At first glance, the FCA’s Q4 2025 whistleblowing data looks like a routine quarterly update. Volumes are down. Only a small percentage of reports resulted in “significant action.” There are no blockbuster enforcement announcements that dominate the headlines.
But for compliance leaders and boards, this report is not about volume. It is about how whistleblowing intelligence is shaping supervision, enforcement strategy and regulatory risk profiling behind the scenes.
Lower volume, high impact
Between October and December 2025, the FCA:
- Received 281 new whistleblowing reports
- Down from 405 in Q3 2025
- Down slightly from 292 in Q4 2024
- Down from 405 in Q3 2025
- Closed 282 reports during the quarter
- Assessed 788 individual allegations
On paper, volumes are volatile and slightly reduced. But the outcome data is more revealing.
Of the 282 reports closed:
- 3% (9 reports) led to significant action
- 34% (96 reports) led to action to reduce harm
- 58% (164 reports) informed supervisory or preventative work
- 5% (13 reports) were recorded but not considered indicative of harm
It’s easy to focus on the 3%. But in reality, 92% of reports were used in regulatory activity, either through direct intervention or by informing supervisory and preventative work.
What actually are whistleblowers reporting?
The most common allegations were not obscure technical breaches. They were foundational governance issues:
- compliance failures (109 allegations)
- fitness and propriety concerns (99)
- organisational culture (67)
- systems and controls weaknesses (58)
- consumer detriment, including consumer duty-related issues
This is significant.Whistleblowers are flagging precisely the areas the FCA has repeatedly emphasised in speeches, Dear CEO letters and enforcement outcomes. They focus on culture, accountability, control frameworks and consumer protection. The data reinforces the point that internal culture and governance are now major enforcement risks.
It’s not about the 3%
Only nine reports led to what the FCA describes as “significant action”, such as enforcement investigations, section 166 skilled person reviews, or restrictions on firms or individuals.
Some commentators have suggested this explains the decline in reports. If only 3% lead to serious outcomes, potential whistleblowers may conclude the personal risk outweighs the reward. But for firms, the more important statistic is the 34% that led to harm-reduction action.
This category includes supervisory visits, information requests, attestation demands and targeted engagement with firms. These are not minor administrative responses. They are often early-stage regulatory interventions that can escalate if weaknesses are not addressed.
In practice, this means whistleblowing is directly feeding targeted supervision, risk profiling, thematic reviews and future enforcement pipelines. A firm may never see a public enforcement action but it may still experience intensified scrutiny as a result of whistleblower intelligence.
What you don’t know can still hurt you
The FCA is restricted by the Financial Services and Markets Act 2000 in what it can disclose about whistleblowing cases. This creates an asymmetry of information.
Firms may not know whether a whistleblowing report has been made, how many reports reference the same issue, whether intelligence is being aggregated across multiple sources or how concerns are influencing supervisory risk assessments.
From a risk management perspective, this matters. It increases the importance of proactive internal controls and credible internal reporting frameworks. Assume the regulator may already have more intelligence than you think.
Culture as a regulatory risk indicator
One of the interesting aspects of the Q4 data is the prominence of culture-related allegations. Culture is no longer an abstract concept but a measurable regulatory concern.
Two-thirds of whistleblowers (66%) disclosed their identity to the FCA. That is a powerful signal. It suggests employees are willing to attach their names to allegations. If staff feel compelled to bypass internal channels, the regulator may reasonably ask why. Boards should consider that question.
It is also important to remember that whistleblowing carries a parallel employment law dimension. Under the Employment Rights Act 1996, workers who make protected disclosures are shielded from detriment and dismissal. Mishandling an internal complaint can therefore generate both regulatory exposure and employment tribunal risk. In an environment where the FCA is scrutinising culture and governance, retaliation or the perception of it can amplify supervisory concern.
What should businesses take from this report?
Whistleblowing reports are shaping how firms are perceived and engaged by the regulator. They inform supervisory conversations, influence firm risk ratings, and feed directly into preventative regulatory work. A whistleblowing disclosure may never become an enforcement headline, but it can recalibrate a firm’s supervisory profile. This means that firms should approach every supervisory interaction with the understanding that it may be intelligence-driven.
This also means that governance documentation is under sharper scrutiny. Allegations relating to systems and controls or fitness and propriety go directly to the heart of SMCR accountability and consumer duty obligations. If weaknesses are suggested, regulators will want to see evidence. Firms need to ensure that records genuinely reflect challenge and oversight, that certification processes are robust and defensible, and that consumer duty monitoring is demonstrable, not just aspirational. Remedial steps should be documented promptly and clearly. If a firm is asked to attest to compliance, it must be able to substantiate that statement with contemporaneous evidence.
Internal speak-up arrangements have also evolved from a procedural requirement into a strategic control. A well-designed whistleblowing framework can serve as an early-warning system, identifying risks before they crystallise into regulatory issues. Firms should periodically review whether reporting channels are accessible and trusted, whether investigations are thorough and independent, whether response times are appropriate, and whether reporters receive meaningful feedback. Just as importantly, anti-retaliation safeguards must be credible in both policy and practice. An effective internal framework is not simply a matter of good governance. It is a core component of regulatory risk mitigation.
Cultural indicators should also be treated as compliance data rather than soft metrics. Exit interview themes, grievance patterns, conduct breaches and staff survey trust scores can all reveal underlying tensions or governance gaps. These signals often mirror the categories of concern raised with the regulator. Firms that monitor and act on these indicators internally are far better positioned to address emerging issues before they become external disclosures.
The Q4 2025 data reinforces the FCA’s current preventative, intelligence-driven, and culture-focused regulatory model. The absence of headline enforcement simply means intervention is happening earlier and more quietly.
Our whistleblowing course is designed to help employees speak out against fraud and other wrongdoing by explaining what whistleblowing means and does, and how it is protected by law. Learners will gain an understanding of whistleblowing and equip them with the knowledge they need to understand the whistleblowing process. Try it now.
