forbearance and vulnerable customer obligations.

Firms collecting debts under regulated consumer credit agreements must comply with CONC 7, which sets out detailed requirements for fair treatment of customers in arrears or financial difficulty. These rules apply to lenders collecting their own debts as well as third-party debt collectors and debt purchasers.

The overarching principle is that firms must treat customers in default or arrears with forbearance and due consideration. Firms must not pursue unreasonable collection strategies or apply disproportionate pressure.

Forbearance requirement: Firms must treat customers in financial difficulty with forbearance and due consideration (CONC 7.3.4R)
Reasonable repayment offers: Firms must consider freezing interest and charges where a customer is in financial difficulty and has made a reasonable offer to repay
Communication limits: Must not contact customers at unreasonable times or with unreasonable frequency; must not pursue third parties for payment unless legally entitled
Harassment prohibition: Must not use harassment, oppression, or conduct likely to cause alarm, distress, or humiliation (CONC 7.9)
Misleading statements: Must not falsely imply that non-payment will result in criminal prosecution where this is not the case
Arrears charges: Charges for arrears must be no more than necessary to cover the reasonable costs of the firm (CONC 7.7.5R)
Vulnerable customers: Must exercise particular care with customers who are vulnerable, including those with mental health conditions, serious illness, or recent bereavement (CONC 7.2.1R)
Debt management plans: Where a customer engages with free debt advice and proposes a reasonable repayment plan, the firm should accept it
Continuous payment authority: Must not request more than 2 unsuccessful attempts to collect payment using a CPA (CONC 7.6.12R for HCSTC, CONC 7.6.13R for others)

FCA CONC 7 - Arrears, default and recovery (including forbearance)

Credit reference agency duties

If you provide credit references, you are subject to enhanced data-subject rights in addition to FCA authorisation. Individuals can obtain their statutory credit file and require correction of inaccurate data under sections 157–160 of the Consumer Credit Act 1974 and the UK GDPR. The ICO and FCA jointly oversee fairness and accuracy of credit data.

Credit reference agency data and statutory credit file rights

Credit reference agencies must give individuals access to their statutory credit file and correct inaccurate data, under the Consumer Credit Act 1974 and UK GDPR, with the ICO and FCA overseeing fairness and accuracy.

Credit reference agencies (CRAs) are FCA-authorised for the regulated activity of providing credit references, and are also subject to enhanced data-subject rights. Individuals can obtain their statutory credit file and require correction of inaccurate data under sections 157–160 of the Consumer Credit Act 1974 and the UK GDPR / Data Protection Act 2018.

CRAs must process credit data fairly and accurately, respond to access and rectification requests, and handle disputes about the accuracy of entries (including adding a notice of correction). The ICO regulates the data-protection dimension and the FCA the regulated credit-reference activity; the two jointly oversee fairness and accuracy of credit data.

Legal basis: Consumer Credit Act 1974 (ss157–160); Data Protection Act 2018 / UK GDPR
Regulators: ICO (data protection) and FCA (regulated credit-reference activity)
Individual rights: Access to the statutory credit file; correction of inaccurate data; notice of correction
CRA duties: Fair and accurate processing; respond to access/rectification requests; handle disputes
Geographic scope: UK-wide

Credit reports — getting and correcting your credit file

B. Call centre outbound marketing

If you run an outbound call centre using predictive diallers, you must not engage in the persistent misuse of an electronic communications network — including generating silent and abandoned calls. Ofcom's policy sets a maximum 3% abandoned-call rate per campaign (measured over 24 hours), requires a brief information message on an abandoned call (identifying the caller and giving an opt-out), and requires calling line identification (CLI). Ofcom can impose a penalty of up to £2 million under the Communications Act 2003.

Ofcom rules on silent and abandoned marketing calls

Persistent misuse of a communications network — including silent and abandoned calls from predictive diallers — is an offence under the Communications Act 2003, with Ofcom able to impose penalties up to £2 million.

Outbound call centres using predictive diallers must not engage in the persistent misuse of an electronic communications network — including generating silent and abandoned calls. This is a civil enforcement regime under sections 128–130 of the Communications Act 2003: Ofcom can issue a notification of persistent misuse and impose a financial penalty (the penalty power is in section 130) — it is not a criminal offence.

Ofcom's policy on persistent misuse sets a maximum 3% abandoned- call rate per campaign (measured over 24 hours), requires a brief information message to be played within two seconds on an abandoned call (identifying the caller and giving an opt-out), and requires calling line identification (CLI) so the called person can identify and return the call. Ofcom can impose a penalty of up to £2 million. These rules sit alongside the PECR live-marketing and Telephone Preference Service requirements enforced by the ICO.

Legal basis: Communications Act 2003 (ss128–130 — persistent misuse; s130 penalty power)
Regulator: Ofcom
Abandoned-call rate: Maximum 3% per campaign (over a 24-hour period)
On an abandoned call: Information message within 2 seconds (caller identity + opt-out); CLI presented
Maximum penalty: Up to £2 million
Geographic scope: UK-wide

Ofcom — tackling abandoned and silent calls

Electronic marketing (PECR)

If you send marketing by email, text message or automated call, you must comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). PECR requires you to obtain prior consent before sending unsolicited electronic marketing to individuals, subject to the limited 'soft opt-in' exception for existing customers. You must screen against the Telephone Preference Service (TPS) before making live marketing calls. The ICO enforces PECR and can issue monetary penalty notices — since June 2025, PECR penalties are aligned with UK GDPR levels (up to £17.5 million or 4% of annual worldwide turnover, whichever is higher).

PECR electronic marketing rules

Core rules for email, SMS, and telephone marketing under the Privacy and Electronic Communications Regulations 2003. Common cause of ICO enforcement actions.

The Privacy and Electronic Communications Regulations 2003 (PECR) set specific rules for electronic marketing. Non-compliance is a common cause of ICO enforcement action, with fines now aligned with UK GDPR levels following the Data (Use and Access) Act 2025.

Email marketing (B2C): Consent required unless soft opt-in applies
SMS/text marketing: Same rules as email - consent required unless soft opt-in applies
Email to corporate subscribers: Consent not required for companies, LLPs, or government bodies
Live telephone calls: Must screen against TPS/CTPS; cannot call if person has objected
Automated calls (robocalls): Prior consent always required - no exceptions
TPS screening frequency: At least every 28 days
Legislation: Privacy and Electronic Communications Regulations 2003

Soft opt-in exception (4 conditions)

You can email existing customers without consent if ALL four conditions are met:

Contact details obtained during a sale or negotiations for a sale
Marketing is for YOUR similar products or services only
Opt-out opportunity given when details were collected
Easy opt-out provided in every subsequent message

Soft opt-in does NOT apply to: third-party marketing lists, details obtained outside sale context, or dissimilar products/services.

Electronic mail definition: Email, SMS, video messages, picture messages, voicemails, in-app messages, and direct messages over social media
Individual subscribers: Includes sole traders and ordinary partnerships (2-20 partners)
Corporate subscribers: Limited companies, LLPs, Scottish partnerships, government bodies
B2B email marketing: Consent rules do not apply to corporate subscribers - but respect objections

Telephone marketing requirements

Live calls: You can make live marketing calls without consent if the number is not on TPS/CTPS and the person has not objected to your calls. You must display caller ID and provide contact details if asked.

TPS/CTPS screening: Before making any marketing calls, screen your call list against both the Telephone Preference Service (TPS) and Corporate TPS (CTPS) registers. Screening must be done at least every 28 days.

Automated calls: Always require prior consent. General marketing consent is not sufficient - you need specific consent for automated calls.

Claims management cold calls: Banned without prior consent (since September 2018)
Pension cold calls: Banned except for FCA-authorised firms with existing relationship (since January 2019)
Fax marketing to individuals: Consent required; must screen against FPS
Fax marketing to businesses: No consent required but must screen against FPS and respect objections

Required information in marketing communications

Sender identity must not be disguised or concealed
Valid contact address for opt-out requests must be provided
Simple and effective unsubscribe mechanism in every message

1

What to do next

Complete the office and business support compliance checklist to confirm you have met every obligation that applies to your business.

Official sources

Authoritative guidance for office and business support regulatory duties.

Meet your office and business support regulatory duties

Office and business support compliance checklist

Which office and business support regulations apply to your business

Fire safety duties for Northern Ireland businesses

Fire safety duties for Scottish businesses

Set up a limited company

A. FCA consumer credit authorisation and debt collection conduct

Credit reference agency duties

B. Call centre outbound marketing

Electronic marketing (PECR)

What to do next

Official sources

Related guides in Compliance & Legal

A. FCA consumer credit authorisation and debt collection conduct

Credit reference agency duties

B. Call centre outbound marketing

Electronic marketing (PECR)

What to do next

Official sources