From 12 January 2026, the FCA made electronic delivery the default for certain retail disclosures derived from the Markets in Financial Instruments Directive (MiFID-derived retail disclosures).
Use this checklist to update delivery controls, customer options, and evidence for oversight.
This is a practical compliance guide for FCA-regulated organisations reviewing in-scope MiFID-derived retail disclosures.
It focuses on what to change in process, controls, and records, rather than on policy narrative.
These are the dates most firms will want in project plans, control updates, and internal sign-off.
23 October 2025 - MiFID Organisational Regulation requirements transferred into the FCA Handbook (wider package).
12 January 2026 - Durable medium definition change took effect for the relevant MiFID-derived retail disclosure requirements.
Use PS25/13, and its PDF version, as your primary reference points for scope and timing.
Disclosures in Scope
This change is focused on retail disclosures deriving from the MiFID Organisational Regulation framework now reflected in the FCA Handbook.
If your firm sends MiFID-related retail disclosures, treat digital-by-default as the starting position for those items, unless a customer requests paper or another format is more appropriate.
What are MiFID-related retail disclosures?
MiFID-related retail disclosures are the regulated documents firms must give to retail customers when providing MiFID investment services (for example, costs and charges or periodic statements). It is this type of customer-facing information that must be delivered in a durable medium.
A durable medium is an instrument that enables the recipient to store information addressed personally to them, for future reference, and reproduce it unchanged.
This definition is detailed on the FCA’s Durable medium page.
The Three Durable Medium Tests
When reviewing a channel or communication, test it against the three durable medium requirements below and record how your setup meets each one.
Personally addressed - the disclosure is delivered to the intended individual.
Storable and accessible - the individual can keep it and access it for an appropriate period.
Unchanged reproduction - the individual can reproduce the exact content you issued, and you cannot alter what was provided.
Common Durable Medium Formats
These formats can qualify, but only when the setup supports personal addressing, retention, and content integrity.
Email can meet the test when implemented with appropriate controls.
PDFs can support unchanged reproduction when version control is managed properly.
Secure websites and apps can qualify where content is personally addressed, remains accessible, and supports unchanged reproduction.
If you rely on a portal or app, make sure older versions of content remain accessible and unchanged for the appropriate period.
Delivery Controls Checklist
Use this section to review whether your digital-by-default setup is defensible as durable medium delivery.
Delivery Controls for Secure Email
Focus on identity, protection, access, and failure handling. The goal is consistent delivery that you can evidence later.
Messages are addressed to the correct recipient, with strong matching of customer identity to email address.
Sensitive disclosures are protected in transit and at rest, with appropriate encryption and access controls.
Where risk warrants it, recipient authentication is used to reduce mis-delivery and unauthorised access.
Attachments and links are controlled so clients can access and store the content, without content being changed later.
Fallback routing exists for bounces, invalid addresses, and repeated delivery failures.
Document when controls apply by default, and when teams should step up checks based on risk.
"Digital-by-default works best when secure delivery and audit trails are part of the standard disclosure workflow."
Control design should reflect the disclosure types you send most often and the delivery failures you see in practice.
Content Integrity and Version Controls
Durable medium depends on content being stable once issued. Version control is how you show that stability in practice.
Disclosures are generated from approved templates, with controlled change management.
Each issued disclosure can be tied to a version, date, and customer record.
Issued content is retained in a way that supports unchanged reproduction if challenged later.
If you use a portal or web link, older versions remain accessible, and access is personally addressed.
Paper and Alternative Format Controls
Digital-by-default still needs a clear, working route for paper and alternative formats when customers need them.
Customer journeys clearly explain that paper is available on request.
Requests for paper are recorded, actioned promptly, and visible to customer-facing teams.
Alternative formats are supported where needed, including for vulnerable customers or accessibility needs.
Channel switches are documented so you can explain why a specific method was used.
Use the lifecycle view to confirm each disclosure type has a named owner, channel, and evidence route.
Evidence and Record-Keeping Checklist
Digital-by-default is easier to defend when your records are complete and retrievable.
Minimum Evidence Pack for Each Disclosure
If challenged, you should be able to produce a simple evidence pack for the specific customer/client and disclosure without rebuilding it manually.
What - the exact disclosure content that was issued (or a verifiable copy).
Who - customer identity reference and destination address.
When - timestamp of issue and delivery attempts.
How - channel used (secure email, paper, portal), and any authentication applied.
Status - delivery outcome (delivered, bounced, failed), plus follow-up actions taken.
Aim for records that are complete, consistent, and easy to retrieve.
Retention, Retrieval, and Oversight
Decide where records sit, who can access them, and how they are retrieved when time is tight (complaints, audits, supervisory requests).
Disclosure records are retained in line with your record-keeping approach for regulated communications.
Records are searchable by customer, date, and disclosure type.
Access to logs and records is controlled, with appropriate permissions and oversight.
Export processes are defined for audits, complaints, and supervisory requests.
"Supervisory questions on durable medium usually come down to whether you can show what left the firm, who received it, and what happened next."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Those retention controls only stay credible if delivery patterns are reviewed after go-live.
Monitoring Routines
Routine monitoring turns digital-by-default into a managed process rather than a one-off setup. At a minimum, confirm that:
Bounce reports and invalid addresses are reviewed routinely.
Delivery failures trigger a defined follow-up path, including channel switching where appropriate.
Teams review engagement patterns that may indicate customers are not receiving key information, and act accordingly.
Implementation Checklist
This section is designed to help Compliance, Operations, IT, and customer-facing leaders run the change as a short project plan.
Step-by-Step Actions
Map disclosures - list MiFID-derived retail disclosures you send, and note channel and system owner.
Confirm durable medium approach - document how each disclosure meets the three tests in practice.
Update preference journeys - set digital as the default for in-scope items, with clear paper options.
Harden delivery controls - introduce encryption, access controls, and authentication where risk warrants it.
Define failure handling - bounces, incorrect emails, and repeated non-delivery must trigger action.
Make sure archiving is robust - delivery evidence and disclosure copies are retained and retrievable.
Train teams - give front-line staff a short script and escalation route for channel issues.
Run a sample audit - test whether you can produce the minimum evidence pack within a reasonable timeframe.
It may help to assign an owner for each step and capture decisions so the approach stays consistent across teams.
Suggested Customer Wording
You may use the suggested wording below as a starting point for preference centres, onboarding, and disclosure emails:
Example Durable Medium Information for Customers
Digital-by-default notice: We will send certain important documents to you electronically as standard.
Paper option: You can ask for paper copies at any time, and we will provide them.
Keeping records: Please save copies of documents for your future reference.
You can tailor the wording to your products and customer journey, and as always, do your own due diligence checks - this is not legal advice.
Secure Email as a Practical Delivery Option
For many organisations, secure email is a straightforward way to support digital-by-default delivery while improving control and evidence.
If you are reviewing options, Mailock secure email supports advanced encryption, recipient authentication, Message Tracker, and audit trails for regulated disclosure workflows.
FAQs
What Does Digital-By-Default Change for Regulated Communications?
It increases the need to evidence delivery, access, durability, and customer suitability when firms move away from paper.
Why Do Durable Medium Requirements Matter?
Customers may need a record they can store, access, and refer back to, so the channel must preserve the right information reliably.
What Should Firms Evidence Before Switching Channels?
Check customer preference, delivery controls, records, accessibility, consent where needed, and escalation paths for customers who cannot use digital channels.
Huw Thomas, Beyond Encryption's Data, Compliance and Operations Manager, plays a crucial role in shaping our information security decisions and procedures across both our products and daily operations.