The Intermediary – May 2026

RESIDENTIAL | Opinion

Setting the record straight
Many firms have historically struggled with collecting customer vulnerability data due to a perceived conflict between the Financial Conduct Authority’s (FCA) Consumer Duty regulations and GDPR. Feedback from firms has consistently highlighted uncertainty in this area, with some even reluctant to collect customers’ vulnerability data at all.
That hesitation is now becoming increasingly difficult to justify. A recent joint statement from the FCA and the Information Commissioner’s Office (ICO) has provided fresh clarity: data protection rules do not prevent firms from collecting, recording or sharing vulnerability data. In fact, they should not be seen as a barrier to delivering good customer outcomes.
Cementing its position
This stance certainly isn’t new. As far back as 2015, the FCA made it clear that firms can and should capture customers’ vulnerability data. However, despite this guidance, uncertainty has remained – often driven by fear of GDPR enforcement.
Back in 2024, the ICO issued a statement to say that Consumer Duty does not require firms to act in a way that is ‘incompatible’ with any regulatory requirements. This latest joint statement with the FCA only reinforces this position.
With Consumer Duty now firmly embedded, this reminds firms of their commitments to recognise indicators of vulnerability, record the issues and monitor and review them over the lifetime of products. It also calls on firms to respond to the needs of vulnerable customers and report on this with clear evidence.
Data protection law allows firms to use personal information where it is necessary to protect individuals or provide appropriate support. The ICO, in the recent FCA/ICO joint statement, even sets out several lawful bases for firms to process data to identify consumers in vulnerable circumstances. For most financial services firms, the most suitable will be explicit consent.
This means obtaining clear consent, recording how and when this was obtained and being transparent with clients about how the data will be used.
Quality is key
While many firms have focused on whether they can collect vulnerability data, the actual challenge is how well they collect it.
We know that some firms use simplistic vulnerability ‘flags’, drop-down lists or even open textboxes in their customer relationship management systems (CRMs). These require a lot of staff training to ensure identical assessment and identification criteria – otherwise results are subjective and inconsistent, which is clearly at odds with GDPR’s accuracy and integrity requirements.
In our view, the best place to start is with objective and consistent assessment of all customers to understand a firm’s true proportion of vulnerable customers and gather the robust data required by both GDPR and Consumer Duty. The most logical way to do so is through digital customer vulnerability management and by utilising one of the purpose-built systems already on the market.
Staying secure
Adopting a digital-first approach becomes equally important when you consider the security requirements for sensitive information. Robust IT systems enable firms to not only gather the necessary information in an objective manner, but ensure it is fully auditable and ready for reporting to the regulator.

ANDREW GETHING is managing director at MorganAsh
The right systems will allow firms to capture detailed objective vulnerability data, while producing summarised or scored outputs that can be shared across the distribution chain.
In our case, with the MorganAsh Resilience System (MARS), we call it a Resilience Rating. It provides a top-level indication of a customer’s vulnerability without sharing extensive personal data.
The call to share
Creating a secure ecosystem for sharing customers’ vulnerability data is a significant opportunity to improve outcomes.
Firms are actively encouraged to collaborate across the distribution chain, sharing individual consumer vulnerability information to ensure customers receive appropriate support throughout the product lifecycle.
This aligns with our current work with the CII, contributing to its data sharing taskforce to help develop more standardised data formats and practical guidance. Effective data sharing depends on good quality data and hopefully we can take our learnings from MARS to assist firms in this area.
This joint statement should remove any remaining doubt. Firms are not only permitted to collect and use vulnerability data – they are expected to do so, and to share it where this improves outcomes.
While the fear of GDPR has slowed progress, it should not be a barrier. The real risk now lies in failing to act. Firms that invest in structured data and consistent processes will be better placed, not only to demonstrate compliance on both sides, but to deliver good outcomes.