Financial advisers and IFAs handle client instructions, transfers and sensitive suitability data by email, under an FCA regime that expects operational resilience. If your domain can be impersonated, a criminal can pose as your firm to clients, providers and platforms.
A client receives updated payment or transfer instructions that look like they came from you. Pension and investment sums are large and often one-off, exactly what fraudsters want.
Fake emails in your name reach providers and platforms, or fake provider emails reach you, to redirect funds or harvest login details.
The FCA expects firms to manage the risk of disruption and fraud. A spoofable domain is a known, avoidable weakness that is hard to justify after an incident.
Under the Senior Managers regime, responsibility for these controls sits with named individuals. "We assumed IT had it" is not a comfortable position to defend.
A client emailed their adviser to move a lump sum into a new pension. A day later they received a reply, from what looked exactly like the adviser, with "corrected" bank details. It was a spoof: the firm domain had no DMARC enforcement. The client sent the money to a criminal and held the firm responsible.
Those secure their own logins. Email authentication is set on your firm domain and is a separate control that is often missing. The free check shows your domain status whatever platform you use.
Not by name, but it expects appropriate measures against fraud and disruption. Email authentication is a recognised, low-cost control. If client money were lost to a spoof and your domain had no protection, that gap would be difficult to defend.
Under SM&CR the accountability stays with your senior managers even when the work is outsourced. Run the free check, then give the result to your IT provider and confirm they have closed any gaps.
Run the free check above to see whether your firm domain can be impersonated, and get a plain-English list your IT team can action.