There is a version of vulnerable customer compliance that exists entirely on paper. It lives in policy documents, in training completion logs, in board-level attestations, and in the carefully worded sections of annual reports that speak to a firm's commitment to treating customers fairly.
This is not a cynical observation. Most of the people who write these policies, review them, and sign them off genuinely care about doing right by customers. The problem is structural rather than motivational.
The gap between a policy that says the right things and an organisation that actually does the right things is wider than most insurers would be comfortable admitting, and it is a gap that is becoming increasingly difficult to ignore as the FCA turns its attention not just to what firms have documented, but to what customers are actually experiencing.
Understanding how that gap forms, why it persists, and what it genuinely takes to close it is the purpose of this piece.
This is not a cynical observation. Most of the people who write these policies, review them, and sign them off genuinely care about doing right by customers. The problem is structural rather than motivational.
The gap between a policy that says the right things and an organisation that actually does the right things is wider than most insurers would be comfortable admitting, and it is a gap that is becoming increasingly difficult to ignore as the FCA turns its attention not just to what firms have documented, but to what customers are actually experiencing.
Understanding how that gap forms, why it persists, and what it genuinely takes to close it is the purpose of this piece.
What the FCA actually means by vulnerability
Before examining whether policies are being followed, it is worth being precise about what those policies are supposed to address. The word "vulnerable" carries a colloquial weight that can mislead insurers into a narrower interpretation than regulators intend.
The FCA's Financial Lives survey, most recently conducted in 2022, found that around 47% of UK adults, approximately 24 million people, display one or more characteristics of potential vulnerability. That is not a niche category of customer requiring specialist handling. It is close to half of the adults your business interacts with on any given day.
The regulator defines vulnerability in terms of four broad drivers: health, which includes physical illness, mental health conditions, cognitive impairment, and disability; life events, which includes bereavement, relationship breakdown, job loss, and financial shock; resilience, which refers to low emotional or financial reserves that make someone less able to absorb setbacks; and capability, which covers low financial literacy, limited English language proficiency, or low confidence dealing with financial products.
Critically, vulnerability is understood to be dynamic rather than fixed. A customer who is perfectly capable of engaging with a complex insurance product in April may be in a very different position in October after being made redundant or receiving a difficult medical diagnosis. The same person can move in and out of vulnerability depending on circumstance, and the period during which they are most at risk is often the period during which they most urgently need to interact with their insurer to make a claim, to change a policy, to dispute a decision.
This has a direct implication for how insurers should approach the problem. Vulnerability cannot be identified once at the point of sale and filed away. It needs to be recognised or at least actively listened for in every meaningful interaction, because any interaction could be the one where a customer is silently struggling.
The FCA's Financial Lives survey, most recently conducted in 2022, found that around 47% of UK adults, approximately 24 million people, display one or more characteristics of potential vulnerability. That is not a niche category of customer requiring specialist handling. It is close to half of the adults your business interacts with on any given day.
The regulator defines vulnerability in terms of four broad drivers: health, which includes physical illness, mental health conditions, cognitive impairment, and disability; life events, which includes bereavement, relationship breakdown, job loss, and financial shock; resilience, which refers to low emotional or financial reserves that make someone less able to absorb setbacks; and capability, which covers low financial literacy, limited English language proficiency, or low confidence dealing with financial products.
Critically, vulnerability is understood to be dynamic rather than fixed. A customer who is perfectly capable of engaging with a complex insurance product in April may be in a very different position in October after being made redundant or receiving a difficult medical diagnosis. The same person can move in and out of vulnerability depending on circumstance, and the period during which they are most at risk is often the period during which they most urgently need to interact with their insurer to make a claim, to change a policy, to dispute a decision.
This has a direct implication for how insurers should approach the problem. Vulnerability cannot be identified once at the point of sale and filed away. It needs to be recognised or at least actively listened for in every meaningful interaction, because any interaction could be the one where a customer is silently struggling.
The regulatory framework and where it leaves insurers
The FCA's Consumer Duty, which became effective for closed book products in July 2024 having applied to open book products since July 2023, represents a significant evolution in the regulatory approach to consumer protection. Where previous frameworks like Treating Customers Fairly focused primarily on process did you follow the right steps, did you have the right documentation, Consumer Duty focuses on outcomes. The question is no longer only whether you had a fair process, but whether the customer actually received a good outcome.
For vulnerable customers, the Duty crystallises into four outcome areas. The Products and Services outcome requires that products be designed with the needs of the target market in mind, including customers with vulnerability characteristics. The Price and Value outcome requires that the value delivered to customers is reasonable relative to what they pay, with particular attention to whether certain groups including vulnerable customers are systematically receiving worse value.
The Consumer Understanding outcome requires that communications be clear and comprehensible to the customers receiving them, recognising that complexity which is navigable for a financially confident customer may be a significant barrier for someone with lower capability. And the Consumer Support outcome requires that firms provide support which meets the diverse needs of their customers, including those in vulnerable circumstances.
What makes Consumer Duty substantively different from previous regulation is the evidential obligation it creates. The FCA expects firms to be able to monitor outcomes across their customer base, to identify where outcomes are poor, and to act on that information. It expects boards to receive regular management information on customer outcomes. It expects firms to conduct consumer outcome testing. In short, it expects firms not just to have policies but to be able to demonstrate, with evidence, that those policies are translating into real-world results.
That is a meaningfully higher bar than most firms had previously operated to, and it is one that many are still working out how to meet.
For vulnerable customers, the Duty crystallises into four outcome areas. The Products and Services outcome requires that products be designed with the needs of the target market in mind, including customers with vulnerability characteristics. The Price and Value outcome requires that the value delivered to customers is reasonable relative to what they pay, with particular attention to whether certain groups including vulnerable customers are systematically receiving worse value.
The Consumer Understanding outcome requires that communications be clear and comprehensible to the customers receiving them, recognising that complexity which is navigable for a financially confident customer may be a significant barrier for someone with lower capability. And the Consumer Support outcome requires that firms provide support which meets the diverse needs of their customers, including those in vulnerable circumstances.
What makes Consumer Duty substantively different from previous regulation is the evidential obligation it creates. The FCA expects firms to be able to monitor outcomes across their customer base, to identify where outcomes are poor, and to act on that information. It expects boards to receive regular management information on customer outcomes. It expects firms to conduct consumer outcome testing. In short, it expects firms not just to have policies but to be able to demonstrate, with evidence, that those policies are translating into real-world results.
That is a meaningfully higher bar than most firms had previously operated to, and it is one that many are still working out how to meet.
Why good policies fail at the frontline
The theory of how a vulnerable customer policy works is straightforward enough. A firm identifies the characteristics of vulnerability, trains its agents to recognise them, establishes processes for adapting the interaction when vulnerability is detected, and monitors to ensure those processes are followed. The reality is considerably more complicated.
Frontline agents in insurance contact centres handle high volumes of calls, often under time pressure, against average handling time metrics that create an implicit incentive to move quickly rather than carefully. They are working from scripts and process flows that have been designed, quite reasonably, around the majority of interactions which are straightforward. They may have received training on vulnerability, a module in an online learning system, a team brief, a laminated aide-memoire on their desk, but training is not the same as skill development, and skill development requires practice, feedback, and reinforcement over time.
The nature of vulnerability also makes it genuinely difficult to identify. Some customers will disclose directly: they will say they are in hospital, or that they have just lost a family member, or that they are struggling with anxiety. But many will not, either because they do not see themselves as vulnerable, because they feel embarrassed or reluctant to disclose, or simply because the disclosure never becomes necessary in a transactional call that resolves quickly. What an agent needs to be listening for is often subtle: a longer-than-usual pause before answering a question, a slight catch in the voice, language that suggests confusion or distress, repeated requests for clarification on something that should be simple, an unusual urgency that might indicate financial pressure.
These are human signals. Picking them up consistently requires a quality of attention that is hard to sustain across forty or fifty calls in a day, and harder still to train systematically without a structured feedback mechanism.
There is also the question of what agents are supposed to do once they have identified potential vulnerability. Good policy frameworks specify that agents should adapt their communication style, allow more time, avoid pushing for immediate decisions, signpost relevant support, and in some cases flag the interaction for follow-up.
But adapting a call in these ways requires a degree of confidence and autonomy that not all agents feel. If the process is structured around completing specific steps in a specific order, deviating from that structure to give a distressed caller more space takes a kind of judgment and courage that requires active organisational permission modelled by supervisors, reinforced in coaching, and not inadvertently undermined by the metrics agents are managed against.
Frontline agents in insurance contact centres handle high volumes of calls, often under time pressure, against average handling time metrics that create an implicit incentive to move quickly rather than carefully. They are working from scripts and process flows that have been designed, quite reasonably, around the majority of interactions which are straightforward. They may have received training on vulnerability, a module in an online learning system, a team brief, a laminated aide-memoire on their desk, but training is not the same as skill development, and skill development requires practice, feedback, and reinforcement over time.
The nature of vulnerability also makes it genuinely difficult to identify. Some customers will disclose directly: they will say they are in hospital, or that they have just lost a family member, or that they are struggling with anxiety. But many will not, either because they do not see themselves as vulnerable, because they feel embarrassed or reluctant to disclose, or simply because the disclosure never becomes necessary in a transactional call that resolves quickly. What an agent needs to be listening for is often subtle: a longer-than-usual pause before answering a question, a slight catch in the voice, language that suggests confusion or distress, repeated requests for clarification on something that should be simple, an unusual urgency that might indicate financial pressure.
These are human signals. Picking them up consistently requires a quality of attention that is hard to sustain across forty or fifty calls in a day, and harder still to train systematically without a structured feedback mechanism.
There is also the question of what agents are supposed to do once they have identified potential vulnerability. Good policy frameworks specify that agents should adapt their communication style, allow more time, avoid pushing for immediate decisions, signpost relevant support, and in some cases flag the interaction for follow-up.
But adapting a call in these ways requires a degree of confidence and autonomy that not all agents feel. If the process is structured around completing specific steps in a specific order, deviating from that structure to give a distressed caller more space takes a kind of judgment and courage that requires active organisational permission modelled by supervisors, reinforced in coaching, and not inadvertently undermined by the metrics agents are managed against.
The oversight model most insurers are still using
Against this backdrop, the quality assurance and oversight mechanisms that most insurers still operate feel inadequate to the task they are being asked to perform.
The dominant model is post-call sampling. A quality team, typically small relative to the frontline workforce, listens to a selection of completed calls, scores them against a quality framework, and uses that data to generate reports and identify coaching needs. In some firms this process is supplemented by targeted listening when a complaint or escalation draws attention to a specific agent or interaction type. In others it is augmented by mystery shopping or periodic deep-dive reviews. But the fundamental approach is the same: a small sample of interactions is reviewed retrospectively, at some delay after they occurred.
The problems with this model are well understood by most quality and compliance professionals, even where the model has not yet changed. Sampling rates in most contact centres are low, commonly in the range of two to five calls per agent per month, representing a fraction of a percent of total interaction volume. At these rates, the sample is not reliably representative of actual performance. An agent who handles vulnerability poorly in one in every twenty calls may never have that call reviewed. A pattern of systemic failure in a particular call type; renewals, claims, complaints may take months to surface in sampled data, if it surfaces at all.
Beyond volume, manual review introduces inconsistency. Vulnerability assessment is inherently subjective. Two experienced quality reviewers listening to the same call may reach genuinely different conclusions about whether the agent responded appropriately to signals of distress, and those differences compound across a team. Without calibration sessions and tightly defined criteria, quality scores can reflect the preferences and instincts of individual reviewers as much as the actual quality of the interaction.
The feedback loop is also slow. If a call is reviewed two weeks after it happened, and the coaching conversation happens a week after that, the agent is being given feedback on behaviour that is now three weeks in the past. The connection between the feedback and the actual interaction is attenuated. And because sampling rates are low, the same agent may only receive detailed feedback on vulnerability handling a handful of times in a year, which is not nearly enough to build the kind of reliable skill and consistent habit that good vulnerable customer handling requires.
The dominant model is post-call sampling. A quality team, typically small relative to the frontline workforce, listens to a selection of completed calls, scores them against a quality framework, and uses that data to generate reports and identify coaching needs. In some firms this process is supplemented by targeted listening when a complaint or escalation draws attention to a specific agent or interaction type. In others it is augmented by mystery shopping or periodic deep-dive reviews. But the fundamental approach is the same: a small sample of interactions is reviewed retrospectively, at some delay after they occurred.
The problems with this model are well understood by most quality and compliance professionals, even where the model has not yet changed. Sampling rates in most contact centres are low, commonly in the range of two to five calls per agent per month, representing a fraction of a percent of total interaction volume. At these rates, the sample is not reliably representative of actual performance. An agent who handles vulnerability poorly in one in every twenty calls may never have that call reviewed. A pattern of systemic failure in a particular call type; renewals, claims, complaints may take months to surface in sampled data, if it surfaces at all.
Beyond volume, manual review introduces inconsistency. Vulnerability assessment is inherently subjective. Two experienced quality reviewers listening to the same call may reach genuinely different conclusions about whether the agent responded appropriately to signals of distress, and those differences compound across a team. Without calibration sessions and tightly defined criteria, quality scores can reflect the preferences and instincts of individual reviewers as much as the actual quality of the interaction.
The feedback loop is also slow. If a call is reviewed two weeks after it happened, and the coaching conversation happens a week after that, the agent is being given feedback on behaviour that is now three weeks in the past. The connection between the feedback and the actual interaction is attenuated. And because sampling rates are low, the same agent may only receive detailed feedback on vulnerability handling a handful of times in a year, which is not nearly enough to build the kind of reliable skill and consistent habit that good vulnerable customer handling requires.
What systematic oversight actually looks like
The alternative to this model is not simply doing more of the same at greater scale, though greater scale is part of it. The more fundamental shift is from retrospective sampling to systematic listening from reviewing a selection of what has already happened to continuously monitoring what is happening across the full range of customer interactions.
This involves a combination of technology and process that has become considerably more accessible to insurers in recent years. Conversation intelligence platforms tools that use speech analytics and natural language processing to analyse voice calls and digital interactions can now review and flag interactions at a scale that no manual team could match. Rather than a quality reviewer listening to three calls per agent per month, it becomes possible to analyse every call, or a very high proportion of calls, and surface the interactions that most warrant human attention.
The value here is not that technology replaces human judgment in assessing vulnerability. It does not, and should not. Human review remains essential for the nuanced assessment of interactions where vulnerability may have been present. The value is that technology makes it possible to direct that human review where it matters most to identify which interactions warrant closer attention, to flag agents who may need support, to track patterns across call types and times and teams, and to give compliance and quality leaders a genuinely representative picture of what is happening across the business rather than a small, potentially unrepresentative sample.
Done well, this kind of systematic approach also changes the nature of the coaching conversation. Instead of a team leader sitting down with an agent and saying "I listened to three of your calls this month and here is what I noticed," the conversation becomes grounded in a much richer set of data. The agent and team leader can explore patterns together are there particular types of caller that the agent struggles to read, particular points in the call where vulnerability indicators are being missed, particular times of day when performance drops? That is a qualitatively different coaching experience, and it is one that is more likely to produce lasting improvement.
At the management and compliance level, the same data serves a different purpose. Rather than receiving a report that says "we reviewed 200 calls this month and 87% met the required standard on vulnerable customer handling," a compliance director can see how that 87% breaks down across teams, call types, products, and time periods. They can see whether the 13% that did not meet the standard represents a handful of specific agents or a pattern distributed across the business. They can see whether performance is improving over time or plateauing. And critically, they can see all of this in something close to real time rather than after a month-long lag.
This is the kind of visibility that Consumer Duty asks for, even if it does not prescribe exactly how to achieve it. The FCA expects firms to be monitoring outcomes and acting on what they find, and it increasingly expects firms to be able to demonstrate with evidence, not just process descriptions that those outcomes are good. That expectation is difficult to meet if your visibility into what is actually happening in customer interactions is limited to a small sampled fraction of them.
This involves a combination of technology and process that has become considerably more accessible to insurers in recent years. Conversation intelligence platforms tools that use speech analytics and natural language processing to analyse voice calls and digital interactions can now review and flag interactions at a scale that no manual team could match. Rather than a quality reviewer listening to three calls per agent per month, it becomes possible to analyse every call, or a very high proportion of calls, and surface the interactions that most warrant human attention.
The value here is not that technology replaces human judgment in assessing vulnerability. It does not, and should not. Human review remains essential for the nuanced assessment of interactions where vulnerability may have been present. The value is that technology makes it possible to direct that human review where it matters most to identify which interactions warrant closer attention, to flag agents who may need support, to track patterns across call types and times and teams, and to give compliance and quality leaders a genuinely representative picture of what is happening across the business rather than a small, potentially unrepresentative sample.
Done well, this kind of systematic approach also changes the nature of the coaching conversation. Instead of a team leader sitting down with an agent and saying "I listened to three of your calls this month and here is what I noticed," the conversation becomes grounded in a much richer set of data. The agent and team leader can explore patterns together are there particular types of caller that the agent struggles to read, particular points in the call where vulnerability indicators are being missed, particular times of day when performance drops? That is a qualitatively different coaching experience, and it is one that is more likely to produce lasting improvement.
At the management and compliance level, the same data serves a different purpose. Rather than receiving a report that says "we reviewed 200 calls this month and 87% met the required standard on vulnerable customer handling," a compliance director can see how that 87% breaks down across teams, call types, products, and time periods. They can see whether the 13% that did not meet the standard represents a handful of specific agents or a pattern distributed across the business. They can see whether performance is improving over time or plateauing. And critically, they can see all of this in something close to real time rather than after a month-long lag.
This is the kind of visibility that Consumer Duty asks for, even if it does not prescribe exactly how to achieve it. The FCA expects firms to be monitoring outcomes and acting on what they find, and it increasingly expects firms to be able to demonstrate with evidence, not just process descriptions that those outcomes are good. That expectation is difficult to meet if your visibility into what is actually happening in customer interactions is limited to a small sampled fraction of them.
Practical steps toward genuine compliance
For insurers looking to move from well-intentioned policy to demonstrable practice, the path involves several interconnected elements.
The starting point is an honest assessment of current visibility.
The starting point is an honest assessment of current visibility.
- How much of your customer interaction data are you actually analysing?
- Of the interactions you are reviewing, how representative are they of your full interaction volume and variety?
- How long does it take for patterns in that data to surface and reach the attention of people who can act on them?
The answers to these questions will reveal the true extent of the oversight gap, and may be more uncomfortable than expected.
The next step is developing a precise definition of what good vulnerable customer handling looks like in your specific context. This sounds straightforward but is often underdeveloped in practice. Most quality frameworks include a line about vulnerable customers, but the specific behaviours that constitute good handling, the things an agent should do differently when they detect signals of vulnerability are rarely defined with the precision needed to assess them consistently. Building that definition requires input from frontline agents who have experience of real interactions, from people with expertise in the relevant vulnerability characteristics, and from customers themselves where possible.
With a clearer definition in place, it becomes possible to design quality frameworks and monitoring approaches that can actually capture and assess those behaviours. This is where technology plays its most valuable role not as a replacement for human judgment, but as a means of scaling the review process to the point where findings are genuinely representative and patterns can be identified with confidence.
Building the feedback loops that convert insight into improvement is the final and in some ways most demanding element. Data that sits in a dashboard but does not change behaviour is of limited value. The test of a good oversight mechanism is whether it generates coaching conversations that help agents improve, whether it informs training that addresses real skill gaps rather than assumed ones, and whether it gives leaders the evidence they need to make good decisions about resource, process, and support.
The next step is developing a precise definition of what good vulnerable customer handling looks like in your specific context. This sounds straightforward but is often underdeveloped in practice. Most quality frameworks include a line about vulnerable customers, but the specific behaviours that constitute good handling, the things an agent should do differently when they detect signals of vulnerability are rarely defined with the precision needed to assess them consistently. Building that definition requires input from frontline agents who have experience of real interactions, from people with expertise in the relevant vulnerability characteristics, and from customers themselves where possible.
With a clearer definition in place, it becomes possible to design quality frameworks and monitoring approaches that can actually capture and assess those behaviours. This is where technology plays its most valuable role not as a replacement for human judgment, but as a means of scaling the review process to the point where findings are genuinely representative and patterns can be identified with confidence.
Building the feedback loops that convert insight into improvement is the final and in some ways most demanding element. Data that sits in a dashboard but does not change behaviour is of limited value. The test of a good oversight mechanism is whether it generates coaching conversations that help agents improve, whether it informs training that addresses real skill gaps rather than assumed ones, and whether it gives leaders the evidence they need to make good decisions about resource, process, and support.
Where Insights360 fits into this
We have written this piece primarily as an educational resource, and we want to be careful not to collapse the argument into a sales proposition. The issues described here are real and important regardless of how any particular firm chooses to address them.
That said, the work Insights360 does with insurance clients is directly relevant to the challenges described in this piece. Our focus is on giving insurers genuine visibility into what is happening in their customer interactions, the ability to analyse calls and contacts at scale, to surface vulnerability indicators, to track quality performance across teams and call types, and to produce the kind of evidence-based reporting that Consumer Duty increasingly demands. We work with compliance teams, quality functions, and operations leaders to build oversight approaches that are both technically capable and culturally embedded, because we have found that the technology alone does not produce lasting change without the right organisational conditions around it.
If any of the gaps described in this piece are ones you recognise in your own organisation, we are happy to have a practical conversation about what addressing them might look like.
That said, the work Insights360 does with insurance clients is directly relevant to the challenges described in this piece. Our focus is on giving insurers genuine visibility into what is happening in their customer interactions, the ability to analyse calls and contacts at scale, to surface vulnerability indicators, to track quality performance across teams and call types, and to produce the kind of evidence-based reporting that Consumer Duty increasingly demands. We work with compliance teams, quality functions, and operations leaders to build oversight approaches that are both technically capable and culturally embedded, because we have found that the technology alone does not produce lasting change without the right organisational conditions around it.
If any of the gaps described in this piece are ones you recognise in your own organisation, we are happy to have a practical conversation about what addressing them might look like.
A final thought
The FCA's direction of travel is clear. The era in which a firm could satisfy its vulnerable customer obligations by producing good documentation and conducting periodic call reviews is passing. What regulators now expect and what customers deserve is genuine evidence that the intentions expressed in policy documents are being realised in the day-to-day handling of real interactions with real people.
That is a higher standard. It is also, ultimately, the right one. The customers who are most at risk when they interact with their insurer, those dealing with illness, bereavement, financial crisis, cognitive decline are also those who most need to trust that the organisation they are dealing with will treat them with appropriate care. A policy that exists to protect them but is never meaningfully enforced is not protection. It is the appearance of protection, which for the people it is supposed to serve is far less valuable than the real thing.
The question of whether your vulnerable customer policy is actually being followed is, in the end, not primarily a compliance question. It is a question about what kind of organisation you want to be.
That is a higher standard. It is also, ultimately, the right one. The customers who are most at risk when they interact with their insurer, those dealing with illness, bereavement, financial crisis, cognitive decline are also those who most need to trust that the organisation they are dealing with will treat them with appropriate care. A policy that exists to protect them but is never meaningfully enforced is not protection. It is the appearance of protection, which for the people it is supposed to serve is far less valuable than the real thing.
The question of whether your vulnerable customer policy is actually being followed is, in the end, not primarily a compliance question. It is a question about what kind of organisation you want to be.
Insights360 works with insurance firms to improve visibility into customer interactions, supporting vulnerable customer identification, quality assurance, and Consumer Duty compliance.
