In a recent blog on the UK’s Payment Systems Regulator (PSR) consultancy seeking comment to finalize the regulations on reimbursement for Authorized Push Payment (APP) scams, I highlighted the efforts to define how to treat vulnerable customers and how to define gross negligence, which if occurs, there is no reimbursement.
Defining customer vulnerability is no easy task. But to help define this term, the UK’s Financial Conduct Authority (FCA) recently published The Financial Lives 2022, a survey of UK adults using financial services. This is important research that includes key findings on UK adults with vulnerabilities. Let’s unpack this comprehensive research to better understand financial vulnerability and see how this information could impact how the PSR, or other regulators, could make use of consumer financial vulnerability information in determining regulation.
The FCA defines a vulnerable consumer as “somebody who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.”
Initially the FCA has defined four categories/drivers of vulnerability:
- Poor health, including cancer, multiple sclerosis, or HIV infection.
- Experiencing a negative life event, including income shock, relationship breakdown/separation/divorce and financial abuse.
- Low resilience, including low financial resilience and low emotional resilience, causing difficulty to recover from negative experience/financial shocks.
- Low capability, including weak financial knowledge (difficult to manage money), poor digital skills, learning impairment and low English skills.
Table 1 from the FCA Finalised Guidance for Firms on the Fair Treatment of Vulnerable Customers highlights some of the characteristics of each category/driver of vulnerability.
The FCA 2022 report shows that “52% of UK adults showed one or more characteristics of vulnerability.”
Figure 3.3 from the FCA report shows the percentage of UK adults having one of these four vulnerabilities.
Figure 3.4 from the FCA report shows the percentage of UK adults with each category of vulnerability (e.g., life event= 21.6%) and the proportion of adults with overlapping categories of vulnerability.
Clearly when a person has more than one category of vulnerability, they are considered even more vulnerable. Luckily, it is a smaller percentage of adults having multiple categories of vulnerability, but in absolute terms, it becomes noticeable. As an example, adults with “resilience plus life event” is only 4.4% of UK adults, but when that figure is applied to the overall population, it represents approximately 2.4 million people. Overall, the report noted that 14% of UK adults showed characteristics under two drivers, 5% under three drivers, and 1% under four drivers.
Another separate category of vulnerability is the elderly. In most banking regulation and policy, the elderly population is already carved out for special protection, and this has a clear demarcation line of a minimum age (e.g., 65). So, we acknowledge the elderly but move on since this is well-defined and verifiable.
As you can see when you start to define general consumer vulnerability, it can get difficult. And most of these vulnerabilities are not visible to the financial institution staff. When 52% of UK adults have a vulnerability, as defined by the FCA, it can become challenging to administer an APP scam reimbursement plan where the vulnerable must be treated with special exceptions.
Also, when you define gross negligence as part of the APP scam reimbursement, the reality is that the vulnerabilities of the victim must be considered when assessing if gross negligence occurred by the consumer. And since most of the vulnerabilities are not visible, how do you do this? If a scam victim has a combination of a life event and low resilience, can they be considered grossly negligent in a scam activity?
As we talk about vulnerable customers, we need to remember that these vulnerable customers are the very ones ‘primed’ to be victims of financial scams. In some cases, the fraudsters will access breached data to identify vulnerable consumers and then target them. They may even just buy a list of consumers over 65 and target them. The vulnerabilities these people have make them very susceptible to a financial scam. In fact, the absolute number of vulnerable people is what makes these scams so effective.
The remaining 48% of UK adults (college professor, tech exec, retail staff, etc.) do not have vulnerabilities, but they are still susceptible to scams. These folks can still be hurried, lonely or looking to increase their wealth. The problem for financial institutions, when a scam is in process or there is an unrecoverable loss, is to figure out quickly how to engage with the customer. The more they know about the customer, the better they can interact with them. The fraud analyst needs to be a ‘people’ investigator, because the more they learn at the point of the scam alert, the better chance to convince the customer the transaction is a scam and retain the money. Unfortunately, if the money is gone, then the fraud analyst is more in a forensic mode to determine if the consumer is vulnerable, under the FCA definition, and to figure out how the person’s vulnerability status could affect reimbursement for an APP scam.
It appears that the PSR is accepting the FCA definition of vulnerability, along with the criteria/drivers of vulnerability. So, UK financial institutions need to be prepared to be part psychologist/doctor/financial advisor when determining APP reimbursements.
This discussion is important to all financial institutions around the world to realize that many of their customers are vulnerable and how do you equitably deal with them, especially when it comes to the ever-growing scam losses. At minimum, financial institutions should have sound scam controls, effective scam education, and trained analysts to effectively interact with customers that have characteristics of vulnerability.
My surprise takeaway in doing the research for this blog was the high number of UK adults deemed vulnerable (52%). Was it for you too? And what percent of your customer base do you think would be considered vulnerable under the FCA definition?