
The three peaks of customer protection: How ‘operational resilience’ enables compliance with the ‘Consumer Duty’ and ‘Vulnerable Customers’

02 June 2023

This article was first published by Thomson Reuters.


This article is the first in a series designed to highlight how, across different financial services industries, Operational Resilience is not merely an ongoing theme or project for compliance, or an end in itself, but is also an essential pathway to meet the requirements of the Consumer Duty and Vulnerable Customers frameworks.

This first article introduces the key concepts and seeks to illustrate them by reference to the FCA’s Operational Resilience insights as to good and bad Operational Resilience practices in the insurance sector.

The essentials

Under SYSC 15A.2 a firm (the next article will address the application of Operational Resilience in more detail; for present purposes, the applicable firms can be described as banks and insurers, plus larger FCA-regulated intermediaries and payment services / e-money businesses) must:

  • Identify the ‘important business services’ which it provides (or which are provided on its behalf) to any clients and which, if disrupted, could
    • “cause intolerable levels of harm” to any client (in short, financial or non-financial “harm from which consumers cannot easily recover” – see FCA Policy Statement 21/3; the next article will address practical indicators in this regard) or
    • “pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets”;

(for convenience, the above harms and risks are referred to collectively below as an “intolerable occurrence”) and

  • for each such important business service, set an ‘impact tolerance’, being the maximum level of disruption, in terms of duration and otherwise, after which there would be an intolerable occurrence.

The lessons from insurance

The Financial Conduct Authority (“FCA”) says it “requested information on a voluntary basis from... 47 [insurance] firms... [including] insurers and intermediaries from the wholesale, retail and life insurance sectors... [which the FCA] analysed... in collaboration [as applicable] with the Prudential Regulation Authority...”

The FCA “assessed the answers... [against] 3 criteria...:

  • the reasonableness of the important business services and impact tolerances selected
  • consideration of consumer harm differentiated by product type or distribution channel
  • consideration of consumer harm according to customer type or vulnerability.”

The FCA said that “some” (clearly not all, and possibly only a minority) of the firms “demonstrated a clear understanding of [the] rules”.

Key aspects of good and bad practices involved:

  • understanding FCA and Prudential Regulation Authority guidelines and applying these fully to operational resilience programmes
  • identifying all the important business services within a firm’s business model, and not seeking to take account of internal services or “irrelevant business services”
  • considering possible harms at each point of the customer journey including:
    • purchasing, amending and renewing a policy – having “correctly identified that no intolerable harm arose from their services being unavailable as similar products were available and easy to substitute”, and “considering the impact of unavailable important business services on [Vulnerable Customers]”; and
    • making a claim or a complaint
  • deploying considered examples of the types of harm a consumer may experience, differentiated by:
    • product type
    • customer profile, including commercial and retail customers
    • distribution method
  • articulating carefully calibrated impact tolerances – in terms of nature, complexity, duration and severity – with accompanying rationales and possible alternatives
  • taking proper account:
    • of the impact on the financial stability of the UK economy (at least in the case of “firms identified by the PRA as other systemically important institutions and insurers with gross written premiums exceeding £15 billion or technical provisions [in short, claims reserves] exceeding £75 billion, both on a three-year rolling average” – see section 3.15 of PRA Policy Statement 6/21), and
    • of safety and soundness and policyholder protection, including (see section 2.5 of PRA Supervisory Statement 1/21) with respect to:
      • “the potential to cause knock-on effects for counterparties, particularly those that provide financial market infrastructure or critical national infrastructure ...
      • impact on the firm’s profit and loss ...
      • the potential to cause legal or regulatory censure ...
      • the significance to the policyholder of the risk insured ... and ...
      • the potential for significant adverse effects on policyholders if cover were to be withdrawn or policies not honoured.”
The ramifications of harm and customer characterisation

The concept of preventing customer harm is central to the Consumer Duty.

In particular, the “Cross-cutting obligation” at PRIN 2A.2.8 R provides that: “A firm must avoid causing foreseeable harm to retail customers” (in insurance, these are, broadly speaking, individuals and small corporates).

‘Foreseeable harm’ is not defined, but there is non-Handbook guidance in the FCA’s Finalised Guidance (“FG”) 22/5 in this regard – this guidance is of particular, but not exclusive, relevance for insurance (as per the FCA’s focus above):

  • “consumers being unable to cancel a product...
  • products and services... [which] have not been appropriately tested in a range of market scenarios ...
  • [the distribution] of products... to customers for whom they were not designed...
  • consumers incurring overly high charges on a product because they do not understand [its] charging structure or how [this structure] impacts on the [product’s] value...”

That the FCA is not merely hypothesising the above types of harm can be seen from its General Insurance and Pure Protection sectors Consumer Duty Portfolio letter and its explicit reference to its “review of business interruption insurance claims handling” (the “BII Review”). The latter included findings that “some firms did not:

  • Produce clear and robust conduct management information, which affected their ability to identify and address delays in the claims process.
  • Have records of policy wordings that were easily accessible for claims handlers, which resulted in delays for customers...”

The above factors indicate that undertaking Operational Resilience analysis should reveal “harms in the customer journey”. These harms will therefore be at least ‘foreseeable’ for the purposes of assessing firms’ compliance with the Consumer Duty. The next article will address the concept of harm that is both foreseeable and from which an easy recovery may not be made.

Customer characterisation: vulnerability

SYSC 15A is explicit about identifying customer vulnerability as a factor in Operational Resilience compliance – see e.g. SYSC 15A.2.4:

“(1) the nature of the client base, including any vulnerabilities that would make [a client] more susceptible to harm from a disruption ...”

In their Operational Resilience insights, the FCA and Prudential Regulation Authority highlighted that some firms did not “meaningfully consider the impact of unavailable important business services on Vulnerable Customers”. This concept reflects the example of a form of ‘consumer duty’ harm given in FG22/5 expressed as: “consumers with characteristics of vulnerability being unable to access and use a product or service properly because [of unsuitable]... customer support...”

Addressing customer vulnerability under SYSC 15A can be assisted through looking at more specific circumstances addressed in the FCA’s Consumer Duty supervisory correspondence (portfolio / sector letters). Again, taking general insurance as an example, the portfolio letter (see above) referred to the BII Review’s finding that “[firms did not] [a]dequately identify Vulnerable Customers or [firms] took an inconsistent approach in dealing with the needs of Vulnerable Customers”.

It is clear from the shared concepts between the Operational Resilience, Consumer Duty and Vulnerable Customers frameworks that, for larger firms at least, Operational Resilience is a means of ‘across-the-board’ compliance on customer treatment. Further articles will address how smaller firms can benefit from taking an Operational Resilience perspective.


Key contacts

Jeremy Irving

Tom Murrell