Vulnerability Assessment: FCA Guidance, Consumer Duty & Practical Implementation

How UK financial services firms should identify, record, and respond to customer vulnerability under FG21/1 and the Consumer Duty, with practical implementation guidance.

By MEMA Regulatory Team

What It Is

The FCA's approach to customer vulnerability is primarily set out in FG21/1, its finalised guidance published in February 2021. The guidance defines a vulnerable customer as someone who, due to their personal circumstances, is especially susceptible to harm — particularly when a firm is not acting with appropriate levels of care.

FG21/1 identifies four key drivers of vulnerability: health (physical or mental health conditions), life events (bereavement, job loss, relationship breakdown), resilience (irregular income, over-indebtedness, lack of savings), and capability (low literacy, numeracy, digital skills, or limited financial knowledge).

The guidance is not rules-based, but since Consumer Duty came into force in July 2023, vulnerability requirements have become significantly harder-edged. The duty's cross-cutting rules and four consumer outcomes all demand that firms design processes around customers who are, or may become, vulnerable. A firm that fails on vulnerability will almost certainly breach Consumer Duty.

Vulnerability is no longer a standalone compliance exercise. It is embedded in product design, communications, complaint handling, and service delivery. The FCA expects it to be part of a firm's culture, not a tick-box process.

Why the FCA Cares

Vulnerable customers consistently experience worse outcomes. FCA research shows they are more likely to struggle accessing services, less likely to shop around, more likely to accumulate arrears, and less likely to complain — meaning harm goes undetected longer.

The FCA sees vulnerability as a systemic risk, not an edge case. Its Financial Lives Survey found approximately 47% of UK adults displayed one or more characteristics of vulnerability in 2022. This is close to half the market, not a small population to be handled through exceptions.

Consumer Duty enforcement actions have already referenced vulnerability failures. Firms that cannot demonstrate a coherent framework are exposed to multi-firm reviews, data requests, and thematic supervisory work.

Who It Affects

Every FCA-regulated firm that deals with retail customers is expected to comply with FG21/1 and Consumer Duty's vulnerability-related requirements. This includes:

  • Consumer credit firms — lenders, brokers, and debt collectors, where vulnerability intersects heavily with affordability and collections.
  • Insurance firms and brokers — where vulnerability affects the ability to disclose material facts, understand policy terms, and navigate claims.
  • Mortgage advisers and lenders — where customers in financial difficulty or with health conditions may need adjusted communication and forbearance.
  • Claims management companies — which serve a disproportionately high number of customers experiencing vulnerability.
  • Wealth managers and financial advisers — where cognitive decline, bereavement, and capacity concerns are particularly relevant.

The FCA does not distinguish between large and small firms in its expectations, although implementation should be proportionate to size and customer base.

What Firms Get Wrong

Common failures identified through FCA supervisory work and thematic reviews include:

  • Treating vulnerability as a category, not a spectrum. Firms create a binary flag without capturing type, severity, or impact. This produces meaningless MI and prevents tailored responses.
  • Relying on customer self-identification. Firms wait for customers to disclose vulnerability rather than proactively identifying indicators through staff interactions and data analytics.
  • Failing to act on identified vulnerability. Staff record vulnerability but systems trigger no adjusted treatment. Identification without action is worse than useless — it creates a record of the firm knowing and doing nothing.
  • Inadequate staff training. Training is infrequent, generic, or purely theoretical. Staff lack the practical skills to have sensitive conversations and respond appropriately.
  • No outcome monitoring. Firms do not track whether vulnerable customers achieve comparable outcomes to non-vulnerable customers. Without this data, Consumer Duty compliance cannot be demonstrated.
  • Siloed approach. Vulnerability data captured at one touchpoint is not visible at others. A customer who discloses a health condition to a call centre agent should not have to repeat themselves to the complaints team.

What Evidence the FCA Expects

The FCA expects firms to maintain evidence across several areas:

  • A vulnerability policy approved by the board, setting out the firm's approach to identifying, recording, and responding to vulnerability.
  • Training records demonstrating that all customer-facing and relevant back-office staff receive initial and ongoing vulnerability training.
  • A recording mechanism capturing vulnerability data in a structured way, linked to customer records and accessible across the firm's systems.
  • Outcome data and MI comparing vulnerable and non-vulnerable customer outcomes across key metrics: complaint resolution times, arrears and defaults, claim acceptance rates, and satisfaction.
  • Board or committee reporting showing senior management regularly reviews vulnerability MI and acts on it.
  • Process documentation showing how standard processes are adjusted for vulnerable customers — alternative communication formats, extended deadlines, additional explanations.
  • Product design evidence demonstrating vulnerability considerations were factored into development, pricing, and distribution as required by Consumer Duty.

Good Implementation

A firm with a strong vulnerability framework will demonstrate several characteristics:

  • Vulnerability identification is embedded in everyday interactions, not confined to a single onboarding questionnaire. Staff are empowered to explore indicators at any touchpoint.
  • The firm uses a structured assessment capturing the vulnerability driver, its impact, and the actions the firm will take. Assessments are reviewed periodically, not treated as permanent.
  • Customer records include vulnerability flags visible to all relevant staff, with notes on adjusted treatment agreed.
  • Outcomes are monitored through regular MI, with gaps identified and corrective action taken. Board reporting includes vulnerability as a standing item.
  • Communications are tested with representative groups including those with vulnerability characteristics, meeting Consumer Duty's consumer understanding outcome.
  • Complaints handling actively considers vulnerability, and complaint data is analysed for systemic issues.

How Our Tool Helps

MEMA's Vulnerability Support Checker enables firms to conduct structured assessments aligned with FG21/1's four-driver framework. The tool guides users through a systematic evaluation of health, life events, financial resilience, and capability factors, producing documented output that attaches to the customer record. It moves firms beyond binary flags to a nuanced approach that captures the type and impact of vulnerability and suggests appropriate responses. The enhanced version includes Consumer Duty alignment checks, connecting assessments directly to duty obligations.

How Our Service Helps

Our Consumer Duty and compliance outsourcing services provide end-to-end vulnerability implementation support. We build vulnerability policies, design sector-specific staff training, and help firms establish MI frameworks that satisfy FCA expectations on outcome monitoring. We conduct gap analyses against FG21/1 and Consumer Duty, identifying shortfalls and providing a prioritised remediation plan. For firms undergoing supervisory engagement or thematic review, we provide preparation support including mock interviews, document review, and MI analysis.

Relevant Sectors

While vulnerability requirements apply across all regulated sectors, certain areas face particular scrutiny:

  • Consumer credit firms manage customers often in financial difficulty, making resilience-related vulnerability a core concern. Collections processes must be designed with vulnerability in mind, and affordability assessments must account for vulnerability drivers.
  • Insurance brokers deal with customers at points of stress — making claims after accidents, illness, or property damage. Vulnerability may affect a customer's ability to understand policy terms or navigate claims.
  • Mortgage advisers encounter vulnerability through financial difficulty, relationship breakdown, bereavement, and health conditions. Rate rises since 2022 have increased customer distress, making vulnerability identification in arrears and forbearance especially critical.
  • Claims management companies by their nature serve customers who have experienced harm or loss. The FCA has specifically highlighted CMCs as a sector where vulnerability must be central to service design.

Frequently Asked Questions

Is vulnerability a permanent state?

No. The FCA is clear that vulnerability is not a fixed label. A customer may move in and out of vulnerability over time, or experience vulnerability in relation to one product but not another. Health conditions, life events such as bereavement or redundancy, low financial resilience, and limited capability can all create temporary or fluctuating vulnerability. Firms must design their processes to capture changes in circumstances, not simply record a one-off assessment at onboarding.

Does the FCA require firms to ask customers directly whether they are vulnerable?

Not in those terms. The FCA does not expect firms to use the word 'vulnerable' with customers or ask a single blunt question. Instead, firms should train staff to recognise indicators of vulnerability through normal interactions — such as difficulty understanding information, signs of distress, or disclosure of health conditions or life events. The key is building a culture where staff feel confident to explore a customer's circumstances sensitively and to act on what they find.

How does vulnerability interact with Consumer Duty?

Consumer Duty significantly raised the bar. Under the cross-cutting rules, firms must avoid causing foreseeable harm and must act to deliver good outcomes for all retail customers, including those who are vulnerable. The consumer understanding outcome (PRIN 2A.5) specifically requires firms to test whether their communications are understood by customers in the target market, including those with characteristics of vulnerability. In practice, a firm that fails to identify and respond to vulnerability will almost certainly breach its Consumer Duty obligations.

What MI should firms produce on vulnerability?

The FCA expects firms to produce meaningful management information on vulnerability as part of their governance framework. This should include the number and proportion of customers identified as vulnerable, the types of vulnerability most commonly recorded, outcomes data comparing vulnerable and non-vulnerable customers (e.g. complaint rates, product holding patterns, arrears levels), and evidence that the firm's board or governing body regularly reviews vulnerability MI and takes action on it. MI that simply counts vulnerable customers without tracking outcomes is insufficient.
