What counts as a vulnerable customer under FCA rules?

The FCA defines a vulnerable customer as someone who, due to their personal circumstances, is especially susceptible to harm — particularly when a firm is not acting with appropriate levels of care. FG21/1 sets out four drivers: health (physical or mental conditions affecting daily activities), life events (bereavement, divorce, job loss, ill health diagnosis), resilience (low ability to withstand financial or emotional shocks), and capability (low knowledge of financial matters, low confidence in managing money, poor literacy or numeracy, low English-language skills, low digital skills).

How do I record vulnerability without breaching GDPR?

Health-related vulnerability information is special-category personal data under UK GDPR. You need a lawful basis under Article 6 (typically performance of contract or legitimate interest) and a condition under Article 9 (typically substantial public interest under Schedule 1 of the Data Protection Act 2018, with appropriate-policy-document requirements). The FCA and ICO have published joint guidance making clear that fair treatment of vulnerable customers and data-protection obligations are complementary, not conflicting. Get explicit consent where possible, limit the field to what is operationally needed, restrict access, and document the lawful basis in your privacy notice and processing record.

Should every CRM record have a vulnerability flag?

Yes — as a structured field, even if most flags are "no indicators". A binary or three-state flag (yes / no / suspected) plus a short structured-category list (health / life event / resilience / capability) is the minimum. Free-text notes are appropriate for the nuance. The reason every record needs it is that the firm needs to be able to report at portfolio level: how many vulnerable clients does the firm serve, in which categories, what adaptations have been made. Without a structured flag, that report is impossible.

What happens when a client refuses to be flagged as vulnerable?

Vulnerability identification is not a binary the client must agree to. The firm can record observed indicators and the adaptations made, with appropriate notes that distinguish observation from formal categorisation. The client's wishes about how their vulnerability is recorded should be respected to the extent compatible with fair treatment. If the client doesn't want a label but the firm is making adaptations (clearer language, longer meeting times, written follow-up summary), record the adaptations even if the formal flag is not set.

How often should the vulnerability assessment be revisited?

At every meaningful client contact — annual review, change in circumstances notified, suitability re-assessment, complaint or query that surfaces something. Many drivers are transient (life events resolve, health conditions improve or worsen) and the assessment is a snapshot. The annual review is the natural cadence. The firm's board report should show how many clients moved between vulnerability states over the year.

Do all vulnerable clients need a different service?

No. The rule is that vulnerability must not lead to worse outcomes — it does not mean every vulnerable client needs a fundamentally different service. Some need significant adaptations (a trusted third party at meetings, large-print documents, recorded summaries). Some need a small change (longer meeting times, plain-English re-explanation of key terms). Many vulnerable customers want, and are entitled to, exactly the same service everyone else gets, delivered with the same respect. The firm's job is to ensure the outcome is the same.

How to identify a vulnerable client — practical FCA-aligned guide for UK IFAs

Identifying vulnerable clients well is partly a question of process and partly a question of skill. The process bit is the easier half: at every meaningful client interaction the firm runs through the four FCA-defined drivers — health, life events, resilience, capability — asks open questions that surface them, records the answers in a structured way in the client record, and reviews the picture annually. The skill bit is the harder half: knowing what to look for, hearing what's not said, distinguishing a transient life event from an enduring vulnerability, and adapting the service without being patronising. This piece is the practical guide for partners and paraplanners doing the work, anchored in FG21/1 and the FCA-ICO joint guidance on vulnerability data.

A truth most IFA partners agree on, off the record. You can read the FCA guidance on vulnerable customers and still not be sure what to do with the older client who insists they're fine, the recently-bereaved widow who's making a decision two weeks after the funeral, or the client who's just had a terminal diagnosis and wants to redo the whole plan tomorrow. The guidance tells you the principle. It doesn't tell you the meeting.

This piece is the meeting.

The four drivers — what to listen for

FG21/1 defines four drivers of vulnerability. They overlap. A client can have one driver, several, or — at high-risk life points — all four at once. Knowing the drivers cold is the first qualification for spotting them.

Health

Conditions that affect a client's ability to carry out day-to-day activities. The obvious cases are cognitive decline, mental-health conditions, physical disability and serious illness. The less-obvious cases are hearing loss not yet adapted to (the client nods along but isn't following), poor mobility on the day of the meeting (chronic-pain effects), medication side-effects that change capacity hour-to-hour, and the not-yet-disclosed early stage of a condition the client doesn't want to name.

What to listen for: difficulty with documents in normal-sized type, repeated questions about the same topic in one meeting, fatigue mid-meeting, a partner or family member doing most of the speaking.

Life events

Bereavement, divorce, redundancy, retirement (yes — even planned retirement), a terminal diagnosis, becoming a carer, the birth of a child, the death of an adult child, a serious change in a partner's health. Life events are usually transient. They produce vulnerability at a specific period and then resolve, sometimes leaving lasting changes and sometimes not.

What to listen for: "this week", "since the funeral", "since the diagnosis", "since the divorce" — temporal anchors that mark a recent change. The first 6–12 months after a major event is the sensitive window.

Resilience

Low ability to withstand financial or emotional shocks. A client can be a high-net-worth individual and still have low resilience — usually because their wealth is concentrated, illiquid, or psychologically tied to an outcome they need to protect (school fees, an inheritance to pass on, a property they don't want to sell).

What to listen for: anxiety expressed around the irreversibility of a decision, focus on worst-case scenarios disproportionate to their probability, decisions framed by what the client can't afford to lose rather than what they want to achieve.

Capability

Low knowledge of financial matters, low confidence, poor literacy or numeracy, English as a second language, low digital skills. Capability is the driver that most often goes undetected because clients hide it. A client who has accumulated significant wealth without learning the underlying mechanics is, on capability grounds, vulnerable in a financial-advice context — even if their wealth would suggest the opposite.

What to listen for: agreement without questions, deferral to the firm on every choice ("whatever you think is best"), a hesitation around numbers in a meeting, requests for plain-English re-explanation that the client treats as embarrassing.

The questions that surface them

Open questions, ideally early in the meeting, that give the client room to disclose without pressure.

"Is there anything going on at the moment that might affect how we should approach this conversation?"
"How are you finding it managing the financial side of things at the moment?"
"Is there anyone else who'd be helpful to include in these discussions?"
"How do you prefer to receive information — written, talked through, both?"
"Is there anything in the documents we've sent you that you'd like me to go through in more detail?"

These questions sound like polite meeting-opening fillers. They are, in fact, structured vulnerability triggers. A well-trained adviser asks them at every meeting and listens for the answers that need following up.

Recording it without breaching GDPR

Vulnerability data — especially health-related — is special-category personal data under UK GDPR. The FCA-ICO joint guidance on this point has been explicit: fair treatment of vulnerable customers and data-protection obligations are complementary, not in conflict, and firms that fail to record relevant vulnerability information because they're "worried about GDPR" are getting the balance wrong.

The practical setup:

Structured vulnerability flag on the client record (yes / no / suspected, plus driver category)
Free-text notes for the nuance — what was observed, what was disclosed, what adaptations were made
Access restricted to staff with a need (the client's adviser, paraplanner, compliance)
Lawful basis under Article 6 documented in your privacy notice (typically performance of contract or legitimate interest)
Condition under Article 9 / DPA 2018 Schedule 1 documented in your processing record, with the required appropriate-policy document where applicable
Annual review of which records still need the flag, with a documented process for declassifying

The bar is: record enough to deliver fair treatment, with appropriate safeguards. Recording nothing is the worse risk.

Adaptations that actually help

The point of identification is the adaptation, not the label. Adaptations sit on a spectrum from light to substantial.

Light adaptations: longer meeting times (60 minutes scheduled where the firm's standard is 45), written follow-up summary of decisions taken, large-print or plain-language versions of standard documents, calls timed to the client's energy patterns, a stated preference for fewer-but-deeper interactions.

Moderate adaptations: a trusted third party — an adult child, a sibling, a solicitor — invited to meetings with the client's consent, a "two-stage" approach to important decisions (meeting one to discuss, meeting two to confirm, with the gap allowing reflection), a structured cooling-off period built into onboarding.

Substantial adaptations: full advocacy support, joint meetings with a power-of-attorney holder, decisions deferred until the client has had the chance to seek a second opinion, in extreme cases referral to specialist advice or escalation to a relative or social-services contact if the firm has serious concerns about the client's capacity.

The Consumer Duty's expectation is that the outcome for a vulnerable client is the same as for any other client. Not "less service because they're vulnerable" — and equally not "they got something different so the comparison doesn't apply". The adaptation makes the same outcome reachable.

What the year-2 Consumer Duty board report should say about vulnerability

A defensible vulnerable-customer section in the annual report contains:

The count of clients flagged as vulnerable, by driver category, with year-on-year change
The adaptations made and the consumers benefiting from each
Outcomes data — are vulnerable clients receiving the same outcomes as non-vulnerable clients in the same segment, on the metrics the firm tracks
Training the firm has done with advisers and paraplanners on identification and adaptation
The firm's process for staff to escalate concerns about a client's capacity

The most damning finding in any s.166 of an IFA firm is a firm that says it has no vulnerable clients. The British population of advised clients skews older. The probability that no client of a 200-client book has any of the four drivers is effectively zero. A firm reporting nil is reporting that it hasn't asked.

Common questions

{item.question}

{item.answer}

Where Wealth Analytica fits

Structured vulnerability flags belong on the client record. The fact-find and review workflow in Wealth Analyticaincludes prompts aligned to the four FCA drivers so the data is captured in a structured field at the point the conversation happens — not retrofitted in a spreadsheet afterwards. Outcomes monitoring then segments on the flag automatically, which is what the year-2 board report needs.

Every Wealth Analytica article is fact-checked against primary sources where applicable. Read our editorial policy for our sourcing and review standards.