Identifying vulnerable customers is only the beginning. What matters is what happens next. If your vulnerability data is not driving different outcomes, it is not doing its job.
Many firms in financial services have invested heavily in identifying vulnerable customers. Flags are recorded. Disclosures are logged. Identification rates are tracked and reported. On paper, the firm knows who its vulnerable customers are.
But the FCA is increasingly asking a harder question: what are you doing with that information? Identification without action is not a vulnerability strategy. It is a data collection exercise that’s also a GDPR breach.
The identification trap
There is a pattern we see across financial services. A firm builds a good identification process. Colleagues are trained to recognise vulnerability. A flag is added to the customer record. The firm can report that a certain percentage of its base has been identified as vulnerable.
The problem is what happens after the flag. In too many firms, nothing changes. The customer continues through the same journey. The same letters are sent. The same collections process applies. The same digital-only channel is offered. The flag exists, but it does not trigger a different experience.
FCA vulnerability guidance, including FG21/1, makes it clear that firms must go beyond identification. They must understand the needs of vulnerable customers and respond to those needs in ways that lead to good customer outcomes. Reducing vulnerability risk means designing journeys that adapt when vulnerability is present, not simply recording its existence.
This matters at the individual and systemic levels. An individual flag that does not lead to a different outcome is a missed opportunity. Thousands of flags that do not lead to different outcomes is a systemic failure that regulators will increasingly scrutinise.
What the data should be doing
Vulnerability data has three jobs. First, it should change what happens for the individual customer. A flag should route the customer differently, adjust the communication, extend a deadline, or connect them to a support service. If the flag does not lead to a tangible difference in the customer’s experience, it is not serving its purpose.
Second, vulnerability data should inform how you design and improve your services. When you aggregate the data, patterns emerge. You can see which journeys create the most difficulty for vulnerable customers, which touchpoints generate the most repeat contacts, and where foreseeable harm is most likely to occur. This is the foundation of vulnerability-led service design: using the evidence to redesign services around the customers who find them hardest to use.
Third, vulnerability data should feed your governance. It should give your board a clear view of whether vulnerable customers are receiving good outcomes, where the gaps are, and what is being done about them. This is what good vulnerability governance looks like in practice: data that drives decisions, not data that fills a report.
The data quality question
None of this works if the data itself is unreliable. We often find that firms have invested in identification but not in the quality of what is being recorded. Vulnerability flags are binary when they should capture nuance. Categories are too broad to be actionable. Records are not updated when circumstances change and instead reflect characteristics of vulnerability rather than actionable needs.
There is also the question of what you are not capturing. Solicited and unsolicited insights from colleagues, from customer feedback, from journey data, and from repeat contact patterns all contribute to a fuller picture of vulnerability across your customer base. If your data strategy relies solely on what customers disclose, you are missing the customers whose vulnerability is never stated but clearly visible in how they interact with your service.
The best firms combine disclosure data with behavioural signals. They look for patterns in how vulnerable customers use their services, not just whether they have been flagged. Repeat contacts, journey abandonment, late payments following a life event: these are all indicators that vulnerability may be present, even where no disclosure has been made.
From data to accountability
The firms that use vulnerability data well treat it as an operational tool, not a reporting metric. They connect identification to action at the individual level, use aggregate data to prioritise service improvements, and build vulnerability into their governance frameworks so that accountability sits at the right level.
This is not about collecting more data. It is about making the data you already have work harder. If your vulnerability data can answer three questions, you are in a strong position: what did we do differently for this customer, what does the data tell us about where our journeys fail vulnerable customers, and what are we doing about it?
If it cannot answer those questions, the data is not the problem. The connection between data and action is.
Let’s talk
If you want to understand whether your vulnerability data is driving the right outcomes, a Vulnerability Review will assess how identification, data, and action connect across your vulnerable customer journeys. We work across financial services and beyond, from retail banking and insurance to lending and wealth management.