Protecting vulnerable customers is no longer a peripheralcompliance issue. Under the FCA’s Consumer Duty, it’s a frontline test ofwhether organisations are genuinely delivering good outcomes; not just meetingprocess requirements. It’s not enough to be broadly fair. Now, firms areexpected to act in good faith, avoid foreseeable harm, and support customers topursue their financial objectives. That expectation lands hardest wherecustomers are at greater risk of harm.
The FCA defines a vulnerable customer as someone who, due totheir personal circumstances, is especially susceptible to harm, particularlywhere a firm is not acting with appropriate levels of care. Vulnerability israrely neat or obvious. It can be temporary or permanent, visible or hidden,and it may be triggered by health issues, bereavement, redundancy, lowfinancial resilience, or limited financial capability. Many customers willnever explicitly identify themselves as vulnerable — which means the responsibilitysits with firms to recognise indicators and respond appropriately throughsystems, processes, and frontline behaviours.
Consumer Duty, introduced through Principle 12, requiresfirms to deliver outcomes that work in practice, not just on paper. Forvulnerable customers, outcomes should be at least as good as those experiencedby other customers. That obligation spans the entire customer journey — productdesign, pricing and value, communications, and support — and it requiresevidence. A policy statement is not evidence. A training log is not evidence.Outcomes are evidenced by what happens when a customer is under pressure.
Product governance is under sharper scrutiny because designchoices can unintentionally disadvantage customers with lower resilience orcapability. Under Consumer Duty, it is no longer sufficient to assumesuitability based on intent. Organisations are expected to demonstratethat foreseeable harm has been identified and mitigated, and that journeys aredesigned to work for real people in real circumstances.
Price and value also needs a vulnerability lens. It’s notjust about what’s written in a fee structure; it’s about what customersactually experience. If people who need more support are more likely to incuravoidable charges, abandon journeys, or accept suboptimal outcomes because theprocess is confusing or inflexible, value is not being delivered evenly. Firmsneed to be able to see those patterns early and act on them.
Communication remains one of the strongest drivers ofoutcomes. The FCA expects firms not only to provide information, but to supportunderstanding. For vulnerable customers, this often means simplifying language,improving signposting, adjusting tone, offering alternative formats, andallowing time for decisions. It also means equipping staff to recognise when acustomer is overwhelmed or struggling and slowing the conversation down ratherthan pushing it to completion.
Consumer support is where vulnerability protections are mostvisibly tested and where gaps between policy and reality tend to appear. Longwaits, rigid scripts, inconsistent handovers, and limited staff confidence canundermine even the best-designed frameworks. By contrast, organisations thatembed vulnerability effectively build capability at the frontline, record andshare vulnerability-related needs consistently (so customers don’t have torepeat distressing circumstances), and give leadership meaningful managementinformation with accountability at board level.
Even with strong governance, regulators are increasinglyasking a simple question: how do you know customers are genuinely receivinggood outcomes, consistently?
This is where independent auditing and mystery shoppingbecome vital tools for Consumer Duty evidence. Internal documentation can showintent, but real-world testing shows whether standards are being applied acrossteams, channels, and pressure points. Structured audits, call and journeyreviews, and mystery shopping scenarios can assess what really matters: whetherstaff listen, adapt, offer appropriate adjustments, and deliver support thatreduces harm rather than adds friction.
At Serve Legal, our vulnerable customer audits and mysteryshopping programmes are designed to translate regulatory expectation intomeasurable outcomes. We can simulate common vulnerability drivers, such asfinancial distress, bereavement, or digital exclusion, and test whethercustomer journeys hold up under real conditions.
The value is not in “catching people out”; it’s inidentifying where processes break under pressure, where staff are forced intorigid responses, where recording is inconsistent, and where handovers fail.These issues are rarely deliberate, they’re operational. But under ConsumerDuty, operational issues still create harm, and harm still drives regulatoryrisk.
Consumer Duty has heightened expectations around monitoring,learning, and improvement. Firms are expected to identify root causes, makechanges that reduce harm, and demonstrate that those changes work. Independentassessment supports that cycle by providing objective insight, comparable dataover time, and clear remediation actions grounded in evidence.
Ultimately, the FCA’s focus is cultural as much asprocedural. It is no longer enough to say a vulnerability policy exists.Organisations need to show that vulnerable customers are identifiedeffectively, supported appropriately, and achieving good outcomes in practice.In an environment where scrutiny is rising, the ability to evidence real-worldoutcomes isn’t just best practice — it’s the defensible position.