
FCA/ICO Statement on Consumer Duty and Data Protection for Vulnerable Consumers

Source: FCA Publications
Detected March 27th, 2026

Summary

The FCA and ICO have issued a joint statement outlining regulatory expectations for firms regarding the Consumer Duty and the lawful, fair, and responsible use of personal information for vulnerable consumers. The statement clarifies how firms can support vulnerable consumers while maintaining data protection standards.

What changed

This joint statement from the FCA and ICO provides guidance on how regulated firms should approach the use of data related to vulnerable consumers, particularly in the context of the FCA's Consumer Duty. It clarifies the FCA's expectations for delivering good outcomes for vulnerable retail consumers and the ICO's expectations for maintaining confidence in the lawful and responsible use of personal information. Key areas addressed include supporting consumers in vulnerable circumstances, sharing data across distribution chains, and monitoring customer outcomes, with specific considerations for both regulatory bodies.

Firms are expected to understand and apply these expectations to ensure they are meeting their obligations under both the Consumer Duty and data protection laws. This requires careful consideration of how data is collected, used, and shared to protect vulnerable individuals while enabling firms to provide appropriate support and services. Compliance officers should review their firm's policies and procedures to ensure alignment with the guidance, particularly concerning data handling practices for consumers identified as vulnerable.

What to do next

  1. Review firm policies on handling data for vulnerable consumers.
  2. Ensure data sharing practices align with both Consumer Duty and data protection requirements.
  3. Assess current monitoring of customer outcomes for vulnerable consumers.

Source document (simplified)


This statement aims to help firms understand and apply the FCA’s expectations for delivering good outcomes for retail consumers in vulnerable circumstances, in line with the Consumer Duty, while also maintaining confidence in the lawful, fair and responsible use of personal information in line with the Information Commissioner’s Office’s (ICO) expectations.



1. Introduction

The FCA requires regulated firms to act to deliver good outcomes for all consumers, including those in vulnerable circumstances. In practice, this can involve processing personal information, and where appropriate, sharing data related to vulnerability.

A consumer in vulnerable circumstances refers to someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.

UK data protection laws, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR), do not stop firms from delivering good consumer outcomes under the Consumer Duty. However, firms must make sure they comply with data protection requirements.

This statement aims to help firms understand the relevant FCA and ICO expectations around data processing in terms of:

  • Supporting consumers in vulnerable circumstances.
  • Sharing vulnerability-related data appropriately across the distribution chain.
  • Monitoring outcomes for these consumers.

Setting out these expectations, alongside relevant data protection law requirements and guidance, will help firms support consumers in a confident, responsible and compliant way.

2. Supporting consumers in vulnerable circumstances

2.1. FCA expectations

The FCA wants firms to understand the needs of customers in vulnerable circumstances and act to meet those needs where relevant to deliver good outcomes for them.

Firms’ approaches to the treatment of customers in vulnerable circumstances will depend on their role in the distribution chain. For example, product manufacturers should consider how the design of products could cause foreseeable harm to customers in vulnerable circumstances, whereas distributors that deal directly with consumers will need to ensure their communications and support processes respond to the needs of customers with characteristics of vulnerability.

Where relevant, the FCA expects firms to take steps to:

  • Understand the characteristics of vulnerability that may exist within their customer base and target market.
  • Recognise indicators of vulnerability and respond appropriately to address customers’ needs. Indicators can appear across different channels and points of the customer journey, for example through customer interactions or disclosures before purchasing a product, or through analysing product usage or transaction data that may indicate behavioural patterns.
  • Set up systems and processes that enable customers in vulnerable circumstances to disclose their needs.
  • Design and deliver support that meets the needs of customers, including a flexible approach that takes account of the needs of customers in vulnerable circumstances.

Firms dealing with customers directly must decide what information they record to meet their obligations when supporting customers in vulnerable circumstances under the Consumer Duty. In doing so, firms should refer to previous FCA Guidance for firms on the fair treatment of vulnerable customers and, where appropriate, consider taking independent legal advice.

Knowing how to record and access this information, and when it is appropriate to do so, will enable firms to meet consumer needs promptly, consistently and fairly. Without this, firms’ customer service and communications may not meet customers’ needs and could lead them to experience harm.

Firms should also make sure their communications meet the information needs of customers, including by tailoring them to the characteristics of the intended audience. This may include characteristics of vulnerability. This expectation also applies where firms must communicate complex information, such as when complying with disclosure requirements. Firms should consider what additional steps they can take to support consumer understanding, for example, using cover letters to explain key information.


Example: Identifying and supporting customers in vulnerable circumstances

A wealth management firm records information about individual clients during its onboarding process, and it uses this opportunity to assess indicators of vulnerability. It also conducts periodic reviews of the client’s information and circumstances to ensure its records are up to date and accurately reflect the client’s situation. Where a client is presenting indicators of vulnerability, or conversations indicate a change in circumstance, cases are assessed by the firm. Steps are taken to ensure only appropriate products and services are offered to the client, and in a way that suits their needs. This small firm monitors the needs of their consumers and regularly checks to ensure that their offer to their clients is appropriate (FG21/1, 3.20).

Example: Identifying and supporting customers in vulnerable circumstances in a digital journey

A digital firm allows consumers to enter text into a box in its app to inform the firm about their personal circumstances, and how these might affect how they manage their finances or use their account (FG21/1, 4.61).

One firm applied data analytics to both transactions and chat to drive a potential vulnerability ‘score’. This score was then used to adjust specific customers’ support offering to better meet their needs (Consumer support good and poor practice publication).


2.2. Data protection considerations

The UK GDPR and DPA 2018 do not prevent organisations from sharing or using personal information where it is appropriate and necessary to protect individuals or provide them with the support they need.

Data protection principles

The UK GDPR sets out key principles that must lie at the heart of a firm’s approach to processing personal information. Firms must be able to demonstrate they are complying with these principles when sharing or processing people’s data.

Applying these principles helps ensure that any data processing used to identify consumers in vulnerable circumstances is responsible, proportionate and centred on the individual’s rights. These principles set clear expectations on:

  • Lawfulness, Fairness and Transparency: Firms must identify valid grounds under the UK GDPR (see ‘lawful basis’ below) for collecting and using personal data. Firms must use personal information in a way that is fair. Firms must be clear, open and honest with consumers from the start about how they will use their personal information.
  • Purpose limitation: Firms must be clear with individuals about the purposes for processing personal information to identify consumers in vulnerable circumstances, understand their needs and act to meet those needs. Firms must specify these purposes in the privacy information they provide to individuals.
  • Accuracy: Firms should take all reasonable steps to ensure the personal information they hold on consumers in vulnerable circumstances is not incorrect or misleading as to any matter of fact and ensure that it is up to date.
  • Data minimisation and storage limitation: Firms should identify the minimum amount of personal information they will need to fulfil their purpose when supporting consumers in vulnerable circumstances, ensuring it is sufficient to fulfil the purpose, has a relevant link to that purpose and is limited to what is necessary. Firms must not keep personal information longer than they need it.
  • Security and accountability: Firms must have appropriate security measures in place to protect the personal information they hold, and must take responsibility for what they do with personal information and how they comply with the other principles. Firms must have appropriate measures and records in place to be able to demonstrate compliance.

Lawful basis

Firms must also choose the appropriate lawful basis to process personal information, including when sharing this data. There are several lawful bases under Article 6 of the UK GDPR that may be relevant when firms process data to identify consumers in vulnerable circumstances.

For example:

  • Consent: where the individual has given clear consent for the firm to process their personal information for a specific purpose, and they can easily withdraw their consent.
  • Contract: where the processing is necessary for the fulfilment of a contract the firm has with the individual, or because they have asked the firm to take specific steps before entering into a contract.
  • Legal obligation: where the processing is necessary for the firm to comply with the law (not including contractual obligations).
  • Vital interests: where the processing is necessary to protect someone’s life.
  • Legitimate interests: where the processing is necessary for the firm’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal information which overrides those legitimate interests.
  • Recognised legitimate interest: where the processing is a specified purpose for handling personal information that is in the public interest. These pre-approved purposes are the recognised legitimate interest conditions.

Special category data

Data protection law recognises that some data is particularly sensitive (for example, health data) and requires organisations to apply extra protections when processing this special category data. Firms may need to process special category data when processing information about consumers in vulnerable circumstances.

In order to lawfully process special category data, a firm must identify both a lawful basis (under Article 6 of UK GDPR) and a separate condition (under Article 9 of UK GDPR), such as explicit consent or reasons of substantial public interest (with a basis in law).

Substantial public interest is a condition in Article 9 that may be relevant to firms as a basis for processing special category data to support consumers in vulnerable circumstances.

If a firm wants to rely on the substantial public interest condition in Article 9, the firm also needs to meet one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018. For example, the following conditions may be relevant:

  • Safeguarding of children and individuals at risk (paragraph 18).
  • Safeguarding of economic well-being of certain individuals (paragraph 19).

Data protection impact assessments (DPIA)

Firms must be aware of the risks of processing consumers’ personal information, including special category data. They will need to complete a data protection impact assessment (DPIA) for any type of processing that is likely to be high risk.

ICO guidance sets out when firms must do a DPIA, including (but not limited to):

  • When processing special category data on a large scale.
  • When using special category data to decide on individuals’ access to services.
  • When using systematic and extensive profiling or automated decision making to make significant decisions about people.

It is good practice to do a DPIA for any new major project involving the use of personal data.

Automated decision making and profiling

If firms use automated decision making (making a decision solely by automated means without any human involvement) or profiling (automated processing of personal information to evaluate certain things about an individual) when seeking to support consumers in vulnerable circumstances, specific UK GDPR requirements apply.

Articles 22A-22C of the UK GDPR have additional rules to protect individuals if firms are carrying out solely automated decision making that has legal or similarly significant effects on them. Firms must identify whether any processing falls under Articles 22A-22C and, if so, make sure that they:

  • Give individuals information about the decisions based solely on automated processing.
  • Introduce simple ways for them to request human intervention in relation to such decisions, make representations about the decision or challenge the decision.
  • Carry out regular checks to make sure that their systems are working as intended.

Where the data processed is special category data, firms must also ensure one of the conditions for processing set out in Article 22B is met:

  • It is done with explicit consent.
  • It is necessary for entering into, or performing, a contract between the individual and the firm.
  • It is required or authorised by law and Article 9(2)(g) applies (i.e. it is necessary for reasons of substantial public interest).

Firms should also consider any new regulations that the Secretary of State may have introduced through their powers under Article 22D.



3. Sharing data across distribution chains

3.1. FCA expectations

Under the Consumer Duty, the FCA expects manufacturers (such as lenders and payment networks) and distributors (such as intermediaries and financial advisers) to work collaboratively, sharing relevant information as necessary to deliver good outcomes for consumers.

Firms will need to use their judgment to apply the Consumer Duty in a proportionate way and determine when it is appropriate to share information in the distribution chain. By ‘distribution chain’, we mean all firms involved in the manufacture, provision, sale and ongoing administration and management of a product or service to the end retail customer.

This includes, but is not limited to:

  • Manufacturers considering what information would be relevant and helpful to carry out product and service reviews, and taking reasonable steps to gather it. For example, this could include asking distributors for high-level information on any issues different groups of customers with characteristics of vulnerability may have experienced with a particular product.
  • Distributors sharing anonymised or aggregate information about customers with characteristics of vulnerability with manufacturers, to support product reviews.
  • Certain scenarios where firms share information about the needs or characteristics of individual customers so that partners can provide appropriate support and meet those needs. This may be necessary to avoid causing foreseeable harm to customers. Where firms are exploring ways to share individual customer data, including for example through 'tell us once' services, they should ensure these approaches are designed and operated in line with data protection requirements.

Example: Sharing data to support good outcomes for customers in vulnerable circumstances

A trade association has worked with industry to develop a 'tell us once' service which allows consumers to notify a number of banks and building societies of a person’s death at the same time. This trade association has put in place a system which reduces the stress of a difficult and sensitive situation (FG21/1, 4.61).


3.2. Data protection considerations

The ICO’s Data Sharing Code of Practice demonstrates that data protection law is an enabler to responsible data sharing. The code is a practical guide for organisations about how to share personal information in compliance with data protection law. It covers sharing between organisations (including when giving access to data to a third party), whether it be in a routine scheduled way or on a one-off basis.

Sharing information about consumers in vulnerable circumstances may help manufacturers and distributors build a better understanding of how these consumers engage with financial products and services. This improved understanding can, in turn, support firms in assessing and evidencing the outcomes experienced by consumers in vulnerable circumstances.

When sharing personal information, the data protection principles mentioned above will apply. There are also additional considerations to take into account, including:

  • Considering whether the information being shared can be anonymised so it is no longer personal data and is not subject to the obligations of the UK GDPR. Anonymisation will not always be appropriate and firms should take care not to confuse pseudonymisation with anonymisation.
  • If anonymisation is implemented, firms must have a lawful basis for the processing required to anonymise the data and set out the technical and organisational measures they will apply to achieve effective anonymisation.
  • Considering using privacy-enhancing technologies (PETs) to help ensure firms are taking a ‘data protection by design and default’ approach when complying with data protection law.
  • Upholding people’s right to be informed by providing consumers with privacy information about the data sharing taking place, including the purposes for processing their personal data, retention periods for that personal data, and who it will be shared with. This is a key transparency requirement under the UK GDPR, and requires:
    • Being clear, open and honest with consumers when a firm decides to share personal information.
    • When a firm receives data from a third party, being clear, open and honest with consumers about where it got such data from and ensuring it has a lawful basis to process the data.
  • Ensuring the accuracy of information, which is particularly important where a firm is sharing information with or has received information from a third party, rather than having collected the information itself directly from a consumer. Firms involved in data sharing should make sure that the data being shared is accurate, for example by checking data records are accurate and up to date and requiring periodic sampling exercises and data quality analysis.

The ICO recommends carrying out a DPIA to help assess any risks in planned data sharing and to promote public trust in this processing. As noted above, firms are obliged to carry out a DPIA for data sharing that is likely to result in a high risk to individuals. Examples of high risk processing that may require a DPIA in the context of data sharing across distribution chains include, but are not limited to:

  • Data matching (combining, comparing or matching personal information from multiple sources, such as suppliers).
  • Invisible processing (processing data not obtained directly from the data subject).
  • Targeting of consumers in vulnerable circumstances for marketing, profiling for automated decision making or the offer of online services.

It is good practice to have data sharing agreements in place which set out the purpose of the data sharing and what happens to the personal information at each stage. This helps all parties involved in data sharing to be clear on their roles and responsibilities, such as who is a controller, joint controller or processor.

The parties may also be required to have a contract, processing agreement or arrangement in place under Article 26 or 28 of the UK GDPR.

Where personal information will be shared outside the UK, a firm must consider if such an international transfer would be a restricted transfer and, if so, must ensure that the transfer is covered by one of the following:

  • UK adequacy regulations.
  • Appropriate safeguards.
  • An exception.

A transfer isn’t just about sending personal information. It can also mean making personal information accessible, for example by allowing remote access to a firm’s systems.


4. Monitoring customer outcomes

4.1. FCA expectations

Under the Consumer Duty, the FCA expects:

  • Firms to regularly monitor factors including:
    • The outcomes retail customers receive from the products and services they use.
    • Firms’ communications with retail customers.
    • The customer support that firms provide.
  • Firms’ monitoring to help them identify where groups of customers, such as customers in vulnerable circumstances, get worse outcomes than others. In such cases, we expect firms to investigate the root cause, taking appropriate action to address the situation where necessary.
  • Boards to be able to challenge findings and to oversee the actions taken in response to identified issues.

Firms are not expected to systematically collect or create new data on customers’ protected characteristics (for example, by asking about ethnicity) to meet FCA monitoring requirements. However, where such data is already collected, firms should use it, where possible, to monitor differences in outcomes across groups.

The Final non-Handbook Guidance for firms on the Consumer Duty includes a list of data and insight sources firms can consider for their outcomes-monitoring activities. This includes customer complaints, data on customer usage and behaviour, insights from reviewing customer files, and auditing customer journeys for particular groups of consumers.


Example: Monitoring outcomes for customers in vulnerable circumstances

The FCA’s review of firms’ board reports found that some firms’ reports set out their approaches to quality assurance and the associated results in order to measure the effectiveness of the firm’s vulnerability framework. For example, one firm stated that quality assurance is conducted on at least 20 cases per month relating to customers who either self-identified as vulnerable or were defined as such by customer care teams (Consumer Duty board reports good and poor practice publication).

Example: Monitoring outcomes for customers in vulnerable circumstances

A lender cross-referenced credit application rejection data by customer support needs captured in the application process. This revealed that customers with extra mobility needs were being automatically declined at a high rate, indicating they might be receiving poor outcomes. This triggered an investigation, which discovered that customers with mobility needs who stated their main source of income as benefits were automatically declined due to an auto-decisioning policy. Based on this insight, the lender reviewed this policy to make sure customers with mobility needs would receive fair outcomes in the future (Vulnerability good and poor practice publication).


4.2. Data protection considerations

Effectively monitoring customer outcomes is key to firms being able to support those in vulnerable circumstances. All processing of personal information for monitoring customer outcomes must comply with data protection law.

The principles in Article 5 of the UK GDPR (including the considerations and requirements set out earlier in this joint statement) provide a framework for guiding good data protection practice that will be key in firms’ compliance when monitoring customer outcomes.



5. Final comments and next steps

The FCA will continue to help firms understand its expectations, including through work this year on how the Consumer Duty applies through the distribution chain.

The ICO welcomes continued engagement with stakeholders - including firms, industry bodies and consumer organisations - to help identify where further clarity may be useful and ensure that our regulatory expectations remain responsive to how firms are supporting consumers in vulnerable circumstances.

The FCA and ICO will continue to work together, including through the Digital Regulation Cooperation Forum (DRCF) and the UK Regulators Network (UKRN), so regulatory expectations are clear.


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: FCA / ICO
Instrument: Guidance
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
