UKGI Compliance Manual

The rules and principles which apply

Characteristics of vulnerability can make it much harder for customers to choose, purchase, access, use, communicate about, pay for or benefit from a product or service, and often require additional or tailored support to help them. However, vulnerability is not always obvious, and one of the biggest challenges firms face in being able to provide appropriate support is awareness of when a customer is actually in vulnerable circumstances.

The FCA requires firms to consider the vulnerabilities that are known to exist or have the potential to exist within the firm's target market and to put in place suitable adaptations and support mechanisms, which are outlined in more detail in Section H.5.3. However, ensuring that support reaches customers who need it most can be a challenge, particularly if customers have fears around disclosure or simply don't disclose because they feel that it is not worth it or that it could result in moral judgement, restrictions or poorer outcomes if they do.

All firms can, however, take simple steps to develop safe disclosure environments which can help to overcome barriers to the disclosure of vulnerable circumstances by:

  • encouraging and facilitating disclosure from the new business stage onwards so consumers' support needs are known and met from the outset (for example by asking the customer if they have any additional support needs or requirements as part of the quotation process and letting the customer know that, if their circumstances change for any reason, they can always contact the firm for help and support),
  • building in simple opportunities for disclosure across support channels, journeys and platforms, to enable disclosure to be made at any point during the life of the customer relationship, and
  • routinely sending signals to consumers that both indicate that disclosure is welcome and show how disclosed information will be protected and used to improve customer experience.

How this may affect firms

For most firms, their customer base may include only some customers who have characteristics of vulnerability, or customers who may experience vulnerability only for a limited time. This will not always be clear to the firm at the outset of the dealings with the customer, and most firms will need to rely on their ability to identify a vulnerability in order to provide additional or tailored support as needed.

Firms will need to ensure that they are encouraging customer disclosure by providing customers with clear opportunities to disclose, accompanied by information on how that disclosure can result in better outcomes, and ensuring that any tailored support offered is actioned promptly and consistently. For example:

  • Making it as easy as possible for customers to disclose a vulnerability across a range of different channels, with examples of the types of support available and clear instructions on how to ask for or request further support (for example having a dedicated section on a firm's website or including a factsheet or dedicated support paragraph with written communications).
  • Where channels are restricted, providing alternative channels, for example, if the firm only deals on-line, having a dedicated telephone support line that customers can access if they experience out of the ordinary circumstances.
  • Training staff on:
    • how to identify signs of vulnerability,
    • the breadth of vulnerability support that can be offered; and
    • how that support can benefit the customer.
  • Recording information relating to the customer's vulnerability (with customer consent) to ensure that customers do not have to repeat themselves or make multiple disclosures when accessing different products and services offered by the firm.
  • Consistently meeting support needs across all future contacts with the firm, building confidence and trust in how the disclosure is providing better outcomes.
  • Signposting where external organisations can provide supplementary support e.g. not for profit debt charities for customers experiencing financial difficulties.
  • Targeted support, for example using AI or other applications/software to identify signs of vulnerability and support needs or monitoring transactional patterns that allow firms to target support messages/communications to groups of customers who show particular signs of vulnerability.
  • Understanding that customer circumstances may change over time; it is therefore prudent to consider touchpoints throughout the customer journey where it would be useful to update information on customers' needs, for example, prompting customers at renewal.

It is very important that, in encouraging and dealing with disclosures of vulnerability, staff treat those disclosures respectfully and impartially (see Section H.5.3 for further information on the skills and capability of staff and Section H.5.3.1 for guidance on interacting with vulnerable customers).

Recording and accessing information

Firms must ensure that they are able to record information on customer vulnerability and that this information can be readily accessed when dealing with customers to ensure that their needs are met promptly, consistently and fairly (often referred to as 'tell us once' systems).

For example, if a customer with a sight impairment requests a document in large print and this is provided, but this is not recorded for future reference, then any further communications sent may not be tailored to meet the customer's needs, i.e. the firm may send out important information that the customer cannot read.

Firms may need to update their client management systems to ensure that vulnerabilities and the steps taken to address these can be recorded and accessed for future reference and that staff are aware of how to access this information and the ways in which appropriate adaptions can be made to support those customers who require them.

Where blanket communications that contain important information or calls to action are sent to clients, firms may also need to consider whether they are able to identify vulnerabilities from mailing lists, to ensure that vulnerable customers receive communications that are consistent with the way in which the firm has adapted its approach to aid communication and understanding.

Personal data must only be processed where there is a lawful basis for doing so as defined under Article 6 of the UK GDPR. Where personal data also includes sensitive information relating to an individual’s health (including for example a medical condition, physical disability, cognitive impairment, learning disability or mental health issue) this is classed as ‘Special Category’ data.

Special Category data requires both a lawful basis AND an additional condition for processing under Article 9 of the UK GDPR. 

Whilst there are a number of permitted lawful bases and additional processing conditions available, most of these are very specific or limited in scope. Vulnerability disclosures can be wide and varied in nature and not always directly relevant to, for example, the rating of an insurance risk or legal performance of the insurance contract itself.

Therefore, in order to ensure compliance with data protection law, it is typically necessary to obtain explicit consent from the customer to record and process data relating to vulnerability disclosures.

Explicit consent must be:

  • Specific to the data and purpose of processing – i.e. if a customer consents to their data being processed for one purpose that does not mean they consent to their data being used for another.
  • Informed – it must be clear to the customer what data will be processed and why.
  • Prominent – consent requests must be clear and unambiguous.
  • Freely given – which means that the customer must be able to make a genuine choice about whether their data is recorded and used for that purpose.
  • Recorded – you must keep a record of what the customer consented to and when, and this must be done clearly and sensitively.

Firms may choose to adopt the TEXAS model which is outlined in Section H.5.3.1 to help them with achieving this.

Firms are reminded that, where consent is relied upon, customers must be given the option to update or withdraw their consent at any time in the future should they wish.

In a situation where a customer is physically unable to provide consent and/or you feel that the customer is at risk of serious harm, including situations which may be life threatening or where the customer's physical safety or financial wellbeing is at risk, we recommend that those cases should be referred to a Senior Manager immediately to determine whether it is in the customer's vital interests that action is taken to prevent harm.

As with all customer data, vulnerability records should be stored and processed in accordance with data protection legislation (see Section K.2), and these should be regularly reviewed and updated to reflect changing circumstances. For example, records of short term vulnerabilities should only be kept for as long as is appropriate.