Identifying is one box.
The other twelve come later.
FG21/1 wants re-assessment every 12 months, adapted communications recorded, fair-outcome evidence per client per year. Most firms tick the identification box. The audit fails on what comes after.
The four vulnerability drivers.
A vulnerable consumer is someone who, due to personal circumstances, is especially susceptible to harm. The FCA identifies four drivers (all of which can be temporary or permanent).
Health
Physical or mental illness, disability, or addiction that affects the client's ability to make or act on financial decisions. Includes cognitive decline in older clients and anxiety that affects understanding. Where firms fail: the adviser notices cognitive decline in the meeting but never formally records it; the next adviser meets the client cold.
Life Events
Recent bereavement, relationship breakdown, job loss, or other significant life changes that may affect financial resilience or decision-making capacity. Typically temporary, but must be monitored. Where firms fail: temporary vulnerabilities aren't re-assessed when they resolve; the client stays on a "vulnerable" flag for years.
Resilience
Low financial resilience: over-indebtedness, low or no savings, or dependence on credit for day-to-day living. Clients in this category are more exposed to harm from unsuitable products or market volatility. Where firms fail: resilience is binary in the system (vulnerable / not); the underlying signal (debt level, savings depth) isn't tracked over time.
Capability
Low financial literacy, limited understanding of English, or difficulty understanding information in standard formats. Requires adapted communications and additional verification that advice was understood. Where firms fail: adaptations are made informally in the meeting; the firm has no record that the standard process was deviated from.
What FG21/1 and Consumer Duty require for vulnerable clients
Identifying a client as vulnerable creates a compliance obligation that runs across every subsequent interaction, not just the initial assessment.
- ✓ Formal identification (FG21/1): Vulnerability must be recorded with the driver identified, the date, and how it was established. A verbal note is not sufficient.
- ✓ Consumer Duty outcome assessment (PS22/9): Documented evidence that the advice outcome was fair given the client's vulnerability, separate from the standard suitability report.
- ✓ Adapted approach documented (FG21/1): Evidence that communications, timelines, and advice were adapted to the client's specific vulnerability, not just that a standard process was followed.
- ✓ Ongoing re-assessment (FG21/1, 12-month threshold): Vulnerability status must be reviewed at every client interaction. Status changes must be recorded and any related documentation updated immediately.
Amaea treats vulnerability data as Article 9 special category. Never logged in the clear, never sent to the LLM in raw form. The 12-month re-assessment fires on the day it's due, not the day it's missed.
The specific bits the FCA examines.
Vulnerability is the FCA's top supervisory priority. Amaea treats the data as Article 9 special category, fires the 12-month re-assessment on the day it's due, and escalates the high-risk combinations Final Notices most often cite.
Driver (Health / Life Events / Resilience / Capability), severity, date identified, evidence document, adviser who established it. Each field is required. The system won't let you mark a client vulnerable without all five.
A nightly cron raises a re-assessment flag the day a vulnerable client crosses the 12-month FG21/1 threshold. The flag carries the client's last assessment date and adaptation history, so the adviser knows what's already been done before they pick it up.
Vulnerability data is Article 9 special-category data under UK GDPR. Amaea holds it in-process: never logged in the clear, never written to telemetry, never sent to the LLM in raw form. Where the AI does need to reason about a vulnerability flag, the field is redacted to category-only ("health vulnerability present") before the prompt is built.
A vulnerable client + overdue review + missing Consumer Duty outcome doc is the combination FCA Final Notices flag most often. The system raises this as a single critical flag, not three separate ones. The compliance team sees it as one priority item instead of buried in the queue.
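The five-field record, the 12-month re-assessment test, the category-only redaction before a prompt is built, and the single critical flag described above, as an added Python example that is not Amaea's code; the field names, severity values, flag strings and the review/outcome-doc inputs are assumptions.

```python
"""Added example, not Amaea's code: record validation, the 12-month re-assessment
test, prompt redaction and the single-critical-flag logic the page describes, run on
constructed data. Field names, severity values and flag strings are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

DRIVERS = {"Health", "Life Events", "Resilience", "Capability"}
REQUIRED = ("driver", "severity", "date_identified", "evidence_doc", "adviser")
REASSESS_AFTER = timedelta(days=365)  # FG21/1 12-month threshold


@dataclass
class VulnerabilityRecord:
    driver: str
    severity: str
    date_identified: date
    evidence_doc: str
    adviser: str
    notes: str = ""  # free text is Article 9 data: never logged, never sent to the LLM


def validate(rec: VulnerabilityRecord) -> list:
    """Required fields that are missing or invalid; an empty list means the record may be saved."""
    problems = [f for f in REQUIRED if not getattr(rec, f)]
    if rec.driver and rec.driver not in DRIVERS:
        problems.append("driver")
    return problems


def reassessment_due(rec: VulnerabilityRecord, today: date) -> bool:
    """True from the day the client crosses the 12-month threshold (what the nightly job tests)."""
    return today - rec.date_identified >= REASSESS_AFTER


def redact_for_prompt(rec: VulnerabilityRecord) -> str:
    """The only view of the record allowed into an LLM prompt: the driver category, nothing else."""
    return f"{rec.driver.lower()} vulnerability present"


def raise_flags(rec, today, review_overdue, outcome_doc_present) -> list:
    """A record present means the client is flagged vulnerable. Separate flags normally;
    the Final-Notice combination collapses to one critical item instead of three."""
    if review_overdue and not outcome_doc_present:
        return ["CRITICAL: vulnerable + overdue review + missing outcome doc"]
    flags = []
    if reassessment_due(rec, today):
        flags.append("reassessment_due")
    if review_overdue:
        flags.append("review_overdue")
    if not outcome_doc_present:
        flags.append("outcome_doc_missing")
    return flags
```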