The UK Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, with the majority of its data protection provisions coming into force on 5 February 2026. DUAA introduces Recognised Legitimate Interests as a new lawful basis for fraud prevention and IT security processing without a Legitimate Interests Assessment. The FCA Consumer Duty, in force since 31 July 2023 for open products and 31 July 2024 for closed products, requires firms to demonstrate fair outcomes for retail customers. UK GDPR Article 32 continues to govern security of processing in non-production environments. Infundum is designing CAUSA AI Data Engine to provide multi-table synthetic banking datasets that preserve the causal patterns required for Consumer Duty fair value testing without exposing personal data in UAT or model validation environments.
§ 01 / UK divergence
The post-Brexit regulatory baseline
The UK financial services compliance landscape in 2026 is no longer a subset of the EU framework. DORA does not apply directly to UK-only entities. The EU AI Act has no domestic UK equivalent of comparable scope. The UK GDPR, while structurally similar to the EU GDPR, is now amended substantively by the Data (Use and Access) Act 2025. For Chief Data Officers and Heads of Compliance in UK banks and building societies, the practical effect is that a compliance programme designed against EU frameworks needs UK-specific reinterpretation.
Two domestic instruments dominate. The first is DUAA, which received Royal Assent on 19 June 2025 and brought most of its data protection provisions into force on 5 February 2026 through the Commencement No. 6 Regulations. The second is the FCA Consumer Duty, in force since 31 July 2023 for open products and 31 July 2024 for closed products, supplemented by PRA SS1/21 on operational resilience and PRA SS1/23 on model risk management. Each instrument has its own evidentiary expectations, and the data infrastructure required to satisfy them in 2026 is the bottleneck that most UK CDOs underestimate.
The EU adequacy decision for the UK was renewed on 19 December 2025 and runs until 27 December 2031, but the European Commission's renewal note signals that the UK framework remains under review as the two regimes drift apart. For UK firms with EU operations, this creates a dual compliance posture: maintain UK GDPR plus DUAA at home, and continue to meet EU GDPR plus DORA plus the AI Act in EU markets. The data infrastructure question is the same on both sides: how do you generate evidence for compliance without exposing real customer data in test environments?
§ 02 / DUAA timeline
From Royal Assent to Commencement No. 6
The Data (Use and Access) Act 2025 was enacted on 19 June 2025. The Department for Science, Innovation and Technology published a staged commencement plan setting out four primary stages. The first commencement regulations came into force on 20 August 2025, bringing technical provisions and the framework for the Information Commission into effect. Commencement No. 2 followed on 30 September 2025, Commencement No. 3 addressed law enforcement processing under Parts 3 and 4 of the Data Protection Act 2018, and Commencement No. 4 brought the UK digital identity and attributes trust framework into operation from 1 December 2025.
The pivotal date for most firms is 5 February 2026, when the Commencement No. 6 Regulations brought the majority of Part 5 data protection provisions into force. These are the provisions that change the lawful bases for processing, the rules on automated decision-making, the regime for further processing, and the alignment of PECR enforcement with UK GDPR levels. A small set of provisions, including the complaints handling framework requiring controllers to acknowledge complaints within 30 days and respond without undue delay, are expected to commence around 19 June 2026, twelve months after Royal Assent.
The phased approach has operational consequences. Firms that built compliance programmes on the assumption that DUAA would come into force on a single date have been forced to track multiple effective dates. Recognised Legitimate Interests under the new Article 6(1)(ea) is now operative. Article 8A on compatible further processing is now operative. The codified "reasonable and proportionate" DSAR search standard is now operative. ICO guidance covering each of these is still being published and revised through 2026, which means firms are operating under a framework whose interpretation by the regulator is not yet fully settled.
§ 03 / Recognised Legitimate Interests
What the new lawful basis does and does not do
DUAA inserts Article 6(1)(ea) into the UK GDPR, creating a new lawful basis that the legislation calls Recognised Legitimate Interests. The mechanism is narrow but important: for processing that falls within a specified list of public interest activities, the controller is no longer required to conduct a Legitimate Interests Assessment balancing the controller's interest against the rights of the data subject. The presumption of legitimacy is provided by the Act itself.
The specified activities include prevention and detection of crime, safeguarding of vulnerable individuals, emergency response, public interest tasks for which the controller has statutory authority, and national security purposes. For UK banks the most consequential entry is crime prevention, which covers fraud detection and anti-money laundering processing. Before DUAA, every legitimate interests basis for fraud detection processing required a documented LIA. After 5 February 2026, processing for crime prevention purposes that falls within the Annex 1 conditions can be carried out under Recognised Legitimate Interests with the LIA requirement removed.
What Recognised Legitimate Interests does not do is equally important. It does not remove the obligation to satisfy UK GDPR Article 9 conditions for processing of special category data. It does not exempt the controller from Article 32 obligations on security of processing. It does not authorise reuse of personal data in non-production environments simply because the original collection was for a Recognised Legitimate Interest. A bank that processes transaction data for fraud detection under Article 6(1)(ea) still needs to satisfy Article 32 when it copies that data into UAT for model validation, and Article 32 increasingly forces the question of whether real personal data is necessary at all.
§ 04 / Article 8A and further processing
Compatible reuse for fraud model development
DUAA inserts Article 8A into the UK GDPR, governing when further processing for a purpose different from the original collection purpose is treated as compatible. Three pathways are established: where the data subject has consented to the new purpose, where the purpose is scientific or historical research or archiving in the public interest, or where the further processing falls within the categories listed in Annex 2 of the Act, including crime prevention, public interest tasks, safeguarding, and emergency response.
For banks developing new fraud detection models, Article 8A provides a clearer statutory pathway for reusing transaction data originally collected for service delivery. However, "compatible further processing" is not the same as "compliant further processing without additional safeguards". The controller must still satisfy the security requirements of Article 32, the data minimisation principle of Article 5(1)(c), and the transparency obligations under Articles 13 and 14. DUAA's Article 8A operates as a permissive framework on top of, not in place of, the existing protective provisions.
The operational implication is that DUAA reduces the legal friction around reusing real production data for fraud model development, but it does not change the technical risk profile. A bank that copies fresh production snapshots to an analytical sandbox for model training still exposes personal data to processors and personnel with access to that environment. If a breach occurs in that sandbox, the controller faces the same enforcement exposure as before. The regulatory simplification of DUAA actually intensifies the case for synthetic data in development environments: with fewer legal blockers, the technical security posture becomes the binding constraint.
§ 05 / Consumer Duty fair outcomes
Four outcomes and what evidence looks like
The FCA Consumer Duty, codified as Principle 12 of the FCA Handbook, requires firms to act to deliver good outcomes for retail customers. Principle 12 is supplemented by cross-cutting rules and four substantive outcomes that firms must demonstrably achieve. The Duty came into force on 31 July 2023 for open products and services and on 31 July 2024 for closed products and services. The first annual board report under the Duty was due on 31 July 2024.
Products and services
Products and services must be designed to meet the needs, characteristics and objectives of identified target retail customer groups. Firms must document target market assessment.
Price and value
The price retail customers pay must provide fair value relative to the benefits of the product or service. Firms must conduct fair value assessment with statistical evidence.
Consumer understanding
Communications must support customer understanding of the product. Firms must test comprehension and adjust where vulnerable customers are over-represented in poor outcomes.
Consumer support
Customer support must meet retail customers' needs across the product lifecycle. Firms must measure response times, resolution rates, and complaint patterns by segment.
The evidentiary load is the surprising element of Consumer Duty for many UK firms. The FCA does not accept narrative descriptions of good intent. The annual board report must contain quantitative evidence that the four outcomes are being achieved, broken down by customer segment, with specific attention to vulnerable customers. For a credit product, this means demonstrating that pricing is fair across affordability brackets, that decline rates do not produce disproportionately adverse outcomes for protected groups, and that distress communications reach customers who are starting to default before harm crystallises.
The data underpinning these assessments is large, multi-table and sensitive. Customer demographics, product holdings, pricing history, complaints data, vulnerability indicators, decline reasons and outcomes data all sit in production systems with full PII. A fair value assessment that draws on this data for an annual report can be carried out under the existing collection basis, but stress testing alternative pricing structures, simulating decline policy changes, or validating new model behaviour against a counterfactual portfolio crosses into territory where production data exposure is harder to justify.
§ 06 / Where DUAA meets Consumer Duty
Bias testing for fair value
The intersection of DUAA and Consumer Duty creates a specific operational pattern that UK CDOs increasingly encounter. The FCA expects firms to demonstrate that their credit, insurance and investment products produce fair outcomes across customer segments. Demonstrating this requires testing model behaviour on representative samples that include protected characteristics. UK GDPR Article 9 generally prohibits processing of special category data, and DUAA preserves this prohibition while widening the conditions under Article 9 for bias detection and correction in some narrow cases.
The tension is the same one that EU banks face under AI Act Article 10(5): to test whether a model is fair, you need data that includes the characteristics by which fairness is measured. To process that data, you need a lawful basis and a security posture commensurate with the risk. The cleanest technical answer is synthetic data that preserves the causal relationship between protected characteristics and outcomes without containing real protected characteristic values. Statistical synthetic data fails this test because it smooths the joint distribution and loses the causal mechanism. Causal synthetic data is designed to retain the mechanism by construction.
UK firms relying on naive masking or simple subsetting for fair value testing face two problems simultaneously. The masked data fractures multi-table integrity and produces test outcomes that are not representative of production. And the underlying real personal data remains in the environment, with the Article 32 obligations that come with it. Synthetic data is the only technical approach that addresses both problems.
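As an added illustration of the masking point above (example code written for this page, not part of the original article and not Infundum's or CAUSA's code), the stdlib-only Python below constructs a small two-table sample and measures what "fractured multi-table integrity" looks like in numbers. Masking each table with its own salt, as happens when separate teams mask their own extracts, orphans every account row and leaves nothing to segment for a fair value figure. Applying one keyed pseudonym consistently across both tables keeps the joins intact and reproduces the original decline rate per vulnerability segment exactly. The table names, column names, `SECRET`, and the rows themselves are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample tables for the example (not real customer data).
CUSTOMERS = [
    {"customer_id": "C001", "postcode": "SW1A 1AA", "vulnerable": 1},
    {"customer_id": "C002", "postcode": "M1 1AE", "vulnerable": 0},
    {"customer_id": "C003", "postcode": "EH1 1YZ", "vulnerable": 1},
    {"customer_id": "C004", "postcode": "CF10 1EP", "vulnerable": 0},
]
ACCOUNTS = [
    {"account_id": "A10", "customer_id": "C001", "declined": 1},
    {"account_id": "A11", "customer_id": "C002", "declined": 0},
    {"account_id": "A12", "customer_id": "C003", "declined": 1},
    {"account_id": "A13", "customer_id": "C004", "declined": 0},
    {"account_id": "A14", "customer_id": "C001", "declined": 0},
]

# Hypothetical key for the example; in practice it is held in a KMS/HSM
# outside the non-production environment, never beside the masked copy.
SECRET = b"example-only-pseudonymisation-key"


def naive_mask(rows, key_col, table_salt):
    """Per-table masking: each table is hashed with its own salt, so the same
    customer_id maps to a different token in each table. Every table looks
    fine in isolation, but the foreign-key relationship between them is gone."""
    def token(value):
        return hashlib.sha256(f"{table_salt}:{value}".encode()).hexdigest()[:12]
    return [dict(row, **{key_col: token(row[key_col])}) for row in rows]


def pseudonymise(value, secret):
    """Keyed pseudonym (HMAC-SHA256): deterministic for a given key, so the same
    input yields the same token in every table; not reversible without the key."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:12]


def consistent_mask(rows, key_col, secret):
    """The same keyed pseudonym applied to every table that carries the key."""
    return [dict(row, **{key_col: pseudonymise(row[key_col], secret)}) for row in rows]


def join_coverage(accounts, customers):
    """Fraction of account rows whose customer_id resolves to a customer row.
    1.0 means referential integrity is intact; 0.0 means every row is orphaned."""
    known = {c["customer_id"] for c in customers}
    return sum(a["customer_id"] in known for a in accounts) / len(accounts)


def decline_rate_by_vulnerability(accounts, customers):
    """Decline rate per vulnerability segment, the kind of figure a fair value
    assessment reports. Orphaned account rows cannot be segmented and are dropped."""
    segment = {c["customer_id"]: c["vulnerable"] for c in customers}
    totals, declines = Counter(), Counter()
    for a in accounts:
        seg = segment.get(a["customer_id"])
        if seg is None:
            continue
        totals[seg] += 1
        declines[seg] += a["declined"]
    return {seg: declines[seg] / totals[seg] for seg in totals}


def compare_masking_strategies():
    """Run both strategies over the constructed tables and return the metrics."""
    naive_cust = naive_mask(CUSTOMERS, "customer_id", "customers-team-salt")
    naive_acct = naive_mask(ACCOUNTS, "customer_id", "accounts-team-salt")
    cons_cust = consistent_mask(CUSTOMERS, "customer_id", SECRET)
    cons_acct = consistent_mask(ACCOUNTS, "customer_id", SECRET)
    return {
        "original": {
            "coverage": join_coverage(ACCOUNTS, CUSTOMERS),
            "rates": decline_rate_by_vulnerability(ACCOUNTS, CUSTOMERS),
        },
        "naive": {
            "coverage": join_coverage(naive_acct, naive_cust),
            "rates": decline_rate_by_vulnerability(naive_acct, naive_cust),
        },
        "consistent": {
            "coverage": join_coverage(cons_acct, cons_cust),
            "rates": decline_rate_by_vulnerability(cons_acct, cons_cust),
        },
    }


if __name__ == "__main__":
    for name, metrics in compare_masking_strategies().items():
        print(f"{name:>10}: join coverage={metrics['coverage']:.2f} "
              f"decline rate by vulnerability={metrics['rates']}")
```

Two points follow from the numbers. First, join coverage and segment-level rates make a cheap acceptance test for any masked or synthetic dataset before it enters UAT: reject a dataset whose coverage is below 1.0 or whose segment rates drift from production beyond an agreed tolerance. Second, the consistent variant fixes only the integrity problem, not the second problem named above: a keyed pseudonym is still personal data under UK GDPR, the real postcode and vulnerability columns are still present, and Article 32 applies to the environment holding it exactly as before.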
§ 07 / Article 32 still binds
Security of processing in non-production
UK GDPR Article 32 requires the controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. DUAA does not amend Article 32. The duty applies equally to production and non-production environments, and ICO enforcement under both pre-DUAA and post-DUAA cases has consistently treated UAT and development environments containing personal data as in scope.
The practical implication for UK banks is unchanged by DUAA: copying production snapshots to non-production environments for model development, validation or operational testing exposes the firm to enforcement risk if the security measures in the non-production environment are weaker than in production. They almost always are, because non-production environments by design have wider access patterns, fewer audit controls, and shorter-lived configurations. The PECR alignment introduced by DUAA, which raises maximum PECR fines to £17.5 million or 4% of global annual turnover, increases the financial exposure for related categories of non-compliance.
For UK firms operating in 2026, the right operational posture is to treat personal data in non-production environments as exceptional rather than routine. Each instance of personal data outside production should require a documented justification, a defined retention period, and a security posture matching production. Synthetic data shifts the default: the development team works with synthetic data by default and requests access to real data only when justified, which makes the audit story under Article 32 substantially simpler.
§ 08 / PRA frameworks intersection
SS1/21 and SS1/23 alongside Consumer Duty
UK banks operate under a regulatory stack where the PRA and the FCA expect aligned but separate evidence. PRA SS1/21 on operational resilience required firms to set impact tolerances for important business services and demonstrate the ability to remain within those tolerances by 31 March 2025. PRA SS1/23 on model risk management is effective from 17 May 2024 and requires independent effective challenge of high-risk models including those underpinning credit decisions feeding Consumer Duty outcomes.
The convergence point is the data infrastructure. A model used for credit scoring is in scope of SS1/23 for independent effective challenge, in scope of Consumer Duty for fair value assessment, and in scope of UK GDPR plus DUAA for the lawful basis and security of processing. A single validation cycle has to produce evidence that satisfies all three frameworks simultaneously. The validation team cannot reasonably run three different test environments with three different datasets; they need one environment that supports all three evidentiary requirements.
Operational resilience testing under SS1/21 adds a fourth dimension. The firm must be able to demonstrate that the model continues to deliver fair outcomes under stress scenarios including operational disruption. This means stress testing has to happen on representative data, with the same causal patterns as production, and the test results have to be reproducible across cycles for the PRA to accept them. Static mockups break the reproducibility requirement. Live production runs break the security requirement.
§ 09 / What CAUSA is designed to address
Infundum's positioning for UK frameworks
Infundum's CAUSA AI Data Engine is being designed as a causal multi-table synthesis infrastructure for the financial sector. CAUSA is pre-MVP; what follows describes design intent and architectural direction, not shipped feature set.
For UK firms navigating DUAA, Consumer Duty, SS1/21 and SS1/23, the design intent addresses three operational needs. First, multi-table fidelity at retail bank scale: CAUSA is designed to model the causal dependencies across customer, product, transaction, complaints, vulnerability indicator and outcome tables, preserving referential integrity across 100 or more linked entities. This is the basis for fair value testing on counterfactual portfolios without exposing real customer data. Second, controlled proxies for protected characteristics: synthetic proxies for age, disability indicators, financial vulnerability markers and other characteristics relevant to fair outcomes testing, generated such that the bias testing question can be answered without processing real special category data. Third, an audit trail aligned to UK frameworks: each generated dataset produces lineage documentation suitable for evidencing model risk management under PRA SS1/23 and Consumer Duty fair value assessment.
Deployment is self-hosted within the bank's secure perimeter. Production data never leaves the security boundary. Specific architecture details are available under NDA during formal evaluation.
§ 10 / Related
Regulatory context
For the EU counterpart on model documentation requirements see AI Act Article 11 Technical File for banking credit scoring. For PRA SS1/23 model risk management see PRA SS1/23 Model Risk Management: validating multi-table banking models without PII exposure. For PRA SS1/21 operational resilience and safe live testing see PRA SS1/21 Operational Resilience: synthetic data for continuous compliance.
Conclusion
The UK regulatory baseline in 2026 is distinct from the EU and demands UK-specific compliance design. DUAA Part 5 commenced on 5 February 2026, introducing Recognised Legitimate Interests for crime prevention processing and codifying Article 8A compatible further processing. FCA Consumer Duty requires demonstrable fair outcomes evidenced quantitatively in annual board reports. PRA SS1/21 and SS1/23 add operational resilience and model risk management evidentiary obligations on top. UK GDPR Article 32 continues to govern security of processing in all environments, and the PECR alignment with UK GDPR penalty levels at £17.5 million or 4% of global turnover increases the financial exposure. UK firms relying on production data in UAT or on masked snapshots for model validation face increasing pressure from both the security side and the regulatory expectation side. Synthetic data is the architectural answer, and only causal synthesis preserves the multi-table dependencies and protected characteristic proxies required for Consumer Duty fair value assessment. Infundum is designing CAUSA AI Data Engine for precisely this gap.
Author's note. Thirteen years engineering data infrastructure across European financial services — across four jurisdictions, across the regulatory stack: BCBS 239 lineage, KNF risk reporting, Solvency II data quality, model risk validation. First version of CAUSA completed end of 2024 after 18 months of solo R&D. — A. Kordos, Founder, Infundum.