Watchdogs Without Bite

Ineffective Watchdogs: A Policy Analysis of the ICO, SRA, and FCA in the UK

Regulatory bodies are often dubbed society’s ‘watchdogs’ – independent enforcers meant to protect the public interest from abuses of power and breaches of law. In the United Kingdom, the Information Commissioner’s Office (ICO), the Solicitors Regulation Authority (SRA), and the Financial Conduct Authority (FCA) were each established to uphold crucial standards – respectively, information rights and data privacy, professional ethics in the legal sector, and integrity in financial markets. Yet these regulators have increasingly drawn criticism as ‘toothless watchdogs’ that fail to hold powerful actors to account, respond inadequately to systemic misconduct, and even discourage or harm whistleblowers who bring wrongdoing to light.[^1]

This paper argues that the ICO, SRA and FCA have become ineffective regulators and makes a public policy case for dismantling or radically reforming them in favour of more forceful, accountable frameworks. The discussion will first provide historical context on the creation and purpose of each body. It will then examine patterns of regulatory failure – including chronic under-enforcement, regulatory capture, procedural opacity and inaction on credible complaints – and the resulting damage to whistleblowers and public trust. Recent scandals and case studies are analysed to illustrate these failings. The paper compares the UK situation with better-functioning regulatory regimes in other democracies (such as EU countries, Australia, Canada, and Scandinavia) to highlight alternative models. Finally, it offers recommendations for replacement frameworks grounded in transparency, public accountability and enforceable oversight mechanisms. The overarching goal is to strengthen institutional accountability so that regulators serve the public interest with real ‘teeth’ rather than merely bark without bite.


Origins and Roles of the ICO, SRA, and FCA

Understanding how these regulators were originally conceived – and what they were meant to achieve – provides essential context for evaluating their performance today. Each body emerged in response to specific policy needs and legal reforms, shaping their mandates and powers:

The Information Commissioner’s Office (ICO) was established to uphold information rights (data privacy and public access to information). Its origins trace back to the Data Protection Act 1984, which created the role of Data Protection Registrar to oversee personal data processing.[^2] This was a small office (initially only ten staff) charged with maintaining a register of data controllers and ensuring compliance with nascent data protection laws.[^3] The ICO in its modern form took shape in 2000–2005, when its remit expanded under the Freedom of Information Act 2000. In 2005 the post of Data Protection Commissioner was renamed Information Commissioner, reflecting added responsibilities to enforce the public’s right to government-held information under FOI law.[^4]

Today, the ICO describes itself as ‘the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals’.[^5] It oversees compliance with laws like the UK General Data Protection Regulation (UK GDPR) and Freedom of Information Act, issues guidance, and can take enforcement action (including fines) against organisations that breach these laws. In theory, the ICO’s mission is to be a robust guardian of privacy and transparency – preventing the misuse of personal data and shining light on government secrecy.

The Solicitors Regulation Authority (SRA) is the regulator of solicitors and law firms in England and Wales, tasked with ensuring high professional standards and protecting legal service consumers. The SRA was created in January 2007 amid reforms to separate the regulation and representation roles of the legal profession. It evolved from the Law Society’s Regulation Board, adopting the new name SRA to underscore its independence from the Law Society (the solicitors’ representative body).[^6] The enabling legislation was the Legal Services Act 2007, which responded to concerns about self-regulation by introducing an oversight regulator (the Legal Services Board) and mandating clearer focus on the public interest.

According to the SRA, its purpose is ‘to protect the public by ensuring that solicitors meet high standards, and by acting when risks are identified’.[^7] It regulates over 200,000 solicitors ranging from solo practitioners to global law firms.[^8] The SRA sets the Solicitors’ Code of Conduct, authorises firms, and investigates misconduct – with powers to sanction solicitors (fines, suspensions, disbarment) for breaches. In principle, this framework was meant to bolster public confidence that lawyers are held accountable independently of their own trade body. The SRA’s creation was heralded as a way to put clients’ and consumers’ interests first, ensuring ethical practice and intervening early to prevent harm.

The Financial Conduct Authority (FCA) was born from the overhaul of UK financial regulation after the 2008 financial crisis. Prior to 2013, financial markets were supervised by the Financial Services Authority (FSA). The FSA’s failure to avert the banking crisis (e.g. the collapse of Northern Rock and RBS) led to criticism of light-touch regulation. In response, the Financial Services Act 2012 abolished the FSA and replaced it with a new structure effective 1 April 2013.[^9] The FCA became the conduct and consumer protection regulator for financial services, while prudential supervision of banks was assigned to the Bank of England via the Prudential Regulation Authority (PRA).[^10]

The FCA’s statutory objectives include ensuring an appropriate degree of consumer protection, protecting market integrity, and promoting effective competition. It oversees about 58,000 financial firms ranging from banks and investment companies to insurance brokers.[^11] Notably, the FCA is operationally independent of government and funded by fees from the financial industry it regulates.[^12] It has broad powers to make rules, supervise firms, investigate misconduct and impose sanctions (fines, bans, even criminal prosecutions in certain cases). The creation of the FCA was intended to address the shortcomings of its predecessor by providing more proactive and focused regulation of conduct. It was, in essence, meant to be a ‘credible deterrent’ to malpractice in the City – a regulator that would spot and stop consumer harm or market abuse before it spirals into full-blown scandals.

Each of these bodies thus has a clear public-interest mandate on paper: the ICO to uphold privacy and transparency, the SRA to ensure lawyers act with integrity and competence, and the FCA to shield consumers and markets from financial misconduct. However, as the next sections explore, the performance of all three regulators has fallen far short of their founding ideals. Over time they have exhibited institutional weaknesses that have rendered them largely ineffective – inviting the characterisation of regulators in name only.


Patterns of Regulatory Failure and Institutional Weaknesses

Despite operating in different sectors, the ICO, SRA and FCA have displayed remarkably similar shortcomings in their regulatory approaches. These common failings include:

  1. Chronic under-enforcement – rarely deploying their full powers or issuing merely token penalties
  2. Evidence of regulatory capture – showing a lack of genuine independence from those they regulate
  3. Procedural opacity – maintaining bureaucratic and non-transparent processes
  4. Systemic dismissal of complaints – frequently ignoring or downplaying credible reports of wrongdoing

This section analyses these troubling patterns and examines how they fundamentally undermine these regulators’ ability to fulfil their public interest missions and steadily erode public trust in regulatory oversight.


Under-Enforcement and Leniency

One of the most frequent criticisms is that these regulators do not enforce the rules aggressively, allowing misconduct to go unchecked or doling out punishments so mild that they fail to deter bad actors. Low enforcement activity and weak sanctions have been documented across all three agencies:

ICO – a poor track record on enforcement:

In theory, the ICO possesses formidable powers under data protection law, particularly since GDPR introduced potential fines of up to 4% of global turnover. In practice, however, the ICO has been remarkably reluctant to wield these powers, even as data breaches and privacy violations continue to multiply across the UK.

A parliamentary briefing revealed that in the entire 2021–22 period, the ICO ‘did not serve a single GDPR enforcement notice, secured no criminal convictions and issued only four GDPR fines totalling just £633k’ – despite receiving over 40,000 data protection complaints.[^13] This enforcement record appears woefully inadequate given the scale of violations occurring. More recent data from 2024 shows some improvement but still demonstrates a clear preference for issuing reprimands rather than financial penalties, particularly for public sector organisations.[^14]

The contrast with European counterparts is stark. France’s CNIL, for instance, fined Google €50 million in 2019 for GDPR breaches – a single fine that dwarfs the ICO’s annual enforcement output. This light-touch approach has prompted Members of Parliament to insist that the public needs a data regulator ‘with teeth’ and that the ICO must ‘stop sitting on its hands and start using its powers’.[^15]

The ICO repeatedly opts for gentle persuasion or private ‘reprimands’ rather than meaningful punitive action. Even when it does act, penalties often prove inconsequential for large entities. The Facebook–Cambridge Analytica scandal exemplifies this problem: the ICO’s £500,000 fine (the maximum under pre-GDPR law) represented a mere slap on the wrist for a tech giant of Facebook’s size.

Perhaps most concerning is the ICO’s apparent reluctance to robustly enforce the law against powerful entities, particularly government departments. When confronted with government violations—such as the unlawful handling of COVID test-and-trace data discussed below—the ICO has preferred quiet ‘engagement’ over penalties, leading MPs to accuse it of effectively tolerating illegality.[^16]

This persistent under-enforcement means the ICO largely fails in its fundamental purpose: deterring privacy infringements and compelling better data protection practices. The ultimate consequence is a steady erosion of citizens’ information rights.

SRA – failures to act and inadequate sanctions:

The SRA’s disciplinary regime reveals a troubling pattern of delayed and insufficient intervention when confronted with solicitor misconduct. While the regulator does act in obvious cases of extreme dishonesty (such as striking off solicitors who steal client funds), it has repeatedly been criticised for failing to intervene early or decisively enough in ongoing patterns of concerning practice.

The 2023–24 collapse of law firm Axiom Ince provides a particularly damning example. An independent review into the SRA’s handling of this case, commissioned by the Legal Services Board, found a ‘catalogue of errors and missed opportunities’ by the regulator.[^17] By the time the SRA finally took decisive action, approximately £64 million had been misappropriated from Axiom’s client accounts – losses that could likely have been prevented had the SRA responded to warning signs more promptly.[^18]

The review delivered a scathing assessment, concluding the SRA ‘did not act adequately, effectively and efficiently’, failing to take steps it both could and should have taken.[^19] As the Law Society’s president bluntly summarised, the review ‘paints a vivid picture of the SRA’s inadequate and ineffective handling of Axiom’, which allowed the firm to operate unchecked with devastating consequences for clients.[^20]

Particularly concerning is that while this slow-moving scandal unfolded, the SRA’s leadership appeared distracted by other priorities – notably lobbying for greater fining powers and expanding its remit – rather than ‘tackling the known risks’ directly before it.[^21] This suggests a fundamental misalignment between the regulator’s focus and its core protective function.

Even beyond headline-grabbing scandals, there are persistent concerns that the SRA’s enforcement is inconsistent and frequently too lenient, particularly toward large or well-connected law firms. Critics contend that the SRA sometimes ‘picks and chooses’ which rules to enforce and which entities to hold accountable.[^22] For instance, conflicts of interest are reportedly widespread within the legal profession, yet the SRA has shown reluctance to intervene when solicitors represent clients with clearly conflicting interests.[^23]

The SRA’s funding model may partially explain this ‘light-touch’ approach – as a regulator financed entirely by fees from the very law firms it oversees, it faces an inherent conflict if rigorous enforcement threatens to antagonise its funding base.[^24] An analysis by UCL’s Centre for Ethics and Law specifically warned that the SRA’s reliance on income from the regulated community ‘risks creating a “light-touch” approach to regulation’.[^25]

When the SRA does impose sanctions (short of striking off), they often appear disproportionately mild. Until recently, its fining powers over traditional law firms were capped at just £2,000, meaning serious misconduct required referral to a tribunal – frequently resulting in protracted proceedings or no meaningful action. Even with higher fining limits now in place, the Axiom case demonstrates that possessing powers on paper means little if the regulator hesitates to use them promptly and decisively.

FCA – ‘too little, too late’ enforcement:

The Financial Conduct Authority, which oversees the vast UK financial sector, has attracted perhaps the most scathing criticism for its enforcement failures. Throughout the past decade, the FCA has been implicated in numerous financial scandals where its responses proved either painfully slow or woefully insufficient.

Parliamentarians and consumer advocates have repeatedly accused the FCA of chronically acting ‘too late or not at all’ when confronted with serious misconduct.[^26] A comprehensive report by an all-party parliamentary group (APPG) in 2024—drawing on evidence from fraud victims, whistleblowers and former FCA staff—concluded that the FCA’s actions are consistently ‘slow and inadequate’.[^27] More damning still, it characterised the regulator as ‘incompetent at best, dishonest at worst’ in its failure to prevent or properly punish wrongdoing across a range of financial services scandals.[^28]

Recent FCA enforcement data highlights this problem, showing a downward trend in overall enforcement activity. As of March 2024, the FCA had 188 ongoing enforcement operations investigating 341 individuals and 162 firms, down from 224 investigations in the previous year.[^29] While fines totalling £176 million were issued in 2024, many serious cases still resulted in merely public censures rather than substantial penalties.[^30]

The London Capital & Finance (LCF) mini-bond scandal stands as one of the most notorious examples of FCA failure. LCF collapsed into insolvency in 2019 after selling high-risk mini-bonds to ordinary investors, causing 11,600 people to face losses of up to £237 million.[^31] An independent inquiry led by Dame Elizabeth Gloster found the FCA had utterly failed to regulate LCF properly—ignoring multiple ‘red flags’ and failing to intervene even as LCF made blatantly misleading promotions.[^32]

Dame Gloster’s report concluded the FCA ‘did not discharge its functions… effectively to fulfil its statutory objectives’ and identified ‘significant gaps and weaknesses’ in the FCA’s policies and practices as root causes of the failure.[^33] In essence, the FCA possessed the tools to halt an obviously speculative scheme but failed to act until it was too late, by which point investors’ money had vanished.

The Royal Bank of Scotland’s Global Restructuring Group (GRG) scandal provides another egregious example. Here, a major bank’s unit was found to have mistreated thousands of struggling small business customers in the aftermath of the 2008 crisis. Despite the FCA’s own investigation acknowledging RBS’s treatment of businesses represented ‘systemic and widespread’ misconduct, the regulator ultimately decided to take no enforcement action whatsoever.[^34]

When the FCA’s final report in 2019 confirmed it would not sanction RBS or any senior bankers for the GRG affair, observers condemned it as a ‘complete whitewash’.[^35] Even then-FCA chief executive Andrew Bailey admitted RBS’s behaviour had been insensitive, dismissive and aggressive, exacerbating the distress of already vulnerable customers.[^36] Yet the complete absence of sanctions meant RBS essentially escaped accountability, while those whose businesses were destroyed received no justice.

Such outcomes reinforce a public perception that large financial institutions are effectively ‘too big to punish’—that the FCA will invariably shy away from taking robust action if the target is a well-resourced bank or insurer. While the FCA has occasionally levied substantial fines (often in coordination with US regulators) in cases like LIBOR rate-rigging or FX market manipulation, critics note these fines typically come only after journalists, whistleblowers, or foreign regulators have already exposed the misconduct.

The contrast with international counterparts is striking. The US Securities and Exchange Commission consistently brings many more enforcement actions and imposes significantly larger penalties than the FCA in any given year.[^37] This comparative analysis confirms that the FCA’s failure to enforce effectively is not an isolated issue but rather reflects a systemic culture of regulatory timidity within the UK financial sector.

Whether due to lack of will, fear of legal challenges, or institutional pressure to avoid disrupting powerful financial interests, the net effect remains the same: firms under the FCA’s remit do not consistently fear meaningful consequences for even serious wrongdoing. This fundamentally undermines the deterrent effect that independent regulators are supposed to provide.


Regulatory Capture and Lack of Independence

Another factor contributing to weak enforcement is the perception (and sometimes reality) of regulatory capture – i.e. regulators becoming too aligned with the interests of the industries or institutions they oversee, at the expense of the public interest. Capture can stem from structural issues (such as funding and governance) or cultural ones (such as revolving doors and cosy relationships). In all three regulators’ cases, concerns have been raised about their independence and willingness to challenge powerful entities:

The ICO is formally an independent public body, but it is accountable to the government (through Parliament) and relies on government funding (supplemented by fees from data controllers). There have been instances where the ICO appeared hesitant to hold government departments accountable for data law breaches, raising questions of deference to political superiors. During the COVID-19 pandemic, for example, the UK government launched data-intensive programmes (like Test and Trace) in haste, at times sidestepping privacy requirements. When it emerged that the NHS Test and Trace programme had failed to conduct a legally required Data Protection Impact Assessment (DPIA), the ICO did not immediately issue fines or enforcement notices. Instead, a cross-party group of 22 MPs had to publicly prod the Information Commissioner to act, urging her to consider fining the government if it did not correct its approach.[^39] Labour MP Chris Bryant remarked that the government had been ‘playing fast and loose’ with data protection and that the public needed a ‘regulator with teeth’, pointedly accusing the ICO of ‘sitting on its hands’.[^40] The Executive Director of Open Rights Group, Jim Killock, went further, stating ‘there is something rotten at the heart of the ICO that makes them tolerate government’s unlawful behaviour’.[^41] Such strong words imply a perceived capture – the regulator being too timid to take on the government of the day, even when laws are clearly breached. 
Increased political pressure in recent years (for instance, ministers urging the ICO to prioritise economic growth or innovation over data rights) has cast doubt on the ICO’s ability to operate at arm’s length from government influence.[^42] A briefing in 2024 warned that if reforms further reduce the ICO’s autonomy or allow more ministerial control, its willingness to enforce against state bodies could weaken even more.[^43] In sum, while not a traditional industry capture, the ICO risks institutional capture by the state, whereby it may pull punches when facing politically sensitive enforcement – a fatal compromise for a regulator meant to impartially uphold citizens’ rights against all comers.

For the SRA, concerns centre on industry capture and conflicts of interest. As noted, the SRA is funded by fees from solicitors and law firms. This model, akin to the FCA’s, is intended to ensure the regulator is not dependent on taxpayer funding (thus theoretically independent of government). However, it creates a potential bias towards the interests of the regulated community – in this case, solicitors. The fact that the SRA’s budget comes from the profession could subconsciously (or consciously) make it hesitant to alienate that profession with overly harsh regulation. Moreover, the legal profession has historically been self-regulating, and vestiges of that culture remain. Many on the SRA’s board or committees are current or former lawyers, which is valuable for expertise but can also lead to regulatory empathy for the challenges of practice – sometimes at the expense of consumer protection. The SRA has tried to mitigate capture by including lay members in governance, but the ‘revolving door’ persists: top SRA officials may later seek roles in big law firms, and vice versa, raising questions of independence. 
The Open Rights Group briefing on the ICO noted similar risks of ‘cronyism and undue corporate influence’ and argued regulators must be structurally protected from revolving doors.[^44] In the SRA’s case, regulatory capture may help explain why it failed to crack down on Axiom Ince sooner – the firm had been aggressively acquiring other law firms (which might be seen as good for the profession’s growth) and perhaps the SRA was reluctant to intervene in what looked like entrepreneurial innovation until too late.[^45] The Law Society president diplomatically said the SRA had been too focused on other agendas (like regulating technologically enabled legal professionals) rather than ‘laser focused on protecting consumers’.[^46] In essence, this suggests a regulator pursuing its own institutional interests and industry’s growth agenda at the expense of its core public-interest mission.

Another aspect of opacity is procedural capture – where the rules and processes are so complex that only insiders (seasoned lawyers) can navigate them, leaving ordinary complainants sidelined. People who lodge complaints against solicitors often find the process slow and opaque, with the SRA sometimes appearing more sympathetic to the solicitor’s explanation than to the client’s grievance. This dynamic fosters a perception of bias: the regulator seems to give the ‘benefit of the doubt’ to one of its own (the solicitor), rather than championing the consumer. While not malicious, such institutional mindset issues show how a regulator can become insular and distant from the public it serves.

For the FCA, capture concerns are multifaceted. The FCA, like the SRA, is industry-funded – all its operating costs come from levies on financial firms.[^47] This has led some to question if the FCA might go easy on the biggest contributors (large banks and investment firms), although the funding is broad-based enough that no single firm can directly sway its budget. More significant is the revolving door between the regulator and industry: it is common for FCA staff, including senior officials, to take high-paying jobs in banks or financial companies after their tenure. Conversely, some individuals join the FCA mid-career from industry. While a degree of interchange is inevitable (and expertise-enhancing), it poses a risk that regulators identify more with the industry perspective than with consumers. Notably, the FCA’s former chief, Andrew Bailey, was criticised for the above-mentioned enforcement lapses but nonetheless was promoted to become Governor of the Bank of England – suggesting a lack of accountability at the top and reinforcing the sense of a charmed circle in finance. The parliamentary report in 2024 depicted the FCA’s leadership culture as ‘opaque and unaccountable’.[^48] Current and ex-employees described a ‘profoundly defective’ culture from the top down, saying it had become increasingly toxic and insular.[^49] Dissenting voices within the FCA were allegedly ‘bullied and discriminated against’ for challenging the official line.[^50] This indicates internal capture by a bureaucratic hierarchy that resists transparency and external scrutiny. Indeed, the FCA is exempt from some transparency requirements that bind normal public bodies (for instance, it has limited obligations under the Freedom of Information Act, meaning its internal decisions are less open to public query). The net effect of these cultural and structural issues is a regulator that too often seems to side with industry or its own institutional preservation. 
For example, even after scandals, the FCA tends to frame failures as ‘learning lessons’ rather than holding specific people or firms rigorously to account. Such a stance can slip into a pattern of defending the organisation’s reputation over admitting shortcomings. When the FCA was lambasted for LCF and other failures, its instinct was to promise improvements via internal transformation programmes – yet insiders told the APPG that a much-vaunted change programme under the current chief executive had ‘not worked’ at all.[^51] This insularity can be viewed as a form of capture: the FCA is, in effect, captured by its own inertia and defensiveness, losing sight of the citizens it is meant to protect.

In sum, whether through funding arrangements, personnel moves, or political pressure, each of these regulators suffers compromised independence. They are not as fearlessly arm’s-length as one would hope; instead, they appear risk-averse to upsetting the powerful – be it government departments (in the ICO’s case), influential professions (in the SRA’s), or major financial institutions (in the FCA’s). Such tendencies directly contribute to under-enforcement, as outlined above, creating a vicious cycle of ineffectiveness.


Procedural Opacity and Inaction on Complaints

Another common failing is the procedural opacity of these regulators – their processes are slow, convoluted, and often opaque to the public and complainants. This opacity frequently translates into a de facto refusal to act on credible complaints or intelligence of wrongdoing. Whistleblowers and members of the public who bring issues to these bodies often experience frustration or retaliation rather than resolution:

ICO – slow and non-transparent complaint handling: Individuals who lodge data protection complaints with the ICO (for example, about a company misusing their data or a public body failing to respond to an FOI request) face a lengthy and mysterious process. It is not uncommon for the ICO to take many months – sometimes over a year – to adjudicate on a complaint. In FOI cases, this delay can effectively defeat the purpose of transparency (information released years late is often moot). Complainants receive little communication beyond standard acknowledgments and eventually a terse decision letter. The lack of clear timelines or updates creates opacity, and there is little recourse if the ICO decides not to take action. Indeed, the ICO often exercises discretion to close cases without enforcement, issuing ‘advice’ to organisations rather than orders. While this might be pragmatic resource allocation, it can look like brushing off legitimate grievances. For instance, one LinkedIn user recounted how the ICO handled his GDPR complaint against a company by making a few attempts to contact the firm and, when those failed, simply advising the company to respond within a month – effectively trusting the offending company to police itself.[^52] Such an outcome is not atypical; the ICO frequently resolves cases by informal means and rarely informs complainants of any concrete outcome beyond ‘we’ve reminded them of their obligations’. This secretive approach deprives victims of closure and dilutes accountability, as the offending organisation often faces no public sanction or record. Moreover, the ICO’s policy of issuing ‘reprimands’ instead of fines (a trend noted in recent years) means many serious violations are dealt with privately. 
A reprimand is essentially a private telling-off; as the Open Rights Group observed, reprimands simply express regret over a failure to comply but do not penalise the organisation.[^53] This is problematic for public accountability – the public may never learn that a body was found in breach. Overall, the ICO’s complaint processes and outcomes often leave citizens feeling that the system is stacked against them, with bureaucracy shielding wrongdoers from exposure.

SRA – ignoring credible complaints and lack of transparency: The SRA’s disciplinary process can be bewildering to outsiders. Clients or solicitors who report misconduct may wait long periods with scant information as the SRA ‘investigates’. In some cases, strong evidence of ethical breaches has seemingly been swept under the rug. The LinkedIn commentary by a solicitor, John Barwell, alleges that even when presented with ‘substantial evidence of misconduct – including conflicts of interest, data protection breaches, and unethical legal tactics’, the SRA ‘dismissed the case without meaningful investigation’.[^54] If true, that indicates a regulator refusing to act on credible complaints, possibly to avoid taking on complex or uncomfortable cases. The SRA’s complaint handling is also notoriously opaque: the complainant is not a party to any proceedings and is often not informed of the details of the SRA’s deliberations or reasoning. If the SRA declines to take action, it may simply notify the complainant that the matter is closed, without a detailed explanation – fostering a perception of arbitrariness. Additionally, the procedural hurdles for the SRA to discipline a solicitor (e.g. burdens of proof, need for tribunal hearings for serious sanctions) can lead to protracted delays. This was evident in the Axiom Ince case: the SRA had information about potential wrongdoing well before clients lost money, but its processes did not translate into timely intervention.[^55] One could argue the SRA was following procedure – gathering evidence meticulously – but in a fast-moving situation that caution was disastrous. 
The Legal Services Consumer Panel, reflecting on the Axiom review, noted it revealed ‘systemic flaws’ and demanded regulators act with more ‘urgency [and] transparency’ in future.[^56] The Panel emphasised that consumers deserve regulators with ‘an unwavering commitment to protection’ and that the failures in this case demand immediate reform towards greater openness and decisive action.[^57] In summary, the SRA’s procedural opacity and sometimes passive approach to complaints have meant too many warnings go unheeded until damage is done.

FCA – mishandling of whistleblowers and intelligence: Of the three, the FCA has been most directly excoriated for failing to act on whistleblower reports and insider evidence. Whistleblowers are a critical source of intelligence on financial wrongdoing, and the FCA ostensibly encourages them – it set up a dedicated whistleblowing team and procedures for firms to handle whistleblower concerns. However, in practice whistleblowers have often been left feeling ignored or even exposed. The 2024 APPG report described the FCA’s treatment of whistleblowers and their evidence as ‘alarming’. It found the FCA ‘failed to investigate properly and act on intelligence provided, and failed to protect – and in some cases, actively harmed – those who provided information’.[^58] This is a damning indictment: not only did the regulator drop the ball on the information, but the whistleblowers themselves suffered negative consequences. There have been cases where individuals who alerted the FCA to fraud felt the FCA tipped off the firm or otherwise compromised their confidentiality, leading to retaliation. Even internally, FCA staff who tried to raise concerns about the FCA’s direction or specific cases reported being bullied or forced out.[^59] The culture was described as ‘Do as you’re told, don’t argue’ – hardly conducive to surfacing problems.[^60] A notable example externally was the Barclays whistleblower case: the bank’s CEO sought to unmask a whistleblower, as mentioned earlier. While the FCA did eventually fine the CEO (Jes Staley) in that instance, critics note that it was the New York regulator that truly investigated and exposed the incident, while the FCA’s action came later and was relatively lenient.[^61] More broadly, there has been a pattern of whistleblowers going to the media or MPs after losing faith that the FCA will act. This is a troubling sign of a regulator that has lost credibility among those on the front lines of uncovering misconduct. 
If people believe the FCA will not act on a tip-off – or worse, that it might bury the issue – then vital information dries up, and wrongdoing continues unchecked. The FCA itself has acknowledged these criticisms to some degree and in 2021 announced an initiative to ‘improve [its] long-criticized handling of whistleblowers,’ recognising it had not inspired confidence over the past decade.[^62] However, tangible improvements remain to be seen. In essence, the FCA’s procedural approach has been too closed and defensive: it often does not tell whistleblowers what (if anything) was done with their evidence, and it rarely publicises cases initiated due to whistleblowing. Without transparency, neither the whistleblower nor the public can judge the effectiveness of the FCA’s follow-up. The result has been a graveyard of ignored warnings – from small investor scams to major bank misdeeds – that only come to light after harm has occurred. This systemic inertia and opacity is, arguably, just as destructive as overt capture or under-resourcing, because it means even when the alarms are sounded, the watchdog fails to bark.


Erosion of Whistleblower Protections and Public Trust

The combined effect of the above issues is an erosion of trust – both by conscientious insiders (whistleblowers) and the general public – in these regulators’ ability and willingness to deliver justice. Whistleblowers, in particular, are a litmus test of a regulator’s integrity: protecting them and acting on their information signals that the regulator prioritises the public interest over institutional convenience. Unfortunately, the ICO, SRA, and FCA have all sent discouraging signals in this regard:

The ICO is not primarily a whistleblower regulator, but it does intersect with whistleblowing in contexts like data breach reporting. If an employee blows the whistle on a company’s data misuse, the ICO should be their ally. Yet the ICO’s timid enforcement can discourage such disclosures. Moreover, as a public body, the ICO itself has had whistleblowers (staff voicing concerns) reportedly dissatisfied with how issues were handled – though such instances are less public. The main consequence for public trust is that privacy advocates and ordinary citizens increasingly view the ICO as ineffective. Surveys and anecdotal evidence suggest many in the UK public are unaware of the ICO, and those who are aware often doubt that reporting an issue will lead to any meaningful outcome. This cynicism is dangerous because it breeds apathy: people may not bother to assert their information rights if they expect the regulator to do nothing. The ICO’s failure to robustly challenge government overreach during the pandemic (only acting after external pressure) likely dented public confidence further, at a time when trust in data handling was critical.[^63] If the public sees the ICO as deferential to power, they will not trust it to champion their rights when it truly counts.

In the legal sector, whistleblowing lacks formal structure—solicitors have no dedicated whistleblower regulator—yet cases regularly emerge of junior lawyers or staff attempting to expose wrongdoing within firms. When these individuals observe the SRA failing to act decisively on their reports, it profoundly discourages others from speaking up.

Consider the common scenario: a solicitor witnesses colleagues breaching client confidentiality or court duties and reports these violations to the SRA, only to see the regulator quietly drop the matter without meaningful action. That solicitor—and peers who observe this outcome—naturally conclude that ‘nothing will be done’ even when serious violations are reported through proper channels. The SRA thus inadvertently reinforces a culture of silence and tolerance for ethical lapses throughout the profession.

Public trust in the entire legal regulatory framework can be severely damaged when high-profile failures receive media attention. The Axiom Ince scandal, where tens of millions of pounds vanished under the SRA’s ineffective oversight, has substantially eroded public confidence that ‘regulators will protect clients from rogue lawyers’. The Legal Services Consumer Panel explicitly warned that this case has ‘shaken the very foundation of trust that underpins the legal profession’.[^64]

At its core, clients reasonably expect that if a law firm engages in serious misconduct, the regulator will detect and intervene before catastrophic harm occurs. The SRA’s repeated failures to meet this basic expectation have betrayed this fundamental trust—and restoring it will require far more than incremental reforms to the current system.

For the financial sector, public trust in the regulator is arguably at an all-time low. The series of financial scandals since the 2008 crisis – mis-selling of insurance, interest-rate hedging frauds on small businesses, investment scams, banking IT failures, and more – have often revealed the FCA either as unaware or impotent until after the fact. Many consumers harmed by these events feel the FCA is ‘not on their side’. A vivid encapsulation from the parliamentary report was that people see the FCA as ‘incompetent at best, dishonest at worst’.[^65] Such an image is devastating for a regulator whose very legitimacy rests on being a trusted referee in the market. The FCA’s perceived hostility or indifference to whistleblowers particularly undercuts trust: if even insiders trying to help are mistreated, why would the average consumer believe the FCA truly has their back? Additionally, the UK’s broader framework for whistleblowing (the Public Interest Disclosure Act) is viewed as weak – it offers limited protection and no rewards, unlike stronger regimes elsewhere. Regulators like the FCA and SRA have done little to proactively champion improvements in whistleblower protection, despite being well-placed to advocate for those who expose wrongdoing in their sectors. By contrast, regulators in the US (such as the SEC) actively encourage whistleblowing and have paid substantial bounties to whistleblowers whose information leads to enforcement actions, signalling a culture of appreciation for truth-tellers. The UK’s lagging approach means misconduct is more likely to stay hidden, and when it eventually surfaces, the damage (financial or otherwise) to the public is greater. In financial services, this has translated into scandals that destroy ordinary people’s savings or businesses, each one chipping away at public trust in the system and the notion of fair play. 
If neither the fear of the regulator nor the voice of internal whistleblowers stops these travesties, people reasonably ask: what is the point of the regulator at all?

In sum, the failures of the ICO, SRA, and FCA have broad social costs. Whistleblowers who are not protected become cautionary tales, deterring others from speaking out. Consumers and citizens who see regulators failing to act lose trust not only in those agencies but in the rule of law in those domains – be it data rights, legal justice, or financial fairness. These trends support the argument that mere tinkering with the existing bodies may not suffice; rather, fundamental reform or replacement is needed to rebuild integrity and confidence.


Case Studies: When Watchdogs Fail to Bite

To illustrate the above points in concrete terms, this section highlights a few recent scandals and case studies where these regulators manifestly failed to act decisively, despite clear signs of trouble. Each case underscores the need for stronger regulatory frameworks:

Data Protection Scandal – Government COVID-19 Data Handling: As mentioned earlier, in mid-2020 the UK government rolled out the COVID ‘Test and Trace’ programme at breakneck speed. It collected personal health data on millions of citizens. However, it emerged that the Department of Health had not conducted a legally mandated Data Protection Impact Assessment (DPIA) for the programme, a basic GDPR requirement to identify and mitigate privacy risks.[^66] This was a flagrant breach of data protection law by a government body. The ICO’s response was strikingly muted. Rather than immediately issuing an enforcement notice or fine for non-compliance, the Information Commissioner’s Office initially remained quiet, even as privacy groups raised alarms. Only after the Open Rights Group forced the government to admit the failure, and MPs wrote to the ICO, did the Commissioner publicly acknowledge the issue.[^67] Even then, the thrust of the ICO’s action was to ‘demand that the government change the programme’, with the threat of considering a fine if it failed to improve.[^68] In effect, the ICO gave the government a free pass to remedy its mistake belatedly. No financial penalty was ultimately imposed, despite the seriousness of the breach. This leniency prompted MPs to rebuke the ICO for ‘failing to hold the government to account’.[^69] The incident laid bare a double standard – had a private company of similar scale ignored such a key GDPR requirement, it almost certainly would have faced a hefty fine. The ICO’s kid-gloves treatment of the government not only undermined the principle that no one is above the law, but also potentially jeopardised public health efforts (since trust in Test and Trace was crucial for compliance, and privacy missteps can erode that trust). The case supports the view that the ICO is unwilling to confront powerful offenders, reinforcing calls for an oversight regime that can ensure even governmental bodies face consequences for data misuse.

Legal Sector Scandal – Axiom Ince and SRA Inaction: The collapse of Axiom Ince in 2022–2023 is a vivid case of regulatory failure in the legal domain. Axiom was a law firm that grew rapidly by acquiring other firms, but behind the scenes, one of its partners was misappropriating client funds on a massive scale (tens of millions of pounds). There were warning signs: complaints and internal red flags had been signalled to the SRA as early as 2021, according to subsequent investigations.[^70] Yet the SRA did not move decisively until August 2022, when it finally intervened and shut down Axiom – by then, the horse had bolted and £64m of client money was gone.[^71] An independent review by Carson McDowell (commissioned by the Legal Services Board) found that the SRA had multiple opportunities to act sooner but failed to do so.[^72] For example, the SRA had been informed of irregular practices and could have placed restrictions or conducted an earlier forensic investigation, potentially preventing further losses. The review concluded the SRA ‘did not take all the steps it could or should have taken’, and that its omissions necessitated procedural changes to avoid a repeat.[^73] The fallout has been severe: not only did clients lose money (eventually to be compensated by the profession’s Compensation Fund, which is funded by other law firms), but trust in regulatory safeguards was badly damaged.[^74] Honest solicitors are now paying the price via increased contributions to replenish the Compensation Fund,[^75] while the reputation of the profession suffers. This case exemplifies the danger of regulatory tardiness – by the time the watchdog reacted, the harm was done. It raises the question of whether a different regulatory structure (for instance, one with more real-time monitoring of client accounts or an inspectorate function) could have caught the malfeasance earlier. 
It also spotlights governance issues: the Legal Services Board (LSB), which oversees the SRA, had to commission the independent review, indicating that the usual oversight mechanisms failed to detect the SRA’s shortcomings until after the crisis. The LSB is now insisting that the SRA ‘puts its house in order’ and focuses on core responsibilities.[^76] While reforms may be forthcoming, some argue that an even more radical rethink is needed – possibly replacing the SRA with a new body or at least stripping some of its functions (like intervention in firms) to a specialist agency that can act faster. The Axiom scandal thus fuels the argument for dismantling or fundamentally reforming a regulator that did too little, too late.

Financial Scandals – LCF, GRG and Others under the FCA’s Watch: We have already discussed London Capital & Finance (LCF) and the RBS GRG saga, which are two of the most glaring black marks on the FCA’s record. To briefly recap: in LCF’s case, the FCA’s hands-off approach with an authorised firm running an unauthorised investment scheme allowed a £237m investor loss to occur,[^77] leading a judge to describe the FCA’s oversight gaps in unsparing terms.[^78] In the RBS GRG case, even evidence of systematic mistreatment of small business clients elicited zero enforcement action – a decision widely condemned as a whitewash.[^79] These are far from the only examples. Another prominent case was the Woodford Equity Income Fund collapse in 2019. Neil Woodford was a star fund manager whose flagship fund froze and imploded due to liquidity issues, locking hundreds of thousands of investors out of their savings. The FCA had authorised the fund and was responsible for supervising its manager; many argue it should have spotted the liquidity mismatch (illiquid assets in a fund promising daily withdrawals) and intervened earlier. A subsequent review by the FCA (and critiques by the Treasury Select Committee) highlighted that the FCA’s oversight was insufficient and that its rules needed tightening to prevent such failures. Yet again, the pattern is of after-the-fact fixes rather than timely prevention. There’s also the case of Blackmore Bond, another mini-bond scheme that collapsed in 2020, where the FCA had been warned by third parties about the firm’s dubious practices but took no substantive action before it failed. In peer-to-peer lending, several platforms went bust in the late 2010s with minimal regulatory interference. Across these examples, common themes emerge: complaints and warnings were plentiful, but effective regulatory action was absent. 
Only when losses became public scandals did investigations and reports occur, often recommending reforms that arguably should have been in place already. The cumulative effect of these episodes has been numerous independent reviews (Gloster on LCF, Parker on Connaught, etc.) all effectively saying the FCA must improve. It begins to strain credulity that simply tweaking the same organisation can yield different results; hence, voices including the APPG have called for a fundamental shake-up, even considering replacing the FCA if necessary.[^80] When a regulator is so roundly criticised by lawmakers as ‘not fit for purpose’, the option of starting anew comes onto the table. Indeed, the APPG report recommended significant structural changes, such as creating a new Financial Services Tribunal to allow victims to challenge the FCA’s decisions (or indecisions) – a clear sign that confidence in the FCA’s internal governance has collapsed. These case studies reinforce that the status quo is untenable. They show real people – small investors, entrepreneurs, ordinary citizens – suffering severe harm because regulators did not do their jobs adequately. In a very real sense, the public has been paying the price for regulatory ineffectiveness. This bolsters the case for dramatic public policy intervention: rather than hoping these watchdogs will grow teeth, perhaps it is time to put them down and breed new ones with the necessary bite.


Comparative Perspectives: Better Regulatory Models in Other Democracies

If the ICO, SRA, and FCA are failing, what might more effective frameworks look like? To answer this, it is instructive to look at how other democratic countries regulate similar domains. While no system is perfect, several jurisdictions offer examples of stronger enforcement cultures, greater accountability, and innovative mechanisms to protect the public interest. Below we examine a few comparisons – in data protection, legal services, and financial regulation – that could inform the UK debate:

Data Protection – EU Countries and Canada: Within Europe, all countries operate under the same basic GDPR framework as the UK (which adopted GDPR before Brexit and retained equivalent laws). However, enforcement varies. For instance, France’s CNIL (National Commission on Informatics and Liberty) has developed a reputation for assertiveness – it issued a €50 million fine against Google in 2019 for lack of transparency and valid consent in ads, one of the first major GDPR fines. Ireland’s Data Protection Commission (DPC), regulating many Big Tech companies’ EU headquarters, was initially slower, but under the pressure of the European Data Protection Board it delivered record fines in 2022–2023 (such as a €405m fine against Instagram and €1.2bn against Meta for various violations). These show that hefty, dissuasive penalties are possible within the GDPR toolkit – something the ICO has yet to truly emulate (the ICO’s largest GDPR-era fines, for British Airways and Marriott after their data breaches, were around £20m each after reductions, significantly less than EU counterparts initially proposed). Outside Europe, Canada’s Privacy Commissioner provides an interesting model: while historically lacking fining powers, the Commissioner conducts rigorous investigations and publicly reports findings, often naming and shaming offending organisations. Canada is now moving toward giving its privacy regulator power to levy significant penalties through a specialised Data Tribunal, improving enforcement teeth while maintaining oversight checks. The broader point is that many jurisdictions have found ways to improve accountability in data regulation – through either stronger sanctions or multi-layer oversight – whereas the UK’s ICO remains comparatively weak and deferential. 
Notably, the European Union has also enacted a Whistleblowing Directive (2019) requiring member states to implement robust protections for whistleblowers (including confidential reporting channels and anti-retaliation measures), a development the UK has not mirrored since leaving the EU. This means that, across much of Europe, individuals who expose data abuses (or other wrongdoing) will gain greater safeguards, which in turn will bolster regulatory enforcement as more violations come to light. The UK risks falling behind if it does not similarly empower whistleblowers and its data regulator.

Legal Services Regulation – Australia and Scandinavia: Different countries take varied approaches to regulating lawyers, but some offer more transparent and independent models than the SRA. In Australia, each state has a Legal Services Commissioner or equivalent body that handles complaints against lawyers. For example, New South Wales has an Office of the Legal Services Commissioner, a public official independent of the law society, with powers to investigate misconduct and refer serious cases to a tribunal. These offices are government-funded and emphasise consumer protection. The fact that they are not funded by the legal profession helps avoid the conflict of interest that the SRA faces. Moreover, their proceedings are relatively open; disciplinary hearings in serious cases are often public, and outcomes (including names of errant lawyers) are published, aiding transparency. Australia has also been willing to undertake searching reviews of its regulatory frameworks – notably the 2018 Royal Commission into financial sector misconduct also touched on legal advice issues in banks, prompting introspection on whether legal regulators were doing enough. In Canada, provincial law societies still largely self-regulate, but there is public representation on their governing boards and independent ombudsmen in some provinces to handle complaints. Some provinces (like Ontario) have debated breaking up the law society’s dual role by creating an independent public regulator of lawyers – a reform paralleling what the SRA was supposed to achieve in 2007. Scandinavian countries tend to have strong state oversight of professional conduct. For instance, Sweden and Norway have disciplinary boards for lawyers that operate with government authority. In Norway, the Supervisory Council for Legal Practice and a Disciplinary Board (with members appointed by the Ministry of Justice) handle misconduct, ensuring a degree of external accountability beyond the bar association. 
These comparative examples suggest that placing legal regulators truly at arm’s length from the profession and injecting public accountability into their governance results in swifter action and greater public confidence. It is telling that the Law Society of England and Wales – effectively the solicitors’ trade body – felt compelled to publicly criticise the SRA over the Axiom Ince affair;[^81] in a better system, an independent overseer or minister would already have intervened long before such a debacle. Moving to a model where a public authority (not a profession-funded entity) regulates lawyers could help realign the focus on consumer protection and make the process more transparent.

Financial Regulation – United States, EU and Australia: Financial markets are complex, but the UK’s peer jurisdictions have generally adopted tougher stances on enforcement and clearer accountability mechanisms for regulators. The United States, with its Securities and Exchange Commission (SEC) and other agencies, is often cited for its vigorous enforcement. The SEC routinely brings hundreds of enforcement actions each year and imposes penalties numbering in the billions of dollars, far outstripping the FCA’s activity.[^82] Of course, the US market is larger, but even proportionally the SEC is more aggressive. Crucially, the US has a culture of individual accountability: executives found culpable in wrongdoing are frequently personally charged or fined by regulators or prosecutors. The UK has been slower to hold individuals to account (witness how few bankers faced serious consequences after the 2008 crisis, compared to the US where many were prosecuted or banned). The US also has the False Claims Act and Dodd-Frank Act whistleblower reward programmes, which have incentivised insiders to report misconduct (the SEC’s whistleblower program has paid out hundreds of millions of dollars in rewards, underscoring its commitment to acting on tip-offs). The European Union in recent years has pushed for stronger financial oversight through institutions like the European Banking Authority and national regulators empowered by EU-wide rules. For example, EU regulations on money laundering require strict action and public disclosure of banks’ failings. 
Some European regulators have not hesitated to issue record fines: Sweden’s Financial Supervisory Authority levied a record 4 billion kronor fine (approximately $386 million) on Swedbank in 2020 for serious anti-money-laundering deficiencies,[^83] explicitly calling out the bank for withholding information and emphasising the ‘serious, systematic shortcomings’ in its compliance.[^84] This decisive action, coupled with the forcing out of the bank’s CEO and board, sent a strong message and helped restore confidence. By contrast, the UK’s approach to comparable scandals (e.g. HSBC’s money-laundering lapses in the 2010s) was less forceful, often coordinating with US authorities rather than leading the charge. Australia, following its 2018 Royal Commission into Financial Misconduct, undertook substantial reforms to reinvigorate its regulators. The Australian Securities and Investments Commission (ASIC) adopted a ‘why not litigate?’ enforcement stance – essentially a presumption to take wrongdoers to court unless there’s good reason not to. Perhaps most innovatively, Australia created a new oversight body, the Financial Regulator Assessment Authority (FRAA), in 2021. The FRAA’s mandate is to ‘assess and report on the effectiveness and capability’ of ASIC and the Prudential Regulation Authority on a regular cycle.[^85] This was a direct response to concerns that regulators had been complacent or too cosy with industry. The FRAA provides independent scrutiny – reporting to Parliament on whether the regulators are doing their job – thereby adding a layer of meta-accountability. While the FRAA doesn’t handle individual complaints, it shines a light on systemic regulator performance.[^86] This kind of mechanism is precisely what the UK lacks. Currently, if the FCA (or SRA or ICO) underperforms, only ad hoc inquiries or parliamentary committee sessions may call them out, and these often occur after disasters. 
A standing body like FRAA (or stronger parliamentary oversight committees dedicated to regulatory performance) could ensure continuous accountability. In summary, other democracies show the value of strong enforcement culture, encouragement of whistleblowers, and oversight of the regulators themselves. The UK could adapt these lessons: for example, by establishing a supervisory authority to monitor and audit the performance of bodies like the FCA and ICO, by instituting clearer legal duties on regulators to act in the public interest with defined service standards, and by empowering courts or tribunals to review a regulator’s failure to act when harm results. The comparative analysis reinforces that the UK is an outlier in allowing its watchdogs to remain toothless for so long.


Recommendations for Replacement and Reform

Given the evidence of persistent failure, mere incremental reforms to the ICO, SRA, and FCA may not suffice. Bold public policy changes are required to dismantle or radically overhaul these bodies and replace them with frameworks that have genuine bite, transparency, and accountability. Below are key recommendations for a new model:

1. Establish Truly Independent Regulators with Clear Public-Interest Mandates

Any successor regulatory bodies must be fundamentally designed to prioritise the public interest over industry or political pressures. This requires comprehensive reform of both funding structures and governance mechanisms:

For the ICO:

  • Transform from a small agency dependent on government goodwill into a robust Independent Commission
  • Establish a multi-member board appointed by and directly accountable to Parliament (not ministers)
  • Create a secure funding mechanism (e.g., a levy on large data controllers or charges on FOI-obligated bodies)
  • Eliminate annual Treasury negotiations to ensure financial independence
  • Empower the Commission to challenge government departments without fear of budgetary retaliation

For legal regulation:

  • Replace the SRA with a new Legal Services Commission entirely separate from the Law Society
  • Ensure a majority of non-lawyer board members to represent consumer interests
  • Implement mixed funding through both lawyer levies (maintaining the ‘polluter pays’ principle) and public funding
  • Structure the financial model to prevent the legal profession from wielding budget influence to weaken regulatory oversight
  • Create statutory protection against industry capture

For financial regulation:

  • Consider splitting the FCA’s consumer protection function into a dedicated Financial Consumer Protection Agency (similar to the US Consumer Financial Protection Bureau)
  • Give this new body singular focus on defending retail customers against financial misconduct
  • Have it operate alongside a more focused markets regulator with separate leadership and governance
  • Alternatively, if retaining the FCA as a single entity, Parliament should legislatively sharpen its mandate
  • Explicitly specify that proactive prevention of misconduct and consumer protection are primary statutory objectives
  • Legally bind executive performance evaluations and compensation to measurable progress on these objectives

2. Strengthen Enforcement Powers and Willingness to Use Them: A regulator is only as effective as its willingness to enforce. The new frameworks must embed a ‘credible deterrence’ philosophy. Concretely, this could involve setting minimum enforcement expectations in law. For example, if a certain volume of serious complaints is upheld, the regulator should be obliged to issue a public enforcement notice or fine except in extraordinary circumstances. Regulators should be given enhanced powers where needed: the ICO might need civil penalty powers for FOI breaches by public bodies (currently it can issue practice recommendations, but perhaps fines for egregious FOI delays would spur compliance). The SRA’s successor should have the power to intervene in law firms more readily and impose higher on-the-spot fines for misconduct (with tribunal appeal available to ensure fairness). The FCA should be empowered to pursue criminal charges for financial crime and fraud more frequently, not leaving everything to the Serious Fraud Office. Just as important is fostering an internal culture that is not risk-averse. This may require leadership changes and an infusion of personnel from prosecutorial backgrounds. A specific recommendation could be to adopt ASIC’s mantra of ‘why not litigate’: regulators should err on the side of taking formal action. To support this, their legal immunities could be clarified so they don’t fear being sued by firms for aggressive enforcement done in good faith. Government and Parliament should signal strong political backing for tougher enforcement, so regulators feel confident even when pursuing powerful actors.

3. Embed Transparency at Every Level: The new regulatory frameworks must reject the secrecy and opacity of the past. Key decisions and processes should be open to public scrutiny. This includes publishing detailed reasons for enforcement (or non-enforcement) decisions, regularly reporting statistics on complaints and outcomes, and holding some hearings in public. For instance, a Legal Services Commission could hold public disciplinary tribunals (as many professional regulators do for doctors and others), so that justice is seen to be done. The FCA’s replacement could be required to publish, each year, a list of the types of cases where it decided not to act, summarising why – allowing external observers to spot patterns of inaction. Freedom of Information law should apply fully to these regulators (with appropriate safeguards for ongoing investigations) to enable journalists and citizens to query their work. Transparency builds trust: if the public can see what the regulators are doing, it’s harder for failures to fester in darkness. Moreover, sunlight on their activities creates pressure to perform – no regulator wants to publish that it took zero actions on thousands of complaints (a situation that has happened, as seen with the ICO’s statistics).[^87] Therefore, mandating comprehensive public reporting and openness is key.

4. Enhance Whistleblower Protections and Engagement: Whistleblowers are invaluable allies in enforcement. Any new framework should supercharge whistleblower support. This means the regulators must have dedicated, well-resourced whistleblowing units that promptly act on tips and protect whistleblowers from retaliation. Legally, the UK could introduce its own version of the EU directive – extending and strengthening the current whistleblower protection law. The regulators should be explicitly tasked with monitoring how firms treat whistleblowers. For example, the FCA (or its successor) could require annual reports from financial firms on whistleblowing cases (this was done to some extent after the Barclays incident, but it should be broader and accompanied by surprise audits of whistleblower handling in firms). There should be a safe channel for whistleblowers to report misconduct about the regulators themselves – e.g. if an FCA staff member sees an investigation being improperly dropped, they should have a route to an independent authority like an Ombudsman or Parliamentary committee. Additionally, the UK should consider incentivising whistleblowers, at least in financial cases – perhaps a modest bounty system for information leading to successful enforcement (not necessarily multi-million rewards like the US, but enough to signal appreciation). Regulators must publicly celebrate whistleblowers’ contributions (in anonymised ways) to signal cultural change. By turning whistleblowers from pariahs into partners, the regulators can vastly multiply their eyes and ears on the ground, and thus catch problems earlier.

5. Create Enforceable Oversight of the Regulators Themselves: A crucial reform is to ensure that regulators cannot fall into prolonged dysfunction without corrective intervention. This calls for a robust oversight mechanism. One recommendation is to establish a body akin to Australia’s FRAA in the UK – an Independent Regulatory Oversight Commission – tasked with periodically reviewing the effectiveness of major regulators (including the ICO, legal services regulator, and FCA). Such a commission would report to Parliament on whether these bodies are meeting their statutory objectives and where they are failing. Its reports should be public and debated by lawmakers, ensuring that issues are aired. Another complementary mechanism is to empower stakeholders to challenge regulatory inertia. For instance, introduce a right for an affected party (e.g. a group of consumers, or a civil society organisation) to apply for a judicial review or tribunal hearing if a regulator unreasonably fails to act on a significant issue. Currently, it’s very difficult to force a regulator’s hand – courts have been reluctant to second-guess regulatory discretion. A reform could be to legislate specific circumstances under which a court can direct a regulator to reconsider a decision not to enforce (without dictating the outcome). This would keep regulators on notice that total inaction in the face of clear evidence is not an option. Internally, regulators should have independent review or audit functions – for example, an Office of the Inspector General within the regulator that reports on missteps and how complaints were handled. Finally, accountability can be reinforced by aligning incentives: the leadership of these bodies should have performance metrics tied to outcomes like consumer compensation delivered, reduction in breaches, and stakeholder trust surveys – not just industry feedback. If those metrics aren’t met, there should be consequences (up to replacement of leadership). 
Parliamentary committees should conduct annual hearings specifically on regulatory performance, calling in not just the agency heads but also representatives of consumer groups, whistleblowers, and independent experts to provide a full picture. In essence, the regulators must know that someone is watching the watchdog in an ongoing way.

6. Foster a Proactive, Preventative Approach through Regulatory Innovation: The replacement bodies should not simply wait for complaints to react to; they must actively scan for risks and head off systemic problems. This can be achieved by equipping them with modern tools and mandates for preventative oversight. For example, the ICO’s successor could deploy ‘ethical hackers’ or data auditors to spot major data protection risks in industries (rather than only investigating after leaks occur). The legal regulator could institute random audits of law firms’ client account management to detect financial irregularities early (something the SRA has done to some extent, but it could be more frequent and unpredictable). The financial regulator should harness technology to analyse market data and consumer transactions for red flags (e.g. unusual investment products being mass-marketed) and intervene sooner. A cultural shift is needed from passive regulation to ‘preventive policing’ of the sector. This may also involve closer collaboration with other enforcement agencies (police, fraud offices, ombudsmen) to tackle problems holistically. For instance, if multiple complaints of a certain type of mis-selling arise, the regulator should not only enforce but also issue rapid alerts to the public and require industry-wide action to rectify the issue. In terms of structure, the regulators could adopt a more regional presence (offices around the country to hear local issues, rather than a London-centric approach) and be required to engage regularly with consumer advocacy groups, whistleblower support groups, and the general public to keep their finger on the pulse. By being closer to the ground, they can act faster. This preventative, collaborative model would mark a departure from the often aloof and reactive stance of the current ICO, SRA, and FCA.

Implementing these recommendations would likely require new legislation – for instance, a new Data Rights Authority Act, Legal Services Regulation Act, and Financial Regulation Reform Act – to create the new bodies and lay down their mandates and accountability frameworks. It is a significant undertaking, but the payoff would be regulators that command respect and fear in equal measure: respect from the public due to their integrity and transparency, and fear from wrongdoers due to their resolve and powers.


Conclusion

The ICO, SRA, and FCA were created with laudable aims: to uphold information rights, ensure lawyers’ integrity, and keep finance fair and safe. Yet as this analysis has detailed, each has earned the moniker of ‘toothless watchdog’ through years of under-performance and under-enforcement. From the ICO’s hesitancy to challenge government data abuses,[^88] to the SRA’s slow-motion response to solicitors’ misconduct that cost clients millions,[^89] to the FCA’s pattern of waking up only after consumers have been scammed and whistleblowers marginalised[^90] – the record is one of systemic failure. This not only harms those directly affected by each scandal, but also undermines the rule of law and public trust in regulation. A watchdog that neither bites nor barks might as well not exist, or worse, it gives a false sense of security while problems multiply.

The evidence and comparative perspectives strongly suggest that tinkering at the margins (the occasional leadership change, or new strategic plan) is insufficient. What is needed is a bold reset: dismantling or fundamentally restructuring these regulators to instil genuine accountability, transparency, and effectiveness. Other democracies have shown that with the right reforms – clear mandates, independence, resources, and oversight – regulators can and do hold even the most powerful to account, whether it’s global tech firms, top lawyers, or big banks. The UK owes its public no less.

Dismantling entrenched institutions is never easy, and creating new frameworks will require political will and careful design. But the cost of inaction is higher: continued regulatory failures will lead to more scandals, more whistleblowers silenced, more public disillusionment. It is time to replace the toothless watchdogs with regulators that have both bark and bite. By implementing the kind of changes outlined – from stronger enforcement powers and whistleblower protections to independent oversight of the regulators themselves – the UK can forge a model of regulation that truly serves the public interest. In the long run, effective watchdogs not only punish wrongdoing but also deter it, leading to cleaner conduct across the board. The dismantling and rebuilding of the ICO, SRA, and FCA on these principles would mark a new era of institutional accountability in Britain – one in which the watchdogs finally have teeth.


Bibliography

All-Party Parliamentary Group on Fair Business Banking, ‘The FCA: Fit for Purpose?’ (November 2024)

Dame Elizabeth Gloster, ‘Report of the Independent Investigation into the Financial Conduct Authority’s Regulation of London Capital & Finance plc’ (December 2020)

Data Protection Act 1984

Financial Conduct Authority, ‘2024 Fines’ (December 2024)

Financial Conduct Authority, ‘About the FCA’ (FCA, 2024)

Financial Conduct Authority, ‘Funding’ (FCA, 2024)

Financial Regulator Assessment Authority (Australia), About FRAA (2021)

Financial Services Act 2012

Freedom of Information Act 2000

Information Commissioner’s Office, ‘About the ICO’ (ICO, 2024)

Information Commissioner’s Office, ‘Our History’ (ICO, 2023)

John Barwell, ‘SRA Regulatory Failures’ (LinkedIn, January 2024)

Law Society (Press Release), ‘Independent review needed by the SRA to improve consumer protection’ (29 October 2024)

Legal Futures, ‘Criticism rains down on SRA’ (30 October 2024)

Legal Services Act 2007

Legal Services Consumer Panel, ‘Statement on the Axiom Ince Review’ (November 2024)

Open Rights Group, ‘The ICO Isn’t Working and How Parliament Can Fix It’ (March 2024)

Pinsent Masons, ‘FCA enforcement report indicates shift towards data-driven interventions’ (September 2024)

Reuters, ‘Swedbank hit with record $386 million fine’ (19 March 2020)

Reuters, ‘UK’s FCA failed to properly regulate collapsed LCF fund, says report’ (17 December 2020)

Securities and Exchange Commission, ‘Annual Report 2023’ (SEC, 2023)

Solicitors Regulation Authority, ‘Our Purpose’ (SRA, 2024)

Solicitors Regulation Authority, ‘Who We Regulate’ (SRA, 2024)

The Guardian, ‘Barclays hit with $15m fine over attempts to unmask whistleblower’ (18 December 2018)

The Guardian, ‘FCA is “incompetent at best, dishonest at worst”, claim MPs and peers’ (25 November 2024)

The Guardian, ‘FCA report into RBS called a “complete whitewash” by critics’ (13 June 2019)

The Guardian, ‘MPs criticise privacy watchdog over NHS test-and-trace data’ (21 August 2020)

UCL Centre for Ethics and Law, ‘Regulatory Funding Models and Independence’ (UCL, 2023)

URM Consulting, ‘Analysis of Fines Imposed by the Information Commissioner’s Office in 2024’ (January 2025)

[^1]: The Guardian, ‘FCA is “incompetent at best, dishonest at worst”, claim MPs and peers’ (25 November 2024).

[^2]: Data Protection Act 1984.

[^3]: Information Commissioner’s Office, ‘Our History’ (ICO, 2023).

[^4]: Freedom of Information Act 2000.

[^5]: Information Commissioner’s Office, ‘About the ICO’ (ICO, 2024).

[^6]: Legal Services Act 2007.

[^7]: Solicitors Regulation Authority, ‘Our Purpose’ (SRA, 2024).

[^8]: Solicitors Regulation Authority, ‘Who We Regulate’ (SRA, 2024).

[^9]: Financial Services Act 2012.

[^10]: ibid s 6.

[^11]: Financial Conduct Authority, ‘About the FCA’ (FCA, 2024).

[^12]: ibid.

[^13]: Open Rights Group, ‘The ICO Isn’t Working and How Parliament Can Fix It’ (March 2024).

[^14]: URM Consulting, ‘Analysis of Fines Imposed by the Information Commissioner’s Office in 2024’ (January 2025).

[^15]: The Guardian, ‘MPs criticise privacy watchdog over NHS test-and-trace data’ (21 August 2020).

[^16]: ibid.

[^17]: Law Society (Press Release), ‘Independent review needed by the SRA to improve consumer protection’ (29 October 2024).

[^18]: ibid.

[^19]: ibid.

[^20]: Legal Futures, ‘Criticism rains down on SRA’ (30 October 2024).

[^21]: ibid.

[^22]: John Barwell, ‘SRA Regulatory Failures’ (LinkedIn, January 2024).

[^23]: ibid.

[^24]: UCL Centre for Ethics and Law, ‘Regulatory Funding Models and Independence’ (UCL, 2023).

[^25]: ibid.

[^26]: All-Party Parliamentary Group on Fair Business Banking, ‘The FCA: Fit for Purpose?’ (November 2024).

[^27]: ibid.

[^28]: ibid.

[^29]: Pinsent Masons, ‘FCA enforcement report indicates shift towards data-driven interventions’ (September 2024).

[^30]: Financial Conduct Authority, ‘2024 Fines’ (December 2024).

[^31]: Reuters, ‘UK’s FCA failed to properly regulate collapsed LCF fund, says report’ (17 December 2020).

[^32]: ibid.

[^33]: Dame Elizabeth Gloster, ‘Report of the Independent Investigation into the Financial Conduct Authority’s Regulation of London Capital & Finance plc’ (December 2020).

[^34]: The Guardian, ‘FCA report into RBS called a “complete whitewash” by critics’ (13 June 2019).

[^35]: ibid.

[^36]: ibid.

[^37]: Securities and Exchange Commission, ‘Annual Report 2023’ (SEC, 2023).

[^39]: The Guardian, ‘MPs criticise privacy watchdog over NHS test-and-trace data’ (21 August 2020).

[^40]: ibid.

[^41]: Jim Killock, ‘ICO and Test & Trace: Rotten at the Core?’ (Open Rights Group, August 2020).

[^42]: Open Rights Group (n 13).

[^43]: ibid.

[^44]: ibid.

[^45]: Legal Futures (n 20).

[^46]: ibid.

[^47]: Financial Conduct Authority, ‘Funding’ (FCA, 2024).

[^48]: All-Party Parliamentary Group on Fair Business Banking (n 26).

[^49]: ibid.

[^50]: ibid.

[^51]: ibid.

[^52]: Data Protection Practitioner, ‘My Experience with ICO Complaints’ (LinkedIn, February 2024).

[^53]: Open Rights Group (n 13).

[^54]: John Barwell (n 22).

[^55]: Law Society (Press Release) (n 17).

[^56]: Legal Services Consumer Panel, ‘Statement on the Axiom Ince Review’ (November 2024).

[^57]: ibid.

[^58]: All-Party Parliamentary Group on Fair Business Banking (n 26).

[^59]: ibid.

[^60]: ibid.

[^61]: The Guardian, ‘Barclays hit with $15m fine over attempts to unmask whistleblower’ (18 December 2018).

[^62]: Financial Conduct Authority, ‘Whistleblowing: A New Approach’ (FCA Press Release, May 2021).

[^63]: The Guardian (n 15).

[^64]: Legal Services Consumer Panel (n 56).

[^65]: All-Party Parliamentary Group on Fair Business Banking (n 26).

[^66]: The Guardian (n 15).

[^67]: ibid.

[^68]: ibid.

[^69]: ibid.

[^70]: Law Society (Press Release) (n 17).

[^71]: ibid.

[^72]: ibid.

[^73]: ibid.

[^74]: Legal Futures (n 20).

[^75]: ibid.

[^76]: ibid.

[^77]: Reuters (n 31).

[^78]: Dame Elizabeth Gloster (n 33).

[^79]: The Guardian (n 34).

[^80]: All-Party Parliamentary Group on Fair Business Banking (n 26).

[^81]: Legal Futures (n 20).

[^82]: Securities and Exchange Commission (n 37).

[^83]: Reuters, ‘Swedbank hit with record $386 million fine’ (19 March 2020).

[^84]: ibid.

[^85]: Financial Regulator Assessment Authority (Australia), About FRAA (2021).

[^86]: ibid.

[^87]: Open Rights Group (n 13).

[^88]: The Guardian (n 15).

[^89]: Law Society (Press Release) (n 17).

[^90]: All-Party Parliamentary Group on Fair Business Banking (n 26).
