Nor is it usually possible to define individual customers as either vulnerable or not vulnerable. Essentially, vulnerability extends along a range, applying to a greater or lesser extent to individuals in different circumstances, like being rich or poor.
Businesses that have tried to add vulnerability flags to their processes have struggled for these very reasons. Some companies are seeking to apply a 'resilience rating' – the word resilience being seen as more consumer friendly than vulnerability.
Essentially, this is an attempt to capture the extent to which consumers may be resilient because of a range of characteristics, including health, wealth, financial capability, engagement, understanding of their circumstances and the product being presented to them and other factors.
Sources of information
Potentially, there are many sources of data about consumers that may be obtained directly from them or indirectly from other sources.
Readily available sources of information about vulnerability include credit scores and data, but there are other forms of vulnerability that are much more difficult to measure. Some socio-economic data sets can give indications of potential vulnerability, but these tend to be at a postcode rather than a personal level.
The challenge for businesses is that any meaningful measure of vulnerability has to be personal. This implies a role for triage, particularly to assess existing customers, but the process becomes very difficult if there is not sufficient personal information for a proper vulnerability assessment.
The Vulnerability Registration Service is essentially a database of vulnerable customers. But while it is growing, its coverage at this stage is modest and not sufficient to be relied upon.
Some utility companies operate a 'preference service', which is essentially a list of vulnerable people. But they may be registered with a service like this because they have a specific type of vulnerability, perhaps as a result of being prone to flooding or because they live alone. But this may be completely irrelevant to any vulnerability they have as a result of the provision of different kinds of financial services.
And while this may sound attractive as a source of some potentially useful information about vulnerability, it is unfortunately not available in a single database. Rather, it is a collection of data-sharing arrangements between different utility companies and may also differ between regions and companies.
Another frustration is that a lot of the data is retained under different regimes for GDPR than typically used in the financial services sector. So, it may not be very useful.
Open banking data has potential, not only as a source of financial information but also in providing triggers of change in behaviour. A drawback, however, is that open banking requires the permission of the consumer, and currently needs to be re-validated every 90 days.
