Your CRM isn't just an admin tool — it's your compliance record. This guide explains what the FCA actually requires from your mortgage case management system and how to check yours measures up.
Written by
Charlotte BrownRole
Mortgage Industry Writer
Most mortgage advisers know they need to keep good records. But when the FCA comes knocking — or when a complaint surfaces two years after completion — the question isn't whether you kept records. It's whether your system can actually prove what happened, who decided what, and when.
That's the gap many advisers don't discover until it's too late.
Your CRM is either your best defence or your biggest liability. This guide walks through what the FCA actually requires, which regulations your case management system touches, and what to look for — or demand — when assessing whether your current setup is genuinely compliant.
In its first dedicated Mortgage Regulatory Priorities document (published March 2026), the FCA singled out record-keeping as a specific area of concern for mortgage intermediaries. Following a review of the second charge mortgage market, the regulator found that record-keeping was "sometimes incomplete, making it hard to demonstrate that advice was appropriately tailored."
The FCA's message to all mortgage advice firms was direct: review your documentation practices and quality assurance processes — not just for second charge cases, but across the board.
This matters because the same documentation standards apply whether you're advising on a first-time buyer purchase or a later-life remortgage. And with Consumer Duty now fully embedded as a regulatory expectation (since July 2023), demonstrating good outcomes at the individual case level has become harder to separate from having the right systems in place.
Two parts of the FCA rulebook are most directly relevant to how you manage and store mortgage case information.
MCOB is the core rulebook for mortgage advice. It sets out what advisers must do before, during, and after an advised sale. From a record-keeping perspective, the key requirements cover three documents that must be created at the point a personal recommendation is made:
The factfind. A record of the client's needs, circumstances, and financial position as assessed at the time of advice. This isn't just a form — it's the evidential base that justifies your recommendation.
The suitability record. Documentation showing why the recommended product was suitable for that specific client, taking into account affordability (including the effect of future rate changes), the appropriateness of the product type, and whether it was the most suitable option available to you.
The recommendation itself. A record of what was recommended, why, and what alternatives were considered or discounted.
These records must be created contemporaneously and retained for a minimum of three years from the date of the recommendation. For ongoing client relationships or cases involving long-term products, retaining them for longer is good practice.
SYSC 9 sits alongside MCOB and sets out broader requirements for how firms organise their record-keeping infrastructure. Under SYSC 9.1, firms must arrange for records to be kept that are:
In practice, this means your records cannot simply exist as PDF attachments in an email chain or handwritten notes in a filing cabinet. They need to be retrievable, auditable, and capable of demonstrating the full sequence of events in a case.
The term "FCA compliant CRM" gets used loosely in marketing material. A system isn't compliant by virtue of being designed for mortgage brokers. Compliance depends on what the system actually does — and whether you're using it correctly.
Here's what an FCA-ready case management system needs to support.
Every action taken on a case — every note added, document uploaded, status change made, or communication sent — needs to be logged with a date and time and attributed to a specific user. This is what a genuine audit trail looks like.
If your system lets you edit historical notes without flagging the change, or allows documents to be deleted without a trace, you have a problem. The FCA expects to see what happened and when. A system that lets history be rewritten silently doesn't support that.
Your factfind shouldn't live outside your case management system. If advisers are completing fact-finds in Word documents, Excel spreadsheets, or on paper before copying summary details into the CRM, you're creating a version control risk — and making it harder to demonstrate that the advice given matched the data gathered.
A well-designed system captures factfind data as structured fields. That means the information is searchable, can be audited, and — critically — the version of the factfind used to generate the recommendation is clearly linked to the recommendation itself.
Suitability letters should be generated from the data already in your system, not written from scratch in a separate document that then gets saved to the case as an attachment with no connection to the underlying record. Systems that template suitability letters from case data reduce the risk of inconsistency between what was recorded and what was communicated to the client.
The system needs to retain documents for the required minimum period and restrict who can delete or modify case records. For SYSC 9 purposes, records need to be accessible to the FCA upon request, which means they also need to be stored in a secure environment with appropriate backup and resilience.
Consumer Duty requires firms to test and evidence that customers are receiving good outcomes. For mortgage advisers, this means being able to look back across your cases and demonstrate that advice was suitable, clients understood the recommendation, and no group of clients was systematically receiving worse outcomes than others. A full guide to outcomes monitoring for mortgage firms covers what the FCA expects your annual board report to contain and where most firms fall short.
A CRM that can generate case-level outcome data and flag anomalies is a genuine asset here. One that operates as a simple document repository doesn't help you meet this obligation.
If you're not sure whether your CRM is up to scratch from a compliance standpoint, start here.
1. Can you produce a full chronological audit trail for any case, showing every action taken and by whom?
If the answer requires you to cross-reference multiple systems, email threads, or paper notes, the answer is no.
2. Are your factfinds stored within the system and linked directly to the recommendation record?
Separate documents saved as attachments aren't the same as integrated, version-controlled case data.
3. Can you demonstrate, for any completed case, that the suitability letter was generated from the same data as the recommendation?
Inconsistencies between documented circumstances and the letter provided to the client are a red flag in any file review.
4. Do your records show who made each entry and when, with no ability to silently overwrite history?
Immutable audit logs are not a nice-to-have. They're what the FCA expects.
5. Can you run reports across your case book to identify whether particular client groups, product types, or advisers are producing systematically different outcomes?
Consumer Duty requires you to be able to answer this question. Most traditional CRM tools cannot help you do it.
The FCA's own review work and the experience of compliance consultants who carry out file reviews for brokers point to a consistent set of weaknesses. These aren't obscure edge cases — they're the things that come up again and again.
Incomplete factfinds. Fields left blank, income figures without supporting notes, or circumstances that changed between application and offer with no record of how the advice was updated.
Suitability letters that don't reflect the case record. Letters that describe the client's circumstances differently from the factfind, or that omit affordability considerations that should have been documented.
No record of alternatives considered. Advised sales require documentation of why the recommended product was chosen over alternatives. If your case record simply states what was recommended without explaining why other options were ruled out, this is a gap.
Notes added retrospectively. Case notes that appear to have been written after the fact, or that lack timestamps, are a problem in any file review. This is particularly relevant if your system allows notes to be edited without tracking the amendment. Vulnerable customer documentation is another area where retrospective notes frequently fall short — for guidance on what the FCA expects, see how to identify, record and support vulnerable customers.
Documents saved outside the system. If supporting documents — payslips, bank statements, AIP letters — are stored on a shared drive rather than attached to the case record, they may not be accessible in the event of a system change, staff departure, or audit.
Cleera was built with the FCA's record-keeping expectations as a design constraint, not an afterthought. Every case has a timestamped, user-attributed activity log. Documents are stored within the case record rather than in external drives. Factfind data is structured and linked to the recommendation workflow so there's no disconnect between what was captured and what was advised.
Suitability letters are generated from case data, which means the letter reflects the record rather than being a separate document that may or may not match it.
For Consumer Duty, Cleera's reporting tools give you visibility across your case book so you can identify patterns and evidence good outcomes — rather than trying to reconstruct this picture manually when it's needed.
We don't claim compliance on your behalf. How you use the system matters as much as what the system can do. But the infrastructure is there, and it's designed around what the FCA actually looks for.
If you'd like to see how Cleera handles a specific compliance scenario — suitability record generation, audit trail retrieval, or outcome reporting — we're happy to walk through it with you. Book a demo here.
| Requirement | What Good Looks Like |
|---|---|
| Factfind storage | Structured fields within the CRM, version-controlled and linked to the recommendation |
| Suitability record | Generated from case data, timestamped, stored within the case |
| Audit trail | Chronological, user-attributed, immutable — no silent edits |
| Document retention | Stored within the system for minimum 3 years, accessible on request |
| Consumer Duty evidence | Outcome reporting across the case book, identifiable by product, adviser, or client group |
| Access controls | Role-based permissions; no ability to delete or modify records without a logged reason |
Start with a file review. Pick five recently completed cases at random and work through them against the checklist above. Can you produce a clean audit trail? Is the factfind complete and linked to the suitability record? Does the letter match what was documented?
If you find gaps, document them and address them systematically — preferably with support from a compliance consultant who knows the mortgage market. The FCA does not require perfection, but it does require that firms take a proactive approach to identifying and resolving weaknesses in their processes.
And if the gaps you find are structural — if your system simply can't produce what's needed — then the right conversation is about whether your case management software is fit for purpose. If you are also weighing up whether going directly authorised versus staying as an appointed representative changes your compliance obligations, that decision is worth understanding before you invest in new infrastructure.
We've put together a one-page checklist that covers the key requirements across MCOB, SYSC 9, and Consumer Duty — formatted so you can work through it case by case or use it to assess your current system. Download the checklist here (no email required).
The FCA's 2026 regulatory priorities make clear that record-keeping is an active area of scrutiny for mortgage intermediaries, not a background concern. Your CRM is central to meeting these obligations. It needs to support structured factfind capture, immutable audit trails, suitability letter generation from case data, appropriate document retention, and — under Consumer Duty — some capacity to evidence outcomes across your case book.
If it can't do these things, it doesn't matter how much you trust the system or how long you've been using it. The risk sits with you.
Try Cleera
Manage mortgage and protection cases together. Pipeline, branded client portal, document gathering, e-signatures, and an FCA audit trail in one place.