The Deep dive: UK regulators back data sharing to better protect vulnerable customers
By Puja Sharma
Today

‘The deep dive’ is our bi-weekly exploration of a relevant topic, hot trend, or new product. For Prime subscribers only.
How does it work?
Regulators back vulnerability data sharing in FinTech
A customer struggling to keep up with repayments logs into their banking app. Instead of friction or silence, the system adapts—offering tailored support, flagging risk patterns, and quietly sharing relevant insights across the value chain to ensure the right intervention at the right time. The experience feels seamless, not intrusive. Behind the scenes, data is being used carefully, lawfully, and transparently—not avoided but applied with purpose. This is the shift regulators are reinforcing: under the FCA’s Consumer Duty, firms are expected to actively identify and support vulnerable customers—and data, handled responsibly, is what makes that possible.
Customer vulnerability specialists MorganAsh have welcomed a joint statement from the FCA and the Information Commissioner’s Office (ICO) reiterating that data protection rules do not prevent firms from collecting, recording and sharing customer vulnerability data.
The statement provides fresh clarity for financial services firms, confirming once again that GDPR and the Data Protection Act do not stop firms from delivering good outcomes and should not be seen as a barrier to identifying and supporting customers in vulnerable circumstances.
Who is under the radar?
In the statement, the regulator has repeated its expectations for firms to recognise indicators of vulnerability, record the issues and monitor and review them over the lifetime of products. It also calls on firms to respond to the needs of vulnerable customers and report on this with clear evidence.
Meanwhile, the ICO reiterates that data protection rules do not prevent firms from using personal information where it is appropriate and necessary to protect individuals or provide them with vital support. It sets out several lawful bases for firms to process data to identify consumers in vulnerable circumstances.
Crucially, the FCA and the ICO also emphasise the importance of collaboration between manufacturers and distributors, calling on firms to share information where necessary to ensure customers receive appropriate support throughout the product lifecycle.
To achieve this, MorganAsh argued that firms need robust processes to gather data of the quality required to share and transfer it in a structured format. Given the requirement on firms to keep this data accurate and secure, MorganAsh believed firms must invest in the necessary IT systems to manage and store this information properly.
Why does it matter now?
The statement reinforces key principles set out by both the FCA and the ICO in previous communications – dating back as far as 2015 – as well as by MorganAsh, which is now embedded in recent guidance from the CII and the PFS.
Andrew Gething, managing director of MorganAsh, said: “The fear of non-compliance with GDPR has stalled progress on Consumer Duty and its requirements for customer vulnerability management. This joint guidance from the FCA and the ICO not only reiterates that firms can hold and process vulnerability data in line with data protection laws, but they are actively encouraged to share it within the distribution chain to improve outcomes.
“To do this, firms need good data that can be transferred and in a structured format. Holding vulnerability data that is subjective, inconsistent and found in free-text boxes in CRMs will make this far harder to achieve. Robust IT systems will enable firms to not only gather the necessary information in an objective and consistent way, but ensure it’s up to date, secure and fully auditable, ready for reporting to the regulator or for any future subject access requests.
“We are pleased to be working closely with the CII, contributing to their data sharing task force and supporting the further development of practical guidance in this area.”
MorganAsh is a specialist in Consumer Duty and customer vulnerability. The firm launched its multi-award-winning MorganAsh Resilience System (MARS) to help firms understand and monitor vulnerable customers and deliver good outcomes – as required by Consumer Duty. It is in use across financial services and the utilities sector, enabling businesses to adopt a consistent approach to identifying vulnerable characteristics and to generate an objective Resilience Rating – much like a credit score.
Not only can this objective measure be shared across the value chain, but it also provides a top-level indication of a customer’s vulnerability without sharing extensive personal data, answering concerns some have about data protection.