
FCA Vulnerability Guidance – Practical Steps

The FCA define vulnerability as “someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care”. The latter part of the definition under the new Vulnerable Customer Guidance (FG21/1: Guidance for firms on the fair treatment of vulnerable customers) indicates a requirement that firms offer a different level of care to customers who are vulnerable.

Firms have long been under the requirement, and moral obligation, to ensure that staff can identify vulnerable customers and offer appropriate support. This requirement remains under the new guidance. The new obligations focus mainly on firm-level steps that can be taken to ensure better support for the typical vulnerable customers your firm may service.

As a consultancy firm, we are focused on providing our clients with practical support whenever new regulations come in. As such, we have analysed the guidance to strip it back to a few key steps firms can take.

Step 1: Identify vulnerability in your customer base or target market

An exercise should be conducted to analyse your customer base and identify the nature and scale of vulnerability present. For example, your firm might supply a service typically used by older persons; as such, you can identify that they are more likely to suffer from health-related vulnerability. Conversely, your firm might offer products typically used by people with low financial education or resilience. Using your product information as well as MI, you should aim to understand the nature of vulnerability and approximately the number of customers impacted. To assist, you can refer to the four main drivers of vulnerability identified by the FCA within their guidance document.

Step 2: Conduct a vulnerable customer needs gap-analysis

You can start by understanding the impact the vulnerability has, whether this is a reduced ability to understand information, financial impacts, behavioural bias, increased time pressures, preoccupation of thoughts causing a lack of focus on the service, the impact of medication (such as remembering less information), finding it difficult to access the service, becoming reckless, or a scarcity mindset (Mullainathan & Shafir, 2013, Scarcity: Why having too little means so much).

Once you understand the customer's needs, you can start to investigate mitigation, in much the same way you would mitigate a risk. Possible mitigation could include designing your online systems to encourage disclosure, making customers aware of support available through additions to your standard letters or by other means, simplifying products, simplifying standard correspondence (many adults have a reading age of a 7-11 year old), and building flexibility into products and communication.

You will then be able to identify whether you already have the mitigation in place, or whether there are further steps you can take. Where you have a gap, you should be able to assess the severity and number of customers it might impact and thus apply a risk-based approach to resolving identified gaps.

Step 3: Vulnerable customer support by design and default

Taking a leaf from GDPR, we should, according to the FCA’s Vulnerable Customer Guidance, have vulnerable customers in mind at each stage of the development cycle from initial idea through to implementation. Perhaps the easiest way to think of this is similar to data protection by design and default where a data controller would, as part of their change management process, consider data protection as part of the design process, usually with the support of a DPIA. The FCA don’t say it in those terms, but their requirement to assess the impact on vulnerable customers throughout the design process can be equated to the GDPR requirement.

Positive indicators that vulnerability has been considered at the design stage include the use of focus groups or consulting with experts. This could result in flexibility being built into products, such as payment deferrals where the customer base tends to be of lower financial resilience. Empowering staff to escape automated processes is another indicator, as is designing sales processes to encourage customers to obtain advice (or signposting those at greater risk of harm), using a range of distribution channels, and designing online systems so customers can notify a firm of their situation and/or easily provide third-party authority.

Firms can then stress test their product or service through a range of scenarios to see how it might perform; mitigating identified harms would be fantastic evidence of compliance.

Step 4: Staff training and support

Firms already do a lot to train their staff members in respect of vulnerability (we know, as it is one of our best-selling e-learning courses), but too often the focus is on front-line staff. This guidance makes it clear we should consider the training relevant to the role of the individual, meaning firms need to start looking at back-office functions more closely. Another interesting addition is the need to offer emotional support to staff who have been helping vulnerable customers. No doubt one of the best ways you can ensure the right culture of your firm is by treating your team members in the same way.

Step 5: Monitor and Review

Finally, the FCA require firms to regularly monitor the success of their vulnerable customer arrangements, review relevant MI and take action to improve. We see this as very much part of the governance arrangements firms should already have in place.

