Embedding vulnerability in complaint handling: a guide for leaders

This guide is written for complaint handling leaders focused on oversight, MI, and system-level controls.

Systems, data and controls that deliver fair complaint outcomes

Consumer vulnerability is a leadership responsibility that is very much on the regulatory radars.

On 10 October 2024, the FCA fined TSB Bank £10,910,500 for failing to treat customers in arrears fairly. TSB had already paid £99.9 million in redress to 232,849 mortgage, overdraft, credit card and loan customers. The issue was not bad intent. The issue was weak systems and controls that produced poor outcomes for consumers in financial difficulty.

It’s a reminder that regulators don’t only look at outcomes. They look at whether your controls are strong enough to prevent predictable harm.

If you lead a regulated complaints function, the question is simple:

Can your operation detect vulnerability, adapt processes, and evidence fair outcomes every time?

What does vulnerability mean in practice? The FCA definition

It's your firm's responsibility to identify vulnerability, not the customer's.

The FCA defines a vulnerable customer as someone who is especially susceptible to harm because of personal circumstances.

Practically, vulnerability characteristics fall into three categories:

• Permanent: for example, long-term health conditions

• Sporadic: for example, fluctuating mental health or episodic illness

• Temporary: for example, bereavement or job loss

Sporadic and temporary vulnerabilities can be undeclared, which often makes the complaint more complex.

• Sporadic cases require regular reviews and a consistent approach

• Temporary cases need time-limited adjustments with clear review or expiry dates

Where complaint handling breaks down

If frontline teams lack the skills and capability to recognise and respond to vulnerability, the FCA requirements will be missed.

The biggest risks are operational, not ethical, and common pitfalls include:

• In-depth training is reserved for 'specialist teams' when it’s the frontline staff who first need to identify vulnerability markers

• Missed markers because information logged in one channel isn’t visible in another

• Fragmented workflows due to inconsistent policy interpretation

• Weak evidence that won’t withstand FCA or FOS scrutiny

Regulators act when system weaknesses harm vulnerable customers. For example, in May 2022, Ofgem required Western Power Distribution to pay £14.9 million into the Redress Fund, after failing to provide essential services and information to Priority Services Register customers.

Different sector, different regulator, but the same message: system gaps cost both customers and the business.

To support consistent decision making across handlers, you can also use the 5 Cs of complaint handling framework.

FCA vulnerability guidance

Ensuring vulnerability is detected and addressed appropriately is a core part of the FCA’s focus on customer protection. Complaint handling in particular, needs specific attention because these customers are at a higher risk of experiencing, or compounding, financial and emotional harm when a firm fails to act with appropriate care. The FCA’s expectations sets out the standard it holds firms to when they handle complaints from vulnerable customers.

Embed vulnerability frameworks into the workflow

Frameworks work only when embedded into day-to-day systems, not buried in policy manuals.

• TEXAS - manage disclosure and create lawful records

• BRUCE - assess capacity and resilience

• IDEA - build an organisation-wide approach

These models align with FG21/1 expectations and the Money Advice Trust guidance when implemented effectively. The most efficient approach is to embed them into system prompts, templated questions, and signposting libraries so they’re applied in real time with an audit trail.

If you’re a case handler looking for practical guidance on applying vulnerability frameworks, read: A practical guide for complaint case handlers: dealing with vulnerable customers.

Measuring and proving fair outcomes

Under the Consumer Duty, firms must prove that outcomes are fair and consistent for all customers, including those in vulnerable circumstances. This means capturing measurable, comparable data, not just written intentions.

At a minimum, track:

• Average complaint resolution time for each vulnerability type, including the impact of adjustments

• Outcome parity between vulnerable and non-vulnerable cohorts

• Escalation and uphold rates at the Financial Ombudsman Service (FOS)

• Quality of reasoning in case notes and resolution letters

Stating that you are treating vulnerable customers fairly is meaningless without this MI data to evidence it.

The FCA expects firms to provide evidence that they are actively monitoring, analysing, learning, and developing (MALD) to address vulnerability markers.

If you are strengthening reporting and governance, it’s also worth reading what PS25/19 means for complaint MI,because FCA expectations are shifting beyond reporting volume towards insight and oversight.

Technology as the enabler of consistency

Setting good objectives and relying solely on employees to deliver fairness and consistency aren’t bulletproof controls. The best way to safeguard your business and protect your customers is to automate the processes:

• Guided steps in real time that prompt TEXAS or BRUCE actions when risk indicators appear

• A single source of truth, so vulnerability markers travel across all channels

• Automatic audit trails that record every decision and reasoning

• Analytics to spot patterns, forecast risk, and show improvement over time

Specialist complaint management systems guide case handlers step-by-step and capture every action for audit. This is the most reliable way to achieve compliant outcomes.

Vulnerability is not an edge case. It is the sharpest test of whether your systems, culture and leadership actually work.

Frequently asked questions: embedding vulnerability in complaint handling

How do we evidence fair outcomes for vulnerable customers under Consumer Duty?

By being able to consistently show, case by case, how vulnerability is identified, what support or adjustments were applied, how outcomes are reviewed, and what changes are made when harm or repeat issues are found. Evidence needs to show the process worked in practice, not just that a policy exists.

What MI should leaders track for vulnerability in complaint handling?

At a minimum: vulnerability flags, themes by product or root cause, time to resolution, uphold and overturn rates, repeat contact, escalations, and FOS referrals. Most importantly, track whether vulnerability is being identified consistently and whether it changes outcomes or treatment.

How can complaint teams embed vulnerability consistently across handlers?

Consistency comes from system design: workflows that prompt vulnerability checks, required fields for adjustments, guidance embedded into the case journey, QA checks, and MI that highlights gaps. If it relies on memory and good intentions, it will fail under pressure.