Customer vulnerability FAQs: managing risk

How do firms manage risk when managing vulnerable customers?

Customer vulnerability is increasingly a business risk as well as a customer-care issue. Under Consumer Duty, firms can be exposed on multiple fronts at once: product design, discrimination, access to services, reputational damage, investor scrutiny, and the slow-moving risk of enforcement. These questions, drawn from an industry Q&A, work through how firms should be managing these risks – not just the day-to-day operational question of helping individual customers, but the broader question of what a well-run firm’s vulnerability risk position looks like.

Is it discrimination if we set a lower transaction limit or cap for a potentially vulnerable customer group?

It depends how it’s done, but in most cases, this is a problem area worth steering away from.

Firms are allowed to undertake genuine risk management. An insurer can underwrite based on health, a lender can assess creditworthiness, and a firm can set sensible controls to limit foreseeable harm. What’s not allowed is discriminating against a protected group without proper justification. The Equality Act 2010 draws the line – direct discrimination on the basis of a protected characteristic is unlawful, and indirect discrimination (a neutral-looking rule that disadvantages a protected group disproportionately) is unlawful unless it can be objectively justified as a proportionate means of achieving a legitimate aim.

Consumer Duty brings this into sharper focus. PRIN 2A requires firms to monitor their compliance with the Equality Act, which means understanding the proportion of customers with protected characteristics and reporting on outcomes by those characteristics. Charities and advocacy groups have long suspected that firms have been acting in ways that look like discrimination, and the FCA has made clear that the data now needs to be collected and the evidence now needs to stand up.

A few practical points:

  • Firms are free to choose their target market, and to define who a product is and isn’t suited to. What they have to do is communicate that clearly – so if a product has limits that effectively exclude or cap a particular group, that has to be part of the target market definition, not a quiet control buried in operational procedure. Customers should know what they’re buying.

  • Where a cap or limit is being considered, the test is whether it’s based on genuine evidence of risk and whether it applies proportionately. A limit based on an underwriting factor that correlates with a protected characteristic – age, for instance – needs to stand up to scrutiny. ‘We do it because we’ve always done it’ rarely does.

  • Where it becomes necessary to disengage from an existing customer, firms need to be especially careful. Disengagement that disproportionately affects a protected group, without a defensible basis, is a serious compliance exposure.

The practical direction is to steer away from applying product limits or caps based on vulnerability as a proxy. If there’s a legitimate underwriting or risk-management reason for a limit, document it with evidence, apply it consistently, and communicate it clearly. If the only reason is that a cohort has been identified as vulnerable, reconsider.

How should we handle a vulnerable customer who keeps missing payments – what’s the line between forbearance and disengagement?

This is one of the most common operational questions in consumer credit, insurance and banking, and the answer isn’t a formula – it’s a structured judgement, documented as you go.

The FCA’s expectations are set out most clearly in the Consumer Credit Sourcebook and in the Borrowers in Financial Difficulty work programme. Firms must treat customers in financial difficulty with forbearance and due consideration, assess affordability meaningfully, and document the basis for decisions. The Equality Act 2010 continues to apply, and Consumer Duty requires that outcomes for vulnerable cohorts are comparable to those for resilient customers.

A practical framing:

  • Forbearance should be the starting point, not the last resort. Payment breaks, reduced payments, interest freezes, term extensions, and referrals to free debt advice are the main tools. For a customer in temporary difficulty – redundancy, illness, bereavement – these usually carry them through to a return to normal payment. The evidence is consistent that light-touch forbearance often prevents far worse outcomes later.

  • Affordability is the underlying test. If a customer can’t afford the current arrangement but could afford a varied one, the firm’s job is to find the varied arrangement, not to push for payment they can’t make. Pushing a customer into further arrears to protect current-period collections is almost always a poor outcome.

  • Engagement matters. Forbearance works where the customer engages with the firm – explains what’s going on, accepts support, and keeps to revised arrangements. Non-engagement is different from non-affordability, and warrants a different response (more outreach, more channels, more patience before moving to collection).

  • The bar for disengagement is high. A customer in persistent financial difficulty isn’t, in itself, a reason to disengage. Even a customer who has missed many payments can often be supported back to stability through appropriate forbearance. Disengagement tends to be warranted only where the underlying affordability position is genuinely unsustainable over any realistic timeframe, where the customer has been unwilling to engage despite reasonable and varied outreach, or where the product itself is causing harm, and ending the relationship is the best available outcome.

  • Where disengagement is necessary, do it well. Follow disengagement principles: clear documentation of what support was offered, reasonable notice, accessible communications, signposting to free debt advice (StepChange, National Debtline, Citizens Advice, Money and Pensions Service), and a clear picture that the decision isn’t discriminatory. Evidence the customer had genuine opportunity to engage, and that disengagement is a last resort.

  • Document throughout. What was offered, what was taken up, what worked, what didn’t, what alternatives were considered, and the reasoning at each step. If the case ever reaches the Financial Ombudsman Service or an FCA review, the quality of the documentation is usually the difference between a defensible outcome and a difficult one.

One specific point worth being explicit about. Customers in persistent debt aren’t all ‘just not paying’ – many are genuinely trying, within real constraints, and the firm’s response has a direct effect on how that plays out. The FCA’s reviews have been consistently critical of firms that move to collection and disengagement too quickly, and the Financial Ombudsman Service has upheld a steady stream of complaints where firms ended relationships without adequate support first.

How are firms handling disengagement when it becomes necessary and the customer happens to be vulnerable?

Carefully, slowly, and with a clear record of why. Disengaging from a vulnerable customer is one of the highest-risk things a firm can do, both in terms of harm to the customer and in terms of exposure for the firm.

A few principles that tend to distinguish firms doing this well:

  • The first is that disengagement should never be the first response. Before ending a relationship, firms should have evidenced what they’ve done to support the customer, what adjustments have been offered, and what alternatives have been considered. A record that shows the firm tried hard to help first is essential, both for the customer’s sake and for any later scrutiny.

  • The second is that the reason for disengagement has to be defensible on its merits. A customer being vulnerable is not, in itself, a lawful basis for ending the relationship – if anything, it’s a reason for particular care. The underlying reason has to stand up independently of the customer’s vulnerability. Commercial unviability, regulatory requirement, fundamental breakdown of the relationship, or non-payment after reasonable forbearance are all potentially defensible; vulnerability itself is not.

  • The third is that the process matters as much as the decision. Adequate notice, clarity about why, information about what the customer can do next, signposting to alternatives, and practical help making the transition. The FCA has been explicit that abrupt disengagement from vulnerable customers – particularly in banking, credit and insurance contexts – is an area of active supervisory concern. Abrupt exits without support are much more likely to attract regulatory attention.

  • The fourth is reasonable adjustment during the process itself. Even while disengaging, the Equality Act’s duty to make reasonable adjustments continues to apply. Notices in accessible formats, longer timelines where appropriate, support through the transition. Disengagement isn’t a moment where normal duties fall away.

  • The fifth is evidence of non-discrimination. Firms should be able to demonstrate, at a portfolio level, that disengagement patterns aren’t disproportionately affecting protected groups or vulnerable cohorts. If the data shows a pattern, the firm needs either a credible explanation or a change of practice.

  • And finally, escalation and governance. Disengaging from a vulnerable customer is a decision that shouldn’t be made by a single front-line staff member. A clear escalation process, with named decision-makers and proper documentation, protects both the customer and the firm.

Where disengagement is necessary and proportionate, it can be done in a way that respects the customer and the regulatory framework. Where it’s driven by a desire to move a difficult case off the books, or applied without care, it’s a significant risk.

A vulnerable customer wants to buy a product we don’t think is suitable for them. Can we refuse?

Usually, you can, and sometimes you should. But this is an area where firms need a proper process, not an individual staff decision, and the reasoning has to hold up.

The position under Consumer Duty is that firms should avoid foreseeable harm to retail customers. If a firm can see that a product would cause harm to a specific customer, selling it anyway is hard to defend. PRIN 2A and FG22/5 make this explicit in the context of product and service outcomes: the product needs to be suitable for the customer, not just the target market.

A few practical approaches:

  • For advised products, the answer is often straightforward. An adviser has a professional duty not to recommend unsuitable products, and that duty is heightened where the customer is vulnerable. If the right advice is ‘this product isn’t suitable for you’, that’s the advice to give. The customer can still disagree, but the adviser’s position is clear.

  • For non-advised products, the position is slightly different. The firm isn’t recommending, so the duty isn’t to give advice. But Consumer Duty still requires the firm to consider whether the product is reasonably suited to the customer and to avoid foreseeable harm. If the customer is clearly unsuitable – affordability that doesn’t stack up, circumstances that make the product inappropriate, a clear vulnerability that the product can’t accommodate – pausing the transaction and engaging with the customer is reasonable.

  • The ‘insistent client’ framework is useful for advised sales. Where a customer wants to proceed against advice, there’s a recognised process: give the advice in writing, explain why the product isn’t recommended, document the customer’s wish to proceed anyway, and complete the transaction only if the customer confirms understanding of the risks. The process exists precisely to handle this situation. Where mental capacity is in doubt, an independent capacity assessment is often the right next step before proceeding.

  • Capacity is the other line. If there’s a reasonable concern that the customer lacks capacity to understand the decision, the firm shouldn’t proceed without an appropriate assessment. A qualified nurse or medical assessment, an attorney under a lasting power of attorney, or a referral for the customer to take independent advice are all options. Proceeding with a transaction with a customer who doesn’t understand it is exposing the firm and potentially harming the customer.

  • Document the reasoning. Whatever decision is made – proceed, refuse, pause, request more information – the documentation needs to show the reasoning, the alternatives considered, and the basis for the outcome. A refusal that looks discriminatory or unsupported is a regulatory exposure.

  • Don’t refuse as the default for vulnerable customers. Refusing to serve a customer because they’re vulnerable, when a well-designed product or an appropriate adjustment would make the transaction work, is itself a Consumer Duty problem – and potentially an Equality Act issue. The right answer is usually to make the adjustment or redesign the product, not to turn the customer away.

Some firms have become overcautious in this space, refusing to serve customers who’ve disclosed vulnerabilities because staff don’t feel confident handling the interaction. This is a training and process problem, not a regulatory requirement. Vulnerability shouldn’t block access to financial services; poor handling of vulnerable customers should be the thing that triggers change.

What considerations do you make when designing and reviewing products for vulnerable customers?

Good product design starts from the understanding that vulnerability is the norm, not the exception. Roughly half of customers are showing signs of vulnerability at any given time, and products designed for an idealised resilient customer will systematically fail that half.

A few principles shape how firms do this well:

  • Understand the target market properly. Consumer Duty expects firms to define their target market and make sure the product works for it. That definition needs to include a realistic picture of customer vulnerability within the intended customer base – characteristics, severities, and the kinds of circumstances that might affect how the product is used. Surveys, customer research, and analysis of the firm’s existing book all feed into this.

  • Bring in lived experience. Firms designing well in this space often involve people with direct experience of the vulnerabilities the product might encounter – sometimes described as ‘lived experts’ or customer advisory panels. A product intended to serve older customers benefits from older customers being involved in its design. A product that might be used by people in financial hardship benefits from input from advocates and people who’ve been there. This changes the design in ways that market research alone doesn’t.

  • Design inclusively from the start. The cheapest and most effective vulnerability adjustments are the ones built into the product itself rather than bolted on afterwards. Communications in plain English. Documents in multiple formats as standard. Digital journeys that work for assistive technologies. Decision points with built-in pauses. Defaults that don’t disadvantage anyone. Inclusive design removes the need for many individual accommodations.

  • Think about the full customer journey. Products don’t just need to be sold well – they need to be serviced well, claimed well, amended well, and exited well. Each stage has its own vulnerability implications. A life insurance product that’s easy to buy but hard to claim when the holder has died is a product that fails at the moment it matters most.

  • Stress-test against real customer types. Walk through how a product works for a customer with dyslexia, a customer with a recent bereavement, a customer with mild cognitive impairment, a customer in financial stress, a customer without digital access. If the design breaks for any of these at any stage, there’s work to do.

  • Review continuously, not just at product approval. Once a product is in market, the vulnerability dimension needs to be part of the ongoing review. Outcomes data by cohort, complaints analysis, feedback from front-line staff and advocates, changes in the customer base over time. Product reviews that only examine sales and commercial metrics miss the outcome story.

  • Be realistic about what digital can and can’t do. The shift to digital channels, largely designed for resilient and digitally capable customers, has in many cases made life harder for vulnerable groups. The human who used to adapt to an individual’s needs isn’t there. For some vulnerabilities, digital is actually a good fit – a customer who can’t hear may find digital easier than phone. But for many, pure digital is a poor fit, and firms should be cautious about eliminating human channels entirely. See the later question on digital channels for more on this.

  • Document the design decisions. A good product file shows the target market, the vulnerability considerations, the design decisions taken as a result, and the evidence that supports them. This is a Consumer Duty requirement under product governance, and it also offers practical protection for the firm in the longer term.

The CII’s 2025 guidance on managing customer vulnerability sets out similar principles and is worth consulting for practical implementation detail.

What are best practices for building customer vulnerability into early-stage product development?

Good customer vulnerability thinking belongs at the start of product development, not at the end. Embedding it well costs less than retrofitting later, and the product that emerges is usually better for all customers, not just vulnerable ones.

A few practices that characterise firms doing this well:

  • Customer vulnerability as a named input to the product brief. Alongside the usual commercial, regulatory and technical inputs, the brief includes an explicit section on vulnerability considerations – who the target market includes, what kinds of vulnerability are likely in that market, what the product needs to do to serve them well.

  • A customer vulnerability specialist at the design table. Someone whose job is to bring the vulnerability perspective into the room – either an internal customer vulnerability lead or an external advisor. Their role isn’t to veto; it’s to raise questions the commercial and product teams might not otherwise ask.

  • Lived experience involvement early, not late. Bringing people with relevant experience into the design process during development, not after the product is largely baked. A focus group at the end can confirm decisions or flag issues; involvement from the start shapes the product itself.

  • Inclusive design by default. Plain English and accessible formats are the starting point, not options. Digital journeys are tested with assistive technologies as part of normal quality assurance. Communications are tested for comprehension across different literacy and cognitive levels. The design assumes a wide range of users, not an idealised customer.

  • Stress-testing during development. Before launch, the product gets walked through with a range of customer scenarios – not just ‘happy path’ resilient buyers, but specific vulnerable customer types navigating each stage. Gaps identified at this stage can be fixed. Gaps identified after launch become remediation projects.

  • Explicit governance through the development lifecycle. Customer vulnerability-related decisions get documented as the product progresses – what was considered, what was decided, what was evidenced. Product approval includes sign-off on the vulnerability considerations, not just the commercial and regulatory ones.

  • Plans for learning after launch. No product’s vulnerable customer design is perfect on day one. What matters is whether the firm has a plan to learn – outcome monitoring by cohort, feedback loops from front-line staff, a clear process for making changes when the data shows something’s wrong.

The FCA’s product governance expectations under Consumer Duty make much of this explicit, and the direction of travel is clearly towards more structured, evidenced vulnerability thinking at the design stage. Firms that treat this as optional are accumulating risk; firms that embed it are generally finding that the resulting products work better commercially too.

Would it be better to offer specific products aimed only at vulnerable customers?

Usually no. Products specifically aimed at vulnerable customers can look appealing on paper but tend to create as many problems as they solve.

A few reasons to be cautious:

  • Customer vulnerability is too broad a category to support a sensible product definition. A product that works for a customer with dyslexia is different from one that suits a recently bereaved customer, which is different again from one for a customer in financial hardship or with a long-term health condition. Trying to design ‘a product for vulnerable customers’ treats a very diverse group as homogeneous, and ends up serving none of them particularly well.

  • It risks stigmatising customers and creating a separate track. Many vulnerable customers navigate life and services perfectly well with appropriate adjustments. Labelling products as ‘for vulnerable customers’ can feel othering, which undermines trust and deters take-up. Research consistently shows that customers resist being placed in a separate category.

  • It can undermine inclusive design elsewhere. If ‘special’ products exist for vulnerable customers, there’s a temptation to leave mainstream products designed narrowly for resilient customers. The broader benefit of inclusive design – that it helps all customers, not just vulnerable ones – is lost.

  • It risks creating access problems. A customer who needs a product designed for their circumstances may have to identify themselves as vulnerable to access it, which many won’t want to do. Restrictions on access, eligibility criteria, and self-identification requirements all add friction at the worst possible moment.

  • It can create unhelpful cross-subsidies and pricing problems. If a ‘vulnerable customer product’ is priced differently from the mainstream equivalent, fair value questions emerge quickly. If the ‘vulnerable’ product is more expensive, it’s hard to defend. If it’s subsidised by other customers, the governance is complicated. Either way, it’s a harder fair value assessment than a single, inclusively designed mainstream product.

There are some specific contexts where dedicated products make sense. Products designed for people with a specific, well-defined need – cover for people with specific health conditions, accounts designed for a customer base known to include particular circumstances – can genuinely serve a market. Second-chance credit products for people rebuilding after financial difficulty are a legitimate market. But these are exceptions, and in each case the product exists because of a specific, well-evidenced need, not because a general ‘vulnerable’ label has been applied.

The better default is to design mainstream products that genuinely work for the whole target market, including vulnerable customers, with the flexibility and adjustments needed to accommodate individual circumstances. That’s what Consumer Duty is pointing firms towards, and it tends to produce better outcomes than segregated product lines.

Is there a way to prevent customers ‘using’ customer vulnerability claims to obtain preferred treatment? Are we putting too much emphasis on vulnerability?

This question comes up increasingly, and it has two parts worth addressing separately.

On whether there’s too much emphasis. Probably not, given where firms are starting from. The consistent finding of the FCA’s multi-firm reviews, and of independent research, is that vulnerable customers continue to receive worse outcomes than resilient ones in many contexts – not because of too much focus, but because of too little. The regulatory direction is towards more, not less, and the evidence suggests that’s warranted. If it feels like firms talk about vulnerability constantly, that’s largely because years of under-investment are being corrected in a compressed window.

That said, implementation can absolutely be heavy-handed. Processes that label customers as vulnerable without their input, add friction to interactions, or treat a broad cohort as needing intervention they don’t actually need – these are real operational problems. Good vulnerability management is invisible to most vulnerable customers most of the time; it’s the right adjustment at the right moment, not a separate track. If the firm’s front-line staff feel they ‘do nothing but talk about vulnerability’, that might be a signal that processes are poorly designed rather than that the focus is wrong.

On abuse of support systems. This does happen, and may grow as customers become more aware of what’s available. There are documented cases of people claiming vulnerability to access preferential treatment they wouldn’t otherwise qualify for. There are also reports of advisers coaching clients to present themselves in particular ways.

The practical defences are straightforward:

  • Objective, structured assessment rather than self-declaration. When a customer’s vulnerability is identified through a proper assessment that captures characteristics, severity and impact – rather than by simply asking ‘are you vulnerable?’ – it’s much harder to game. A person claiming dyslexia has to answer specific, behaviour-focused questions about how they interact with written information; someone claiming a recent bereavement has to provide a timeline and context. Structured assessment doesn’t prevent abuse, but it raises the bar considerably.

  • Consistent recording and cross-referencing. If a customer presents different vulnerability claims in different interactions, the record should show it. Patterns that don’t stack up are worth investigating. Firms with fragmented records and free-text notes struggle to see these patterns; firms with structured vulnerability data see them easily.

  • Appropriate verification where material. Some customer vulnerability claims carry significant consequences – accessing a specific product, receiving substantial forbearance, triggering a claim. For material decisions, reasonable verification is fair. The Equality Act doesn’t prevent firms asking for evidence where it’s proportionate; it prevents unreasonable barriers.

  • Independent assessment where capacity is genuinely in doubt. Where mental capacity is at issue, a qualified nurse or medical assessment is often the right answer – it takes the subjectivity and emotion out of the conversation and gives the firm a defensible position.

  • Clear policy on what vulnerability status does and doesn’t entitle customers to. Not every vulnerability triggers the same response. Being transparent about what adjustments are available for what circumstances, on what evidence, makes abuse much harder than a vague promise of ‘extra help for vulnerable customers’.

The underlying point: good customer vulnerability management protects genuine vulnerable customers and makes abuse harder at the same time. Firms with weak processes get hit both ways – the people who need help don’t get it, and those who don’t need it find it easy to access. Structure and evidence are the answer to both problems.

How do we manage the risk that AI systems treat vulnerable customers unfairly?

AI in financial services introduces specific fairness risks for vulnerable customers, and the risk-management framework has to be genuinely proactive – bias that emerges from training data or model design can scale quickly, and once it’s in production, unpicking it is harder than preventing it.

The underlying regulatory framework sits across several regimes. UK GDPR’s Article 22 restricts solely automated decision-making that produces significant effects for individuals. The Equality Act 2010 prevents direct and indirect discrimination, including discrimination that emerges from automated systems. Consumer Duty requires firms to avoid foreseeable harm and deliver comparable outcomes for vulnerable cohorts. The FCA has made clear that existing regulatory expectations apply to AI-enabled processes as much as to any other. The ICO has issued specific guidance on AI and data protection.

Within that framework, a handful of risk management disciplines matter most:

  • Understand where AI is actually being used. Many firms have AI in more places than they realise – scoring models, routing algorithms, chatbots, fraud detection, affordability assessment, call analytics, underwriting, pricing. Each of these can affect vulnerable customers differently. The first step is a clear inventory of where AI or automated decisioning is in the customer journey.

  • Assess each use for vulnerability-specific risk. For each AI use, ask: could this disadvantage customers with particular vulnerabilities? A fraud detection model trained on patterns of ‘normal’ behaviour may flag unusual behaviour from customers with cognitive impairment as suspicious. An affordability model may penalise customers with fluctuating income patterns (common in mental health conditions). A chatbot may route customers in mental health crisis into loops with no human handover. Each potential harm needs to be identified and addressed.

  • Check training data for bias. Models trained on historic data reflect historic patterns – including patterns of discrimination or under-service. If vulnerable customers have been poorly served in the past, a model trained on that data will tend to reproduce the poor service. Training data needs to be examined for representativeness, for bias, and for the specific cohorts the firm serves.

  • Monitor outcomes by cohort in production. Once a model is live, monitor how it performs for vulnerable versus resilient cohorts on the outcomes that matter. Significant and persistent gaps are a signal that the model is behaving unfairly, and need to trigger investigation. ‘We assumed the model was fair because we designed it carefully’ isn’t enough; the data in production is what matters.

  • Keep human oversight in material decisions. Article 22 requires meaningful human involvement in decisions with significant effects. For decisions affecting vulnerable customers specifically, firms should lean cautious. Automated decisioning with no human oversight for cases affecting vulnerable customers is high-risk and often unnecessary.

  • Explain and contest. Customers affected by AI decisions need to be able to understand the logic and challenge the outcome. This is a GDPR requirement and a Consumer Duty one. For vulnerable customers specifically, explanations need to be genuinely accessible – not buried in technical language, and with clear routes to human review. A customer who can’t understand why they’ve been refused can’t effectively contest it.

  • Governance over model lifecycle. Risk assessment before deployment, monitoring in production, triggers for review, clear process for retiring or adjusting models where they’re shown to be causing harm. Most firms have model governance for prudential and fraud-detection purposes; fewer have it for customer outcomes. That needs to change.

  • Be cautious about using AI to identify customer vulnerability. Predictive vulnerability scoring – where AI infers vulnerability from behavioural or transactional data – is an area of particular risk. The training data often doesn’t exist to do this reliably, false positives and false negatives both have significant consequences, and customers may not realise they’ve been classified in this way. Use AI to support human identification and analysis rather than to make vulnerability determinations on its own. Keep humans in the loop, particularly for decisions that affect how the customer will be treated.

  • Remediation capacity. Where an AI system is found to have treated a vulnerable cohort unfairly, firms need to be able to identify who was affected and remediate. This means logging decisions in a form that supports later review – not just for regulatory inspection, but for the firm’s own remediation if something goes wrong.
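One way to put the cohort monitoring and remediation logging from the list above into working code, as an added example that is not part of the original Q&A and not any firm's own system. It assumes a constructed decision log (customer id, reporting period, cohort, model version, outcome), a rate-gap threshold and a persistence window of three periods; the cohort names and the model label 'scorer-v2' are made up for the illustration. The same check applies to digital completion or abandonment rates measured by cohort.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample only: (approved, declined) decisions per cohort per
# reporting period. The vulnerable cohort is deliberately given a widening gap.
SAMPLE_COUNTS = {
    "2025-01": {"vulnerable": (6, 4), "resilient": (8, 2)},
    "2025-02": {"vulnerable": (5, 5), "resilient": (9, 1)},
    "2025-03": {"vulnerable": (4, 6), "resilient": (8, 2)},
}


@dataclass(frozen=True)
class Decision:
    """One logged automated decision, kept in a form that supports later review."""
    customer_id: str
    period: str          # reporting period, YYYY-MM
    cohort: str          # "vulnerable" or "resilient" (assumed labels)
    model_version: str   # which model produced the decision
    approved: bool


def build_sample_log() -> List[Decision]:
    """Expand SAMPLE_COUNTS into individual decision records (constructed data)."""
    log, n = [], 0
    for period, cohorts in SAMPLE_COUNTS.items():
        for cohort, (approved, declined) in cohorts.items():
            for i in range(approved + declined):
                n += 1
                log.append(Decision(f"C{n:04d}", period, cohort, "scorer-v2", i < approved))
    return log


def cohort_rates(log: Iterable[Decision], period: str, min_count: int = 10) -> Dict[str, float]:
    """Approval rate per cohort for one period; cohorts below min_count are
    left out so that a handful of decisions cannot trigger a false alarm."""
    totals: Dict[str, Tuple[int, int]] = {}
    for d in log:
        if d.period != period:
            continue
        a, t = totals.get(d.cohort, (0, 0))
        totals[d.cohort] = (a + int(d.approved), t + 1)
    return {c: a / t for c, (a, t) in totals.items() if t >= min_count}


def gap_history(log: List[Decision], vulnerable: str = "vulnerable",
                resilient: str = "resilient") -> List[Tuple[str, float]]:
    """Per period, the approval-rate gap (resilient minus vulnerable).
    Periods where either cohort is missing are skipped rather than guessed."""
    history = []
    for period in sorted({d.period for d in log}):
        rates = cohort_rates(log, period)
        if vulnerable in rates and resilient in rates:
            history.append((period, round(rates[resilient] - rates[vulnerable], 4)))
    return history


def persistent_gap(history: List[Tuple[str, float]], threshold: float = 0.15,
                   min_periods: int = 3) -> bool:
    """True when the gap has been at or above the threshold for the last
    min_periods consecutive periods: 'significant and persistent', not a blip."""
    recent = history[-min_periods:]
    return len(recent) == min_periods and all(gap >= threshold for _, gap in recent)


def affected_customers(log: Iterable[Decision], model_version: str,
                       cohort: str, periods: Iterable[str]) -> List[str]:
    """Customers in the cohort declined by this model version in the given
    periods: the population a remediation exercise would need to review."""
    periods = set(periods)
    return sorted(d.customer_id for d in log
                  if d.model_version == model_version and d.cohort == cohort
                  and d.period in periods and not d.approved)


if __name__ == "__main__":
    log = build_sample_log()
    history = gap_history(log)
    print("gap by period:", history)
    if persistent_gap(history):
        flagged = [p for p, _ in history[-3:]]
        affected = affected_customers(log, "scorer-v2", "vulnerable", flagged)
        print(f"persistent gap: review {len(affected)} declined vulnerable customers")
```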

The practical position: AI can genuinely help firms serve vulnerable customers better when used well, but it can cause harm at scale when used poorly. The risk management discipline is the same as for any other high-impact process – identify the risks, design to avoid them, monitor in production, and have a clear plan for when something goes wrong. What’s different about AI is the speed at which problems can propagate and the difficulty of explaining what’s happening; both warrant particular care.

Firms should expect the regulatory environment around AI to tighten over the next few years. The FCA and ICO have both signalled increasing interest in AI fairness and accountability, and cross-regulator work through the Digital Regulation Cooperation Forum is likely to produce more specific expectations. Firms treating this as a compliance issue to minimise are accumulating risk; firms building genuine AI risk management for customer outcomes are in a much better position.

What do investors and owners expect from Consumer Duty oversight, and how does it affect reputational risk?

Consumer Duty is here to stay, and it’s increasingly a material consideration for investors, acquirers and professional indemnity insurers looking at UK financial services firms.

The core point is that Consumer Duty is a prerequisite for operating in UK financial services. A firm can’t opt out, and non-compliance carries real and growing consequences – FCA enforcement, customer remediation costs, reputational damage, and the loss of permissions. Firms have already made major changes to fee structures, product ranges, and service models because of it, and that process isn’t finished.

For investors and owners, a few things matter:

  • Compliance as a material risk. The FCA has signalled that enforcement activity on Consumer Duty is increasing. Multi-firm reviews have been consistently critical. Public ‘Dear CEO’ letters have been explicit about expectations. A firm showing weak vulnerability management is a firm exposed to enforcement risk, remediation costs, and potentially to restrictions on its permissions. Investors and acquirers are starting to treat this as material due diligence.

  • Differentiation in acquisitions and funding. Mergers and acquisitions processes are increasingly including Consumer Duty compliance, including specific vulnerability management, as part of diligence. Firms with strong processes are differentiated from those without, sometimes with direct pricing consequences. Professional indemnity insurers are starting to ask more searching questions about Consumer Duty exposure, with similar effects on cover and pricing.

  • Board accountability. Senior Manager responsibility for Consumer Duty outcomes, combined with the Senior Managers and Certification Regime, creates personal accountability for senior executives. Investors increasingly expect to see clear board-level ownership of vulnerability and Consumer Duty outcomes, with meaningful governance behind it.

  • Reputational exposure. High-profile failures in vulnerability management can become public quickly – through complaints, Ombudsman decisions, charity sector reporting, and media coverage. The reputational consequences can be significant. Investors in consumer-facing firms have become more attentive to this risk since Consumer Duty came in.

  • Quality of data and reporting as a governance signal. A firm that can’t produce credible cohort-level outcomes reporting is telling investors something about the quality of its internal systems and controls more broadly. Conversely, a firm with strong Consumer Duty reporting is usually a firm with well-run systems generally.

The practical implication is that vulnerability management has moved from being a customer-care issue to being a governance and risk issue with direct investor and acquirer relevance. Firms that treat it as a compliance cost to minimise are accumulating risk that shows up in valuations, in insurance pricing, and in the attractiveness of the firm to sophisticated investors. Firms that treat it as part of running a well-governed business are generally finding the opposite.

How should we cost a credible customer vulnerability programme, and what’s the return?

Firms consistently struggle with the business case for vulnerability investment, partly because the upside is often indirect and partly because the risk of not investing is easy to underestimate. A reasonable framing has two parts: what does a credible programme actually cost, and what does the firm gain (or avoid losing) by running one?

What it costs. The main cost components are usually:

  • Technology. A purpose-built vulnerability assessment and management system – covering data capture, categorisation, severity scoring, mitigation tracking, reporting – sits at the core. Licensed platforms are typically in the low tens of thousands per year for smaller firms, scaling with customer base for larger ones. Building in-house is an order of magnitude more expensive and takes considerably longer.

  • Assessment capacity. Getting through the book to assess customers takes time – either front-line staff time with training, or automation with occasional specialist support. The ongoing cost is usually modest per customer once systems and processes are in place.

  • Governance and reporting. Board-level ownership, documented policies, data protection impact assessments, privacy notices, management information production. Most of this is time taken from existing compliance, conduct, risk and operations resource rather than new headcount, but it’s not free.

  • Training. Initial training for relevant staff, ongoing refresh, and specialist training for teams working closely with vulnerable customers. This scales with headcount.

  • Third-party support where needed. Specialist capacity for complex cases (independent nurse assessments, for instance), particularly for firms without that expertise in-house.

For most firms, a credible programme typically runs in the tens to low hundreds of thousands per year, depending on scale. For a very large firm, it’s a seven-figure programme, but the cost per customer is small. The CII’s 2025 guidance on managing customer vulnerability gives useful context on typical implementation cost ranges.

What it returns. Direct returns are usually modest and indirect ones are often significant:

  • Avoided enforcement cost. FCA enforcement actions on conduct and Consumer Duty matters can run into very substantial sums – fines, remediation costs, required systems work, legal costs. The cost of enforcement tends to dwarf the cost of prevention by a considerable margin. Firms that can’t evidence their vulnerability management are at materially higher risk.

  • Avoided remediation cost. Where vulnerable customers have been sold inappropriate products, or charged unfair prices, or not provided with adequate support, the firm may need to remediate. Past sector-wide remediation exercises (PPI, pensions mis-selling, GI pricing) show how expensive this can become. Good vulnerability management reduces the population of customers who might later trigger remediation claims.

  • Reduced complaint volumes and handling costs. Vulnerable customers who receive appropriate support complain less, and their complaints are easier to resolve. The direct operational saving is typically measurable within a year of a programme being properly established.

  • Lower lapse and cancellation rates among vulnerable cohorts. Customers who feel well-served stay. For products where persistency has a clear commercial value (insurance, investments, long-term credit), the retention benefit of good vulnerability management tends to be material.

  • Better product design. Customer vulnerability insights feed into product governance and usually produce products that work better for the whole customer base, not just vulnerable cohorts. The commercial benefit of ‘this product works’ over ‘this product is merely acceptable’ is often underestimated.

  • Reputational value and customer loyalty. Consistently treated well, customers tell others. Charity sector partnerships, positive media, and word-of-mouth all have some value, hard to measure but real.

  • Differentiation in investor and acquirer due diligence. As covered earlier, customer vulnerability management is increasingly material in mergers and acquisitions and in investor assessment. Firms with strong programmes carry a premium; firms without carry a discount.

  • Professional indemnity cover. Insurers are increasingly sensitive to Consumer Duty exposure, and vulnerability management quality is becoming a factor in pricing and terms.

The honest framing: the risk of not investing is larger than the cost of investing, for most firms of any scale. The FCA has made clear that enforcement is becoming more direct, and firms without credible programmes are exposed. The cost of getting this wrong – in enforcement, remediation, complaints, commercial reputation, and investor perception – meaningfully exceeds the cost of getting it right.

At the same time, the direct commercial return is rarely the headline benefit. Firms investing for the direct upside alone often find it harder to justify the programme than firms investing against the downside risk. The combination of both perspectives tends to support a solid business case.

A practical test: a board which can’t sign off a credible vulnerability programme on the risk-adjusted case probably hasn’t had the risks explained properly. The downside of inaction is genuinely significant, and it’s getting more so each year.

What trends in customer vulnerability have emerged across financial services?

A few have become noticeable over the last few years. The most significant, and the most consistent across the sector, is the gap between what Consumer Duty asks firms to do and what most firms are actually delivering.

  • Poor identification, widely. The most common finding across FCA multi-firm reviews is that firms identify vulnerable customers at rates far below the roughly 50% population benchmark. Many firms are still in single-digit percentages, which the FCA has made clear indicates systematic under-identification rather than genuinely low-vulnerability customer bases.

  • Weak evidence of outcomes. A related trend: firms can often show what they’ve done in customer vulnerability management (training delivered, policies updated, support offered) but can’t evidence what customers actually received as outcomes. Activity is being measured; impact isn’t. The FCA has been vocal that inputs aren’t enough.

  • Digital shift creating accessibility gaps. The move to digital channels, driven largely by cost and efficiency for firms, has created real problems for vulnerable customers who struggle with pure digital journeys – whether because of capability, sensory impairment, cognitive issues, or simply lack of digital access. Firms that have cut human channels without adequate replacement are increasingly exposed.

  • Growth of vulnerability awareness in the customer base. Customers are more aware than they used to be of what support is available, and more willing to ask for it. This is largely positive – more customers who need help are asking for it. It also means the distinction between customer service issues and genuine vulnerability needs to be clearer. A customer frustrated by multiple layers of digital engagement or chatbots is experiencing a customer service problem; a customer whose specific vulnerability is being poorly accommodated is experiencing a Consumer Duty problem. These need different responses.

  • Communication preferences matter more than channel labels. It’s too simplistic to say digital channels or chatbots are bad for vulnerable customers. Some vulnerabilities are better served by digital – customers who are non-verbal, for instance, may find digital easier than phone. Some vulnerabilities are badly served by chatbots – a customer in mental health crisis doesn’t need to route through an AI gatekeeper. The trend is towards recognising that different vulnerabilities need different channels, and that firms need to offer genuine choice.

  • Growing convergence across sectors. Financial services vulnerability management is being influenced by practice in other sectors – utilities (with Priority Services Registers), telecoms, healthcare. The FCA is working with other regulators through the UK Regulators Network on cross-sector approaches. The direction of travel is towards more standardisation of how vulnerability is identified, supported and shared.

  • Technology maturing fast. Dedicated vulnerability technology is becoming more capable, more affordable and more widely adopted. What was leading-edge two or three years ago is now mainstream, and firms still operating with tick-box CRM fields or free-text notes are noticeably behind the curve.

  • Growing investor interest. As noted in the previous question, vulnerability management is increasingly on the radar of investors, acquirers and professional indemnity insurers. That investor pressure is becoming a driver of change in its own right.

  • Regulatory emphasis showing in enforcement. The FCA’s moves from ‘Dear CEO’ letters and public reviews towards more direct interventions are starting to become visible. Firms should expect this trend to continue.

One underlying point worth being clear about: customer vulnerability should not block access to finance. That only happens when implementation is crude – blanket limits, poorly designed controls, over-use of vulnerability as a reason to refuse service. Done well, vulnerability management opens access by making products and services usable by people who previously struggled with them. Done badly, it closes doors. The trend across the sector is towards the former, but the patchiness of implementation means some customers are still experiencing the latter.

Is the growing use of digital channels for servicing good or bad for vulnerable customers?

Both, depending on what the firm actually does with it. Digital has significant benefits for some vulnerable customers and creates real barriers for others, and the mix depends on how well the channels are designed and what alternatives remain.

  • Where digital can genuinely help. For customers with certain vulnerabilities, digital is objectively better than the alternatives. People who are deaf or hard of hearing often find digital written channels easier than phone. People who are mute may find digital better than voice channels. People with social anxiety or certain cognitive conditions may prefer the pace and reviewability of digital interactions. People in coercive or abusive relationships may find digital channels safer than ones that could be overheard. People with limited mobility may find digital easier than face-to-face. When digital is well designed for accessibility, it can be a genuine improvement.

  • Where digital creates barriers. For a lot of vulnerabilities, digital is harder, not easier. Customers with dyslexia, low literacy, or cognitive impairment may struggle with text-heavy digital journeys. Older customers without strong digital skills often find digital channels hard to use confidently. People in mental health crisis often need a human voice. Customers without reliable digital access – people living in poverty, people in rural areas with poor connectivity, people without up-to-date devices – are effectively excluded from digital-only services.

  • Chatbots specifically. The growing reliance on chatbots as a first layer of service is a particular concern. For routine queries from resilient customers, they’re fine. For customers in distress, customers who need nuance, customers whose issue doesn’t fit a standard script, a chatbot layer before human contact is a meaningful barrier. The FCA hasn’t specifically ruled on chatbot gating, but repeated complaints about customers unable to reach human support suggest this is on the regulator’s radar.

A few things distinguish firms doing digital servicing well.

  • Genuine choice of channel. Digital is offered but not imposed. Phone, letter, face-to-face where appropriate, and email remain accessible for customers who need them. Routes to human contact are clearly signposted and work – not buried behind menu trees that are themselves a barrier.

  • Accessibility built in by default. Digital journeys meet Web Content Accessibility Guidelines standards, work with screen readers, work with keyboard navigation, use plain language, offer multiple formats, avoid time-outs for customers who need longer, and don’t assume everyone can use drag-and-drop or video. Accessibility is tested as part of normal quality assurance, not as a specialist afterthought.

  • Graceful fallback. When a customer can’t complete something digitally, there’s a clear and easy path to human help. The fallback isn’t punished – a customer using the phone route isn’t charged more or kept waiting longer than one using the digital route.

  • Monitoring by cohort. Digital completion rates, abandonment rates, and outcomes are measured by vulnerability cohort. If specific cohorts are abandoning digital journeys at higher rates, that’s a signal, not a feature.

  • Specific accommodations where the standard digital journey won’t work. For some vulnerabilities, standard digital journeys simply aren’t going to work regardless of how well-designed they are. In those cases, specific alternatives need to be available as of right, not as a grudging exception.

The practical question isn’t ‘is digital good or bad for vulnerable customers?’ – it’s ‘is our digital offering designed to work for the range of customers who might use it, and do we have genuine alternatives for those who can’t?’ Firms that can answer yes to both are generally in a reasonable position. Firms that have pushed customers towards digital primarily to cut costs, without corresponding investment in accessibility or alternatives, are exposed.

The longer-term direction is towards digitally delivered personalisation – services that adapt to the individual customer, with human support available where it matters, and AI filling in around the edges as it matures. But that’s the destination, not the starting point. Most firms are still working through the basics of making digital work for their full customer base.

Will the FCA’s reviews of customer vulnerability lead to additional requirements beyond FG21/1?

Probably not significant additional requirements, but firms should expect clarifications, examples, and a noticeably sharper enforcement stance. The underlying framework is unlikely to change; the emphasis on implementation almost certainly will.

The background. FG21/1 – the FCA’s Finalised Guidance on the fair treatment of vulnerable customers – was issued in February 2021. The FCA has indicated it’s reviewing implementation, in line with its typical three-year review cycle. That review has drawn on survey work with firms of varying sizes, supplemented by the multi-firm reviews and thematic work the FCA has been publishing since Consumer Duty came into force.

What’s likely to come out of it:

  • Clarifications rather than new requirements. The underlying regulatory framework – FG21/1 sitting under Consumer Duty – isn’t expected to be rewritten. What firms are more likely to see is clarification of expectations, worked examples of good and poor practice, and more specific guidance on areas where firms have been getting it wrong. The FCA’s recent pattern has been to add specificity rather than add obligations, so firms should expect similar.

  • Sharper enforcement. This is the big change. The FCA has been increasingly vocal about poor implementation, and the pattern of ‘Dear CEO’ letters, public reviews, and explicit criticism suggests a move from persuasion to enforcement. Firms that have treated vulnerability implementation as optional have been told, in effect, that they shouldn’t keep doing so. The recent report on insurance firms’ Consumer Duty board reports was notably unflattering, and the signal is that the FCA is preparing to use its powers more directly.

  • Continued focus on data and evidence. The consistent theme across FCA communications is that firms need to evidence what they’re doing – not just describe it. Firms that have relied on training, policies and generalised support without capturing structured data on identification, mitigation and outcomes are the most exposed. The FCA’s direction is towards demanding hard evidence, and firms should expect this to intensify.

  • Possible sector-specific guidance. The FCA has already issued sector-specific thematic work (on consumer credit, general insurance pricing, and others). The customer vulnerability review may produce more detailed expectations for particular sectors where implementation has been weakest.

  • Alignment with other regulators. Customer vulnerability is increasingly a cross-regulator topic, with the UK Regulators Network working on shared approaches across finance, utilities, telecoms and other sectors. Firms should expect growing alignment between the FCA’s expectations and those of other UK regulators, rather than each operating in isolation.

The FCA’s most consistent concern has been the lack of progress on implementation by many firms. Bluntly, too many firms treated vulnerability as something that could be handled through customer service team training alone. They’re now discovering, sometimes in public, that this isn’t enough. The changes they need to make – in systems, processes, data capture, and governance – take time and investment, and many are only now starting that work.

The practical message: firms shouldn’t wait for revised guidance to act. The direction is clear, and the firms that invest now in structured identification, proper outcomes data, and credible reporting will find the next phase much easier than those still holding a watching brief. The regulatory framework isn’t changing significantly; the regulator’s willingness to enforce it is.

What is the FCA most concerned about?

Based on the pattern of its published reviews, ‘Dear CEO’ letters, and public communications over the last two years, a hierarchy of concerns has emerged.

  • First: firms not identifying vulnerable customers. The persistent gap between identification rates at many firms (often in single digits) and the roughly 50% population benchmark is the most frequently raised concern. Without identification, none of the rest of Consumer Duty works – firms can’t report on outcomes, can’t provide appropriate support, and can’t evidence compliance.

  • Second: firms not evidencing outcomes. Even where firms have identified vulnerable customers and offered them support, most struggle to evidence that vulnerable cohorts are actually receiving outcomes comparable to resilient ones. The FCA’s interest is in outcomes, not inputs, and the lack of cohort-level outcome data is a persistent gap.

  • Third: poor fair value assessments for vulnerable cohorts. The April 2025 multi-firm review on consumer support and value was particularly pointed about fair value assessments that treat customers as a single population rather than properly examining how vulnerable cohorts are being served. Differential pricing, cross-subsidies, and fees that effectively fall on vulnerable customers without justification are areas of specific concern.

  • Fourth: weak board engagement. Consumer Duty requires annual board-level reporting on outcomes, and the FCA has been explicit that board reports need to be substantive rather than performative. Reports that describe activity without evidencing outcomes, reports that are produced in the week before the board meeting rather than representing continuous monitoring, and boards that receive the report without meaningful engagement – all of these have been publicly criticised.

  • Fifth: reliance on training as a complete response. The FCA has been consistent that training is necessary but not sufficient. Firms that have responded to vulnerability requirements primarily by training front-line staff, without corresponding investment in systems, processes and data capture, are specifically called out.

  • Sixth: fragmentation across the distribution chain. Manufacturers unable to demonstrate outcomes across their distribution, distributors unclear what to share with manufacturers, and customers having to repeat sensitive information every time they interact with a different firm – all of these are areas the FCA has flagged.

  • Seventh: abrupt disengagement from vulnerable customers. Particularly in banking, credit and insurance, the FCA has been vocal about firms ending relationships with vulnerable customers in ways that look disproportionate or poorly supported. This has been flagged as an active supervisory concern.

  • Eighth: digital channels that don’t work for vulnerable customers. The shift to digital, particularly where it’s been primarily cost-driven, has created real access problems for vulnerable cohorts. Firms that have eliminated or degraded human channels without adequate alternatives are facing increasing scrutiny.

  • Ninth: weak data and poor management information. Underpinning almost everything else, the FCA is concerned about firms that can’t produce credible data on who their vulnerable customers are, what’s been done for them, and what outcomes they’re achieving. Data quality is the foundation of everything else, and gaps here tend to correlate with gaps elsewhere.

  • Tenth: the slow pace of change overall. Consumer Duty has been in force since July 2023, and vulnerability guidance has been in place since 2021. The FCA has indicated it’s losing patience with firms still at the planning stage on things that should have been implemented by now. The move from persuasion to enforcement is being signalled clearly.

The underlying message across all of these is that the FCA expects firms to have moved beyond good intentions into credible, evidenced delivery. Firms still at the intentions stage should expect the regulatory environment to become progressively more uncomfortable.