Vulnerable Customers Under Consumer Duty: A Complete Guide

FG21/1, the Four Drivers, and Operational Delivery for FCA-Regulated Firms

Vulnerable customers — those whose circumstances make them especially susceptible to harm — sit at the intersection of two of the FCA’s most consequential conduct frameworks: the 2021 Vulnerable Customer Guidance (FG21/1) and the 2023 Consumer Duty regime (PS22/9). Together, these frameworks impose substantive obligations on regulated firms to identify customers in vulnerable circumstances, adapt their products, services and communications appropriately, and ensure that vulnerable customers achieve outcomes at least as good as other customers. The FCA has been increasingly explicit that these are not aspirational standards — they are operational requirements with real supervisory consequences when firms fall short.

This guide explains how the vulnerable customer framework operates in practice — the FG21/1 four drivers, how Consumer Duty has elevated the standard since 2023, what good operational delivery looks like, and the recurring pitfalls that surface during FCA supervisory dialogue. It also covers the recruitment dimension — the specialist roles that have emerged in larger firms and the senior compliance leadership that owns the framework overall.

What’s missing from most online guidance is the operational detail. The frameworks describe what firms must achieve; this guide describes what good actually looks like — how vulnerability is identified at scale, what training programmes deliver, what MI demonstrates fair outcomes, and how senior management ownership operates effectively.

The Regulatory Framework — FG21/1 and Consumer Duty

The vulnerable customer framework rests on two complementary regulatory components:

FG21/1 — Guidance for Firms on the Fair Treatment of Vulnerable Customers (February 2021)

FG21/1 sets out the FCA’s expectations on how firms should identify and respond to customer vulnerability. It defines vulnerability through four “drivers” (health, life events, resilience, capability), establishes expectations around culture, training, and product/service design, and provides examples of good and poor practice. As Handbook guidance, FG21/1 informs how the FCA assesses firms’ compliance with broader rules — particularly the Conduct Rules and Consumer Duty.

Consumer Duty (PS22/9, July 2023)

Consumer Duty elevates the vulnerable customer obligation by integrating it across the four outcomes and three cross-cutting rules. PRIN 2A explicitly requires firms to consider how their products, prices, communications and support work for vulnerable customers — and to ensure outcomes for vulnerable customers are at least as good as for other customers. See our Consumer Duty Guide and Four Outcomes Guide.

The interaction matters: FG21/1 provides the substantive framework for identifying and responding to vulnerability; Consumer Duty raises the standard at which firms must demonstrate that the framework is delivering fair outcomes.

The Four Drivers of Vulnerability (FG21/1)

FG21/1 identifies four drivers of vulnerability — circumstances that make customers especially susceptible to harm. The drivers are not mutually exclusive (many vulnerable customers experience more than one) and not permanent (vulnerability can be transient or persistent).

1. Health

Health-related vulnerability includes physical health conditions, mental health conditions, cognitive impairments, and disability. Examples:

• Long-term physical illness affecting daily functioning or income capacity
• Mental health conditions including depression, anxiety, and severe conditions
• Cognitive impairments including dementia and learning difficulties
• Disability — visual, auditory, mobility, communication-related
• Severe terminal illness
• Recent diagnosis of conditions affecting financial capacity

2. Life Events

Life event vulnerability includes circumstances that affect customers temporarily or permanently. Examples:

• Bereavement
• Relationship breakdown including divorce
• Job loss or significant income change
• Caring responsibilities
• Domestic abuse including economic abuse
• Becoming a victim of fraud or scam
• Major life transitions (retirement, becoming a parent, etc.)

3. Resilience

Resilience vulnerability relates to the customer’s ability to withstand financial or emotional shocks. Examples:

• Low or unstable income
• Limited or no savings
• High debt-to-income ratio
• Limited social support network
• Financial commitments significantly exceeding income flexibility

4. Capability

Capability vulnerability relates to the customer’s ability to engage with financial products and services effectively. Examples:

• Low financial literacy
• Low literacy or numeracy
• Poor English language skills
• Limited digital literacy or access
• Limited experience with financial products
• Cognitive load from other circumstances reducing capacity

Identifying Vulnerable Customers Operationally

Identifying vulnerability at scale is one of the most operationally challenging aspects of the framework. Firms typically use a combination of approaches:

Customer self-disclosure

Encouraging customers to disclose circumstances affecting their needs — through onboarding questions, ongoing service interactions, dedicated vulnerability disclosure channels, and adjustments tools. Self-disclosure is often the most reliable identification mechanism but depends on customer awareness and willingness to disclose.

Behavioural indicators

Identifying vulnerability through observable behaviours during interactions — confusion in conversation, multiple repeated calls about the same issue, communication difficulties, indications of financial stress in transaction patterns, or specific life events disclosed in passing.

Data-based indicators

Using customer data — including transaction patterns, demographic data (with appropriate care), product usage patterns, and service interaction patterns — to identify potential vulnerability indicators.

Staff-driven identification

Trained customer-facing staff identifying vulnerability indicators during interactions and recording them appropriately. This is operationally challenging at scale but particularly valuable for severe or complex vulnerability.

Third-party referrals

Indications from third parties — family members, advisers, support organisations — that customers may need adapted support. Operationally complex (data protection considerations apply) but valuable in specific cases.

Recording Vulnerability and Customer Consent

How firms record vulnerability information is operationally and legally significant. The framework must:

• Comply with data protection law — particularly UK GDPR Article 9 special category data requirements where health data is involved
• Operate with appropriate customer consent for the use of vulnerability data
• Be retained appropriately and used only for the customer’s benefit
• Be accessible to staff who need to provide adapted support
• Be reviewed and updated as customer circumstances change
• Be deletable on customer request consistent with regulatory record-keeping requirements

Strong frameworks combine clear customer-facing consent processes, robust data security, and accessible staff tools — typically through specialist vulnerable customer technology integrated with the firm’s CRM.

Adapted Support — What Firms Must Provide

Once vulnerability is identified, firms must provide adapted support appropriate to the customer’s circumstances. The specific adaptations depend on the vulnerability driver and the firm’s products, but typically include:

Communication adaptations

• Alternative communication formats (large print, audio, easy-read versions)
• Alternative channels (phone for customers who cannot use digital, in-person where appropriate)
• Additional time for decisions where capacity is reduced
• Repeat communications and structured comprehension checks
• Translation or interpretation services where language is a barrier

Process adaptations

• Extended response times for decisions
• Specialist team escalation for complex situations
• Adapted authentication processes for customers with cognitive or capacity issues
• Forbearance for customers in financial difficulty
• Bereavement-specific processes including dedicated support

Product adaptations

• Product modifications appropriate to vulnerability circumstances
• Alternative product options where standard products are unsuitable
• Withdrawal or modification of features that cause harm to vulnerable customers

Specialist support

• Dedicated specialist teams for severe or complex vulnerability
• Referrals to external support organisations (StepChange, Citizens Advice, MIND, Macmillan, Samaritans, etc.)
• Internal mental health-trained staff for sensitive interactions

Training — The Foundation of the Framework

Customer-facing staff training is one of the most consequential aspects of the vulnerable customer framework. Effective training typically includes:

• Vulnerability awareness — what vulnerability is, the four drivers, the prevalence in the customer base
• Recognition skills — how to identify vulnerability indicators during interactions
• Conversation skills — how to handle disclosure conversations, including sensitive topics like mental health, bereavement, abuse
• Adaptation tools — what specific adaptations are available and when to apply them
• Escalation — when and how to escalate to specialist teams
• Self-care — supporting staff dealing with emotionally difficult interactions
• Record-keeping — how to capture vulnerability information appropriately

Training quality varies substantially across the regulated population. Firms with strong frameworks invest in specialist training — often delivered by external partners with vulnerability expertise — and refresh regularly. Firms with weaker frameworks rely on annual e-learning that produces awareness without operational capability.

MI and Outcome Monitoring

Demonstrating that vulnerable customers actually receive good outcomes requires substantive MI. Strong frameworks include:

• Vulnerable customer identification rates by channel and segment
• Adapted support take-up rates
• Outcome metrics for vulnerable customers compared to other customers (complaint rates, claim outcomes, product persistency, financial difficulty rates, etc.)
• Customer satisfaction specifically among identified vulnerable customers
• Staff training completion and capability metrics
• External support referral patterns and outcomes
• Trends in vulnerability identification over time

The annual Consumer Duty Board Report (see our Four Outcomes Guide) must address vulnerable customer outcomes substantively — not just confirm that a framework exists.

Sector-Specific Vulnerable Customer Frameworks

Banks and credit institutions

Banking vulnerability frameworks operate at scale across retail banking, focusing on bereavement support, financial difficulty (forbearance and arrears), fraud and scam victims (particularly authorised push payment fraud), and digital exclusion. Specialist bereavement teams and financial difficulty teams are increasingly common.

Insurance and protection firms

Insurance vulnerability is particularly engaged at point of claim (where the trigger event itself often creates vulnerability), with specific frameworks for bereavement claims, mental health-related claims, terminal illness claims, and customers in domestic abuse situations. Adapted claim processes are central.

Consumer credit firms

Consumer credit vulnerability focuses heavily on financial difficulty — affordability assessment, forbearance, debt advice referrals, and arrears handling. The FCA has been particularly active in supervising consumer credit vulnerable customer frameworks.

Wealth management and advice firms

Wealth management vulnerability includes cognitive decline in elderly clients, bereavement (where surviving spouses may have limited engagement with the family finances), and capability differences in clients with limited investment experience.

Pensions firms

Pensions vulnerability includes capability issues at decision points (drawdown vs annuity, transfer decisions), cognitive decline in older customers, and bereavement (death benefit decisions).

FCA Supervisory Focus

The FCA’s supervisory dialogue on vulnerable customers has intensified through 2024 and 2025. Key focuses include:

Substantive outcome assessment. Whether vulnerable customers actually receive outcomes at least as good as other customers — measured through MI, not just confirmed in policy.

Training effectiveness. Whether training delivers operational capability, not just awareness. Sample interactions, mystery shopping, and customer feedback all contribute to assessment.

Senior management engagement. Whether the framework has substantive board-level ownership, with vulnerable customer outcomes a regular board agenda item.

Identification rates. Whether vulnerability identification rates are realistic given Financial Lives Survey data — firms identifying very low vulnerability rates relative to their customer base are flagged.

Closed product books. Following the July 2024 closed product extension, vulnerability frameworks must address customers in closed books — not just active relationships.

Specific high-risk areas. Bereavement handling, financial difficulty, fraud victims, and elder financial abuse have all received specific FCA attention.

Common Pitfalls in Vulnerable Customer Implementation

Vulnerability identification rates that don’t match the data. Firms identifying 2-5% of their customer base as vulnerable when Financial Lives Survey data suggests 50%+ have vulnerability characteristics are likely under-identifying.

Training that produces awareness without capability. Annual e-learning typically achieves the former without the latter.

Frameworks that exist on paper. Policies, procedures and training documented but not embedded in operational practice.

Vulnerability data not used to adapt support. Customers identified as vulnerable but receiving standard service is one of the most common operational failures.

Inadequate specialist support. Frontline staff trained for awareness but no specialist team to escalate complex cases to.

Outcome metrics absent. Frameworks measuring inputs (training delivered, identifications recorded) without outcome metrics (vulnerable customer satisfaction, complaint rates, outcome comparisons).

Senior management engagement weak. Vulnerable customer matters not regularly on the board agenda, with senior management challenge weak.

Closed book customers excluded. Vulnerability frameworks designed for active customers but not extended to closed books.

Vulnerable Customer Recruitment

The vulnerable customer framework has created specific specialist roles in larger UK regulated firms:

• Head of Vulnerable Customers — increasingly common in larger retail-focused firms
• Vulnerability framework leads — owning the firm-wide framework design and oversight
• Specialist team leaders — running dedicated bereavement, financial difficulty, or vulnerable customer teams
• Vulnerability training specialists — designing and delivering staff capability programmes
• Vulnerable customer outcomes analysts — focused on MI and outcome assessment

For senior compliance leadership specifically, the SMF16 (Compliance Oversight) typically owns the vulnerable customer framework — see our SMF16 Guide. The framework is also a recurring focus of FCA dialogue, so SMF16 candidates should expect to discuss their experience leading vulnerable customer programmes during interview.

Further Reading and Authoritative Sources

For the FCA’s authoritative guidance on vulnerable customers, see FG21/1. For Consumer Duty, see the FCA’s Consumer Duty pages. The Financial Lives Survey provides authoritative data on vulnerability prevalence in the UK.

Related Guides: Consumer Duty and Conduct

Part of FD Capital’s series of practical guides for FCA-regulated firms: Consumer Duty — Pillar Guide | The Four Consumer Duty Outcomes | Cross-Cutting Rules & Principle 12 | TCF and Consumer Duty | FCA Conduct Rules — Pillar | Individual Conduct Rules (Tier 1) | SMF16 — Compliance Oversight Function