FCA Vulnerability Guidance 2026: What's Changed and Why AI Matters Now
Written by Shashank Gupta, GTM & Growth

TL;DR: The FCA's March 2025 review found 44% of vulnerable customers reported negative experiences with financial services firms, and only 39% of firms had formal governance overseeing vulnerability outcomes. Regulators now demand consistent, documented detection across every adviser interaction using four drivers: health, life events, resilience, and capability. For large advice networks and consolidators, manual documentation creates Consumer Duty risk because the weakest file note defines your regulatory exposure. Evie automates meeting notes capturing vulnerability indicators, Emma standardises suitability reports, and Colin checks compliance against FCA requirements before documents leave the desk, providing firm-wide consistency without adding post-meeting hours. Atlas connects all of this in a single conversational interface, allowing advisers to surface a client's full vulnerability history before a meeting starts. No competitor offers this capability.
A comprehensive vulnerable customer policy no longer protects your firm. Consistent, documented meeting evidence does. The FCA's March 2025 thematic review of vulnerability handling made that clear. Regulators are no longer asking whether firms have a policy in place. They're examining whether every adviser interaction produces evidence that vulnerability was considered, whether a client discussed a recent bereavement, disclosed a health condition, or showed signs of low financial resilience. For operations leaders managing documentation across multiple advisers and paraplanners, that's an operational data problem as much as a compliance one.
What Has Changed in FCA Vulnerability Guidance for 2026?
The FCA's FG21/1 guidance established the four-driver framework and set out what firms should do to treat vulnerable customers fairly. Consumer Duty, which took effect in July 2023 for open products and services, raised the bar by requiring firms to demonstrate good outcomes rather than simply follow processes. The March 2025 review marks the next step: the FCA is examining whether firms are delivering on that standard in practice, not just on paper.
Why the March 2025 Review Changes the Stakes
The FCA's four drivers haven't changed since FG21/1 in 2021. What has changed is how the regulator examines whether firms are delivering on them. The March 2025 review found 44% of vulnerable customers reporting negative experiences and only 39% of firms with formal governance overseeing outcomes. The enforcement message is clear: comprehensive policies no longer demonstrate compliance. File-level documentation does.
What changed in 2025 is the FCA's enforcement focus: regulators are now examining whether every adviser interaction produces documented evidence of vulnerability consideration, not whether firms have organisation-wide policies in place. The March 2025 review made clear that process compliance doesn't equal outcome delivery.
The FCA's four key drivers of vulnerability remain the operational framework for every client interaction:
Health: Conditions affecting an individual's ability to carry out day-to-day tasks, including mental health issues, cognitive disability, and sensory impairments. Many health vulnerabilities are harder to identify than physical conditions because clients rarely disclose them directly.
Life events: Circumstances such as bereavement, job loss, relationship breakdown, or leaving care that may negatively affect a client's decision-making capacity at the time of advice.
Resilience: Low ability to withstand financial or emotional shocks. The FCA describes adults with low financial resilience as those who could not sustain household costs for even a week if their main income stopped, or who would struggle with rent or mortgage increases of less than £50 per month.
Capability: Low knowledge of financial matters, low confidence managing money, or limited literacy and digital skills that affect a client's ability to engage meaningfully with advice.
The FCA's proposed FOS reforms introduce a 10-year absolute time limit for bringing complaints to the Financial Ombudsman Service, measured from the date of the conduct complained of. For longer-term products such as pensions and mortgages, exceptions to that limit may apply. Firms should maintain comprehensive audit trails of vulnerability documentation to support potential complaint handling during this extended window.
New Consumer Duty Compliance Demands
The shift from FG21/1 to Consumer Duty represents a meaningful change in what the FCA expects firms to demonstrate. The table below captures the key differences.
| Dimension | FG21/1 (2021) | Consumer Duty (2023 Onwards) |
|---|---|---|
| Standard | Treat vulnerable customers fairly | Deliver good outcomes for all, including those with characteristics of vulnerability |
| Evidence required | Demonstrated fair treatment through staff capability and service design | Outcome-level data with behavioural and feedback monitoring |
| Governance expectation | Senior management responsibility for fair treatment | Active leadership oversight with formal accountability structures |
| Communication | Clear, accessible information | Tested consumer understanding across all channels |
| Monitoring | Outcome-focused monitoring across the customer journey | Firm-wide MI, disclosure rates, and outcome variance analysis |
Preparing for FCA Vulnerability 2026
The FCA explicitly calls on firms to undertake a full review of their approach, systems, and processes, and to centralise vulnerability operations to ensure consistent outcomes and a joined-up approach. For multi-adviser firms, three immediate priorities emerge: auditing where vulnerability detection sits in your documentation workflow, identifying where adviser-by-adviser variation creates gaps, and establishing formal governance oversight of vulnerability outcomes. The March 2025 review found only 39% of firms had formal governance bodies or committees overseeing those outcomes, leaving the majority exposed to direct regulatory scrutiny.
Why Is the FCA Emphasising Consistency in Vulnerability Detection?
The March 2025 review identified a clear pattern: firms can have organisation-wide vulnerability policies and still produce highly inconsistent outcomes at the adviser level. Consumer research commissioned for the review found that 44% of vulnerable customers reported negative experiences with financial services firms, compared to 33% of non-vulnerable customers. That gap is not explained by policy shortfalls. It's explained by execution gaps at the point of advice delivery.
Inconsistencies Found in FCA Vulnerability Reviews
The March 2025 findings reveal several consistent failure patterns across the firms reviewed. While 79% of firms reported senior leadership actively reviewed governance arrangements, only 39% had formal governance committees specifically overseeing vulnerability outcomes, meaning senior leaders were often aware of the issue without the management information to act on it. Only 54% of firms with training in place for non-frontline staff had specific vulnerability guidance, leaving paraplanners and back-office teams processing documentation without structured guidance on what to record or flag. The FCA also noted that firms consistently "underestimated the depth of monitoring required" and chose "only to monitor readily available data," focusing on process outputs rather than customer outcomes. The FCA has stated that all firms will likely deal with vulnerable customers, expressing surprise that some firms believe otherwise, a position that is no longer defensible under Consumer Duty. The broader debate about adviser capacity constraints driving these gaps is covered in the AdvisoryAI advice gap analysis.
Your Consumer Duty Blind Spots
The documentation bottleneck creates a specific compliance risk for multi-adviser firms. When the post-meeting write-up takes 1.5 hours or more per meeting, advisers prioritise capturing recommendation rationale and action items. Vulnerability indicators discussed informally, such as a client mentioning a recent bereavement or expressing anxiety about managing finances following a period of illness, often fail to reach the final file note. Consumer Duty requires firms to evidence that vulnerability was considered and acted upon at every interaction. If it's not in the file note, then for regulatory purposes it didn't happen.
Implementing FCA-Ready Vulnerability Detection Processes
FCA-Ready Vulnerable Client ID
Consistent vulnerability detection starts with structured questioning at every client meeting. Practical approaches include:
Opening review meetings with open-ended questions about life changes since the last meeting, covering both professional and personal circumstances.
Asking explicitly but sensitively about health changes that may affect financial decision-making capacity.
Including a financial resilience check as part of the fact-find update, covering emergency savings, income security, and appetite for financial shocks.
Asking about confidence levels with financial products before discussing online platforms or service changes.
FG21/1 notes that mental health issues and cognitive vulnerabilities are among the hardest to identify because clients rarely disclose them directly. Advisers need to recognise indirect signals such as reduced engagement, inconsistencies in recall, expressed anxiety, or significant changes in financial behaviour between review meetings. The Financial Planner Life Podcast discussion on AI and compliance covers how these behavioural detection skills interact with documentation requirements for paraplanners and advisers.
FCA-Ready Documentation Standards
The audit trail the FCA expects covers four elements for every client interaction:
Identification: What vulnerability indicators were present or considered during the meeting, even where none were ultimately identified?
Action taken: What adjustments were made to the advice process, communication style, or product recommendation as a result?
Outcome monitoring: What follow-up was arranged to confirm the client understood and was satisfied with the outcome?
Record: A structured file note capturing all of the above, linked directly to the suitability report.
Colin performs a final compliance check on the finished report before it leaves the adviser's desk, flagging any missing vulnerability assessments or documentation gaps against FCA Consumer Duty requirements and COBS standards.
All files must be maintained in line with your firm's record retention policy and FCA requirements, with the proposed FOS reforms introducing a 10-year absolute time limit for bringing complaints measured from the date of the conduct complained of.
How AI Tools Help Firms Meet Vulnerability Detection Requirements
Evie, Emma, and Colin are capabilities within Atlas, AdvisoryAI's single conversational interface that connects meeting transcripts, suitability reports, uploaded documents, and client data, so the outputs from each capability feed into a unified client record rather than sitting in separate tools.
No competitor offers a unified interface that connects live meeting transcripts, historical suitability reports, uploaded client documents, and fact-find data in a single queryable record. For vulnerability handling specifically, that connection matters: the context an adviser needs before a meeting, and the audit trail a compliance team needs after it, exist in the same place.
AI for Vulnerable Client Detection in Meetings
When vulnerability indicators emerge during a meeting, such as a client mentioning a recent bereavement or expressing anxiety about managing finances independently, manual note-taking means those details often fail to reach the final file note. AdvisoryAI automates the entire advice workflow from meeting preparation through to final documentation. Before the meeting starts, Atlas surfaces a client's full vulnerability history, including prior health disclosures, life events, and resilience indicators from past fact-finds, so advisers enter each interaction with the context they need to ask the right questions. During the meeting, Evie records and transcribes via Microsoft Teams, Zoom, or Google Meet, then generates structured notes that capture objectives, circumstances, recommendations, next steps, and action items, including vulnerability disclosures that advisers might otherwise miss during manual write-ups. The Evie meeting notes feature explains how Evie is built to understand financial terminology and UK dialects, capturing tone and minute details in conversations, not just the spoken words.
A Chartered Financial Planner at Brooks Macdonald reported that meeting note time dropped from 1.5 hours to 15 minutes per meeting with Evie during an annual review. Across a 20-meeting month, that's 25 hours recovered per adviser, and more complete vulnerability documentation captured in each note because the adviser reviews a draft rather than writes from memory. You can see how Evie captures vulnerability context in a full review meeting in this FCA-compliant meeting notes demo. Evie also integrates directly with back-office systems, including Intelliflo, Plannr, Curo, and Iress Xplan, pushing structured notes and client information directly into the fact-find without manual re-entry. For clients who prefer not to be recorded, the client consent and recording guide covers how firms handle opt-outs without losing productivity. Some firms using AdvisoryAI have adjusted pricing models to reflect the efficiency gains from recorded meetings, charging lower fees for clients who consent to recording.
Consistent Documentation for Consumer Duty
Emma generates suitability reports from your firm's existing templates, matching your firm's advice style, tonality, and formatting preferences, whether that means bullet points, flowing paragraphs, or structured tables, so vulnerability support strategies are documented in the same format across every adviser. As the Emma paraplanning guide explains, Emma cites every statement back to its source document, creating a clear audit trail from client disclosure to recommendation. Bluecoat Wealth Management reduced suitability report time by 80% using Emma, with what used to take 4 to 6 hours now taking under an hour, while maintaining comprehensive coverage of risk profiles, investment recommendations, and client-specific financial planning elements. For operations leaders, Emma's customisation goes beyond templates to include advice style, tonality, and formatting preferences, ensuring vulnerability documentation sections appear consistently across all suitability reports regardless of which adviser produced them, without requiring advisers to relearn a new document structure. Watch Emma generate a complete report in five minutes to see how this works in practice. For firms processing large volumes of LOA packs, Finsource Partners reduced LOA review time by 80% using Emma, with the same structured source-citing approach applied to provider documents.
Minimising FCA Vulnerability Risk
Colin checks your documents against FCA Consumer Duty requirements and COBS standards before they leave the adviser's desk, providing pass/fail verdicts alongside suggested fixes. The Colin compliance demonstration shows how it flags specific documentation gaps, including missing vulnerability assessments, before a report reaches the client or a compliance review.
Colin is system-agnostic and works on any suitability report, not just those generated within AdvisoryAI. Colin checks documents quickly, completing a check that takes two hours or more when done manually. For a firm reviewing several hundred reports per month, that's the difference between checking every document every time and spot-checking a sample while hoping the weakest files don't surface during an FCA visit.
How to Improve Vulnerable Customer Detection
1. Evaluate FCA Vulnerability Workflows
Audit your current documentation process before configuring any tool. The FCA explicitly recommends a full review of your approach, systems, and processes. A practical firm-level checklist:
Does every client meeting produce a structured file note referencing all four vulnerability drivers, even where none were identified?
Are vulnerability disclosures captured consistently in suitability reports across all advisers?
Does your firm have a formal governance body overseeing vulnerability outcomes (not just a policy document)?
Is vulnerability training in place for non-frontline staff including paraplanners and back-office teams?
Can you produce outcome monitoring data showing disclosure rates and outcome variance between vulnerable and non-vulnerable clients?
Are your client files audit-ready for a 10-year period following the advice delivery date?
2. Standardise Vulnerability Assessment Questions
Build a consistent questioning framework into every annual review and new client meeting. Cover all four drivers using open-ended questions rather than a checkbox format, which can feel clinical and may inhibit disclosure. "Since we last spoke, have there been any significant changes in your personal or professional life that might affect your financial plans?" covers life events and resilience without prompting a specific answer. FG21/1 notes that health conditions and cognitive vulnerabilities are particularly difficult to identify because clients often do not disclose them directly, so training advisers to recognise indirect signals and capture them in structured notes is equally important. The Evie AI assistant walkthrough shows how this structured capture approach works in practice during a full client meeting.
3. Flag Vulnerabilities During Meetings Using Evie
Standardised questions create the conditions for disclosure. Evie ensures what clients disclose during the meeting reaches the file note.
Vulnerability indicators rarely arrive as formal declarations. A client mentioning they have been signed off work, expressing uncertainty about managing finances independently, or becoming less engaged when discussing product complexity are the kinds of signals that structured questioning may surface but manual note-taking often fails to capture. When an adviser is focused on the conversation, those details can be missed in the write-up entirely.
Evie records the meeting via Microsoft Teams, Zoom, or Google Meet and generates structured notes that capture objectives, circumstances, recommendations, next steps, and action items, including vulnerability disclosures that emerge indirectly during the meeting. It is built to understand financial terminology and UK dialects, and to capture tone and the detail of what is said, not just the headline points. Health disclosures, life event references, resilience concerns, and capability indicators are reflected in the structured output rather than lost between the meeting and the write-up.
That structured note becomes the audit trail the FCA expects: a documented record that vulnerability was considered at every interaction, created at the point of advice delivery rather than reconstructed from memory an hour later. The Evie meeting notes feature explains how this structured capture works in practice.
4. Automate FCA Vulnerability Checks
The cost comparison is direct. Manual compliance reviews require significant paraplanner time per report. At £99 per user per month, Colin checks every document, every time, spreading that cost across dozens of reports per month.
The enforcement context reinforces the stakes. TSB Bank was fined £10.9 million in October 2024 for failing to fairly treat over 232,000 customers in financial difficulty, with total customer redress reaching £99.9 million. The FCA fined HSBC and Marks and Spencer Bank £6.28 million for similar vulnerability handling failures, with redress reaching £185 million across 1.5 million customers.
5. Consistent Adviser Training on New Rules
Update training materials to reflect the March 2025 review findings, particularly the shift from process monitoring to outcome monitoring. Advisers and paraplanners need to understand that vulnerability documentation is not a box-ticking exercise. It's the evidence base the FCA will examine if a complaint is raised under the proposed 10-year FOS time limit, and it's the data your operations team needs to monitor outcomes across the firm. The suitability report automation demo shows how structured templates reinforce consistent documentation habits across the adviser team.
Consequences of Failing FCA Vulnerability Rules
FCA enforcement activity in 2024-2025 included 37 Final Notices, 5 criminal convictions, £180.1 million in penalties, and 1,516 cancelled firm authorisations. The March 2025 vulnerability review signals that vulnerability handling is moving up the enforcement agenda. The FCA expects firms to take remedial action where poor outcomes are identified and to continue monitoring whether outcomes improve, rather than treating implementation as a one-time exercise.
Beyond direct fines, Consumer Duty failures create three categories of operational cost. First, client redress: the HSBC and M&S Bank case involved £185 million and affected 1.5 million customers. Second, operational disruption: regulatory investigations and remediation consume senior leadership and compliance team capacity. Third, reputational damage from public enforcement notices. Volkswagen Financial Services paid a £5.4 million fine alongside £21.5 million in customer redress for vulnerability-related failures, with those costs dwarfing any technology investment required to close the documentation gap.
Clarifying New FCA Vulnerability Rules
AI for Reliable Vulnerability Detection
Atlas connects meeting transcripts, suitability reports, and uploaded client documents in a single conversational interface, allowing advisers to query client history before a meeting to surface historical vulnerability context. An adviser preparing for an annual review can ask Atlas about prior health disclosures, life events recorded in previous meeting notes, or resilience indicators from past fact-finds, before the meeting starts.
Atlas can also surface resilience patterns and capability indicators across a client's full history, not just the most recent meeting, giving advisers the context to ask the right questions before vulnerability becomes a complaint. For Operations Directors monitoring firm-wide outcomes, Atlas connects documentation across all advisers in a single queryable interface, giving compliance and operations teams the client history they need to identify outcome variance between vulnerable and non-vulnerable clients without manually pulling records from separate systems. No competitor offers this capability.
You can see how the full platform connects these capabilities in the AdvisoryAI platform walkthrough.
What Documentation Firms Need for FCA Compliance
The minimum audit trail for each client interaction under Consumer Duty includes:
A structured file note capturing any vulnerability indicators considered and whether any were identified
The adjustments made to the advice process or communication style as a result
The suitability report, with the vulnerability strategy documented consistently
A record of the client outcome and any follow-up arranged
All files must be maintained in line with your firm's record retention policy and FCA requirements, with the proposed FOS reforms introducing a 10-year absolute time limit for bringing complaints measured from the date of the conduct complained of.
Evie costs £99 per user per month, Emma costs £299 per user per month, and Colin costs £99 per user per month. Bundle pricing is available for Evie and Colin at £150 per user per month. AdvisoryAI offers a 14-day free trial with no credit card required, a monthly rolling agreement with no lock-in, and a 30-day money-back guarantee. Annual commitments include a 10% discount. Or request a demo to see how it works with your workflow.
FAQs
What Are the FCA's Four Drivers of Vulnerability?
The FCA defines vulnerability through four drivers: health (conditions affecting the ability to carry out day-to-day tasks), life events (such as bereavement or job loss), resilience (low ability to withstand financial or emotional shocks), and capability (low knowledge of financial matters or digital skills). These are defined in FG21/1 and remain the operative framework under Consumer Duty.
What Did the FCA Find in Its March 2025 Vulnerability Review?
The FCA found that 44% of vulnerable customers reported negative experiences with financial services firms, compared with 33% of non-vulnerable customers, and that only 39% of firms had formal governance bodies overseeing vulnerability outcomes. The review also identified widespread weaknesses in outcomes monitoring and in vulnerability training for non-frontline staff, including paraplanners.
Does FCA Vulnerability Guidance Apply to IFAs and Advice Networks?
Yes. FG21/1 applies to all firms where the FCA's Principles apply, including IFAs, restricted advisers, appointed representatives, networks, and consolidators. The FCA has stated explicitly that all firms will likely deal with vulnerable customers.
When Did Consumer Duty Take Effect for Advice Firms?
Consumer Duty took effect in July 2023 for new and existing open products and services, with the extension to closed products completing in July 2024. The March 2025 review represents the first major thematic feedback on how firms are performing against that standard in practice.
How Long Must Firms Retain Vulnerability Documentation?
The proposed FOS reforms introduce a 10-year absolute time limit for bringing complaints, measured from the date of the conduct complained of. For longer-term products such as pensions and mortgages, exceptions may extend that period further. Firms should maintain comprehensive audit trails to support potential complaint handling during this extended window.
How Does Colin Check for Vulnerability Compliance?
Colin reviews suitability reports against FCA Consumer Duty requirements and COBS standards, providing pass/fail verdicts and flagging specific gaps including missing vulnerability assessments. Colin is system-agnostic and works on any suitability report regardless of which platform produced it.
What Is Atlas and How Does It Support Vulnerability Compliance?
Atlas is AdvisoryAI's single conversational interface connecting meeting transcripts, suitability reports, uploaded documents, and client data in one place. For vulnerability handling, Atlas allows advisers to query a client's full disclosure history, including prior health events, life event disclosures, and resilience indicators from past fact-finds, before a meeting starts. It also supports firm-wide outcome monitoring by connecting documentation across all advisers. No competitor offers this capability.
What Is the Cost of Colin Compared to Manual Compliance Checks?
Colin costs £99 per user per month and checks every document every time. Manual compliance reviews require significant paraplanner time per report. For firms processing high volumes of suitability reports, Colin removes the inconsistency risk of selective spot-checking while providing comprehensive coverage.
Key Terms Glossary
Consumer Duty: The FCA regulatory framework, effective July 2023, requiring firms to deliver good outcomes for retail customers across four outcome areas: products and services, price and value, consumer understanding, and consumer support.
FG21/1: The FCA's Finalised Guidance on the fair treatment of vulnerable customers, published in February 2021, defining the four drivers of vulnerability and setting out expected firm behaviours.
Four drivers of vulnerability: The FCA's framework classifying vulnerability into health, life events, resilience, and capability, as defined in FG21/1 and referenced throughout Consumer Duty guidance.
File note: A structured record of a client meeting capturing the discussion, recommendations, vulnerability considerations, and action items, forming part of the regulatory audit trail.
COBS: Conduct of Business Sourcebook, the FCA's rules governing how firms conduct investment business with clients, including suitability requirements for advice.
FOS: Financial Ombudsman Service, the independent body resolving disputes between consumers and financial services firms, subject to proposed reforms introducing a 10-year absolute complaint time limit.
Back office: The software systems used by financial advice firms to manage client records, including Intelliflo, Plannr, Curo, and Iress Xplan.






