CP26/19: Penalty and Decision-Making Policies - MEMA Control View

Summary

The FCA source for this weekly release is CP26/19: Changes to our penalty and decision-making policies, published on 2026-06-15. It identifies the most likely affected firms and sets out topic-specific control and evidence questions.

At a Glance

• What changed: the FCA published CP26/19: Changes to our penalty and decision-making policies on 2026-06-15.
• MEMA view on likely affected audience: authorised firms with material conduct, market abuse, financial crime, complaint, breach-escalation or regulatory-investigation exposure, and to senior managers responsible for governance and remediation.
• Key timing: Consultation close date: 10 August 2026. Firms considering a response should allow time for internal compliance, legal and business-owner review before that date.
• Main control implication: affected firms should map the source to DEPP governance, breach escalation, internal investigation records and senior manager briefings.

What Has Changed

CP26/19: Changes to our penalty and decision-making policies is recorded in the FCA source base as a CP. The source summary states: We’re consulting on Decision Procedure and Penalties Manual (DEPP) changes.. Read CP26/19Why we are consultingWe want to update the DEPP to keep our policy current and consistent with how we work in practice.These changes will improve transparency and consistency. They will help us act faster, deter misconduct and maintain confidence in UK markets.What we are changingWe propose a small number of targeted updates to our penalty and decision-making policies:Market abuse: for the most serious cases, raising the minimum for individuals from £100,000 to £150,000 to account for inflation.

Consultation close date: 10 August 2026. Firms considering a response should allow time for internal compliance, legal and business-owner review before that date.

MEMA has not treated the source as a universal rule change. The article should be read as a source-led review that separates FCA source material, MEMA interpretation and MEMA recommended control actions.

Who Is Affected

Most relevant to authorised firms with material conduct, market abuse, financial crime, complaint, breach-escalation or regulatory-investigation exposure, and to senior managers responsible for governance and remediation.

For those firms, the relevance assessment should name the products, permissions, customer journeys, functions and senior owners that connect to CP26/19. The audience definition should not be left as a generic statement.

Who May Not Be Directly Affected

Potentially lower relevance for firms with limited case-comparable exposure or no activity connected to the proposal themes, but still useful for boards reviewing breach escalation and regulatory-response governance.

MEMA recommends retaining a no-impact rationale where the source is reviewed and found not to apply. The rationale should be short, dated and linked to the source reviewed.

Practical Control Implications

The specific control areas to consider are:

For this topic, the review should focus first on DEPP governance, breach escalation, internal investigation records and senior manager briefings. The evidence should show who owns those controls, how they operate in practice and whether board or committee MI needs updating.

Additional review points are market abuse controls, regulatory notification assessment and remediation evidence. These should be added to the action plan only where the source is relevant to the firm's permissions, products or operating model.

CP26/19 should be treated as a governance prompt, not only a policy-tracking item. Firms should test whether breach escalation, internal investigations, senior-manager briefings and remediation records are strong enough before a matter becomes an enforcement issue.

Where misconduct risk is material, boards should be able to see how issues are identified, assessed, escalated, remediated and challenged, including who decides whether external legal or regulatory advice is needed.

What Firms Should Do Now

Board Questions

• Does the firm know which breach types require senior-manager escalation?
• Are investigation records, root-cause analysis and remediation decisions documented consistently?
• Who owns regulatory notification analysis and who challenges that assessment?
• Does market abuse or misconduct MI reach the right governance forum quickly enough?
• Would the firm be able to evidence early action before a regulator asks for it?

Evidence Checklist

• MEMA recommends retaining breach register and escalation criteria.
• MEMA recommends retaining internal-investigation templates.
• MEMA recommends retaining regulatory-notification assessment records.
• MEMA recommends retaining senior manager briefing notes.
• MEMA recommends retaining remediation plans and closure evidence.
• MEMA recommends retaining board or risk committee minutes.

MEMA View

MEMA recommends using this consultation as a prompt to test breach escalation, investigation records and senior-manager briefing routines. MEMA's view is that boards should focus on the evidence trail before enforcement: breach identification, escalation, investigation governance, remediation decisions and senior-manager oversight.

Source Evidence

Disclaimer

This article is for general information only and does not constitute legal or regulatory advice. Firms should assess the application of regulatory requirements by reference to their permissions, products, customers and operating model.

Call to Action

MEMA can help firms strengthen breach escalation, regulatory notification assessments, enforcement-response governance and board evidence. To discuss support, book a call: https://koalendar.com/e/meet-mema-consultants.