Untangling the regulatory landscape: How DRCF member regulators are joining forces to tackle scams and fraud

5 December 2025

Online scams and fraud have emerged as persistent threats in the digital era, exacting a heavy emotional and financial toll on individuals and businesses. The rapid evolution of digital platforms and technologies has simultaneously created new opportunities for legitimate enterprises and malicious actors alike.

Within this landscape, the Digital Regulation Cooperation Forum plays a supportive, non-enforcement role, helping its member regulators – Ofcom, the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) – share insights relevant to online fraud and consider emerging harms linked to digital platforms.

A coordinated approach between regulators is essential to degrade the fraud threat. As scams are increasingly committed online and at scale, the National Economic Crime Centre (NECC), which leads the UK’s cross-system operational response to economic crime, acknowledges the collaborative and innovative work of DRCF and its members.

This article sets out how the DRCF regulators are working to tackle online scams and fraud and are collaborating on shared learning and dialogue on areas of mutual interest. It lays out the activities, guidance and powers available between member regulators – linking to key resources and initiatives that support these efforts.

About the article

The article underscores several interconnected themes in the regulatory response to online scams and fraud.

Firstly, the article emphasises regulatory oversight and enforcement, where bodies like the FCA and CMA deploy direct supervision, controls, and enforcement actions against firms and individuals, complemented by Ofcom’s investigations into telecom providers and the ICO’s enforcement against predatory marketing.

Secondly, it highlights business obligations, with regulators issuing guidance and setting requirements to ensure platforms and service providers effectively mitigate fraud—examples include Ofcom’s codes of practice under the Online Safety Act and the ICO’s guidance on lawful data sharing to prevent scams.

Thirdly, it highlights consumer-focused measures, including guidance and remedies to help individuals protect themselves, such as the FCA’s campaigns promoting tools like the Firm Checker and the CMA’s advice on navigating trader recommendation sites.

Finally, it reflects the importance of cross-regulatory and multi-agency collaboration, with liaison between regulators, industry and law enforcement to share intelligence, coordinate actions and adapt to evolving threats.

Together, these themes illustrate a holistic approach combining consumer empowerment, business accountability, proactive regulation, and collaborative enforcement.

DRCF members’ initiatives to tackle scams and fraud

Alongside our cross-regulatory efforts, each DRCF member regulator is delivering its own programme of work to tackle scams and fraud, bringing specific powers, priorities and approaches that support the prevention, detection and disruption of harmful activity.

ICO: enabling responsible data sharing

The ICO is supportive of lawful and responsible data sharing to help prevent, detect, and investigate scams and fraud. In November 2024, the ICO published guidance on sharing personal information when preventing, detecting and investigating scams and fraud. This guidance makes clear that data protection law does not prevent organisations from sharing personal information where they do so in a responsible, fair and proportionate way.  

In early 2026 the ICO will update this existing guidance to reflect the changes to data protection law brought in by the Data (Use and Access) Act (DUAA) 2025. DUAA inserts a new lawful basis into the UK GDPR called ‘recognised legitimate interest’. This new basis covers the use of personal information necessary for detecting, investigating and preventing crime. This will include data sharing where this is necessary for scams and fraud. The aim of recognised legitimate interest is to give you greater confidence when you handle personal information for this purpose. 

The ICO’s updates to the sharing data when preventing, detecting and investigating scams and fraud advice page will take into account this new lawful basis, and other feedback received since the guidance was published.1 Recognised legitimate interest will become effective in early 2026 (subject to parliamentary approval) and the ICO has recently closed its consultation on broader draft guidance2 to help organisations successfully use this new basis. The final version will be published in winter 2026.  

The DUAA also creates a framework for how customer data is accessed, shared and used, including by giving the government the power to create Smart Data schemes, which enable people to share their information between organisations, at their request.3 These schemes have the potential to enable enhanced data access and sharing across digital sectors, including in support of efforts to mitigate financial crime. The ICO is committed to supporting the introduction of Smart Data schemes (starting with the rollout of Open Finance) and will be publishing guidance4 to support the robust design and effective implementation of data portability initiatives.  

The ICO also continues to focus on tackling predatory marketing calls targeting people’s vulnerabilities. This includes taking enforcement against companies for predatory marketing campaigns.5 

Ofcom: embedding fraud mitigation in the Online Safety Act (OSA)

Ofcom is the lead regulator for the OSA,[1] which imposes statutory duties on online platforms to:

  • Assess and mitigate risks of illegal content,[2] including fraud.
  • Remove fraudulent content[3] when identified or reported.
  • Implement the measures recommended in codes of practice[4] for search engines and user-generated content platforms or take alternative measures to achieve their legal duties.

Ofcom’s Online Safety Group has made ‘reducing fraud’ a strategic priority, with the OSA mandating platforms to assess and address harm from illegal content (including fraud). Last year, Ofcom and the FCA set out how they tackle online fraud and scams and seek to reduce consumers’ exposure to fraud online.[5] Ofcom has produced codes of practice[6] setting out an expectation that providers of online services take several actions in relation to fraud including:

  • Assessing the risk of fraud occurring on their services[7] [8] and reporting on these risks to senior governance bodies;
  • Taking down fraudulent content swiftly when they become aware of it;
  • Where their services pose a high risk of fraud, training their content moderation teams so that they are able to recognise and effectively deal with this content; and
  • Establishing a dedicated reporting channel for trusted flaggers.

Ofcom has recently consulted on adding measures on the use of proactive tech to detect fraud[9] to its codes of practice.[10] In addition, Ofcom is working on a consultation on a code of practice outlining how categorised services can comply with their obligations to prevent and minimise user exposure to fraudulent advertising.[11]

Ofcom research such as the deep dive into the scale and impact of online fraud and research on deepfakes and their role in digital deception further demonstrate a foundation for evidence-based regulation as regards the implementation of the OSA. 

Ofcom’s strategy to tackle fraud also includes telecoms channels, recognising that criminals often move between online and telecom services when engaging with potential victims. Ofcom has rules and guidance to prevent the use of telephone numbers for scams. In October 2025, it published a consultation on new rules and guidance to require communications providers to take specific action to combat scam mobile messages, including to identify and block scam messages and to apply strong due diligence to business messaging. It has also recently consulted on further guidance related to number spoofing. Ofcom’s enforcement team has opened investigations into two providers, relating to whether they have taken appropriate steps to ensure that phone numbers allocated to them are not being misused, including to perpetrate scams.

Looking forward, it will explore the impact of AI on telecoms-originated scams and on counter-scam technologies and how to further enhance the integrity of the numbering system, in particular, to stop scammers gaining access to number-based VoIP services to make calls.

FCA: tackling financial crime using available tools to protect consumers

The FCA’s approach to fraud is embedded in its statutory objectives to protect consumers and reduce financial crime. Fighting financial crime, including online fraud, authorised push payment and money laundering is a core focus of the FCA’s activities and a core pillar of the FCA’s Strategy 2025-2030.

The FCA uses all available tools to protect consumers from fraud. This includes:

  • proactive and reactive supervision of systems and controls in the financial sector,
  • scanning 100,000 websites every day to identify potential scams,
  • issuing scam alerts (the FCA has issued over 14,000 potential scam alerts),
  • working closely with partner agencies to prevent harm and support consumers if things go wrong,
  • taking enforcement action against firms and individuals.

For example, following ongoing engagement with the FCA, all major tech services – including Google, Bing (Microsoft), Meta, X and TikTok – have changed their policies to only permit paid-for ads for financial services by firms and individuals authorised by the FCA. 

This has significantly reduced the volume of paid-for scam ads on these services.  However, illegal financial promotions in content not subject to such policies, such as ‘organic’ content promoting investments or other financial services, still remain prevalent and cause harm for consumers. As such, this has been a key area of focus for the FCA in the last two years:

  • In March 2024, the FCA published Finalised guidance on financial promotions on social media (FG24/1), clarifying rules and highlighting that unauthorised firms and individuals (including influencers) who promote regulated financial products or services without the approval of an FCA authorised person may be committing a criminal offence.
  • Across weeks of actions in May 2024, October 2024, and June 2025 the FCA led world-first action against ‘finfluencers’ (‘financial influencers’) illegally promoting unauthorised investments: charging nine individuals and interviewing under caution a further 20 influencers. Leading an international crackdown with regulators from Italy, Canada, the United Arab Emirates, Hong Kong and Australia, the FCA issued take down requests for 650 social media posts and more than 50 websites promoting unregulated financial services and advice.
  • The FCA regularly engages and reports suspicious content to online services and is listed as a ‘trusted flagger’ under the Online Safety regime, which is currently being implemented by Ofcom.

To further support consumers to protect themselves from fraud, the FCA will be launching a new campaign to encourage increased use of the Firm Checker, a key tool to help consumers confirm whether a firm or individual promoting a financial product online is regulated by the FCA.

CMA: consumer protection and partnership working 

The CMA’s core purpose is to promote competition and protect consumers.  The CMA shares important responsibilities across both the competition and consumer protection aspects of its role – and its decisions about when and where to act are often informed by these shared responsibilities.

The CMA has taken direct action in multiple online markets to promote compliance with consumer law and tackle bad practices.

For example, the CMA has acted to:

  • clamp down on fake reviews on the biggest platforms like Apple and Google;16
  • address unfair privacy practices in online dating;17
  • promote fair terms in online gambling;18
  • improve transparency and fairness in online ticket resale; and
  • ensure accurate information when shopping online19 20.

Following work in collaboration with NTS, Trading Standards Scotland, Scottish Trading Standards Services and Trading Standards Northern Ireland, the CMA issued tips to consumers to help them navigate trader recommendation sites, and advice for the sites themselves including advice in vetting and monitoring traders on their sites.21

The DRCF’s Online Choice Architecture project set out a joint position between the CMA and ICO about how online choice architecture practices can undermine consumer choice and control over personal information.

More details on the CMA’s approach to consumer protection can be found in the Approach document published in April 2025.22

The CMA has also examined the role of new technologies, notably foundation models23 and the impact they may have on consumer protection and published clear principles on how foundation models can deliver good outcomes for consumers. In particular in relation to scams and fraud on:

  • fake reviews
  • phishing
  • deep fakes
  • hidden advertising.

The CMA works proactively and collaboratively with its partners such as Trading Standards, the Advertising Standards Authority (ASA), and sector regulators, who share consumer enforcement powers with the CMA.  Local Authority Trading Standards deliver frontline enforcement and fraud disruption and the lead on scams sits with National Trading Standards who undertake work covering e-crime, targeting online fraud and mass marketed scams.

The CMA is also an active member of the Consumer Protection Partnership (CPP) which brings together consumer focused organisations to better identify, prioritise and coordinate action to tackle consumer harms.

These efforts show that collaboration across the consumer landscape can yield strong outcomes and impact.

Future direction and cross-regulatory collaboration

The fight against online scams and fraud in the UK is multifaceted, dynamic and increasingly collaborative. As digital threats continue to evolve, so too must the strategies deployed to counter them.

As individual regulators progress with their own enforcement, consumer protection and policy work, the DRCF will continue to support these wider efforts by providing a shared space for dialogue and insight on emerging digital harms. This includes sharing regulatory learnings and deepening connections with organisations doing important work in the scams and fraud space. 

[1] https://www.ofcom.org.uk/online-safety

[2] Note that, in this context, “illegal content” does not, on a search service, include any paid-for advertisements and does not, on user-to-user service, include any paid for advertisements save for those that are user-generated content. Such advertisements are subject to separate duties which apply only to category 1 and 2A services. Those duties require those categorised services, among other things, to use proportionate systems and processes to prevent individuals encountering fraudulent advertising on the service but do not require those services to assess, or mitigate, risks arising from fraudulent advertising.

[3] Including paid-for advertising.

[4] Note that the illegal content codes of practice (which are in force) and the fraudulent advertising code of practice (which is under development) cover different types of (mutually exclusive) fraudulent content.

[5] https://www.drcf.org.uk/publications/blogs/tackling-online-fraud-and-scams-ofcom-and-fca-collaboration

[6] https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/statement-protecting-people-from-illegal-harms-online

[7] https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/enforcing-the-online-safety-act-scrutinising-illegal-harms-risk-assessments

[8] Note that these are not required to cover harm arising from fraudulent advertising. Fraudulent advertising is, on a search service, paid-for advertising that amounts to one of the specified fraud offences and, on a user-to-user service, paid-for advertising that amounts to one of the specified fraud offences and is not user-generated content.

[9] See footnote [2] above.

[10] https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/online-safety-additional-safety-measures

[11] See Ofcom call for evidence for the third phase of online safety regulation.

Back to top