ICO Fines KRA Consultancy £300,000 Over Unlawful Debt Texts

23rd Jun 2026
The Information Commissioner’s Office has fined KRA Consultancy Ltd £300,000 after finding that the Manchester-based debt-solutions marketer sent more than 5.5 million unlawful text messages to people already in financial difficulty. The enforcement action, announced on 23 June 2026, is notable not only for the scale of the messaging campaign, but for the alleged use of fabricated bailiff threats designed to frighten recipients into engaging with the company’s services. KRA sent 5,575,715 unsolicited direct marketing texts between April 2022 and May 2025, promoting debt solutions to people who had already been declined for loans. The ICO said the campaign generated more than 60,000 complaints to the regulator and Mobile UK’s 7726 spam reporting service. Some messages were sent using the sender ID “DEMAND” and warned recipients that an enforcement agent would attend within 48 hours to remove goods “as per Court Order”, language the regulator treated as part of a deliberate pressure strategy rather than ordinary marketing. Regulatory context matters because the Privacy and Electronic Communications Regulations 2003 do not simply govern irritating sales messages; they impose consent rules on direct electronic marketing and sit alongside broader consumer protection and financial services compliance duties. The ICO also said KRA was not registered with the Financial Conduct Authority, despite directing people towards debt solutions. That point gives the case wider importance for lawyers advising lead generators, claims businesses, debt advisers and financial services intermediaries, where marketing permissions, regulatory perimeter issues and customer vulnerability can overlap. The evidence described by the ICO points to a compliance failure that went beyond poor record-keeping. Search warrants were conducted at KRA’s offices and at the home of Khuram Rezvan Ahmad, and the regulator said KRA resumed unlawful marketing after those warrants, leading to a further 161 complaints. Internal WhatsApp messages cited by the ICO referred to “coaching”, which the regulator characterised as a euphemism for the fake threat process. Andy Curry, the ICO’s Head of Investigations, described the conduct as a calculated unlawful scheme that caused fear and distress to people already struggling with debt. For in-house counsel, the lesson is that direct marketing risk is now inseparable from conduct risk. It is not enough to ask whether a dataset can be bought, whether a campaign converts, or whether a supplier claims consent was obtained. Lawyers need evidence of consent, checks on data age and provenance, controls over sender IDs, and escalation processes when complaints emerge. The ICO’s public advice also points consumers towards the Telephone Preference Service for nuisance calls, showing how marketing enforcement can quickly become a wider consumer protection issue. The ICO enforcement notice against KRA Consultancy Ltd should prompt legal and compliance teams advising debt, credit and lead-generation businesses to audit PECR consent records and FCA perimeter exposure before the regulator treats marketing conduct as evidence of wider customer harm.