Vulnerable customer categories include those suffering from physical disability, physical / mental health difficulties, cognitive disorders, lower financial capabilities, those at risk of financial abuse or as a result of a life event e.g. bereavement.  Now more than ever is the time for financial services companies to focus their efforts on identifying and assisting vulnerable customers, writes Gillian Kelly, Head of Conduct Risk Services.

Financial services firms should have a good understanding of their customer population and be able to identify actual or potential vulnerability characteristics.  Establishing a Vulnerable Customer Framework will enable firms to do this and consider the treatment of these customer across their business.  Those who do not focus on good customer outcomes may face additional regulatory focus, as we have seen in the UK, where the Financial Conduct Authority has imposed fines for poor arrears and complaints handling, as well as unfair customer treatment.

Findings from a 2018 survey published by the Banking and Payments Federation Ireland (hereinafter “BPFI”) and University College Dublin show that 66.5% of respondents in banking institutions have suspected that a customer is experiencing some form of financial abuse.

Financial abuse is defined by the Health Service Executive (hereinafter “HSE”) as theft, fraud, exploitation, pressure in connection with wills, property, inheritance or financial transactions, or the misuse or misappropriation of property, possessions or benefits.


The Consumer Protection Code (hereinafter “CPC”) defines a vulnerable customer as a natural person who:

  • Has the capacity to make his or her own decisions but who, because of individual circumstances, may require assistance to do so (for example, hearing impaired or visually impaired persons); and / or
  • Has limited capacity to make his or her own decisions and who requires assistance to do so (for example, persons with intellectual disabilities or mental health difficulties).

Section 3.1 of the CPC provides for the treatment of vulnerable customer across financial services. It requires firms to provide customers, who have been identified as vulnerable, with reasonable arrangements / assistance to facilitate them in their dealings with the firm.

The Assisted Decision-Making (Capacity) Act 2015 reforms the law relating to persons who require / may require assistance in decision-making and sets out a functional test for the assessment of a person’s capacity. The Act provides a flexible approach to capacity, acknowledging that it can fluctuate in certain cases. A number of provisions of the Act have not been commenced to date, however, can be referenced to guide best practice.

New category of vulnerability

The impact of COVID-19 has resulted in the growth of the number of customers entering the category of vulnerable (e.g. elderly members of society who are cocooning), as well as exacerbating the impact on those already considered vulnerable (e.g. those suffering from mental health issues / financial issues). Media reports have indicated that the pandemic has seen a rise in the number of people experiencing loneliness, depression and anxiety.

The pandemic has restricted our movements and this has resulted in a change in customer behaviour. Online shopping has sharply risen in 2020 with many customers buying online both for the first time and for their basic and immediate needs (e.g. completing their grocery shopping online or ordering their prescription from the pharmacy). Higher reliance during the crisis on online channels has brought to light the issues facing the digitally disadvantaged. Additionally, we have seen a significant rise in the number of online scams throughout the pandemic, which tend to target those less digitally educated, typically the elderly. Another question facing companies today is how they can identify vulnerability in customers who conduct their journey end-to-end through digital channels. Firms must consider the appropriateness of online sales channels for vulnerable customers, in light of the complexity of the financial product being offered.

The Central Bank of Ireland has stated that insurance firms must have processes in place to engage with customers experiencing financial difficulties in the payment of premiums as a result of the pandemic. Proactive customer communication regarding levels of cover is required and the prominent display of key information related to COVID-19. Firms must be sensitive to any change in circumstances which may have left customers financially vulnerable and ensure customer facing functions are adequately resourced to respond to queries in a timely manner. The BPFI has an established a Vulnerable Customer Forum which enables members to adopt a best practice approach for customers finding themselves in vulnerable circumstances. In response to the COVID-19 crisis, the Forum is meeting weekly to identify and monitor issues facing customers as a result of the crisis.

A number of European institutions have taken measures to address these issues emerging as a result of the pandemic, particularly the move to online customer engagement channels. The importance of digital technology during the pandemic has been highlighted by the European Commission as part of the new Consumer Agenda and it has stressed the importance of an enhanced level of customer protection during this time. The Council of the European Union has noted that customers remain vulnerable due to increased digitalisation. This is not solely as a result of the pandemic but also due to the increased speed at which customers can purchase financial products online and targeted marketing. The Council has noted that while the objective of the Distance Marketing Directive is to foster customer protection, the change brought about by digitalisation mean that some customer needs are not fully addressed (e.g. the presentation of pre-contractual information online in a standardised format).

Identifying vulnerable customers

In order to address the new category of vulnerability emerging, firms should reconsider their current definition of vulnerable customers. Vulnerabilities may not be immediately apparent when engaging with customers and customers may not offer this information freely due to its personal nature (e.g. bereavement / mental illness). Firms should provide staff with the tools to enable them to consistently and effectively identify vulnerable customers. Firms should be aware of patterns, warnings signs and other indicators as a means to identify vulnerable customers. Key considerations in identifying these customers include:

  • Do you have a clear definition of actual / potentially vulnerable customers which is communicated to your staff at all levels?
  • Is training provided to staff both at induction and on an on-going basis?
  • Do you actively monitor customer behaviour and consider potential vulnerability in all customer interactions?
  • Are you hosting focus groups with operational management to walkthrough vulnerability journeys and identify learning points for the firm?

Awareness of the touchpoints across the customer journey is key in the approach to identifying vulnerable customers. Firms should analyse products, processes and all customer journeys to identify where they may particularly affect vulnerable customers and where the nature of the process may cause customers to become vulnerable. Operational staff will interact with customers as part of their day-to-day service offering, however, there are points of the customer journey which are likely to provide greater insight into the financial and / or personal circumstances of customers:

Office workers using laptops
  • Sales / product suitability: Staff will engage with customers during the sales process and in discussions regarding product suitability. This provides firms with an opportunity to identify, from the outset of customer engagement, any vulnerabilities / potential vulnerabilities impacting the customer (e.g. cognitive disorders or physical health difficulties);
  • Arrears / pre-arrears: Financial difficulty may be an indicator of a change in personal circumstances (e.g. a period of unemployment);
  • Complaints: The complaints process may provide insight into the circumstances of the customer and highlight areas where firms must increase their focus on / awareness of potential vulnerabilities. Firms must ensure a drive for continuous improvement in their approach to vulnerable customers, including learning from complaints root cause analysis;
  • Claims handling: This process requires customer engagement at a time when a financial shock may have been experienced. The nature of the financial shock / life event will determine any actual / potential vulnerability impacting the customer and its timeframe (e.g. a long term / short term period of unemployment); and
  • Bereavement: Due to the nature of financial service products (e.g. home insurance / lending products), customers are likely to engage with firms where they have suffered a bereavement. Financial services firms must ensure that they have appropriate processes in place in these circumstances.

Three steps to a Vulnerable Customer Framework:

  1. Proactive steps: Actions to limit the impact of vulnerability when it does arise (e.g. consideration as part of the product / process design);
  2. Detective steps: Understanding the types of vulnerability that may emerge and the triggers which indicate actual / potential vulnerability; and
  3. Reactive steps: Once identified these steps involve the treatment of vulnerable customers (e.g. monitoring of customer engagement with the firm).

Vulnerable Customer Framework

In order to ensure that vulnerable customers are treated appropriately, firms must embed their Vulnerable Customer Framework in their operations. This Framework should focus on providing supports and fair treatment to those customers impacted by a vulnerability. Below are the areas firms should consider when developing / enhancing their Vulnerable Customer Framework:


  • Are your Board and Senior Management Team engaged and receiving regular reports / updates?

Strategy & policy

  • Do you have a detailed and embedded vulnerable customer policy with clear expectations?
  • Do you evaluate your strategy and policy regularly to ensure they remain relevant and up to date?
  • How do you capture vulnerability risk in product design?
  • Do you perform risk and control assessments to identify existing controls for vulnerable customers and any control gaps that exist?

Recording vulnerability

  • Does your record keeping system allow a sufficient level of detail to be recorded regarding the nature of the customer’s vulnerability?
  • Does your recording allow for periodic vulnerability reviews, taking into consideration the changing nature of certain vulnerabilities?
  • Do you use a risk score for vulnerabilities to support treatment strategies?

Management information

  • Does your data show which products / processes are impacting vulnerable customers?
  • Are your Management Information (hereinafter “MI”) metrics aligned to risk and control assessments, as well as risk scores applied to vulnerabilities?
  • Are you providing a holistic customer view to your Senior Management Team and taking proactive steps to address MI metrics which are outside the accepted tolerance level?

Handling vulnerable customers

  • Is there a clear point of contact for vulnerable customers with a specialised support team with experienced staff providing guidance / advice?
  • Are you tailoring communications to the needs of vulnerable customers?
  • Have you engaged with the HSE Safeguarding and Protection Team in your treatment of elderly customers who are at risk of financial abuse / with cognitive challenges?


  • Are all your staff trained on vulnerable customer policy and approach?
  • Does your training programme encourage decision making that will lead to good customer outcomes?
  • Does your training programme incorporate on-the-job learnings from experienced staff?
  • Do your staff view vulnerability as ever changing and do they consistently monitor customer behaviours?


  • How are you supporting customers who are digitally disadvantaged?
  • How do you assist vulnerable customers in gaining remote and digital access to services?
  • Does your presentation of information online allow for sufficient clarity to all customers?
  • Do you make your customers aware of potential / actual fraud and have a treatment strategy where this occurs?

How can KPMG help?

Have you considered how your firm treats its vulnerable customers? KPMG provide risk and regulatory advice, proposition design, operational risk and control optimisation services across the financial services sector. We can help ensure you have an appropriate Vulnerable Customer Framework in place to ensure that you are both identifying vulnerable customers and ensuring good customer outcomes once identified. Examples of how our team of experts can assist include:

  • Identify a suitable owner for a vulnerability programme including the design of an appropriate governance framework;
  • End-to-end customer journey mapping, identifying vulnerable customer touchpoints and designing appropriate controls to reduce the risk of customers receiving poor outcomes;
  • Identify the roles and responsibilities within a customer journey that give rise to a requirement for additional staff training. Our team will support you in training your staff through a variety of training techniques;
  • Review your risk assessment framework, including a focus on digitalisation and the impact this has on your customer base;
  • Develop a customer treatment policy for all categories of vulnerability; and
  • Design a reporting framework with quantitative and qualitative MI, to demonstrate trends as well as the characteristics of vulnerability and potential vulnerability.

Get in touch

For further information, please contact Gillian Kelly of our Risk Consulting practice. 

More in Risk