FCA Durable Medium: A Simple Compliance Guide for Digital-by-Default Disclosures

Posted by Huw Thomas

From 12 January 2026, the FCA made electronic delivery the default for certain retail disclosures derived from the Markets in Financial Instruments Directive (MiFID).

Use this checklist to update delivery controls, customer options, and evidence for oversight.

This is a practical compliance guide for FCA-regulated organisations.

It focuses on what to change in process, controls, and records, rather than on policy narrative.

Scope and Key Dates

Key Dates

These are the dates most firms will want in project plans, control updates, and internal sign-off.

  • 23 October 2025 - MiFID Organisational Regulation requirements transferred into the FCA Handbook (wider package).
  • 12 January 2026 - Durable medium definition change took effect for the relevant MiFID-derived retail disclosure requirements.

PS25/13 should be used as your primary reference point for scope and timing.

Disclosures in Scope

This change is focused on retail disclosures deriving from the MiFID Organisational Regulation framework now reflected in the FCA Handbook.

If your firm sends MiFID-related retail disclosures, treat digital-by-default as the starting position for those items, unless a customer requests paper or another format is more appropriate.

What are MiFID-related retail disclosures?

MiFID-related retail disclosures are the regulated documents firms must give to retail customers when providing MiFID investment services (for example, costs and charges or periodic statements). It is this type of customer-facing information that must be delivered in a durable medium.

What Stays the Same

Digital-by-default does not remove durable medium expectations. These requirements still apply:

  • Firms still need to support paper on request.

  • You still need to show you can evidence what was sent, to whom, and when, in a way that stands up to scrutiny.

Durable Medium Requirements

The FCA describes durable medium as follows:

A durable medium is an instrument that enables the recipient to store information addressed personally to them, for future reference, and reproduce it unchanged.

This definition is detailed on the FCA’s Durable medium page.

The Three Durable Medium Tests

When reviewing a channel or communication, test it against the three durable medium requirements below and record how your setup meets each one.

  • Personally addressed - the disclosure is delivered to the intended individual.
  • Storable and accessible - the individual can keep it and access it for an appropriate period.
  • Unchanged reproduction - the individual can reproduce the exact content you issued, and you cannot alter what was provided.

Common Durable Medium Formats

These formats can qualify, but only when the setup supports personal addressing, retention, and content integrity.

  • Email can meet the test when implemented with appropriate controls.
  • PDFs can support unchanged reproduction when version control is managed properly.
  • Secure websites and apps can qualify where content is personally addressed, remains accessible, and supports unchanged reproduction.

If you rely on a portal or app, make sure older versions of content remain accessible and unchanged for the appropriate period.

Delivery Controls Checklist

Use this section to review whether your digital-by-default setup is defensible as durable medium delivery.

Delivery Controls for Secure Email

Focus on identity, protection, access, and failure handling. The goal is consistent delivery that you can evidence later.

  • Messages are addressed to the correct recipient, with strong matching of customer identity to email address.
  • Sensitive disclosures are protected in transit and at rest, with appropriate encryption and access controls.
  • Where risk warrants it, recipient authentication is used to reduce mis-delivery and unauthorised access.
  • Attachments and links are controlled so clients can access and store the content, without content being changed later.
  • Fallback routing exists for bounces, invalid addresses, and repeated delivery failures.

Document when controls apply by default, and when teams should step up checks based on risk.

"Digital-by-default works best when secure delivery and audit logs are part of the standard disclosure workflow."

Adam Byford, CCO, Beyond Encryption

Content Integrity and Version Controls

Durable medium depends on content being stable once issued. Version control is how you show that stability in practice.

  • Disclosures are generated from approved templates, with controlled change management.
  • Each issued disclosure can be tied to a version, date, and customer record.
  • Issued content is retained in a way that supports unchanged reproduction if challenged later.
  • If you use a portal or web link, older versions remain accessible, and access is personally addressed.

Paper and Alternative Format Controls

Digital-by-default still needs a clear, working route for paper and alternative formats when customers need them.

  • Customer journeys clearly explain that paper is available on request.
  • Requests for paper are recorded, actioned promptly, and visible to customer-facing teams.
  • Alternative formats are supported where needed, including for vulnerable customers or accessibility needs.
  • Channel switches are documented so you can explain why a specific method was used.

Evidence and Record-Keeping Checklist

Digital-by-default is easier to defend when your records are complete and retrievable.

Minimum Evidence Pack for Each Disclosure

If challenged, you should be able to produce a simple evidence pack for the specific customer/client and disclosure without rebuilding it manually.

  • What - the exact disclosure content that was issued (or a verifiable copy).
  • Who - customer identity reference and destination address.
  • When - timestamp of issue and delivery attempts.
  • How - channel used (secure email, paper, portal), and any authentication applied.
  • Status - delivery outcome (delivered, bounced, failed), plus follow-up actions taken.

Aim for records that are complete, consistent, and easy to retrieve.
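
One way to make the evidence pack above, and the version and integrity controls described earlier, checkable in code. This is an added example, not code from the FCA or Beyond Encryption; the SHA-256 digest, the field names and the sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

OUTCOMES = {"delivered", "bounced", "failed"}  # delivery outcomes named in the checklist

@dataclass(frozen=True)
class EvidenceRecord:            # hypothetical record layout
    customer_ref: str            # Who: customer identity reference
    destination: str             # Who: destination address
    template_version: str        # approved template version the content came from
    channel: str                 # How: secure email, paper, portal
    issued_at: str               # When: ISO 8601 timestamp of issue
    content_sha256: str          # What: digest of the exact bytes issued
    attempts: tuple = ()         # When/Status: (timestamp, outcome) per attempt
    follow_up: str = ""          # Status: action taken after a bounce or failure

def issue(content: bytes, **fields) -> EvidenceRecord:
    """Create the record at issue time, fixing the digest of the issued bytes."""
    return EvidenceRecord(content_sha256=hashlib.sha256(content).hexdigest(), **fields)

def record_attempt(rec: EvidenceRecord, timestamp: str, outcome: str) -> EvidenceRecord:
    if outcome not in OUTCOMES:
        raise ValueError(f"unknown delivery outcome: {outcome}")
    return replace(rec, attempts=rec.attempts + ((timestamp, outcome),))

def record_follow_up(rec: EvidenceRecord, action: str) -> EvidenceRecord:
    return replace(rec, follow_up=action)

def reproduces_unchanged(rec: EvidenceRecord, retrieved: bytes) -> bool:
    """True only if the archived or portal copy is byte-identical to what was issued."""
    digest = hashlib.sha256(retrieved).hexdigest()
    return hmac.compare_digest(digest, rec.content_sha256)

def gaps(rec: EvidenceRecord) -> list:
    """Names of the five evidence-pack items this record cannot yet support."""
    last = rec.attempts[-1][1] if rec.attempts else None
    checks = {
        "what": bool(rec.content_sha256),
        "who": bool(rec.customer_ref and rec.destination),
        "when": bool(rec.issued_at and rec.attempts),
        "how": bool(rec.channel),
        # A bounce or failure only counts as evidenced once a follow-up is logged.
        "status": last == "delivered" or (last is not None and bool(rec.follow_up)),
    }
    return [item for item, ok in checks.items() if not ok]

# Constructed sample data, not a real customer or disclosure.
SAMPLE = b"Costs and charges statement v3 for customer C-1001\n"
```

Running `gaps` across a sample of issued disclosures is one way to carry out the sample audit in the implementation steps.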

Retention, Retrieval, and Oversight

Decide where records sit, who can access them, and how they are retrieved when time is tight (complaints, audits, supervisory requests).

  • Disclosure records are retained in line with your record-keeping approach for regulated communications.
  • Records are searchable by customer, date, and disclosure type.
  • Access to logs and records is controlled, with appropriate permissions and oversight.
  • Export processes are defined for audits, complaints, and supervisory requests.

Monitoring Routines

In an ideal world, monitoring should turn digital-by-default into a managed process rather than a one-off setup.

This includes but is not limited to:

  • Bounce reports and invalid addresses are reviewed routinely.
  • Delivery failures trigger a defined follow-up path, including channel switching where appropriate.
  • Teams review engagement patterns that may indicate customers are not receiving key information, and act accordingly.

Implementation Checklist

This section is designed for Compliance, Operations, IT, and customer-facing leaders to run as a short project plan.

Step-by-Step Actions

  1. Map disclosures - list MiFID-derived retail disclosures you send, and note channel and system owner.
  2. Confirm durable medium approach - document how each disclosure meets the three tests in practice.
  3. Update preference journeys - set digital as the default for in-scope items, with clear paper options.
  4. Harden delivery controls - introduce encryption, access controls, and authentication where risk warrants it.
  5. Define failure handling - bounces, incorrect emails, and repeated non-delivery must trigger action.
  6. Ensure robust archiving - make sure delivery evidence and disclosure copies are retained and retrievable.
  7. Train teams - give front-line staff a short script and escalation route for channel issues.
  8. Run a sample audit - test whether you can produce the minimum evidence pack within a reasonable timeframe.

It may help to assign an owner for each step and capture decisions so the approach stays consistent across teams.

Suggested Customer Wording

You may use the suggested wording below as a starting point for preference centres, onboarding, and disclosure emails:

Example Durable Medium Information for Customers

Digital-by-default notice: We will send certain important documents to you electronically as standard.

Paper option: You can ask for paper copies at any time, and we will provide them.

Keeping records: Please save copies of documents for your future reference.

You can tailor the wording to your products and customer journey, and as always, do your own due diligence checks - this is not legal advice.

Secure Email as a Practical Delivery Option

For many organisations, secure email is a straightforward way to support digital-by-default delivery while improving control and evidence.

If you are reviewing options, Mailock secure email supports encrypted delivery, recipient controls, and tracking aligned to regulated communications workflows.


FAQs

Does Digital-by-Default Mean Customers Must Opt In?

No. For in-scope disclosures, electronic delivery is the default, but firms still need to make paper available on request and honour those requests.

Is Standard Email Automatically a Durable Medium?

No. You need to show the delivery method meets the durable medium tests in practice, including client access, storability, and unchanged reproduction.

Do We Still Need Portals?

Portals can support storage and self-service, but you should check that your portal design supports durable medium requirements where you rely on it for regulated disclosures.

What About Vulnerable Customers?

Digital-by-default does not remove responsibilities towards vulnerable customers. You should be ready to provide alternative channels and formats, and record why the approach was appropriate.

 

References

PS25/13, Financial Conduct Authority

PS25/13 PDF, Financial Conduct Authority

Durable medium, Financial Conduct Authority

Reviewed by

Sam Kendall, 03.02.26

 

Originally posted on 04 02 26
Last updated on February 4, 2026

Posted by: Huw Thomas

Mr. Huw Thomas, Beyond Encryption's Data, Compliance and Operations Manager, plays a crucial role in shaping our information security decisions and procedures across both our products and daily operations.
