Identifying vulnerable customers: A regulatory expectation – and a moral obligation
If you’re responsible for QA, compliance, or operations in a financial services contact centre, chances are you’re asking a tough but vital question:
Are our teams consistently spotting vulnerable customers – and can we evidence the action we’ve taken?
With the FCA’s heightened focus on consumer outcomes, getting this right is no longer a “nice to have.” It’s a core business responsibility. But in many contact centres, the accuracy of alerts is patchy, QA teams are stretched, and well-meaning agents miss subtle but serious signs.
The good news? These challenges are common and fixable. They’re a sign that even well-run teams may need more modern tools to keep pace with evolving risk.
The reality: Why vulnerability is still being missed
You likely already have policies, training, and monitoring in place. But even strong compliance frameworks can fall short in the day-to-day.
According to the FCA’s March 2024 Vulnerability Review:
- Only 19% of customers felt encouraged by their provider to disclose their personal circumstances or needs.
- 1 in 4 vulnerable customers didn’t feel comfortable sharing their personal situation with their provider.
- Talking to a real person does not automatically offer the tailored support that customers need – with reported experiences customer of talking to agents that failed to demonstrate empathy or sounded as if they were reading from a script.
From what we’ve seen across UK-regulated firms, these breakdowns are often caused by:
- Low QA coverage: Typically only 2-5% of calls are reviewed, meaning 95% go unaudited – often including high-risk cases.
- Over-reliance on keywords: Real-life vulnerability cues don’t follow a script.
- Inconsistent agent judgment: One team member may flag a concern, another may dismiss it.
- Lack of evidence trails: Even if the right thing is done, it’s not always documented for audit or FCA review.
These gaps are understandable – but they’re increasingly risky.
How to spot when your QA alerts are missing the mark
Want to assess where your current process might be falling short? Start with these signs:
1. You’re learning about risk too late
If vulnerability is often identified via complaints or cancellations, rather than proactively, there’s a detection gap.
2. Alerts are too vague – or too frequent
High volumes of non-prioritised alerts create noise, not clarity. Teams stop paying attention.
3. QA data doesn’t match what managers see on the ground
If your MI suggests “no issues,” but complaints or agent escalations tell a different story, something’s being missed.
4. You rely on customers to self-disclose
Many don’t. If your system only flags vulnerability when someone says “I’m struggling,” silent need goes unnoticed.
5. You’re seeing too many false positives – or too few
The best systems reduce noise – not just flag more. If your alerts feel random or repetitive, they’re not helping.
6. You can’t easily show what action was taken
In a world of increasing regulatory scrutiny, evidence matters. Can you track the full journey from detection → support → resolution?
What you can do to strengthen vulnerability detection - without adding more work
Whether you’re looking to catch more subtle cues, respond more consistently, or build a stronger audit trail, here are five high-impact actions you can take today.
✅ Review more calls – not just a sliver
Why: Most QA teams still only sample 2-5% of calls, meaning 95% of potential risk is never reviewed.
What to do: Use an analytics or call monitoring tool to automatically monitor 100% of calls for risk signals – like tone, hesitation, or trigger phrases.
Tip: Focus on high-risk journeys first (e.g. affordability, cancellations, complaints). You’ll catch more early-warning signs without needing more reviewers.
✅ Look beyond keywords
Why: Disclosures don’t always sound like “I’m struggling.” Customers often reveal vulnerability through confusion, hesitations, or repeating themselves.
What to do: Train your agents to recognise verbal cues like long pauses, breathless speech, or repeated requests for clarification.
Tip: Use flagged call examples in coaching sessions so agents can hear what subtle vulnerability sounds like in real conversations.
✅ Prioritise what matters most
Why: Teams can be overwhelmed by alerts that all look equally urgent.
What to do: Set rules to triage flagged calls by risk level – for example, prioritise calls with emotional distress, complaints, or payment difficulty.
Tip: Start simple: split alerts into High/Medium/Low urgency. Then focus human review on the High group.
✅ Turn insights into better frontline behaviour
Why: Agents want to do the right thing – but they need clarity on what “good” sounds like. By training agents on vulnerability, one of our customers improved customer outcomes from 88% → 96%, improving risk identification by 9% and saving £23k in potential complaints.
What to do: Use real (anonymised) calls where vulnerability was handled well or missed, and build them into coaching sessions.
Tip: Reinforce small habits – like slowing the pace, checking understanding, or offering to repeat key information.
✅ Keep a clean audit trail
Why: The FCA expects firms to evidence how vulnerable customers were supported and that their outcomes were fair – not just that a policy exists.
What to do: Make sure every vulnerability flag results in a documented action, review, and clearly evidenced outcome – even if it’s “no further support needed.”
Tip: Use a shared tracker or case note template that links directly to the flagged call and what was done in response.
What to do next & FAQs
A quick check-in for leaders
Compliance management in 2025 is more than a legal obligation, it’s an opportunity for business excellence. By embracing AI, automation, ESG strategies, and cybersecurity best practices, organisations can turn compliance into a competitive advantage. Compliance managers who adapt to these changes will be at the forefront of innovation, resilience, and long-term success.
You don’t need to overhaul your QA programme overnight. But here’s where you can begin:
1. Audit your current alerts
Are they accurate? Timely? Prioritised? Backed by clear logic?
2. Identify blind spots
Which types of calls or customers get the least review coverage? What risks could be hiding there?
3.Review your evidence trail
Can you clearly demonstrate how a vulnerable customer was supported – and that they received a fair outcome – from detection through to resolution?
4. Check how insights feed behaviour
Are your alerts driving agent coaching and improvement – or just sitting in dashboards?
5. Bring your people in
QA, Compliance, and Ops teams often know where the cracks are. Collaborative review builds trust and better processes.
FAQs
What does the FCA say about vulnerability detection?
Under the Consumer Duty, the FCA expects firms to consistently identify and support vulnerable customers – and ensure their outcomes are fair. This requires systems that are proactive, tailored, and evidenced. Read the FCA guidance for examples of good and poor practice.
What counts as a vulnerability signal in a call?
It can include tone, confusion, language barriers, financial stress, health disclosures, or emotional distress. Not all cues are explicit, subtlety matters.
Why does reviewing 100% of calls help?
Because it uncovers patterns and risk indicators missed by manual sampling. It also helps firms spot repeat issues and build robust MI.
Are keywords enough?
Not on their own. Keyword spotting has some value, but it’s not sufficient to meet FCA expectations. The most effective systems assess speech patterns, tone, pace, and conversational cues to build a fuller picture of vulnerability risk.
How can we scale this without overwhelming QA?
Modern tools surface high-risk calls while suppressing false positives – so your team focuses on where action is needed most.
Want to dig deeper?
📘 Download the 2024 Voyc Vulnerable Customers White Paper for more insights and practical steps to modernise your compliance monitoring.
