CRM for UK Financial Advisers: FCA Compliance and Consumer Duty Guide for 2026

Choosing a Customer Relationship Management (CRM) system is no longer a routine software decision for UK financial advisers. Since the Financial Conduct Authority's Consumer Duty came into force in 2023 for open products and in 2024 for closed books, the CRM sits at the centre of a firm's ability to evidence good client outcomes. It is where suitability records live, where ongoing service delivery is tracked, and where management information is generated for the annual Consumer Duty board report. Get the CRM wrong and the firm's compliance posture, operational resilience, and acquisition-readiness all suffer at once.

This guide is written for owners, operations directors, and technology leads at UK IFA, wealth management, and financial planning firms with roughly 20 to 150 advisers. It explains what the current regulatory environment demands from a CRM, how the main incumbent platforms measure up, when a bespoke system genuinely earns its cost, and how to plan a switch without putting client data or FCA reporting at risk.

Last updated: April 2026. Sources include FCA final rules and good practice reviews, the ICO guide to lawful basis, ONS workforce data, NextWealth adviser research, Forrester analyst commentary, and UK trade press. Full citations are linked throughout.

The regulatory floor has risen, and the CRM is now load-bearing

UK advisory firms have been operating under Consumer Duty for nearly three years. The implementation deadlines, 31 July 2023 for new and existing open products and 31 July 2024 for closed products, have both long passed. Every firm is now expected to "assess, test, understand and evidence the outcomes their customers are receiving" in the words the FCA used in its final rules document.

The regulator has since been specific about where firms are falling short. In its December 2024 review of 180 firms' first annual Consumer Duty board reports, the FCA identified data as the single biggest weakness:

Insufficient MI to support conclusions or provide governing bodies adequate assurance of Duty compliance.

-- FCA, Consumer Duty board reports: good practice and areas for improvement, December 2024

The same review produced one of the more uncomfortable statistics of the last two years: 49% of portfolio managers and 69% of stockbrokers reviewed identified zero vulnerable customers among their client base, despite the regulator's own guidance that around half the UK adult population will be classed as vulnerable at some point. This is a direct evidence of CRM failure. Firms cannot segment, flag, or report on populations their systems were never structured to identify.

Alongside the Consumer Duty evidence gap, the FCA's February 2025 ongoing financial advice services review requested seven years of suitability and service-delivery data from 22 large firms. A subset of firms "were not readily able to provide data for all of the years" requested. The message to the market is clear. A CRM that cannot produce structured historical records on demand is not fit for the current regulatory environment.

The stakes are further sharpened by two parallel trends:

• Ongoing advice now drives most of the revenue. The proportion of adviser revenue from ongoing advice has risen from 60% in 2016 to 80% in 2023, according to the FCA's October 2024 portfolio letter to advisers and intermediaries. Evidencing the delivery of ongoing services, suitability reviews, vulnerability reassessments, fee justification, has become the dominant compliance workload.
• Consolidation is accelerating. UK wealth and asset management M&A rose from 107 deals in 2023 to 122 in 2024, with total disclosed deal value climbing from £2.1 billion to £9.3 billion (Professional Adviser, January 2025). Half of independent adviser firm owners surveyed by Gunner & Co. in May 2024 said they planned to sell or succeed within two years. Every one of those deals is a data migration or integration project waiting to happen.

Against that backdrop, adviser confidence in their own technology is telling. The NextWealth Financial Advice Business Benchmarks published in October 2025 scored technology at just 3.6 out of 5, the second lowest category in the survey of more than 260 advice professionals. Heather Hopkins, Managing Director at NextWealth, summarised the problem: "Poor data integration significantly hampers technology effectiveness, preventing efficiency gains promised by technology and AI."

For firms in the 20 to 150 adviser bracket, the CRM is no longer just an adviser productivity tool. It is the operational spine that determines whether the firm can evidence compliance, retain value through consolidation, and grow without breaking.

The four regulatory demands any IFA CRM must meet in 2026

Before comparing platforms, it helps to translate the current rulebook into concrete CRM requirements. Four regulatory pillars frame the decision for any UK advisory firm.

1. Consumer Duty monitoring and the annual board report

Under PRIN 2A.8.3-5R, the governing body of every firm must, at least annually, prepare and approve a report on consumer outcomes, confirm compliance with the Duty, and agree any required actions. PRIN 2A.9 requires firms to "monitor the outcomes retail customers are experiencing" on an ongoing basis.

In practice, this means a CRM for a UK IFA needs to capture and report on:

• Client segments, including vulnerability markers and changing circumstances
• Fee and value delivery for each service tier
• Suitability review completion, including client non-engagement
• Complaints, root causes, and remediation status
• Outcomes data mapped back to each of the four PRIN 2A outcomes

The FCA has been clear that "repackaging existing data without genuinely understanding customer outcomes" does not meet the standard. MI that exists only because it was easy to pull from an off-the-shelf dashboard is not MI that satisfies a governing body's obligation.

2. SYSC and COBS record-keeping

SYSC 9.1 of the FCA Handbook requires firms to keep "orderly records... sufficient to enable the FCA to monitor the firm's compliance with the requirements under the regulatory system." The Handbook is equally specific about accessibility: the FCA must be able to "access the records readily, to reconstitute each element in a clear and accurate manner and to identify easily any changes, corrections or other amendments."

For MiFID-scope business, the minimum retention period is five years, with the FCA reserving the right to require seven. For ongoing advice, firms are now being asked to produce evidence going back to 2018 in the ongoing advice review context.

Under COBS 9.5 and COBS 9A.4, firms must also retain structured records of why every recommendation is considered suitable. That obligation is trivial to state and surprisingly hard to meet at scale, particularly when suitability logic is spread across a PDF suitability report, a workflow tool, a risk profiler, and an adviser's notes.

3. Operational resilience and third-party risk

The FCA's operational resilience rules (PS21/3) came fully into force on 31 March 2025. By that date, firms were expected to remain within impact tolerances for every important business service, including during third-party failures. The FCA has been unambiguous about where the accountability sits:

If a third-party provider supporting or delivering your important business services fails to remain within impact tolerance, you should remember that the failure to remain within impact tolerance is your responsibility.

-- FCA, operational resilience insights and observations, May 2024

From 18 March 2027, new FCA rules on reporting material third-party arrangements will require firms to formally notify the regulator where a third-party service supports an important business function. For many advisers, their SaaS CRM will fall squarely within that definition. The contract with the CRM vendor will need to address rights of access, audit, inspection, exit, and data portability, obligations that many standard vendor terms do not currently meet for regulated buyers.

4. UK GDPR, lawful basis, and data residency

The ICO has confirmed in its guide to lawful basis that processing necessary to meet regulatory record-keeping requirements is a valid lawful basis under Article 6(1)(c). The apparent tension between FCA retention rules and UK GDPR's storage limitation principle is resolved as long as firms document the regulatory basis in their Record of Processing Activities.

Two nuances matter for CRM design. First, standard financial data is not special category data, but vulnerability information that relies on health data, for example in protection advice or long-term care planning, is. A CRM must be able to tag, isolate, and apply stricter access controls to those records. Second, UK-hosted infrastructure avoids the Standard Contractual Clauses overhead that comes with using US-headquartered platforms, and simplifies the firm's data residency documentation. The November 2024 joint statement from the FCA, ICO and The Pensions Regulator made clear that the regulators expect firms to manage the intersection of these regimes, not treat them as separate silos.

Where off-the-shelf platforms fit, and where they struggle

The UK IFA back-office and CRM market is dominated by a small number of incumbents. Each has legitimate strengths, and any honest comparison starts by acknowledging them. The weaknesses, though, are where the bespoke conversation usually begins.

Intelliflo Office

Strengths. Intelliflo is the most widely used practice management system in the UK advisory sector. It is deeply integrated with UK platforms, has a large third-party ecosystem, and has steadily added Consumer Duty-oriented capability, including cashflow modelling and AdvisoryAI workflow checks.

Limits. Intelliflo is not a differentiator. Every competing firm runs a near-identical workflow, which means the CRM cannot itself become a source of operational advantage. Reliability complaints surfaced openly in the trade press in 2022, and while the platform has invested heavily since, the episode illustrated the underlying truth about SaaS: when your critical system is a shared multi-tenant platform, your service level is the vendor's service level. For firms in the 50+ adviser range that want non-standard workflow, custom segmentation, or reporting their peers do not have, Intelliflo often requires workarounds rather than configuration.

Plannr

Strengths. Plannr is an API-first challenger that opened to the broader UK advice market in early 2024 after being developed with roughly 70 advisory firms. It publishes an integration-friendly architecture, and its design reflects recent Consumer Duty thinking. For small and mid-sized firms starting fresh, it is a genuinely modern option.

Limits. As a younger platform, Plannr's long-tail of edge cases and legacy integrations is still maturing. Firms with complex historical data, non-standard fee structures, or obscure investment wrappers may find the customisation ceiling lower than they want. Like all SaaS, the roadmap belongs to the vendor.

Iress Xplan

Strengths. Xplan is the most configurable incumbent in the UK market. For firms willing to invest in configuration, it can be shaped around sophisticated workflows, and it remains popular with larger, more complex advisory businesses. Analyst ratings have recovered strongly since 2019.

Limits. The configuration ceiling is also the problem. Firms often find they have effectively paid a SaaS vendor to build a custom system on top of a generic platform, with none of the ownership and most of the fragility. Smaller firms historically struggled with the implementation burden, although Iress has addressed this with targeted offerings.

Salesforce Financial Services Cloud

Strengths. Salesforce FSC brings enterprise-grade audit trails, role-based access, workflow capability, and ecosystem depth that no IFA-specific tool can match. For firms already inside a wealth management group with Salesforce elsewhere, the integration story is strong.

Limits. It is not a UK IFA product. It is a US-originated, generalised CRM platform that requires significant configuration and ongoing maintenance to address UK regulatory obligations. Data residency, Consumer Duty MI, and the 80% ongoing-advice model are not out of the box. Total cost of ownership, including implementation partners, admin licences, and change management, routinely exceeds that of both IFA-specific incumbents and many bespoke builds. For a firm without a dedicated internal Salesforce team, the operating burden is substantial.

The common weakness

All four platforms are built around the assumption that an advisory firm's workflow is similar enough to its peers that a shared product can serve them all. In a commoditised market, that assumption is reasonable. In a regulated, differentiating, consolidating sector, it starts to strain. Forrester's 2021 analyst framing is worth quoting directly:

The closer your software is to the customer, the more you need to own your destiny.

-- Balazs Fejes, EPAM, cited in Forrester, "Forget About Build Versus Buy; Your Choice Is Customize Or Compose", April 2021

For UK financial advisers, the CRM sits very close to the customer. That is the frame in which the bespoke conversation makes sense.

Bespoke CRM vs off-the-shelf: a fair comparison for UK advisers

The table below compares the realistic trade-offs. It is deliberately balanced: off-the-shelf is the right answer for many firms, and bespoke is not a universal upgrade.

Consideration	Off-the-shelf IFA CRM	Bespoke CRM
Time to first value	6 to 12 weeks with standard setup	4 to 9 months depending on scope
Up-front cost	£10,000 to £30,000 implementation	£80,000 to £350,000 plus discovery
Annual running cost	£800 to £1,800 per adviser, per year	Hosting, maintenance, enhancements: typically £30,000 to £120,000 per year
Consumer Duty MI out of the box	Partial, configurable	Designed around the firm's actual outcomes framework
UK data residency by default	Varies; US-hosted vendors need SCCs	UK or EEA hosting by architectural choice
Workflow flexibility	Vendor roadmap; configuration ceiling	Full control of data model and logic
Resilience accountability	Vendor SLA; firm carries FCA responsibility	Firm owns the whole stack and its continuity plan
Fit for the 20 to 50 adviser range	Strong	Often overkill unless differentiation matters
Fit for the 50 to 150 adviser range	Workable but increasingly constrained	Strongest value; scales with the firm
Data portability and exit	Vendor-dependent	Firm owns the schema and the data
Total cost over 5 years	Predictable, low capex, high opex	Higher capex, lower long-run opex per user

Cost ranges are indicative and assume realistic UK market conditions in 2026. For a firm-specific cost model, see our bespoke CRM cost guide for UK businesses.

When a bespoke CRM genuinely makes sense, and when it does not

Not every IFA firm should build. Custom software is a long-term commitment, and the economics only work when the workflow or the differentiation is worth owning. The honest version of the conversation looks like this.

A bespoke CRM probably makes sense when:

• The firm has 40+ advisers and its workflow is demonstrably more specific than the nearest off-the-shelf product can accommodate
• Consumer Duty MI, vulnerability segmentation, or ongoing service tracking are persistent sources of board-level frustration
• The firm is growing through acquisition and needs to integrate very different back-office systems repeatedly
• The firm's platform mix, investment wrappers, or fee structures are unusual enough that SaaS customisation has become expensive
• UK data residency, operational resilience, and third-party accountability are priorities driven by the regulator or by the firm's own risk appetite
• Leadership wants to treat the CRM as a long-term strategic asset rather than a licence fee

Off-the-shelf is almost certainly the right answer when:

• The firm has fewer than 20 advisers and a standard UK advisory workflow
• The workflow is not a differentiator and the firm's commercial advantage is elsewhere (brand, specialism, distribution)
• Budget, appetite for change, or internal product capability is limited
• The firm is preparing for near-term sale where further transformation is disruptive
• An existing platform investment is already working well and the gaps can be closed with targeted integration or focused configuration

The point is not that bespoke beats off-the-shelf. It is that the decision should follow from the firm's actual workflow, regulatory exposure, and strategy. Our wider build or buy guide for UK businesses walks through the framework in more detail, and the seven signs a firm has outgrown an off-the-shelf CRM is a useful self-assessment if the conversation is already on the table.

A six-capability specification for any IFA CRM decision in 2026

Whichever route a firm takes, the specification it runs against should cover six capabilities at minimum.

1. Consumer Duty outcomes data model. The CRM must capture, report on, and retain data against each of the four PRIN 2A outcomes. Vulnerability markers should be first-class fields, not notes. Board reporting should be a query, not a manual exercise.
2. Structured suitability and ongoing service records. Every recommendation, review, non-engagement, and remediation should be retrievable against a client, an adviser, a product, and a date range. Seven years of history must be accessible without reconstruction.
3. Operational resilience. The CRM must have a documented recovery point objective, recovery time objective, and impact tolerance that the firm can defend in an FCA review. Resilience testing should be regular and evidenced.
4. UK data residency and lawful basis tagging. Hosting, data processing locations, and international transfer mechanisms must be documented. Lawful basis should be stored as structured metadata, not implied in a privacy notice.
5. Integration with the firm's platform and back-office stack. The CRM must expose a stable API or equivalent and be able to receive, reconcile, and store data from platforms, risk profilers, modelling tools, and AI-generated meeting notes without double-keying.
6. Exit and portability. The firm must retain the right to extract its own data in a usable format, at any time, without vendor co-operation. For bespoke systems this is axiomatic. For SaaS this needs to be in the contract.

A CRM that meets these six conditions is defensible in front of a regulator, an acquirer, and an auditor. A CRM that meets only some of them is a source of operational risk regardless of price.

How to approach a CRM switch without breaking compliance

Switching an IFA CRM is genuinely hard. Ian McKenna, Director of the Finance and Technology Research Centre, summarised it well in Money Marketing: "Saving £50 a month but buying a system that doesn't do what you want is a 'Buy in haste, repent at leisure' moment." Justin Cash, writing in Professional Adviser in September 2025, put the point more bluntly: "Even if IFAs had the budgets, there is a huge amount of inertia at play here." The inertia is not irrational. It comes from real risks around data quality, regulatory retention, and client experience during transition.

A reasonable switching programme will usually include:

• A structured discovery phase that maps the existing workflow, data model, and integration surface before any build or configuration decisions. Our CRM consultation service is typically 4 to 8 weeks, and produces the specification the rest of the programme runs against.
• A clear data migration plan that covers extraction, transformation, validation, and FCA-compliant retention of historical records. CRM data migration is where most switching projects succeed or fail.
• A dual-running period where old and new systems operate side-by-side, with a defined cutover criterion. Historical data stays accessible during the overlap.
• Phased adviser rollout, usually starting with one or two advisers per office to surface workflow issues before the full population switches.
• Documented evidence of continuity of client records for the FCA, including a clear audit trail of migrated records and any exceptions handled during transition.
• A communication plan for clients, particularly where the change affects client portals, payment records, or reporting.

Firms that have been through this process tell us consistently that the biggest mistake is trying to replicate the old workflow exactly. A CRM switch is an opportunity to retire legacy practice that no longer matches the current regulatory environment, and that upside is lost if the project treats the new system purely as a replacement part.

For firms considering the process in more detail, our bespoke CRM development process from requirements to launch walks through the phases and the realistic timelines involved.

Frequently asked questions

Does the FCA require a specific CRM for financial advisers?

No. The FCA Handbook is deliberately technology-neutral. It defines the obligations, SYSC record-keeping, COBS suitability, PRIN Consumer Duty, operational resilience, and leaves the choice of systems to the firm. What the regulator does require is that whatever system is in place meets the obligations in practice, which is a higher bar than it looks.

Is a bespoke CRM more compliant than an off-the-shelf system?

Not inherently. Compliance is a function of how the system is configured and operated, not whether it is built or bought. A well-configured off-the-shelf platform can meet every FCA obligation. A poorly designed bespoke system can fail them all. The advantage of bespoke is that compliance requirements can be designed into the data model from the outset rather than retrofitted into a generic schema.

How long does a bespoke CRM project take for an IFA firm?

A realistic programme for a firm of 20 to 150 advisers runs 4 to 9 months from discovery to production launch, depending on scope, integration surface, and migration complexity. Discovery typically takes 4 to 8 weeks, build and integration 3 to 6 months, and transition 4 to 12 weeks. Rushed projects are where most of the risk sits.

What happens to our data if we outgrow or terminate a SaaS CRM contract?

That depends entirely on the contract. For SaaS used in an important business function, firms should ensure they have contractual rights to data export in a usable format, a defined termination notice period, continuity of access for regulatory retention purposes, and clear responsibility for destruction of residual copies. From 18 March 2027, these rights become part of the FCA's expectations for material third-party arrangements. It is worth revisiting current contracts against that standard well before the deadline.

Does Consumer Duty make off-the-shelf CRMs unfit for purpose?

No. It raises the bar on what they need to demonstrate. Several incumbent platforms have added Consumer Duty MI, vulnerability flags, and reporting capability since 2023. The question is whether those additions are deep enough for the firm's governing body to rely on in the annual board report. The FCA's December 2024 review suggests that for many firms, they are not yet.

How does a bespoke CRM handle UK GDPR better than a global SaaS?

A UK-hosted bespoke system avoids Standard Contractual Clauses for international transfers, simplifies data residency documentation, and allows lawful basis to be stored as structured metadata against each data field. A global SaaS can be configured to meet UK GDPR, but the burden of proof sits on the firm, and the underlying architecture is outside its control.

What does a realistic total cost of ownership look like for a bespoke IFA CRM?

For a firm of 20 to 150 advisers, indicative ranges are an £80,000 to £350,000 build, £30,000 to £120,000 per year in hosting, maintenance and enhancements, plus integration and migration costs for the legacy system. Over five years the total often sits below the equivalent SaaS licensing for larger firms, though the shape of the spend is more capital-intensive early on. See our full bespoke CRM cost guide for detailed modelling. Regulatory context and any significant capital decision should be reviewed with qualified professional advice appropriate to the firm.

Can a bespoke CRM be built with AI features like automated suitability drafting and meeting notes?

Yes. A bespoke platform can integrate modern AI capability such as meeting transcription, automated suitability drafting, and vulnerability keyword detection, with the same level of audit trail and data residency as any other feature. The FCA Cyber Coordination Group has noted that AI features must be implemented with proper impact assessment, which is easier to do in a system the firm controls than in a SaaS roadmap it does not.

Working out the right path for your firm

The CRM question has stopped being a software procurement exercise and started being a regulatory, operational, and strategic decision. Firms that treat it that way, running a structured specification against the six capabilities above and being honest about workflow, scale, and differentiation, tend to come out with a system they can defend in front of the regulator and build the next decade of the business on top of.

Bespoke CRMs is a UK-based custom CRM development consultancy that works with regulated financial services firms and other regulated sectors including legal. We design, build, and maintain custom systems against the FCA, ICO, and operational resilience obligations described in this article. If you are evaluating whether a bespoke approach is the right answer for your firm, the best starting point is a structured CRM consultation workshop where we map your current state, regulatory exposure, and realistic options against a 5-year view.

To discuss the options for your firm, book a discovery call with our team or request a bespoke CRM proposal. We will send a short pre-call questionnaire so the conversation focuses on your specific workflow, regulatory priorities, and consolidation plans.

The information in this article is general guidance on UK regulation and market practice. It is not a substitute for qualified legal, compliance, or financial advice specific to your firm's circumstances. Firms should consult a qualified compliance adviser before making CRM decisions with regulatory implications.