How AI Detects Vulnerable Customers in Financial Advice: A Guide to the FCA's Four Key Drivers

Author: Shashank Gupta
Updated April 6, 2026
TL;DR: Manual compliance sampling leaves advice firms exposed to Consumer Duty breaches because it only reviews a fraction of client files. Colin reviews meeting transcripts and documents for indicators aligned with the FCA's four vulnerability drivers: health, life events, resilience, and capability. This gives Operations Directors complete oversight, standardises documentation across all advisers, and catches subtle indicators before the suitability report is drafted. Our AI does not replace professional judgment; it ensures the adviser has every flagged indicator in front of them before they sign off the file.
The biggest Consumer Duty risk in most advice firms is not the recommendation an adviser gives. It is the passing comment in minute 42 of a client meeting, "I've been back and forth to the hospital lately," that the adviser never captures in the file note because they were focused on the investment review.
That comment does not just represent a missed vulnerability indicator. Under Consumer Duty, it represents a gap in the fact-find, the pre-report document that must reflect the client's full circumstances at the point of advice. Evie captures the complete meeting transcript, including how a client responds to adviser prompts, not only the explicit statements they volunteer. A hesitation, a deflection, a passing remark before the client moves the conversation on: all of it is preserved in the structured note and available for the paraplanner building the file before the suitability report is drafted.
FCA FG21/1 explicitly requires firms to identify vulnerability indicators and reflect them in their advice and documentation. Yet most firms still rely on manual compliance sampling to catch gaps, which typically means only a fraction of files receive detailed review before they reach clients. Under Consumer Duty, that exposure is not theoretical. It is a documented operational risk.
This article breaks down how natural language processing (NLP) screens every client interaction against the FCA's four drivers of vulnerability, how that maps to your existing workflow through Evie and Colin, and what the measurable operational impact looks like for multi-adviser firms.
The FCA Definition of a Vulnerable Customer Under Consumer Duty
The FCA's finalised guidance FG21/1 defines a vulnerable customer as someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.
Three points in that definition carry direct operational weight:
"Especially susceptible to harm": places the obligation on the firm to act, not to wait for a client to self-identify.
"Personal circumstances": means the assessment must be individualised, not based on demographic categories alone.
"Appropriate levels of care": connects directly to Consumer Duty's requirement to evidence good outcomes for each client.
The FCA treats vulnerability as a spectrum, not a binary state. A client can be temporarily vulnerable following a bereavement and return to a lower-risk state months later. FCA Financial Lives 2022 early survey insights indicated that roughly half of UK adults may show one or more characteristics of vulnerability at any given time, though this figure is drawn from preliminary data rather than the finalised report. If even a substantial proportion of your client book carries at least one indicator at any point, manual detection leaves material compliance exposure rather than mitigating risk.
Consumer Duty (PS22/9) adds the monitoring requirement: firms must not only identify vulnerable customers at the point of advice but actively monitor outcomes for these groups at each point of contact and whenever circumstances change materially. Every file note, every suitability report, and every annual review document needs to reflect the client's current vulnerability status, not the status recorded two years ago. The vulnerability guide and checklist provides a practical framework for mapping those requirements to documentation standards.
Traditional Vulnerability Detection vs. AI-Assisted Screening
Manual compliance processes create a structural gap between the FCA's expectation and what most firms can practically deliver. Resource constraints prevent firms from reviewing every advice file manually. The result is sample-based checking: a proportion of files receive scrutiny, and the rest go out unchecked.
The table below compares the two approaches across the dimensions that matter most:
| Method | Coverage | Time per File | Risk of Human Error |
|---|---|---|---|
| Manual checklists and adviser memory | Sample-based | Typically 60-120+ minutes | Potential for inconsistency, fatigue, subjective interpretation |
| AI transcript and document screening | Can check 100% of all files | Approximately 5-15 minutes | More systematic application of FCA rules |
NLP screening is not infallible. False positives will occur, and the system may miss indicators expressed in ways it has not been trained on. That is why every Colin flag routes to the adviser for review, not to an automated decision. The reduction in risk comes from consistent coverage across 100% of files combined with professional review, not from replacing professional judgment with algorithmic certainty.
The gap in coverage is the core operational problem. When an adviser conducts 20 client meetings per month and the compliance team manually reviews two or three files, 17 or 18 of those meetings leave the firm with no systematic check for missed vulnerability indicators. Colin makes 100% document coverage the operational default rather than an aspirational goal, as covered in IFA Magazine's launch review.
One important framing: our AI-assisted screening does not replace the adviser's professional judgment. It acts as the consistency engine that ensures the adviser has every flagged indicator in front of them before they sign off the suitability report. Think of it as the author-to-editor shift applied at the compliance level. The adviser still owns every outcome judgment. What AI removes is the risk that a critical indicator never reached the adviser's desk at all.
How AI Maps to the FCA's Four Drivers of Vulnerability
The FCA identifies four drivers of vulnerability: health, life events, resilience, and capability. Each requires a different set of indicators captured during the client meeting and documented in the client file before the paraplanner begins drafting. Evie and Colin run as a pipeline across all four drivers: capturing indicators in the transcript, flagging them against the relevant driver, and populating the corresponding fact-find fields in Intelliflo Office, Plannr, and Curo at the point of meeting, so the record is not reconstructed later.
Health
Indicators tied to the health driver rarely arrive as direct disclosures. A client may reference fatigue, mention a recent diagnosis in passing, or describe difficulty concentrating during the meeting. Evie captures these moments in the structured transcript so they are available for review rather than reliant on the adviser's recollection after the meeting ends. Colin flags language patterns associated with the health driver and surfaces them alongside the relevant suitability report sections, giving the adviser a documented basis for adjusting how information is presented.
Life Events
Bereavement, divorce, redundancy, and retirement transitions each carry documented links to vulnerability under Consumer Duty. Clients do not always present these as formal disclosures: a reference to a recent change in circumstances, a mention of a spouse in the past tense, or a comment about an unexpected change in income may be the only signal in the meeting. Evie captures the full meeting context in structured notes, preserving the language and sequence of these disclosures so nothing is reconstructed from memory. Life event indicators captured in the transcript populate the relevant fact-find fields in Intelliflo Office, Plannr, and Curo at the point of meeting, so the client record reflects the disclosed circumstances before the paraplanner opens the report template.
Resilience
Financial resilience indicators include low liquid reserves relative to outgoings, over-reliance on a single income source, and significant outstanding debt alongside investment decisions. These signals often emerge during the fact-finding conversation rather than as explicit client statements. When Evie captures stress markers and resilience-related disclosures in the transcript, those indicators populate the corresponding fields in the back office system, so the paraplanner has a complete financial resilience picture before they begin the suitability assessment, rather than a verbal summary from the adviser delivered the following day.
Capability
The capability driver covers financial literacy, confidence in decision-making, and the client's ability to engage with complex information. Indicators include expressions of confusion, deference to a third party for financial decisions, or statements about limited digital access. Colin detects these patterns in the meeting transcript and flags them against the capability driver, providing the adviser with a documented basis for adjusting how information is presented in the suitability report. Capability indicators flagged in the transcript populate the relevant fact-find fields in the back office system, so the paraplanner has a documented capability record before they open the report template, removing the dependence on a verbal briefing from the adviser that may never arrive.
The four-driver framework only works if the indicators identified during the meeting reach the client file before the paraplanner starts drafting. That is the gap Evie closes.
Across all four drivers, the sequence is the same: Evie captures the indicators during the meeting, they are flagged in the structured output, and the relevant fact-find fields in Intelliflo Office, Plannr, and Curo are populated before anyone opens the report template. The vulnerability record does not depend on the adviser remembering to transfer observations after the fact.
That sequence matters for evidencing Consumer Duty. The vulnerability record is not reconstructed at review or assembled under time pressure before an audit. It is created at the point of advice, carried through to the CRM, and available to the paraplanner as documented context rather than verbal briefing.
The Technology Behind the Screening: NLP and Sentiment Analysis
Consider two statements: "I'm going to the hospital to work" and "I'm going to the hospital for tests." A keyword-based system flags both identically. Contextual NLP rather than keyword matching is what separates the two, reading the surrounding conversation to determine which interpretation applies and whether either maps to a vulnerability driver.
That distinction matters for compliance purposes. Tools that produce a plain-text transcript do not apply regulatory frameworks to the language. NLP applies the FCA's definitional categories as interpretive filters, so every phrase is evaluated not just for its surface meaning but for whether it maps to a specific vulnerability driver. NLP analyses the surrounding conversational context to make that determination consistently across every transcript, not only when an adviser manually reviews the file.
Sentiment analysis extends this to what a client is communicating through tone rather than through the words alone. A client who says "I suppose I'll just have to trust you on this" may be expressing resignation, deference, or anxiety, none of which appear as explicit vulnerability statements but all of which are relevant to the capability and resilience drivers. NLP distinguishes emotional context in these cases, flagging passages where the sentiment warrants closer review rather than passing over them because no keyword matched. AML and sanctions screening systems use the same contextual NLP approach to distinguish genuine risk indicators from false positives, and the same principle applies here.
The practical output is a structured compliance flag rather than a transcript annotation, linked to the specific passage, categorised by vulnerability driver, and mapped to the relevant Consumer Duty outcome. Colin's compliance checking applies this framework by reading the meeting notes and supporting documents, then producing pass/fail verdicts with the source reference attached.
Integrating Vulnerability Checks into Your Advice Workflow
The practical value of AI vulnerability screening depends entirely on where it sits in the advice process. Catching a missed indicator after the suitability report has gone to the client serves no one. The screening works best when it happens between the meeting and the paraplanner's first draft.
The sequence runs as follows:
Pre-meeting preparation: Before an annual review with a client who has prior vulnerability flags on record, Atlas lets you query across previous meeting transcripts, suitability reports, and uploaded client documents to surface relevant context in one place. Rather than opening multiple files or relying on memory, the adviser can ask Atlas directly: "What vulnerability indicators were noted in this client's last two reviews?" and receive a referenced summary drawn from the source documents, with the relevant passage cited so you can verify the original context before the meeting. You can also ask Atlas to compare how the client responded to specific topics across consecutive reviews, for example, "Did this client express any health-related concerns in the last three meetings?" or "Were any capability indicators noted in previous fact-finds?" Atlas draws the answer from everything Evie, Emma, and Colin have already produced for that client, without the adviser having to search manually across the file. Entering the meeting with that context already to hand means the adviser can open the conversation with the informed awareness the FCA expects under Consumer Duty, rather than discovering relevant history only after the fact.
Meeting capture: Evie joins the client meeting on Microsoft Teams, Zoom, or Google Meet and transcribes the conversation. No adviser action is required during the meeting itself.
Structured note generation: Evie generates structured meeting notes, action items, and a draft follow-up email directly from the transcript. Notes are available to the whole team within minutes of the meeting ending. Because the notes are drawn from the full transcript, they capture not only what the client said but how they responded to adviser prompts, including hesitation, qualifications, and passing remarks that would not appear in a manually typed summary. This detail is relevant to fact-find completeness: the FCA expects pre-report documentation to be as thorough and accurate as possible, and context around client responses is part of that record.
Back office update: Where the firm uses Intelliflo Office or Plannr, Evie updates the client record automatically. The Intelliflo integration populates fact-find fields from the meeting data rather than requiring manual re-entry, as detailed in the Intelliflo integration walkthrough.
Compliance screening: Colin reviews the structured notes and transcript against FCA Consumer Duty requirements and the relevant COBS standards. Colin flags vulnerability indicators with source passages and suggested corrective actions. This check takes minutes, not hours.
Adviser review: The adviser receives Colin's flagged items and addresses any gaps before the paraplanner begins the suitability report. If a health indicator was mentioned in passing and not captured in the notes, the adviser adds it at this stage rather than discovering the gap at a compliance review.
Report generation: Emma generates the suitability report from the firm's existing templates, incorporating the vulnerability context captured and reviewed in the preceding steps.
Final report compliance check: Colin checks the completed suitability report against FCA Consumer Duty requirements and COBS standards before it goes to the client. Where Step 4 (compliance screening) checked the structured notes and meeting transcript, this check applies to the finished output: the language used, the consistency of the vulnerability context across sections, and whether the documented rationale meets the evidencing requirements your firm needs at audit. Colin flags specific gaps with suggested fixes rather than a binary pass or fail, so the adviser can address any remaining inconsistencies before sign-off. The sign-off decision stays with the adviser. Colin provides a time-stamped compliance record at the output stage to sit alongside the input-stage check completed in Step 4.
Using Atlas to Manage Vulnerability Across Your Client Book
The per-meeting workflow above addresses vulnerability at the individual client level. Atlas extends that capability to the firm-wide level, giving Operations Directors and compliance leads a way to monitor vulnerability patterns across the entire client book rather than case by case.
Once Evie, Emma, and Colin have processed meetings and produced documented outcomes, Atlas holds that structured data in a queryable form. The practical consequence is that a question like "which clients have active health or life event flags recorded in the last 12 months?" or "which clients triggered multiple vulnerability drivers across consecutive reviews?" returns a list rather than requiring a manual audit of individual files. That matters for Consumer Duty outcomes monitoring, where firms need to demonstrate they are identifying and responding to vulnerability at a population level, not just at the point of advice.
Three applications follow from this:
Identifying patterns across the book. Atlas can surface clients who have accumulated multiple vulnerability indicators over time, which is harder to detect when data lives in separate meeting notes or CRM fields. A client who flagged a bereavement in one review and a health concern in the next may not appear on any single flagging report but shows up clearly when Atlas queries for consecutive triggers. This gives compliance leads a starting point for oversight that goes beyond the most recent review.
Proactive outreach between advice events. Consumer Duty requires firms to consider whether vulnerable clients are receiving fair outcomes, not just at scheduled review points. Atlas allows advisers or support staff to query flagged clients and identify those who have not had a touchpoint since a vulnerability was recorded, enabling targeted outreach rather than waiting for the next calendar review. The output is a prioritised contact list, not a compliance report: names, last contact dates, and the specific flags recorded.
Structuring differentiated service. Firms with a documented vulnerability policy often struggle to operationalise the commitment at the individual client level. Atlas provides the data layer that makes differentiation practical. Clients with active capability indicators, such as early cognitive decline or literacy concerns noted in a fact-find, can be tagged for simplified document formats, more frequent touchpoints, or a designated support contact. The adviser sets the service response. Atlas ensures the relevant clients are consistently surfaced rather than overlooked between reviews.
This is not a replacement for the compliance framework or adviser judgment. It is the connective layer that makes what Evie, Emma, and Colin have already documented usable at a firm-wide level, so Consumer Duty outcomes monitoring becomes a structured process rather than a periodic manual exercise.
Ensuring Explainability, Transparency, and Data Security
Operations Directors who have evaluated compliance technology before know the "black box" problem: a system flags something as non-compliant but cannot explain why in terms the FCA would accept. That is not a usable compliance tool. It creates a liability.
Three mechanisms address this for regulatory defensibility:
Cited source references. Every compliance flag includes the specific passage from the meeting transcript or document that triggered it, mapped to the relevant COBS rule or Consumer Duty outcome. Colin checks adviser documents against FCA Consumer Duty requirements and relevant COBS standards, mapping each statement to applicable rules and outcomes.
Pass/fail verdicts with corrective guidance. We do not produce ambiguous warnings. Each Colin check produces a clear outcome and, where a flag is raised, specific guidance on what is missing and how to address it. This output is directly usable by the adviser making the correction and auditable by the compliance team reviewing the process.
UK data residency and security certifications. Client meeting transcripts contain some of the most sensitive personal data a firm holds. We hold Cyber Essentials certification and apply end-to-end encryption for data at rest and in transit, with all data held within the UK. For firms with enterprise procurement requirements, confirm current certification status before finalising a vendor decision.
The FCA does not require firms to use AI for compliance monitoring, but it does require firms to evidence that their monitoring processes are effective and consistent. A documented, cited, time-stamped audit trail from a purpose-built compliance tool defends against regulatory challenge considerably better than a statement that "our compliance team samples files regularly."
Implementation Steps and ROI for Multi-Practice Firms
For a firm with 10 to 20 advisers, the ROI case sits at the intersection of time recovered, compliance risk reduced, and capacity released for client-facing work.
Evie costs £99 per user per month. Colin costs £99 per user per month. Emma costs £299 per user per month. Firms running Evie and Colin together pay £150 per user per month as a bundle, compared to £198 at individual pricing, a saving of £48 per user per month. Bundle pricing of £369 per user per month applies to two-tool combinations that include Emma, such as Emma and Evie or Emma and Colin, a saving of £29 on individual pricing. The complete suite costs £429 per user per month. Full detail is on the AdvisoryAI pricing page. No credit card is required for the 14-day free trial.
Firms using our platform report measurable documentation efficiency gains:
Brooks Macdonald (formerly LIFT-Financial Group): post-meeting note time reportedly dropped from 1.5 hours to 15 minutes with Evie, as detailed in our published case studies.
Bluecoat Wealth Management: 80% reduction in suitability report time, reportedly from four to six hours per report to under one hour.
Phased rollout checklist for Operations Directors:
AdvisoryAI holds Cyber Essentials certification, stores all data within the UK, and has ISO 27001 certification in progress.
Preparation and pilot:
Audit current documentation templates and identify the most frequently used across advisers
Define success metrics before go-live: target time per meeting note, documents processed per week, compliance pass rate
Identify a pilot cohort of three to five advisers representing different experience levels and meeting volumes
Run training sessions for Evie and Colin, focusing on the post-meeting review workflow
Confirm CRM integration with Intelliflo Office or Plannr and test fact-find field population
Scale and monitor:
Review KPIs weekly for the first month: time per note, compliance flags raised and resolved, turnaround from meeting to completed suitability report
Conduct quality spot-checks on a sample of AI-generated outputs each week
Plan the wider firm rollout based on pilot outcomes, practice by practice
At individual pricing, a 10-adviser firm running Evie and Colin separately pays £198 per user per month (£99 each), or £1,980 per month. The Evie and Colin bundle brings that to £150 per user per month, or £1,500 per month for 10 users, saving £48 per user. The complete suite costs £429 per user per month (£4,290 per month for 10 users), which represents a saving on £497 individual pricing when Emma is included. Compare that to a single paraplanner hire at £30,000 to £40,000 per year: the software covers 100% of files, runs continuously, and carries no employment overheads. The more relevant comparison is the current cost of unchecked vulnerability indicators reaching a Consumer Duty review.
Request a Demo
Request a demo to see how Colin checks your firm's documents against FCA Consumer Duty requirements, including vulnerability indicator detection across all four drivers. Or start a 14-day free trial. No credit card required.
Specific FAQs
What percentage of client files does AI compliance screening cover compared to manual sampling?
AI screening covers 100% of files processed through the platform. Manual compliance sampling at most UK advice firms covers an estimated 10-20% of files, based on the time constraints file reviewers face.
What COBS rules does Colin check documents against?
Colin maps document statements to COBS 9.4.7R, PROD requirements, and Consumer Duty outcomes.
Does AdvisoryAI hold client data outside the UK?
No. We hold all client data within the UK. The platform is Cyber Essentials certified, ISO 27001 certification is in progress, and we encrypt data at rest and in transit.
What does vulnerability screening cost per user on bundle pricing?
Evie and Colin each cost £99 per user per month at individual pricing, so purchasing both separately comes to £198 per user per month. The bundle price for Evie and Colin together is £150 per user per month, saving £48 per user against individual pricing. Bundle pricing also applies when Emma is included: Emma and Evie together, or Emma and Colin together, cost £369 per user per month, saving £29 per user against individual pricing of £398. The complete suite including Evie, Emma, and Colin costs £429 per user per month, saving £68 per user compared to individual pricing.
Key Terms Glossary
Consumer Duty: FCA regulatory framework (PS22/9) requiring firms to evidence good outcomes for retail customers, including appropriate treatment of vulnerable customers across all stages of the client relationship.
FG21/1: FCA finalised guidance on the fair treatment of vulnerable customers, published July 2021, which defines the four drivers of vulnerability and sets out the standards firms must meet.
COBS 9.4.7R: The FCA's Conduct of Business Sourcebook rule that requires firms to take reasonable steps to ensure suitability of advice, including consideration of the client's personal circumstances.
NLP (Natural Language Processing): A branch of AI that enables machines to understand and interpret human language in context, detecting vulnerability indicators from conversational transcript data.
Consumer Duty outcomes monitoring: The FCA's requirement that firms actively track and evidence whether their processes deliver good outcomes for different client groups, including those with vulnerability characteristics, on an ongoing basis.
File review sampling: A compliance process in which a proportion of advice files are reviewed against regulatory standards to check documentation quality. Industry practice typically reviews 10-20% of files, leaving the remainder unchecked.
Sentiment analysis: An NLP technique that identifies the emotional register of language, used in vulnerability screening to detect stress, anxiety, or confusion indicators that signal resilience or capability drivers.
Audit trail: A time-stamped record of compliance checks, flags, and resolutions that can be produced to the FCA during a supervisory review or section 166 skilled person review.


