What is Consumer Vulnerability?
Consumer vulnerability is not a fixed characteristic of certain people - it is a state that any consumer can enter at any time. A recently bereaved customer phoning a utility company is vulnerable in that interaction even if they are otherwise confident and capable. A bank customer in the early stages of a dementia diagnosis may not yet consider themselves vulnerable but will need additional support to make complex financial decisions. A working parent dealing with a sudden job loss is vulnerable in the weeks that follow, even though their circumstances may stabilise later.
What matters for an organisation is whether its products, services, communications and processes are designed in a way that does not cause harm to consumers when they are in a vulnerable state. A service that assumes every customer has full financial literacy, stable emotional state and time to read the small print will fail some consumers some of the time. A service that recognises vulnerability can arise and has mechanisms to identify and respond to it works better for everyone.
Organisations operating in sectors where harm from vulnerability is significant - financial services, utilities, telecoms, healthcare, essential services - have a particular obligation to design for it. Regulators in these sectors now expect it as a baseline, not as a nice-to-have.
ISO 22458 and the Inclusive Service Framework
ISO 22458 was published in 2022 as the international standard on consumer vulnerability - requirements and guidelines for the design and delivery of inclusive service. It replaces the earlier British Standard BS 18477, which was the UK's original standard on inclusive service and has since been withdrawn.
The standard sets out what an organisation should put in place to make its services work for consumers who are, or who become, vulnerable. At its core it asks the organisation to:
- Commit at leadership level to inclusive service and to preventing consumer harm
- Understand the consumers it serves and the vulnerabilities that may arise in that population
- Design products, services and communications so that vulnerable consumers are not disadvantaged
- Train staff to identify indicators of vulnerability and respond appropriately
- Monitor outcomes and adjust the service where evidence of unfair outcomes emerges
- Involve vulnerable consumers and representative groups in service design and improvement
ISO 22458 is certifiable in the same way as other ISO management system standards. Certification is a growing differentiator in tenders for public-sector and regulated contracts, and is evidence to regulators that the organisation takes consumer protection seriously.
Four Drivers of Vulnerability
The Financial Conduct Authority's widely used framework identifies four drivers of vulnerability, and ISO 22458 aligns with the same approach. Each driver has its own implications for how services should be designed.
Health. Physical health conditions, disabilities, mental health conditions, cognitive impairments or addictions. A consumer may need larger-print communications, audio alternatives, longer call handling times, or the option to have a trusted person present for significant decisions. The organisation's service should not require abilities that exclude a significant fraction of its customer base.
Life events. Bereavement, relationship breakdown, job loss, caring responsibilities, domestic abuse. These are temporary but can make a previously capable consumer unable to cope with interactions that would normally be simple. A service that handles bereaved customers sympathetically - avoiding automated demands for payment, offering human contact, pausing where appropriate - is a service that deals with life events humanely.
Resilience. Low income, over-indebtedness, lack of savings, poor or no insurance, single-income households. Consumers with low financial resilience are more exposed to harm from charges, unexpected costs or service interruption. Price communication, affordability checks and hardship processes matter disproportionately for these customers.
Capability. Low financial, digital or numerical capability, limited English proficiency, limited understanding of the product or service. Many consumers meet this description for at least some products - few people are financially literate across every product they use. Clear, plain-language communications, digital alternatives and access to human help are all part of the response.
Any individual consumer may be affected by more than one driver at once, and vulnerability can arise suddenly or build gradually. The organisation's systems should allow for identifying and responding to vulnerability whenever it arises, not only at the point of sale.
Regulatory Context in the UK
UK regulators have moved consumer vulnerability from a voluntary good-practice topic to an explicit expectation in several sectors.
Financial services - the FCA Consumer Duty. The Financial Conduct Authority's Consumer Duty, which came fully into force in July 2023, requires regulated firms to deliver good outcomes for retail customers and explicitly to pay particular attention to consumers with characteristics of vulnerability. Firms are expected to have processes for identifying vulnerable customers, adapting their service and monitoring outcomes. For FCA-regulated firms, consumer vulnerability management is a regulatory requirement, not a choice.
Energy - Ofgem. Ofgem requires energy suppliers to maintain a Priority Services Register of vulnerable customers who may need additional support, including at times of disconnection or supply interruption. Suppliers are expected to identify and record relevant characteristics and to offer appropriate support such as priority reconnection, free meter reading or accessible billing formats.
Telecoms - Ofcom. Ofcom expects communications providers to identify vulnerable customers and provide services that do not disadvantage them, including affordable tariffs, accessible communications and processes that account for vulnerability in debt management.
Water - Ofwat. Water companies are required to maintain their own priority services registers and to have processes for supporting customers at risk of water debt, customers with medical needs requiring continuous supply, and customers with other vulnerabilities.
Organisations outside these explicitly regulated sectors still face obligations under general consumer protection, equality and data protection law, and increasingly face commercial pressure from customers and public-sector procurement to demonstrate consumer protection arrangements. The bar rises year on year.
What a Consumer Vulnerability Management System Looks Like
A working consumer vulnerability management system covers the same broad structure as any other ISO management system, adapted to the subject matter. The main elements are:
Leadership commitment. Top management communicate that inclusive service is a strategic priority, not a compliance afterthought. The consumer vulnerability policy is owned at board level and referenced in customer-facing communications.
Understanding the consumer base. The organisation identifies which vulnerabilities are likely to arise in its customer population, using data it already holds and by engaging with consumer groups. A bank will have a different vulnerability profile among its customers than a mobile phone retailer; both need to understand their own.
Inclusive service design. Products, services, processes and communications are designed so that they do not unintentionally disadvantage vulnerable consumers. Plain-language communications, digital alternatives, accessible formats and simplified decision points all form part of this.
Staff training. Frontline staff are trained to recognise indicators of possible vulnerability and to respond appropriately - slowing down, offering alternatives, escalating where needed. Training includes the limits of their role: staff are not clinicians or counsellors and should know when to refer a consumer to specialist support.
Identification and response. Processes allow staff to record relevant information about a consumer's circumstances so that it is available at future interactions, with appropriate data protection safeguards. The consumer consents to this sharing and can withdraw consent.
Monitoring outcomes. The organisation tracks whether vulnerable consumers experience outcomes comparable to other consumers - complaints, resolution times, product drop-off, debt levels. Evidence of systematically worse outcomes for vulnerable consumers triggers service redesign.
Feedback and improvement. Consumers affected by vulnerability and the organisations that represent them are consulted on service design and on incidents where the organisation's service has caused harm. Findings feed into the improvement loop.
Training, Policies and Staff Empowerment
The single highest-impact action in a consumer vulnerability programme is usually staff training. Frontline staff are the point at which vulnerability is identified, the point at which the organisation's response is delivered, and the point at which good intentions succeed or fail.
Effective training covers three things. Recognition - how to notice indicators of vulnerability in a conversation. Response - what options staff have to adapt the service in that moment. Empowerment - the authority and confidence to use those options without needing escalation for every small adjustment.
Policy alone is not enough. A written policy that promises inclusive service, combined with scripts that penalise call handlers for longer calls or agents who cannot override standard charges, produces frontline staff who know the right answer but cannot deliver it. The service will not match the policy. This is one of the main places consumer vulnerability programmes fail.
Common Mistakes
Several patterns come up repeatedly in organisations starting their consumer vulnerability work.
Treating vulnerability as a marginal issue. Research suggests that around half of adults have at least one characteristic of vulnerability at any given time, and the proportion rises among customers in distress, debt or transition. Designing for vulnerability is designing for mainstream customers, not a minority.
Assuming identification is enough. Knowing a customer is vulnerable does nothing unless the knowledge leads to an adapted response. Organisations that collect vulnerability data but leave their processes unchanged create a record of concern without any practical benefit.
Relying on consumers to self-identify. Many vulnerable consumers will not identify themselves - because they do not consider themselves vulnerable, because of stigma, or because they do not trust the organisation with the information. Services need to be designed to work for vulnerable consumers whether or not they have been flagged as such.
Sales incentives that cut across vulnerability response. Sales targets, call-handling-time metrics, product recommendation scripts and similar operational pressures can push frontline staff into behaviours that conflict with the vulnerability policy. Aligning incentives with the policy is more important than writing the policy.
One-off training with no refresh. Consumer vulnerability training dated three years ago is mostly forgotten. Regular refresh, scenario-based practice and feedback from real cases keep staff capability current.
When I work with a client on consumer vulnerability, I start by asking them to describe a recent customer interaction that did not go well. Usually within two or three examples there is a case where the customer was in distress, confused, or simply not equipped to make the decision the process was asking them to make. The response was whatever the script allowed, which was rarely what the customer needed.
The shift that ISO 22458 asks for is to design from the other direction. Start with the most vulnerable customer the organisation reasonably serves and design the service so that it works for them. Designing for the median customer and then trying to retrofit adjustments for the edge cases does not work nearly as well.
I run a small electronics retailer and we had not thought of ourselves as being in the consumer vulnerability space at all - it felt like something for banks and utilities. But bereaved customers spending unexpectedly, people making large purchases while clearly in emotional distress, elderly customers being upsold by enthusiastic staff - that is all consumer vulnerability and it was happening.
We built a basic consumer vulnerability approach into our sales training and our complaints process. We give staff explicit permission to slow a sale down, to suggest the customer come back the next day if a decision looks rushed, to cancel or refund without penalty if a customer later says they were not in a fit state. The commercial impact has been marginal. The reputational benefit and the reduced complaint volume have been significant.
Working toward ISO 22458 gave us the framework to do this in a structured way rather than relying on each member of staff figuring it out for themselves.
When I audit against ISO 22458, I look for evidence that inclusive service is designed in rather than bolted on. That means policies are clear, training is documented and refreshed, monitoring data is collected and used, and there is evidence of service changes made in response to what the monitoring shows.
The test I apply most often is looking at complaints. If the organisation has an inclusive service in practice, its complaints data should not show worse resolution rates or longer waits for customers with recorded vulnerability flags. If it does, the inclusive service is aspiration rather than delivery, and I will follow that finding through.
Practical Compliance Guidance
The ISO 22458 toolkit provides the documented system needed to run an inclusive service programme that meets the standard, and the related forms and registers fit within a wider integrated management system if the organisation holds other ISO certifications.
| alphaZ document | How to use it |
|---|---|
| ISO 22458 Toolkit | Complete documented system for an ISO 22458 inclusive service programme - policies, procedures, training materials, staff briefing and monitoring templates. |
| ISO 9001 Management System Toolkit | Provides the underlying quality management framework into which the consumer vulnerability programme integrates. ISO 22458 sits naturally alongside ISO 9001 in organisations that hold both. |
| F-IMS22 Interested Parties Register | Captures consumer groups, representative organisations and advocacy bodies among the organisation's interested parties - essential evidence of engagement with affected communities. |
| F-IMS23 Opportunities and Risks Register | Logs risks of consumer harm from service design alongside other strategic risks. Reviewed at management review so that inclusive service remains a board-level concern. |
| F-Q3 Management Review | Includes inclusive service outcomes as a standard review input - complaint patterns, vulnerability indicators, staff training completion, monitoring data. |
| ER1 Issues and Actions Register | Records incidents of consumer harm, near-misses and improvement actions. Trend analysis feeds into service redesign and policy updates. |
| ER2 Staff Training and Competency Matrix | Tracks initial and refresher consumer vulnerability training for all staff in consumer-facing or decision-making roles - evidence for both the standard and regulatory assurance. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
Consumer vulnerability sits at the intersection of several UK legal frameworks. The standards and regulatory expectations above are supported by general legislation that applies regardless of ISO certification.
- Consumer Rights Act 2015
- Equality Act 2010 - includes reasonable adjustment duties for disabled consumers
- Mental Capacity Act 2005 - relevant where consumer decisions may be affected by capacity
- Data Protection Act 2018 - governs handling of vulnerability information
- FCA Guidance - Fair Treatment of Vulnerable Customers (FG21/1)
