CMA's New Powers: What UK Boards Must Act On Before Being Fined

The Competition and Markets Authority can now fine UK companies up to 10% of global annual turnover without going to court — and it already has. With the Digital Markets, Competition and Consumers Act 2024 (DMCCA) direct enforcement regime active since April 2025 and the CMA’s first £4.2 million fine issued in April 2026, consumer law compliance is no longer an operational matter. It is a board-level strategic risk with personal consequences for directors.

What Has Changed Since April 2025 — and Why Does It Matter Now?

The DMCCA 2024 represents the most significant overhaul of UK consumer and competition law in a generation. Before April 2025, the CMA had to obtain a court order before penalising a company for consumer law breaches — a slow, costly process that limited deterrence and kept enforcement at arm’s length from the boardroom. The DMCCA abolished that requirement entirely.

The CMA can now investigate, reach findings, and impose financial penalties directly — without court involvement. Companies found to have infringed consumer protection law face fines of up to 10% of their global annual group turnover. For a UK business with £100 million in global revenues, that is a potential £10 million liability for practices that boards may never previously have treated as a governance concern.

The CMA’s Annual Plan 2025–26 makes its enforcement intent explicit: the authority will use its new direct consumer protection powers to promote consumer trust and deter “poor corporate practices.” According to analysis from A&O Shearman, these powers represent the most significant expansion of UK consumer enforcement capability in decades.

Executive Action

  • Commission an immediate audit of consumer-facing practices — pricing, contracts, subscription terms and auto-renewals — against the DMCCA framework
  • Ensure your legal team has mapped DMCCA exposure across every customer-facing touchpoint and commercial channel
  • Brief the board on the enforcement trajectory before an investigation opens, not after

What Does the CMA’s First £4.2m Fine Signal to Your Board?

In April 2026, the CMA issued its first fine under the new direct consumer enforcement regime. AA Driving School and BSM Driving School admitted liability for drip pricing and agreed to refund over £760,000 to affected learner drivers. The AA was fined £4.2 million. These are not the outcomes of a regulator testing its powers quietly — they are the opening move of an active enforcement programme.

The significance extends well beyond the driving instruction sector. The CMA’s Direct Consumer Enforcement: One Year On report, published April 2026, signals that the authority is moving from investigation to sanction at pace. In November 2025, the CMA announced eight simultaneous investigations into drip pricing, pressure selling and automatic opt-ins — practices embedded in the pricing and checkout flows of retailers, subscription businesses, travel operators, utilities and financial services providers across the UK economy.

Research suggests that drip pricing alone costs UK consumers hundreds of millions of pounds annually. Boards that treat the AA fine as a sector-specific outcome are misreading the signal.

Executive Action

  • Review every customer journey for drip pricing: are all mandatory charges displayed upfront in the headline price shown to customers?
  • Audit subscription and auto-renewal flows against the DMCCA’s specific requirements on consent, clarity and cancellation rights
  • Add the CMA’s active investigations to your board risk register as a forward indicator of enforcement direction

What Personal Liability Do Your Directors Face Under the DMCCA?

The DMCCA does not target only corporate entities. Where consumer law infringements are sufficiently serious, the CMA can pursue criminal prosecution against individual directors and officers — with outcomes ranging from financial penalties to imprisonment. Director disqualification orders are available in parallel. These are not theoretical risks: the CMA has an established track record of pursuing individuals in competition enforcement, and its consumer enforcement powers carry equivalent authority.

According to legal analysis from Womble Bond Dickinson, the DMCCA gives the CMA a significantly enhanced enforcement toolkit — including procedural penalties, interim measures and the ability to accept binding commitments. Boards that delegate consumer law compliance entirely to commercial or legal teams, without maintaining governance oversight, expose their directors to personal accountability should an investigation find systemic failure.

The parallel with data protection governance is instructive: just as the ICO expects boards to demonstrate active governance of UK GDPR obligations, the CMA now expects the same for consumer law. Use INFORMD’s free executive assessment tools to benchmark your governance posture across both regulatory domains.

Executive Action

  • Ensure your board agenda includes a standing consumer law compliance item alongside data protection and financial controls
  • Document board oversight of consumer-facing commercial practices — governance records are now a critical element of any defence in a CMA investigation
  • If your business operates subscription services, review your processes against the DMCCA subscription contract provisions before your next board cycle

Which Business Practices Are Now Under the CMA’s Active Scrutiny?

The CMA’s enforcement focus from its eight November 2025 investigations identifies three priority practice areas.

  • Drip pricing: displaying a lower headline price and adding mandatory charges — booking fees, service fees, card surcharges — at later stages of the purchase journey.
  • Pressure selling: deploying artificial urgency through messaging such as “only two remaining” or countdown timers designed to accelerate consumer decisions before proper consideration.
  • Automatic opt-ins: pre-selected add-ons, default subscription enrolments or renewals without sufficiently prominent, active consumer consent.

These practices are prevalent across e-commerce, travel, insurance, software, media, and financial services. According to research cited in CMA guidance, automatic opt-ins and drip pricing remain widespread across UK consumer markets despite prior guidance. If any of these describe your customer experience — or that of subsidiaries or intermediaries who sell on your behalf — the DMCCA enforcement pipeline should be on your board’s agenda now. Explore INFORMD’s board strategy templates for a structured framework to assess commercial practice risk.

Executive Action

  • Instruct commercial teams to audit all digital and telephony customer journeys for DMCCA compliance, with findings reported to the board within 60 days
  • Ensure pricing pages, checkout flows and subscription contracts have been reviewed by counsel with specific DMCCA expertise, not just general commercial lawyers
  • Extend your compliance review to partners, resellers and intermediaries who sell your products or services to end consumers

INFORMD provides intelligence briefings, tools and frameworks for senior business leaders across technology, finance, strategy and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full briefing library or access our free assessment tools.


FAQ: What is the DMCCA and when did it come into force?

The Digital Markets, Competition and Consumers Act 2024 (DMCCA) is UK legislation that fundamentally reformed consumer protection and competition enforcement. The direct consumer enforcement provisions — giving the CMA power to fine companies without court involvement — came into force on 6 April 2025. Additional provisions covering digital markets and Strategic Market Status designations are being phased in through 2025 and 2026.

FAQ: Can the CMA fine my company even if we did not intend to mislead consumers?

Yes. The DMCCA does not require the CMA to prove intent in order to find a consumer law infringement. If your commercial practices — pricing presentation, subscription flows, opt-in mechanisms — fail to meet the standards set out in UK consumer protection law, the CMA can investigate and fine regardless of whether the breach was deliberate. This makes proactive compliance audit critical, rather than reactive response to complaints.

FAQ: Which sectors are most at risk from the CMA’s current enforcement focus?

The CMA’s November 2025 investigations and the April 2026 AA fine indicate that any sector with consumer-facing subscription models, multi-step checkout flows, or urgency-based marketing is under active scrutiny. This includes e-commerce, travel, insurance, streaming and software services, utilities, financial products and professional training providers. No sector should treat itself as exempt.

FAQ: Where can I find a framework for assessing my board’s regulatory compliance posture?

INFORMD’s tools and assessments page provides free executive self-assessments covering AI governance, technology strategy and compliance posture. For broader regulatory frameworks and board-level templates, visit the templates library and the executive briefings archive. These resources are designed specifically for UK CEOs, CFOs, board members and NEDs navigating complex regulatory environments.
