Customer vulnerability FAQs: engaging
How do you best engage with vulnerable customers?
The FCA’s Financial Lives survey puts the proportion of UK adults showing signs of vulnerability at around half of all people at any one time – and Watermelon Research reckons it’s a little higher, nearer 56%. Whichever figure you lean on, the point is the same: customer vulnerability isn’t a niche concern. These questions, which were drawn from an extensive industry Q&A, look at how firms engage with those customers – identifying them, talking to them, supporting them, and evidencing all of it.
How can firms proactively identify vulnerabilities in a non-face-to-face, execution-only business model?
Every regulated firm – whether intermediary or manufacturer, online or bricks-and-mortar – needs to understand its customers, treat them appropriately, monitor them over the lifetime of the product, and understand the outcomes for vulnerable cohorts. So, every firm needs a method for gathering that information.
Either the intermediary or the manufacturer can do the work, or both can share it. It doesn’t matter which, as long as someone does it. The problem is when firms assume the other party is handling it, don’t discuss it, and we end up with no one doing it. Working together in this way may be a significant change of process for some firms and it takes cooperation. Bluntly, the whole point of Consumer Duty is to stop products being sold without regard for whether they suit the customer – and that responsibility sits with firms, not consumers.
The FCA doesn’t prescribe how this is done, only that it’s done. Each firm can build the process around its own engagement model. The trick is to look at the customer journey and find the most effective point for an assessment – and to work out when and how reassessments should happen, so that monitoring continues over the product’s life. It isn’t as hard as it sounds. Firms with front-line staff can build the assessment into those conversations, or have staff invite the customer to complete one. Firms with digital journeys can embed a digital assessment, with some human oversight where it helps.
MorganAsh’s vulnerable customer management software, MARS, was built to support all of these routes: an online self-assessment which the consumer can complete themselves; an agent- or adviser-led assessment; and, in rare cases where perhaps mental capacity is in doubt, or there are similar sensitive issues, an assessment can be undertaken by a MorganAsh nurse. MARS also checks against the Vulnerability Registration Service. It offers highly flexible tailoring of question sets, which can be quickly set up for each firm. Intermediary, manufacturer, or both – it’s covered.
However you do it and whenever you do it, the responsibility is always there, so intermediaries and manufacturers must talk to each other, share information where appropriate, and make sure nothing falls between the cracks.
How do you identify vulnerable customers when you’re onboarding thousands of customers a month?
Any conversation about customer vulnerability at scale must involve technology.
The first instinct for many firms has been to train front-line staff – usually because that is a familiar solution to many problems – and hope that covers it. There are a few problems with that, and scalability is the obvious one. The bigger your customer base, the more staff you need, and the more training they need. You wouldn’t solve an accounting problem by hiring more mathematicians – you’d use software. Customer vulnerability is no different. Technology doesn’t care how many customers you have, and it doesn’t get less accurate or more stressed as the numbers climb.
Implementing this kind of technology may mean tweaking your current customer journey, but the changes don’t need to be heavy-handed. Digital and analogue channels can both use digital questionnaires, supported by human activity where it’s needed – and some firms are already doing this well. It’s quick for the customer and it’s cheap and effective for the firm. There’s a separate conversation to be had about disclosure rates across different channels, and benchmarking between channels, firms and sectors will sharpen that picture over time.
It’s hard to get consumers to share vulnerability information for unadvised products such as insurance. Any thoughts?
The principle doesn’t change by product: if you’re selling a financial services product, it’s covered by Consumer Duty, and you should understand the customer’s characteristics of vulnerability. Plenty of insurance products look low risk from a customer vulnerability perspective, but that’s not the same as saying there’s no chance of a poor outcome, or that the customer doesn’t need to be understood.
On the idea that it’s hard to get the information – honestly, that hasn’t been our experience, and MorganAsh has more than twenty years of assessing and helping vulnerable people. Once people understand why they’re being asked, most are more than happy to share. The key is to frame it as a positive: for example, saying that “knowing more about you helps us give you better service and more relevant products”. Take-up rates on our MARS assessments are very high – typically 80%–90%.
It’s understandable that firms don’t want to add friction to the sales process, so how you embed assessments into the customer journey matters. But the responsibility to understand customers, monitor them over time, and report on outcomes doesn’t go away.
Should we categorise severity? We’re recording the nature of the vulnerability alongside the FCA’s four categories, but not severity as a distinct field.
Yes, and frankly, you need quite a bit more than that.
To mitigate issues and monitor them over the life of the product, firms need to capture detail well beyond ‘vulnerable or not’ or the FCA’s four high-level drivers. No one is simply resilient or not, any more than people are either rich or poor. The most useful approach is to break down customer vulnerability into its constituent parts: the consumer’s characteristics (specific to them – poor vision, bereavement, dyscalculia, whatever it is) and the interaction with the firm (specific to the product or service – a pension, a short-term loan, a motor policy). It’s the combination of these two which creates the potential for harm.
You need the characteristics because they often change over time. You need the interaction because the vulnerability should be monitored in context. And you need severity because it materially changes the action required. Someone with a gambling addiction probably isn’t at risk when buying an insurance policy, but might be very much at risk with a short-term loan. Severity and context together tell you where to focus.
How far should a contact centre agent go when signposting a vulnerable customer?
How firms approach signposting, in terms of how specific it gets, is up to them. The regulations don’t say you have to do anything beyond understanding consumers, considering their vulnerabilities, and making sure they aren’t put into preventable harm.
That said, helping a customer is part of keeping them out of harm’s way, and helping them become more resilient is good for the firm as well as the customer. There’s a strong case for helping – and this also pays off in loyalty and advocacy, so it isn’t purely altruistic. Equally, some signposting doesn’t move the needle. Most people with an addiction already know the relevant charities, and ‘we sent them a leaflet’ isn’t the kind of evidence that’ll stand up to much scrutiny.
The FCA talks about different cohorts. Is it too granular to break customers down by vulnerability type, and then by the support offered?
Not at all – and the evidence you gather from doing it will be useful, especially if feedback from customers prompts process changes for a particular cohort.
Start by breaking customers down by type of vulnerability and then by the support actions you’ve recorded (at MorganAsh, we call these ‘pathways’). Go further than type, though – capture severity as well (for example, people with eyesight issues aren’t all blind) and the interaction (the product). MARS users have given us some great examples of information they didn’t previously have and how they acted on it. One involved a financial adviser whose long-standing client turned out to have dyslexia. That’s not something you can see, and it’s not the sort of thing people automatically volunteer – they’re not hiding it, but to them it’s just who they are. The adviser had been assuming the client was reading and absorbing written documents in the usual way; in reality he wasn’t. They switched to sending the advice and breakdowns as short videos – quick, inexpensive, effective – and both the client and his family were delighted. That’s captured as a pathway, and the outcome is captured alongside it.
How are firms capturing vulnerability information as the vulnerability itself, or as the action needed? For example, recording ‘send documents in braille’ rather than ‘customer is blind’.
Some firms are doing it this way, but the approach has real weaknesses.
It’s usually driven by a couple of assumptions that don’t hold up: that clients won’t disclose personal information, or that storing it cuts across GDPR. Neither is true. People are often more comfortable talking about personal circumstances than finances, which firms ask about as a matter of course. GDPR isn’t a barrier either – it’s a question of getting the right consent and using the data appropriately.
To be fair, ‘send documents in braille’ does rather give away that the customer is either fully blind or nearly so, so it isn’t exactly disguising the characteristic. And, in simple cases, this approach can get you through the day. But it falls down as soon as things get more nuanced.
Take ‘send large print’. You have no idea whether that’s because the customer has poor eyesight, a learning difficulty, poor reading skills, dyslexia, ADHD, autism – or several of those at once. You’d end up recording thousands of potential actions and asking staff to memorise them. And the way the need shows up in practice could be very different from what you’d assumed – and can change depending on the interaction or the product. Also, some of these characteristics persist, while others may progress. Far better to record the characteristic, so it can be understood in context, monitored over time, and – importantly – reported on by cohort. You can’t record by cohort if you only record the required action – period.
Some would say that there’s a reasonable argument for recording the need rather than the characteristic: it’s what the firm needs to know in the moment, it avoids subjective assessments, it sidesteps some of the data-handling concerns, and it doesn’t require individual staff to understand complex medical conditions. These are fair points. But recording only the need has significant drawbacks:
It’s hard to monitor over the lifetime of a product (often years) because characteristics change, the firm’s products may change, and without knowing the underlying reason, you may miss a later action that becomes necessary.
You’ll develop new mitigations over time that you can’t apply retrospectively if you don’t know who they’d help.
Customers often don’t know what mitigations are available or what the implications are for their financial products – someone going through bereavement or divorce rarely understands how that should affect the advice or service they’re getting.
If you haven’t recorded the characteristic, you can’t really report by cohort.
The cleanest answer is to record the characteristic, its severity, the product or service in question, the mitigation you put in place, and whether it was taken up. If you want to record the need alongside, that’s fine – you’ve covered all the angles.
How do you get a consistent set of definitions for categorising vulnerable customers?
You need an objective method of defining customers’ vulnerability characteristics, a shared vocabulary to describe them, and a way of capturing severity. Without that, you’re relying on individual assessments and opinions – which means no consistency, plenty of scope for preconception or prejudice, and very little ability to monitor a customer over time. It also makes gathering and producing management information slow, manual and expensive.
MorganAsh has spent several years building the set of definitions at the heart of MARS. Customer vulnerabilities are categorised at several levels.
The top level covers broad areas such as health, wealth and life events.
The next level breaks these down – for health, you’d see physical and mental health, for example.
Below that, things get specific.
The result is a rich, detailed and objective set of definitions with no ambiguity.
Because the MARS assessment is built around simple questions which the customer answers about themselves, neither the customer nor the firm has to make a judgement. MARS applies the definitions and ratings. Nobody is asked “do you think you’re a nine?”. They are simply asked to identify their characteristics – everything else takes place under the bonnet. That keeps assessments consistent, makes cohort reporting easy, and lets data be shared in line with GDPR – most users with data access see only the top level, fewer see the second, and only a few see the underlying detail. Data is shared only on a need-to-know basis.
You could build this kind of system yourself, in theory. In practice, it doesn’t make a lot of sense to – you wouldn’t want to build your own car. It takes months or years of development and debate, and you’d be re-running work that others – especially those with healthcare expertise – have already done. And you don’t know what you don’t know. Better to use the experience of others than to spend ages gathering that knowledge. Build it and you’re facing a long, snakes-and-ladders process. Buy it and you’re up and running in days.
Some customers take exception to the word ‘vulnerable’. How should that be handled?
Avoid the word in customer communications. It’s loaded. Plenty of people who have characteristics of vulnerability wouldn’t describe themselves that way, because they navigate life perfectly well despite those characteristics. Others find the term offensive, or worry that being labelled that way means being treated differently – or being refused service altogether. The research is pretty consistent: avoid the term when you’re talking to the customer.
It’s worse if a firm only has a binary view – vulnerable and not vulnerable – because then the vulnerable become ‘others’. That cuts against the goals and spirit of Consumer Duty. A 2023 paper called Rethinking the word ‘vulnerable’ puts it well: “Widespread, indiscriminate use of the term ‘vulnerable’ is problematic. When used as a term to describe certain individuals or populations in a nondescript and vague manner, the reader ‘fills in the blanks’ of why a certain individual or group is vulnerable. Being vulnerable could be seen as an intrinsic deficit, inferiority or inability to protect the individual’s own best interests. This can in turn reduce both perceived and actual agency of the individual or group, depicting them as ‘others’ who are powerless and in need of protection. This may also result in further stigmatisation and exclusion of these individuals and groups.”
Within the industry, you can’t really avoid the word – that’s how the regulations are written – but with customers, you don’t have to use it.
Handling customer vulnerability well takes empathy, and it isn’t easy. Specialist training helps. Rather than labelling anyone as vulnerable, focus on understanding customers as individuals so you can offer them a better service, more relevant products and clearer communications. Wording like “We want to understand your personal circumstances so we can serve you better”, or even just “are you OK?”, builds trust and invites people to take part. Our customer-facing portal, itswhoiam.me, was designed around exactly that approach.
How do you deal with such a sensitive subject without informing the customer?
Why would you not inform them? If the goal is not to tell the customer, you’re presumably relying on third-party data such as open banking or socio-economic profiling. That data can be useful, but it’s nowhere near comprehensive enough to identify individual vulnerabilities on its own – and you run a very real risk of making a judgement behind someone’s back, based on incomplete information, which can go very wrong indeed.
If you’re gathering the information from the customer directly, which is currently the most reliable way to identify customers’ vulnerabilities, you need their permission to store that data – so you have to tell them you’re doing it anyway. And the whole point of the exercise is to improve the outcome for the customer. These are their consumer rights. There really isn’t a reason to do it covertly and it is an opportunity to create trust, which working covertly cuts entirely against.
What matters is how it’s positioned. Frame it as customer understanding: the more we know, the more we can do. “We need to know more about you as an individual, so we can treat you as an individual.” If the message is positive, most customers are happy to take part. There’s a commercial case too – firms that can do this well have a real differentiator.
Staff can be afraid to signpost or offer support in case they offend. How do you handle sensitive conversations?
This is unfamiliar territory for many front-line staff, and – like anything new – it takes time. Staff are generally comfortable discussing products; working with vulnerable people is a different skill set, and – without the right tools and training – they’ll understandably struggle.
Plenty of firms have leaned heavily on training, which is reasonable because it’s what they’re used to. But they’re now finding that training alone doesn’t get them close to where they need to be. Many still record their vulnerable customer numbers in single percentage digits when the reality is, on average, closer to half. That’s a gap which training alone can’t close.
Customer vulnerability is a complex topic, and it’s a big ask to expect front-line staff to become experts. It would take a lot of training just to identify every vulnerability, never mind assess the different severity ranges for each one. Staff churn, so the training treadmill never stops either. Some training is essential, but much of the heavy lifting can be done by systems that help identify and manage vulnerable consumers. It’s like any other business process.
With the right systems providing the right information, and training focused on using them well (with empathy layered on top) and the firm’s vulnerable customer strategy, those conversations get a lot, lot easier. Staff are equipped instead of exposed.
That isn’t to downplay how difficult some conversations can be. For those cases, MARS users can call on an experienced nurse to carry out the assessment – something MorganAsh has been doing for over twenty years.
Is evidencing customer vulnerability optional? What’s reasonable?
It isn’t optional. At a minimum, firms must record evidence that they’ve tried to assess a customer’s vulnerability. Even if the customer didn’t engage, you need a record that you tried. At the point of a claim or dispute, that evidence really matters – without it, a firm is exposed. The FCA’s reviews have been clear that lack of evidence is a big issue.
The practical challenges are real: how do you identify a customer’s characteristics of vulnerability, how do you categorise them so you can report, and how do you store all of this in line with GDPR? These are precisely the questions MARS was designed to answer, and it’s built from the ground up to gather the information and produce the reporting – which makes managing customer vulnerability considerably easier.
What’s the most effective reporting or evidence of good vulnerable-client outcomes, beyond complaints data?
Complaints data is useful, but by its nature it's lagging – the bad outcome has already happened – and a low complaint rate isn't the same as a good outcome: plenty of vulnerable customers won’t complain, even when things have gone wrong. Real evidence comes from looking at the whole journey and comparing outcomes between vulnerable and resilient cohorts. That’s exactly what the FCA’s Consumer Duty expects firms to report on at board level.
The most useful categories of evidence tend to fall into a few buckets.
Coverage and identification. How many customers have been assessed? How does your identification rate compare with the roughly 50% benchmark from Financial Lives and comparable sources? A firm identifying 6% of customers as vulnerable is almost certainly missing most of them, and that in itself is evidence that something needs to change.
Treatments and their take-up. For each identified customer vulnerability, what adjustment or support was offered? Was it taken up? Did it work? Recording the characteristic, the mitigation, and the outcome gives you a chain of evidence that demonstrates the process is doing its job.
Outcomes across the four Consumer Duty outcomes, segmented by cohort. Product and service outcomes (are vulnerable customers ending up in products that fit them?), price and value (are they getting fair value, or paying more for worse service?), consumer understanding (did they actually grasp the communications?), and consumer support (are they getting through to help, and is it resolving things?). Each of these can be measured – completion rates, persistency, lapse rates, claim acceptance rates, call handling times, first-contact resolution – and then compared between cohorts.
Direct customer feedback by cohort. Net promoter score (NPS), customer satisfaction (CSAT) and short outcome surveys, broken down between vulnerable and resilient cohorts, tell you far more than aggregate scores. If vulnerable customers consistently score lower, you’ve got a clear signal.
Accessibility metrics. Take-up of alternative formats, use of accessibility features, and requests for additional support all indicate whether your inclusive design is actually reaching people.
Governance evidence. Board reports, vulnerable-customer management information, training records, and documented changes to products or processes in response to cohort data.
The point is that the FCA’s interest is in whether vulnerable customers are receiving good outcomes – and whether you can demonstrate it. Complaints data alone can’t answer that. Structured, comparative data, with the chain from identification to treatment to outcome, can.
How much detail is needed to evidence support?
There isn’t a single answer to this – support strategies differ, and will differ again by product and service. Some firms treat ‘sent leaflet’ as sufficient; others want to see evidence that the customer received it and acted on it. There’s also a live debate within firms about how far their responsibility runs – whether it’s enough to note the vulnerability and behave accordingly, or whether they should actively help.
As a principle, going further makes customers better customers, so it isn’t purely altruistic. How far you go is up to you. Some cohorts can be supported together: around 10% of people are dyslexic and roughly 6% have dyscalculia, which is a significant slice of the customer base, and their characteristics materially affect how well they can understand the information you give them. Offering suitable alternatives – or, better, designing the core materials inclusively – makes commercial as well as ethical sense. In that example, you could evidence identification, the provision of information in the right way, and verification that the customer understood it. Work out what you think good support looks like, and then deliver it consistently.
How can firms show they’re managing vulnerable clients well and getting good outcomes?
It sounds glib, but by documenting their approach, their actions and their outcomes. The reason this question comes up so often is that the lack of structure in many firms’ approach to customer vulnerability makes documentation hard. Where firms have good processes and good tools, they can demonstrate what they’re doing almost as a by-product. If you can’t document and demonstrate it, the process probably needs a rethink.
Is the FCA’s view on customer vulnerability the same for small firms?
Yes. Every regulated firm has to understand its customers’ vulnerabilities, mitigate potential harms, and monitor customers through the product’s life. That said, how a small firm goes about it may look different: larger firms have more resources; smaller firms can personalise more easily. Both benefit from technology such as MARS, which takes a meaningful bite out of the administrative and reporting burden at any scale.
What’s are reasonable ‘best endeavours’ for customers who won’t confirm they’re vulnerable?
First, drop the word ‘vulnerable’ from the conversation. Ask instead about their personal circumstances and why it helps to understand them. It’s inclusive, it shows empathy, and it positions the process as something that works for the customer rather than against them. The label itself can create resistance, which is counterproductive.
This is one reason our automated assessments work well. Take-up is high because the questions are about characteristics rather than labels – nobody is asked whether they’re vulnerable. They simply answer straightforward questions about themselves, and the system does the categorisation behind the scenes. Customers are often happier to disclose things this way than they would be in a more loaded and potentially awkward conversation.
That said, there are situations where you may need to go further. If you’ve got a gambler in denial who’s investing recklessly, an ‘insistent client’ policy to escalate and manage the case is likely appropriate. These aren’t easy interactions, and the scale of potential harm matters – it’s the driver of how far you push. Where mental capacity is in doubt, an independent assessment is often the right answer, which is why MARS offers a service where mental capacity can be assessed by a qualified nurse.
If a client is in a vulnerable circumstance but doesn’t believe they’re vulnerable, what action should we take?
Treat them according to their characteristics, not their self-identification. The FCA’s FG21/1 is explicit that firms should give appropriate care to customers with characteristics of vulnerability whether or not the customer identifies as vulnerable – and Consumer Duty reinforces that.
Practically, that means a few things. Record the characteristic, its severity and the context – the same as you would for anyone else – so your systems know what’s there, and so future colleagues have the picture too. Don’t use the word ‘vulnerable’ with the customer; frame any adjustments as service options or preferences rather than special treatment. Where you can, lean on inclusive design: communications in plain English, multiple formats as standard, clear signposting to support, extra time to consider decisions. These benefit everyone and don’t single anyone out.
If there’s a specific adjustment that the customer would benefit from, offer it as a choice and let them decide. Most people will accept helpful adjustments when they’re offered neutrally; resistance is usually to the label, not to the help offered. Check in again at the next review – circumstances and willingness to engage both change over time. Also, customers typically respond well to suppliers acting on their personal needs.
If the customer actively declines adjustments, document that too. You’ve acted on what you know, you’ve offered support, and you’ve respected their autonomy. That’s a defensible position. The only exception is where you have a well-founded concern that mental capacity is in doubt, or that someone’s safety is at risk – in which case an independent assessment (a qualified nurse, for example) takes the decision out of the emotional frame and into a clinical one.
A customer displays signs of a mental health issue but completely denies it. Can we record the discussion in their account notes, from a GDPR perspective?
Although the question is framed around GDPR, it pulls in a few other issues worth touching on. In short, yes – you can record the information, because it’s in the interests of the consumer. Other data protection officers may take a different view, and it’s not really our place to advise any firm on how it handles data privacy, but the direction of travel is clear.
Think about it practically. If the customer is later sold a product that turns out to be unsuitable, and a family member who was aware of the issue takes legal or regulatory action, the absence of any record leaves you with no defence. Also, if the condition worsens and there’s a pattern, you can’t spot the pattern unless you’re recording it, and you may continue providing services that put the customer at risk. Without the record, you can’t support them either.
Depending on the product or service, an independent mental capacity test may help. It takes the subjectivity and emotion out of the conversation. MARS users can add this as an option – a qualified nurse carries out the assessment as an independent third party, and because they work with people in these situations routinely, they’re able to put the customer at ease.
When a vulnerable client won’t follow advice, how do you balance duty of care with respecting their wishes?
This one is genuinely hard. You can only go so far. If you’re demonstrably trying, there comes a point where you’ve done what you can and have to respect the customer’s wishes. Record it, though – their view may change, and at a later date (a claim, for example) you may need to evidence that you raised the issue, offered support, and documented the response.
The one clear distinction we’d draw is around risk to life. If there’s a credible and immediate threat to someone’s safety, it should be reported to the police regardless of the customer’s wishes. That’s a different situation from an investment decision you don’t agree with.
Can you share any example assessment questions we can ask clients?
We’ve got lots – and the questions are customised for each firm. But the questions on their own don’t carry much inherent value. What makes them work is the categorisation of the answers and the objective scoring that produces consistent results. The way MARS assessment works is that people flag a high-level issue and only then are further questions asked. Asking these questions and recording them manually would be laborious and not result in structured data anyway.
Categorisation is what turns raw answers into meaning, and that’s where most of the effort in building MARS has gone. Having the questions without the categorisation is a bit like having a dictionary with the definitions removed – you can read the words but not agree on what they mean. The objective scoring is what keeps results consistent across customers, advisers and firms, and takes human subjectivity out of the equation.
Consumer Duty seems to call for personalised solutions, but firms have less face-to-face time than they used to. How should they tackle the need for personalisation?
Broadly, there are two ways to support vulnerable consumers:
Inclusive design – providing the same service to everyone, designed so it works for as many people as possible.
Personalisation – which provides specific mitigating services to those who need them. In practice both have their place.
In the longer term, firms’ activity supporting vulnerable customers will probably shift towards personalised services. If you think about it, many organisations have had this capability for years, but it’s been focused on sales and marketing – the marketing functions of large firms have enormous numbers of data points that they use to target customers on a one-to-one basis, but at scale. The process is similar; it’s the data, the purposes and the measurement that differ.
At the moment, personalised services are mostly delivered by humans. Over the next few years that’ll move towards digitally delivered, segmented services, with human support available as a back-up. A lot of digital journeys were originally designed around cost and efficiency for the firm rather than experience for the customer. There’s no reason that can’t be reversed – some digital journeys are already outstanding – and no reason digital can’t be excellent for the consumer. We see the direction of travel as digitally delivered personalisation, with human support on hand where it matters, and chatbots and AI gradually filling in around the edges as they get better.
How do you balance commercial interests with Consumer Duty’s vulnerable customer obligations?
The question assumes the two are in tension, and they needn’t be. The goal of Consumer Duty is to make things better for customers, which isn’t actually at odds with commercial interests. The regulation exists either way. Firms can treat it as an overhead or as an opportunity. The FCA is explicitly trying to drive a culture change – the most useful thing you can do is look at what Consumer Duty is trying to achieve and work out how to use it to unlock opportunities and create a differentiator. Firms that do the work well end up with more loyal customers, better data, sharper products, and a clear story to tell regulators. That isn’t a cost; it’s a business case.