Helping leaders embed vulnerability into regulated complaint handling

This guide is written for complaint handling leaders responsible for oversight, MI, and system-level controls.

Systems, data and controls that deliver fair complaint outcomes

Consumer vulnerability is a leadership responsibility and firmly on the FCA’s radar.

On 10 October 2024, the FCA fined TSB Bank £10,910,500 for failing to treat customers in arrears fairly. TSB had already paid £99.9 million in redress to 232,849 mortgage, overdraft, credit card and loan customers. The issue wasn’t bad intent by TSB, it was weak systems and controls that produced poor outcomes for consumers in financial difficulty.

It’s a reminder that regulators don’t only look at outcomes. They look at whether your controls are strong enough to prevent predictable harm.

If you lead a regulated complaints function, the question is simple:

Can your operation detect vulnerability, adapt processes, and evidence fair outcomes every time?

What does being vulnerable mean: the FCA definition

The FCA Handbook defines a vulnerable customer as someone who is especially susceptible to harm because of personal circumstances.

In practice, firms need to categorise vulnerability as:

• Permanent: for example, long-term health conditions

• Sporadic: for example, fluctuating mental health or episodic illness

• Temporary: for example, bereavement or job loss

Sporadic and temporary vulnerabilities can be undeclared, which often makes the complaint more complex.

• Sporadic cases require regular reviews and a consistent approach

• Temporary cases need time-limited adjustments with clear review or expiry dates

The FCA places the responsibility of identifying vulnerability squarely on the firm: they don’t expect the customer to declare it.

Specialist teams aren’t necessarily the answer to protecting vulnerable customers

If frontline teams lack the skills and capability to recognise and respond to vulnerability, it’s obvious that the FCA requirements will be missed. Many firms have created specialist vulnerability teams, believing this solves the problem. It may feel like the right thing to do on paper, but I don't necessarily agree with this approach.

If teams are constantly shielded from these situations, they'll never develop the experience to recognise what isn’t being said, but really matters. The responsibility to look after vulnerable customers shouldn’t sit with one team. Instead, it should be shared across the business, with clear frameworks, training, and support.

We all know that detecting when customer needs additional support isn’t as simple as reading through a list of symptoms and ticking a box. It’s a skill that requires being able to spot the nuances of vulnerability triggers, and then understand how to respond.

If you’re looking for practical guidance on applying vulnerability frameworks for your team, read: A practical guide for complaint case handlers: dealing with vulnerable customers.

The FCA doesn’t get it right every time either

Despite issuing fairly lengthy guidance on vulnerability, the FCA doesn’t always get right.

The documents they publish for consumers often contain language that’s too complex for people with literacy difficulties to understand. For an example, in the case of the motor finance redress scheme, the FCA has published information often using language above the reading age of a 10 year old - the recommended reading age for consumer communications.

Where complaint handling for vulnerable customers breaks down

If complaint teams are constantly firefighting their way through a backlog of cases, the chances of missing a vulnerability marker are higher, because they simply don’t have the time to look, or listen out for them.

The operational risks in complaint handling heighten when the support needed by a vulnerable customer falls short. Needs often weren’t met earlier on in their journey, and missing a second chance will compound the problem.

This is more of a common issue than you might think, and common pitfalls include:

• In-depth training isn’t provided, or is too infrequent

• Missed markers because information logged in one channel isn’t visible in another

• Inconsistent policy interpretation

• Unrealiable reporting and root cause analysis

• Weak evidence that won’t withstand FCA or FOS scrutiny

Regulators act when system weaknesses harm vulnerable customers, which is why it’s important to embed vulnerability frameworks into the workflow.

For example, in May 2022, Ofgem required Western Power Distribution to pay £14.9 million into the Redress Fund, after failing to provide essential services and information to Priority Services Register customers.

A different sector with a different regulator, but the message is the same: system and process gaps cost both customers and regulated firms.

If the decisions being made by your teams aren’t always consistent across case handlers, you can use the 5 Cs of complaint handling framework, to add structure to their approach.

FCA vulnerability guidance for complaint handling

Ensuring vulnerability is detected, addressed appropriately, and recorded is a core part of the FCA’s focus on customer protection, and complaint handling in particular, needs specific attention. This is because customers showing vulnerability are at a higher risk of experiencing, or compounding, financial and emotional harm when a firm fails to act with appropriate care. The FCA’s expectations set out the standard it holds firms to when they handle complaints from vulnerable customers.

Embed vulnerability frameworks into complaint workflows

Frameworks work only when embedded into day-to-day systems, not buried in policy manuals.

• TEXAS - manage disclosure and create lawful records

• BRUCE - assess capacity and resilience

• IDEA - build an organisation-wide approach

These models align with FG21/1 expectations and the Money Advice Trust guidance when implemented effectively. The most efficient approach is to embed them into system prompts, templated questions, and signposting libraries so they’re applied in real time with an audit trail.

Data protection law doesn’t prevent firms from supporting customers in vulnerable circumstances

This is reinforced by the FCA’s joint March 2026 statement with the ICO on vulnerability related data.

It makes clear that data protection law doesn’t prevent firms from supporting customers in vulnerable circumstances under Consumer Duty. It also strengthens the case for systems and processes that help firms recognise vulnerability, support disclosure, record and access relevant information appropriately, tailor communications, share information responsibly across the distribution chain, and monitor outcomes consistently.

Build communication adjustments into complaint workflows

It’s not enough to expect case handlers to remember every possible vulnerability adjustment in the moment, especially if they aren’t frequently exposed to these types of complaints.

Leaders can help by making sure common support options are built into the process itself. This includes communication channel choices, accessible formats, plain language prompts, written summaries after key calls, and clear ways to record when a trusted third party is involved.

When these adjustments are built into workflows, templates, QA checks, and management reviews, firms are less likely to rely on individual judgement alone. This improves consistency, strengthens the audit trail, and makes it easier to evidence fair treatment later.

Measuring and evidencing fair outcomes

Under the Consumer Duty, firms must prove that outcomes are fair and consistent for all customers, including those in vulnerable circumstances.

This means capturing measurable and comparable data.

At a minimum, track:

• Average complaint resolution time for each vulnerability type, including the impact of adjustments

• Outcome parity between vulnerable and non-vulnerable cohorts

• Escalation and uphold rates at the Financial Ombudsman Service (FOS)

• Quality of reasoning in case notes and resolution letters

You can have comprehensive policies in place, have the best of intentions, and be consistent, but how you are practically treating vulnerable customers is meaningless without this MI data to evidence it.

The FCA expects firms to provide evidence that they are actively monitoring, analysing, learning, and developing (MALD) to address vulnerability markers.

This expectation is now reinforced by the FCA and ICO’s March 2026 statement.

If you’re currently strengthening reporting and governance, or would like to know more, it’s also worth reading what PS25/19 means for complaint MI. The FCA’s expectations are shifting beyond reporting volume towards insight and oversight.

Using technology to improve consistency in complaint handling for vulnerable customers

Setting good objectives and relying solely on employees to deliver fairness and consistency aren’t bulletproof controls. You can have a great team, but when the pressure’s on, it’s easy for people to forget, or miss a vulnerability marker.

The more reliable and consistent way to safeguard your business and protect your vulnerable customers is to automate complaint handling workflows designed especially for them:

• System flags and notes that are always visible

• Guided steps in real time that prompt TEXAS or BRUCE actions when risk indicators appear

• A single source of truth, so vulnerability markers travel across all channels

• Automatic audit trails that record every decision and reasoning

• Good quality reports to spot patterns, forecast risk, and show improvement over time

Specialist complaint management systems can help guide case handlers step-by-step through the workflow. They also help and capture decisions clearly for audit. Used well, they make consistent, evidenced complaint handling far easier to achieve.

Vulnerability is not an edge case. It is the sharpest test of whether your systems, culture and leadership actually work.

Frequently asked questions: embedding vulnerability in complaint handling for vulnerable customers

How do we evidence fair outcomes for vulnerable customers under Consumer Duty?

By being able to consistently show, case by case, how vulnerability is identified, what support or adjustments are applied, how outcomes are reviewed, and what changes are made when harm or repeat issues are found. Evidence needs to show the process worked in practice, not just that a policy exists.

What MI should leaders track for vulnerability in complaint handling?

At a minimum: vulnerability flags, themes by product or root cause, time to resolution, uphold and overturn rates, repeat contact, escalations, and FOS referrals. Most importantly, track whether vulnerability is being identified consistently, and whether it changes outcomes, or treatment.

How can complaint teams embed vulnerability consistently across handlers?

Consistency comes from system design: workflows that prompt vulnerability checks, flags and notes that are always visible, extra fields to prompt and record vulnerability adjustments, guidance embedded into the case journey, QA checks, and MI that highlights gaps. If it relies on memory and good intentions, it will fail under pressure.

How can a complaint management system help complaint teams embed vulnerability consistently?

A complaint management system helps complaint teams embed vulnerability by guiding handlers through consistent workflows, prompting vulnerability checks, and making adjustment options clear. It keeps vulnerability information visible across channels, creates an audit trail of decisions, and helps teams spot patterns, forecast risk, and evidence fair treatment. It also reduces cognitive load and makes complaints easier to track and manage.

What reasonable adjustments should leaders build into complaint handling for vulnerable customers?

Leaders should build practical adjustments into complaint handling, including different communication channels, accessible formats, plain language, written summaries, support from a trusted third party where appropriate, and review points for changing needs. The aim is to make support easy to apply, record, and review, not to create a separate process for every case. Teams also need the training and confidence to use these adjustments consistently, otherwise vulnerable customers are more at risk of harm.