Customer vulnerability FAQs: identification
How do you identify vulnerable customers?
The FCA’s Financial Lives survey suggests around half of all UK adults show signs of vulnerability at any one time, while Watermelon Research puts the figure closer to 56%. These questions were drawn from an extensive industry Q&A; they explore how firms can accurately identify those customers in order to meet the expectations set by the Consumer Duty.
What is the FCA’s position on the likely percentage of customers who might be considered vulnerable?
The percentage will not be identical for every firm, customer base or product. That said, the FCA’s Financial Lives survey showed that around 50% of consumers are in some way vulnerable at any one time. This figure is reinforced by separate data points: work in the utilities sector shows roughly half of customers are on the Priority Services Register, and firms using MARS (the MorganAsh Resilience System) typically benchmark at similar levels. MARS has benchmarking built in – so firms can compare themselves with the Financial Lives survey and with other firms using MARS.
Some firms will see higher or lower figures depending on their products and customer profile, but variances are rarely huge. The lowest proportion seen among MARS users is in the low thirties.
It is important to note that not all of that vulnerable 50% will require intervention. A useful analogy is sight: people are not simply blind or sighted. Many people are partially sighted or have visual impairments, cope well, and require no adjustment from firms. Even those who are fully blind often use assistive technology and support from family and friends. The point is that firms still need to identify and record these characteristics, because circumstances change. What is not an issue today may become one later, or may be relevant in a different context. Vulnerabilities can be temporary, permanent or progressive.
If firms find that the number of vulnerable customers identified is far lower than 50%, what can they do to turn this around?
Many firms have identified fewer than 10% of their customers as vulnerable, sometimes significantly fewer. While the true percentage can vary, figures in single digits are so far from the expected range that something is clearly amiss – and this should sound alarm bells.
The first step is to check whether the 50% benchmark is valid. It is not just the Financial Lives survey that supports this number; utilities sector data, statistics from Watermelon Research and Age UK, and direct assessment data from MorganAsh’s MARS users all point to similar proportions.
The most common reasons for under-identification are all linked to how vulnerability data is captured:
Firms may only assess those customers who get in touch, or only record information when customers volunteer it. This is a reactive approach, and – given that people can go years without contacting their bank, building society, financial adviser or utility firm – it leaves the greater majority of customers unassessed.
Firms may record customers’ vulnerability information only through limited channels, for example only during phone calls or at the claims stage.
Assessments may be carried out at the wrong moment, or the firm may ask the wrong questions. Staff focused on sales may under-report for fear of adding friction to the sales process.
Some firms still limit their assessments to financial vulnerability and have no means to identify health and lifestyle issues, or fail to record mild vulnerabilities at all. Financial resilience can have some bearing on overall resilience, but it is far from being a protective shield.
The 50% figure encompasses all forms of customer vulnerability, including health and lifestyle, and spans severe, mild, temporary, progressive and permanent issues.
Once firms recognise that low identification is typically a symptom of limited assessment, the fix becomes clear. Assessments need to be proactive and cover all customers, not just those who contact the firm. They should be regular, generally at least once a year – in which case they can comfortably sit within an existing annual review. They should not be dropped in casually as a side element of another process driven by different goals. They should go well beyond financial vulnerability, since even wealthy customers experience bereavement, divorce and life-limiting illness. And severity should be captured and monitored over time rather than customer vulnerability being treated as a binary issue.
Does the expected 50% figure include profiled or inferred vulnerabilities, or just those customers explicitly tell us about?
The 50% includes all vulnerabilities and all severities. Firms need to identify and record the full range, but only a smaller proportion of that 50% will require specific action or could result in harm. Because customers may only volunteer a small percentage of their vulnerabilities, it is essential to ask.
What are the different methods of identifying and monitoring vulnerable customers?
This is an area where many firms struggle, but there are several established methods. No single approach does everything, and most firms should combine more than one.
At the firm level, companies can run surveys, which can be anonymous, to understand the prevalence of vulnerabilities within their target market. This provides extremely useful top-level information but does not help to identify individuals.
At the individual level, identification methods fall into two broad categories. Indirect methods infer vulnerability from other data sources, such as credit reference data, open banking data, or voice analytics that detect patterns in speech. The challenge is that no indirect data source is complete: there is reasonable coverage of financial vulnerability, but very limited information on health, lifestyle and life events. Direct methods engage the customer for their vulnerability information through an assessment – which may be an email, a phone call, a video call, or face-to-face contact. These typically work well.
Methods can also be classified as reactive or proactive.
Reactive assessments wait for consumers to get in touch and either volunteer information or respond to a small number of in-context questions. Voice analytics and human call centre assessment are typical reactive approaches; they can only capture information from those who call in or volunteer it, so the subset reached is narrow. Some reactive touchpoints are poorly timed, for example assessing someone at the claims stage, when they are almost certainly vulnerable anyway.
Proactive assessments are where the firm takes charge and engages the customer directly; this provably and consistently delivers much better results. Well-run proactive programmes typically achieve response rates of 80% to 90%. Some firms have made the assessment a mandatory part of their onboard and review processes and achieve close to 100%.
Most firms will use a combination of methods over the lifetime of a product, making use of different interaction opportunities such as onboarding, review, claims and complaints. Relying on one method, or on methods that inherently lack coverage, will only ever identify a fraction of vulnerable customers.
Firms sometimes avoid direct, proactive methods because they worry that customers will find the questions personal or intrusive. In practice, that fear is misplaced. Over two decades of assessing tens of thousands of people, MorganAsh has found that consumers are often actually far more comfortable discussing their personal circumstances than their finances – which financial services firms ask about all the time.
How should a firm interpret what constitutes a vulnerable consumer, in a way that aligns with regulatory expectations?
The regulatory framework is clear. The FCA requires firms to understand every customer’s characteristics and mitigate any potential harms; monitor customers throughout the lifetime of the product or service; report on outcomes for vulnerable cohorts compared with resilient ones; assess and report on the fair value received by vulnerable cohorts compared with resilient ones; and maintain evidence of all of these.
A useful mindset is to recognise that, since roughly half of all customers are likely to be vulnerable at any point, processes should assume that anyone may be vulnerable rather than assuming everyone may be resilient. A firm which believes fewer than 10% of its customers are vulnerable is almost certainly overlooking most of them. The only certain way to find the vulnerable half is to ask everyone.
What are some key markers to watch for, to help front-line staff identify vulnerable customers?
This question often assumes that identifying customers’ vulnerabilities is primarily the responsibility of front-line staff. Many firms have gone down the route of training those staff extensively, because Consumer Duty placed considerable emphasis on training. In practice, firms have found this approach to be inadequate on its own, and the FCA has since clarified that it expects firms to identify vulnerabilities across all customers, not just those who happen to call in. It is not the consumers’ responsibility to declare that they are vulnerable; it is the firms’ responsibility to identify this.
Even with good training, human assessment is inherently subjective and inconsistent. Customers’ vulnerabilities are numerous, and span a wide range of severities; it’s a tall order to expect front-line staff to become customer vulnerability experts alongside their main role. Training does have a genuine role to play, but technology designed specifically for this purpose is more accurate, more consistent, less subjective, and more likely to identify more people. The two work best together – or combined with other approaches.
There is also a question of what is meant by ‘key markers’. Stress patterns in the voice are often cited, but a person who has been blind since birth is not stressed by what is their normal condition. Likewise, unusual spending patterns may flag a coercion issue but it could be simply because someone has booked a holiday for another family member. Voice analytics can be genuinely valuable for flagging issues such as domestic abuse or coercive control, but it will never be a complete solution.
Markers that staff can usefully watch for include communication challenges such as language barriers, speech impairments, forgetfulness or difficulty understanding information; emotional distress such as anxiety, upset or uncertainty; behavioural indicators such as overreaction or avoiding questions; signs of neglect, frailty or mobility issues where the customer can be seen; signs of loneliness, isolation, coercion, or control; indicators of recent life changes such as bereavement or divorce; reluctance to provide personal information; and signs of exploitation, including one party answering on behalf of another or fearful behaviour.
This is a lot to watch for, and some of these cues, such as reluctance to disclose information or overreaction, should not automatically be flagged as vulnerability. Training can help, but it needs to be backed up by other – joined up – processes.
What are examples of good practice in data capture for customer vulnerability?
Going directly to the customer and asking them questions produces very high-quality data. It also paves the way for any changes you might need to make in how you deal with them subsequently.
A small proportion of people will decline to provide this information, and a small proportion will provide inaccurate answers. Over more than twenty years of assessing vulnerable people, MorganAsh has found both of these groups to be very small. Even allowing for this, the data gathered through direct assessment is far more accurate and up-to-date than information inferred from other data sources. It is straightforward, transparent, and it works.
The data itself needs to be detailed enough to be useful. A simple flag of ‘vulnerable’ or ‘not vulnerable’ delivers little value. It does not tell you whether the vulnerability will change, what kind of vulnerability it is, or how severe it is. Recording ‘eyesight issue’ is similarly inadequate; the customer might simply need glasses for driving, they might be colour blind, they might have macular degeneration, or they might be entirely blind. Each of these has very different implications.
This is why MARS assesses around 100 characteristics of vulnerability. The assessment is not onerous and typically takes just a few minutes, because customers simply check off what applies to them, skipping over what doesn’t. A top-level ‘yes’ triggers follow-up questions to capture detail in context. The result is a detailed, accurate picture of each customer’s resilience or vulnerability.
How do you identify how many of your customers are vulnerable?
A better question is which of your customers are vulnerable. Knowing how many can help shape products, services and processes, but it does not enable proactive support for individuals. Surveys are useful for top-level information, but they tend to lack granularity –they do not tell you who.
To go further, the most effective solution is to ask customers directly. This tells you not just how many are vulnerable but who, and in which ways. Since around 50% of consumers are likely to be vulnerable but we do not know which ones, best practice is to try to assess all customers in order to find that 50%. The most cost-effective and reliable way to do this is to engage actively with consumers and ask them.
Firms vary in where they begin, starting at claims, complaints, onboarding or review, with the aim of building up full coverage over time. The risk with starting at a single touchpoint is that coverage may remain thin, particularly if the firm is waiting for the customer to initiate contact. A proactive, direct approach to all customers, executed with good customer engagement, almost always correctly identifies around 50%. Many firms worry that this will delay a sale or feel intrusive, but in practice this is not the case, provided the assessment methods and communications used are well designed. A structured direct approach also captures temporary and permanent characteristics, their severity, and the associated needs.
How can firms help their staff better identify and manage vulnerable customers where training alone is not landing?
Training can only go so far with a subject as broad and complex as customer vulnerability. Because the FCA originally emphasised the training of front-line staff, many firms made training their first move. Those firms are now finding that training is not a silver bullet. The issue is the sheer breadth of the skill set involved – on top of an already demanding role.
Training still matters, but it is unrealistic to expect it to be the complete solution. There are too many types of vulnerability, each with its own range of severities. Also, human judgement is always subjective and inconsistent, as research on even highly trained ‘unbiased’ professionals such as doctors and judges has shown (judges with at least one daughter are 7% to 9% more likely to vote in favour of a female, for example). Staff turnover means training has to be ongoing – and people forget things in any case.
As with many other areas of business, the more scalable approach is to use good technology (such as MARS) and then focus training on how to use it, how to interpret the data, and how to act on it. Significantly less training is required, and what remains can focus on what people do better than computers, such as providing empathy and understanding. This approach is less expensive, more scalable, more consistent, and generates far richer data for management reporting and compliance.
How do firms encourage customer disclosure – when recorded customer vulnerability rates still fall well below the 50% benchmark?
How the conversation is positioned with the customer has a significant effect on disclosure rates. The word ‘encourage’ matters. Firms should use wording that explains they want to understand more about the customer’s personal circumstances in order to provide a better service and avoid putting them at risk. Customers generally respond well to this framing. The independent website itswhoiam.me has been developed specifically to help position the purpose of assessment from the customer’s perspective.
What works much less well is positioning the assessment as a regulatory hurdle, red tape, or an attempt to ‘find out who is vulnerable’. The word ‘vulnerable’ itself is loaded. Different people understand it differently. Some reject the label out of pride. Others are genuinely vulnerable but, because they cope day to day, do not see themselves that way. Some assume vulnerability applies only to others. And some fear that disclosing a vulnerability might lead to a disadvantageous outcome.
Communications and assessments should feel like a natural part of engagement. It should be clear that the purpose is to benefit the customer and that knowing more about them allows the firm to meet their needs appropriately. Firms should also be clear about GDPR and privacy, explaining how customers’ data will be used and stored.
MorganAsh has assessed vulnerable people for more than twenty years and consistently achieves high disclosure rates. MARS benchmarking is broadly consistent with the 50% figure from the Financial Lives survey. High disclosure is achievable.
How does Consumer Duty affect the definition and identification of vulnerable customers? Should all customers go through an initial assessment?
Consumer Duty broadens the scope of what counts as vulnerability. The FCA identifies four key drivers:
Health covers physical or mental conditions that affect a customer’s ability to engage with services.
Life events covers personal circumstances such as bereavement, job loss or relationship breakdown.
Resilience covers a customer’s financial or emotional capacity to withstand shocks.
Capability covers low confidence in managing financial matters or limited access to digital services.
Consumer Duty emphasises that customer vulnerability is a spectrum, not a fixed category. People can be vulnerable in different ways and to differing degrees, and firms should consider not only those who are currently vulnerable but also those at risk of becoming so, due to changing circumstances.
Whether all customers go through an initial assessment is a firm-level decision, but it is widely considered best practice. Most firms using MARS do this, and some mandate it before accepting a client. Assessing everyone is the most practical and economical way to identify the 50% who are vulnerable. At present, there is no other way to obtain the level of unified detail required on health and lifestyle. The FCA is ultimately most interested in preventing bad outcomes – and firms cannot treat vulnerable customers appropriately if they do not know who they are.
The FCA says it is more interested in the case-by-case support firms give and how they respond to vulnerable customers’ needs, but it also looks at the number of vulnerable customers identified. Which should firms focus on more?
Both. To support vulnerable customers meaningfully, firms need to know exactly who is vulnerable, in which ways, and to what degree of severity. Gathering vulnerability data directly from customers provides an accurate picture of the numbers and also supports meaningful, individualised support. It is also what underpins accurate outcomes reporting. The two goals are inseparable.
What expectations are there for recording perceived customer vulnerabilities versus those customers have specifically disclosed? How proactive does the FCA expect firms to be?
Only a fraction of customers will – unprompted – identify themselves as vulnerable, which is why asking everyone makes sense. The FCA has issued the following clarification: “Under the Duty we expect firms to actively encourage customers to share information about their needs or circumstances, where relevant.” In effect, the FCA does not accept that firms can simply wait for disclosure: being proactive is expected.
What is deemed ‘enough contact’?
Many firms have historically taken a reactive approach, relying on customers to volunteer information, picking up customers’ vulnerability through phone calls (either manually or via voice analytics), or asking staff to judge whether someone is vulnerable. These approaches typically identify only single-digit percentages of vulnerable customers. Firms need to move towards actively engaging with all customers to understand their characteristics and identify those who are vulnerable. Firms that have done this report identification rates close to the expected 50%.
How much engagement is appropriate depends on outcomes for vulnerable cohorts. If, for example, divorcees are receiving poor outcomes and their circumstances are not being identified early enough, firms should look at how to improve identification for that cohort. If a vulnerable cohort is not receiving poor outcomes and the existing process is working, there is no pressing need to change it.
As for frequency, this depends on the firm and the product, and on whether it is short term and high risk or long term and low risk. For most, an annual review works well and is generally frequent enough to capture meaningful changes in health and circumstances. A triggering interaction, such as a claim, is an opportunity to update the data and check in with the customer – rather than being the only time the customer is assessed.
For an existing customer base, would you recommend sending out surveys to all customers or having conversations with them, posing questions about vulnerability one-to-one?
Both are valid, and MARS supports email assessments and one-to-one conversations. Some firms, particularly those with smaller customer bases, prefer to speak with each customer personally, which is a good opportunity to build trust. For others (especially larger firms) this is simply too time-consuming, so an email assessment typically achieves a very good response rate, with one-to-one conversations used for the remaining customers. MARS also supports independent assessments by a qualified nurse, which is useful in rare cases where, for example, mental capacity may be in doubt or sensitive issues are known to exist. MARS can also check against the Vulnerability Registration Service.
Timing is a firm-level decision, driven by products and customer profile. If triggering events (such as renewals, defaults or claims) happen infrequently, they will not provide enough coverage, and by the time they occur the customer may already be in distress and vulnerable. It is far better to assess everyone first and then decide on a reassessment strategy for each customer, so that no one slips through the net.
Do firms have a duty to ask about all possible vulnerabilities? Should they always ask about debts, life events and so on?
In short, yes. The more a firm knows, the more robust its reporting and the better its ability to act. Consumer Duty does not suggest that firms only need to find out about a fraction of vulnerabilities.
Much of what is recorded will not require remedial action. Around 50% of customers may be vulnerable, but only a smaller proportion of that group will be at risk or require intervention. The challenge is that, without asking about everything, a firm cannot know which cases matter. This is particularly important given that vulnerabilities can change and progress.
This does not need to be onerous. MARS assessment questionnaires can be completed quickly through a straightforward check-box format, with follow-up questions triggered automatically when a vulnerability is identified. The assessment covers many characteristics across health, wealth, life events, financial capability and understanding, engagement capability, and support network – and it assesses permanency and how characteristics change over time. It is thorough, but it is quick.
How can firms spot vulnerabilities that are not obvious?
Structured assessment is the answer to most of this. Many vulnerabilities cannot be spotted simply by observing someone or listening to them on the phone. Dyscalculia, for example, is not visible, yet is highly relevant to a customer's understanding of financial services products, and around 6% of customers will have it. Asking customers directly works; MARS benchmarks as comparable to the Financial Lives survey in the percentages it identifies.
Some vulnerabilities are very difficult to spot, either because the customer is actively hiding them or because they do not feel the label applies to them. Coercive control and forms of economic abuse are particularly hard to detect outright, but structured assessment can still identify them or, at least, flag the need to look further.
Given that around 50% of customers may be vulnerable, should firms proactively segment customers they have not spoken to, for example flagging everyone over 80? What are the GDPR considerations?
It is risky to assume that an entire group is vulnerable purely because of a shared characteristic. Likelihood of customers’ vulnerabilities is a long way from certainty. A postcode may statistically show a higher incidence of early death from cancer, but it cannot be assumed that everyone in the area will develop it. Similarly, it cannot be assumed that everyone over 80 is vulnerable simply because of their age. Age-based segmentation is too simplistic.
A better approach is to assume that every customer is vulnerable until the data shows otherwise, rather than assuming they are all resilient until proven otherwise. Segmentation can, however, be useful for prioritising outreach: age or socio-economic data can help firms decide the order in which to gather customers’ characteristics and circumstances, which is efficient and sensible.
On GDPR, applying a vulnerability flag based on assumption rather than fact risks storing and sharing information that is not factually correct, without having sought permission to do so. This is another reason direct assessment works well: GDPR permissions can be secured at the outset, alongside the data itself.
Should firms record vulnerabilities even if there is no customer detriment?
Yes, for two reasons. First, circumstances change. A condition that is mild at the point of assessment may become relevant years later, perhaps when another product is being purchased. If a mild vulnerability was dismissed and not recorded, the firm may be unaware that the customer is later being put at risk. Second, recorded characteristics provide evidence should a complaint or claim arise.
Many organisations do not have the engagement levels of high-street banks and may never understand the true level of customer vulnerability. When is enough contact enough?
High-street banks have a high volume of transactions, but many customers still go years without direct engagement, so they are not necessarily a useful benchmark. Every regulated firm needs to understand its customers’ vulnerabilities and treat them appropriately. If data is missing, it needs to be gathered.
Frequency depends on the firm and its products. Financial advisers often review annually, which is generally a sensible timescale – frequent enough to catch most changes without being intrusive. Some firms may need reviews more or less often than this. What the FCA requires is that the process happens and is evidenced, with outcomes reported for vulnerable cohorts against those of the resilient. If assessments are too infrequent, outcomes will show it, which in turn helps firms calibrate their timing.
What is the FCA’s thinking on financial vulnerability? Does it expect proactive action before a customer falls into the regular collections process?
The FCA has updated its guidance to require firms to ‘actively engage’ to understand customers’ vulnerabilities. Reactive approaches – waiting for people to volunteer issues, or only capturing them at the claims stage – do not work; they often catch the issue too late, when harm is already occurring or has occurred. The FCA’s expectation is that firms act proactively.
What is the distinction between a customer being vulnerable and a customer receiving a poor outcome for which they are being remediated?
The 50% figure includes both transient and permanent vulnerabilities. In practice, flagging people simply as vulnerable or not, or splitting them into temporarily vulnerable versus permanently vulnerable, is far too crude. Hearing, for example, generally deteriorates with age. MARS uses around 100 characteristics, each with a severity rating from 1 to 10 and an indication of whether it is likely to improve or worsen. Other methods exist, but without something comprehensive and detailed, there is no consistency, and management information suffers.
If a customer has made a complaint and experienced financial loss, that is a life event in itself. It should be recorded and taken into account. A customer making a claim is, almost by definition, vulnerable at that point, regardless of anything else. Once their situation is resolved, their vulnerability status may change, which is why regular reassessment matters.
Are there software solutions which integrate healthcare expertise to assess customer vulnerabilities?
The clearest example in the UK market is MARS from MorganAsh, which was built specifically around clinical expertise rather than being a general-purpose CRM adapted for the job. That distinction matters because assessing customers’ vulnerabilities isn’t just a data exercise. It involves understanding health conditions, how they affect decision-making and day-to-day life, how they interact with financial circumstances, and when someone needs a different kind of support altogether. Software built without that clinical grounding tends to miss the nuance.
MARS was designed using the knowledge of healthcare professionals – specifically, qualified nurses – and it draws on more than twenty years’ real-world experience of identifying and helping vulnerable people. That experience is baked into how assessments are structured, what questions are asked, how answers are interpreted, and how risk is scored. The result is a tool that produces consistent, clinically-informed vulnerability assessments across an organisation, rather than leaving front-line staff to make judgement calls with varying levels of training and confidence.
One of the more distinctive features is that MARS offers flexibility in how assessments are carried out. Customers can complete an online self-assessment, or an assessment can be agent-led by front-line staff using the software as a guide. In specific circumstances, though – for example, where mental capacity is in doubt, or where the situation is genuinely complex – there is the option to escalate to a qualified nurse. This three-tier approach (online, agent-led, nurse-led) means firms aren’t forced to choose between scale and depth. Most customers can be handled efficiently through the digital or agent routes, while the cases that genuinely need clinical judgement get it.
The nurse case managers at MorganAsh bring extensive experience of supporting vulnerable people in ways that go well beyond a one-off assessment. Their background includes work such as helping people return to work after long-term sickness absence, providing crisis support, and carrying out mental capacity assessments. That depth of practical experience – working directly with people in difficulty, not just theorising about them – is what informs the software’s design and the service wrapped around it.
The practical effect for financial firms is that they get a system which is consistent, auditable and scalable, while retaining access to genuine clinical expertise for the cases that need it. That combination is hard to replicate with generic tooling, and it’s a meaningful answer to the broader challenge of identifying and supporting vulnerable customers in a way that regulators, and more importantly customers themselves, would recognise as doing the job properly.