FCA and ICO Joint Statement: Vulnerability Data, Consumer Duty, and the Data Protection Intersection

Credit: Zendata

The first joint statement from the FCA and the Information Commissioner's Office on vulnerable customers sets out a clear framework and the message is that good data sharing and good data protection are compatible.

Context:

On 27 March 2026, the Financial Conduct Authority and the Information Commissioner's Office (ICO) published a joint statement on regulatory expectations regarding firms' approaches to vulnerability-related data. The statement is the product of collaboration through the Digital Regulation Cooperation Forum (DRCF) and the UK Regulators Network (UKRN), and represents the first coordinated guidance from the two regulators on how firms should navigate the apparent tension between their Consumer Duty obligations to support vulnerable customers and their data protection obligations under the UK GDPR.

The context is the FCA's Consumer Duty, which requires all regulated firms to deliver good outcomes for retail consumers, including those in vulnerable circumstances. The FCA's vulnerability guidance (FG21/1) is explicit that firms must identify and appropriately respond to customers who may be vulnerable. This requires firms to collect, process, and share information about vulnerability indicators, which creates genuine data protection questions that many firms have found difficult to resolve without explicit regulatory guidance.

The statement is designed to give firms the confidence to collect and use vulnerability data for the purpose of delivering better consumer outcomes, while providing clear parameters within which that processing is lawful and proportionate. The joint FCA/ICO framing is deliberate: it signals that the two regulators are aligned and that firms should not use data protection law as an excuse for failing to support vulnerable customers adequately.

Rules and Guidelines:

The joint statement covers three areas. First, supporting consumers in vulnerable circumstances: firms are expected to identify vulnerability indicators within their customer base and design products, communications, and support that respond appropriately. The statement confirms that collecting vulnerability-related data is lawful where it has a clear purpose, uses an appropriate legal basis under UK GDPR (consent, substantial public interest for special category data, or legitimate interests where applicable), and is proportionate. Data Protection Impact Assessments (DPIAs) are recommended for high-risk processing of vulnerability-related data.

Second, sharing data across distribution chains: the statement guides manufacturers (such as lenders and payment networks) and distributors (such as intermediaries and advisers), which have shared responsibilities under Consumer Duty to identify and respond to vulnerability. The statement clarifies that data about vulnerable customers can be shared across distribution chains where it is necessary to deliver good outcomes, subject to appropriate data minimisation, purpose limitation, and contractual protections. The FCA intends to do further work on how Consumer Duty applies through distribution chains in 2026.

Third, monitoring customer outcomes: firms must have systems in place to monitor whether their approaches to supporting vulnerable customers are working, including through analysis of complaints, contact data, and product outcome metrics. The statement clarifies that this monitoring can involve personal data, subject to appropriate anonymisation or aggregation where possible and proportionate safeguards where individual-level data is needed.

Businesses Affected:

  • All FCA-regulated firms providing products and services to retail consumers, including banks, building societies, insurers, investment firms, and consumer credit providers.

  • Compliance and data protection teams must operationalise the joint statement's guidance within their Consumer Duty frameworks.

  • Firms operating in distribution chains (both as manufacturers and distributors) that need to design contractual and technical frameworks for lawful vulnerability data sharing.

  • Customer experience, product design, and communications teams whose processes for identifying and responding to vulnerabilities must be reviewed against the joint statement.

Next Steps:

  • Review your firm's vulnerability identification and data collection processes against the UK GDPR legal basis and proportionality framework set out in the joint statement. Document the legal basis for each category of vulnerability data processing.

  • Assess whether DPIAs are required for existing vulnerability data processing activities, particularly where processing is high-risk, for example automated decision-making using inferred vulnerability indicators.

  • Review distribution chain contracts for Consumer Duty compliance on vulnerability. Ensure that downstream distributors have both the obligation and the information they need to identify and support vulnerable customers.

  • Monitor the FCA's planned 2026 work on how Consumer Duty applies through the distribution chain. This will complement the joint statement and may include further guidance on data sharing standards.

Source | FCA | Joint FCA and ICO Statement
