What is vulnerable customer detection in financial services?

Vulnerable customer detection is the process of identifying customers who are at risk of harm due to personal circumstances — financial difficulty, bereavement, cognitive impairment, health conditions, or life events such as divorce or redundancy. FCA Consumer Duty (effective July 2023) requires firms to proactively identify vulnerability rather than relying on self-declaration. AI-based detection analyses communication signals in customer interactions to surface these indicators automatically.

What signals does AI analyse to detect vulnerable customers?

EchoDepth analyses three signal types in customer interactions: voice pattern signals (speech rate changes, hesitation, cognitive load indicators in language), text linguistic signals (complexity of expression, coherence, emotional keywords beneath neutral language), and interaction pattern signals (response delays, topic avoidance, escalating distress signals across the interaction). These are analysed at the interaction level — not used to build persistent profiles of individual customers.

Does AI vulnerable customer detection satisfy FCA Consumer Duty requirements?

AI-based vulnerability detection directly addresses the FCA's requirement for proactive identification. The FCA explicitly states that firms must not rely solely on customer self-declaration. EchoDepth generates timestamped interaction-level vulnerability flags with signal evidence — creating the auditable documentation trail that the FCA expects firms to produce on request. Human review remains part of the process; the AI identifies the signal, the trained colleague responds.

Is AI vulnerable customer detection GDPR compliant?

Yes, when implemented correctly. Analysis occurs at the interaction level under legitimate interests (Article 6(1)(f)) — specifically the obligation to comply with FCA Consumer Duty. No persistent biometric profile is built. Outputs are vulnerability risk flags attached to the interaction record, not to a permanent customer profile. A DPIA is conducted for each deployment. EchoDepth is ICO registered (ZB915623) and all clients operate under signed DPAs.

What does adequate vulnerable customer evidence look like for FCA?

Adequate evidence under FCA Consumer Duty includes: documented processes for proactive vulnerability identification, interaction-level records showing vulnerability assessment occurred, outcomes monitoring data showing vulnerable customers received appropriate treatment, and staff training records. EchoDepth generates timestamped vulnerability flags with signal evidence for each flagged interaction — providing the auditable record the FCA expects, across 100% of covered interactions rather than the 2-3% typically reviewed by QA teams.

Financial Services

How AI detects vulnerable customers in financial services

FCA Consumer Duty requires firms to proactively identify vulnerable customers — not wait for self-declaration. Here is exactly what AI analyses, what signals it detects, and how the output satisfies the FCA's evidencing requirement.

Jonathan Prescott · Founder & CEO, Cavefish · 1 May 2026 · 9 min read

The regulatory position

FCA Consumer Duty (PS22/9, effective July 2023) requires firms to demonstrate proactive vulnerable customer identification. The FCA is explicit: firms must not rely solely on customers self-identifying as vulnerable. They must have systems and processes that identify vulnerability signals regardless of whether the customer volunteers that information.

Why self-declaration is structurally insufficient

The FCA Consumer Duty guidance distinguishes between reactive and proactive identification of vulnerable customers. Reactive identification — where the firm identifies vulnerability only when the customer explicitly discloses it — does not satisfy the Duty. The FCA expects firms to demonstrate they have identified customers who may not have disclosed vulnerability or who may not even recognise their own vulnerability.

This creates a measurement problem that standard QA processes cannot solve. Most contact centre QA reviews 2–3% of interactions, selected manually or randomly. Even within that 2–3%, the primary vulnerability identification mechanism is still the customer saying something that a trained colleague recognises. Customers who are cognitively impaired, in financial difficulty, or in acute emotional distress do not reliably self-declare. They are, in fact, the customers least likely to do so.

AI-based vulnerability detection operates on 100% of covered interactions, analysing signals that neither the customer nor the colleague may consciously recognise — and generates auditable evidence that the assessment occurred.

What AI analyses: the three signal categories

🎙

Voice patterns

→Speech rate changes — sudden slowing or acceleration indicating cognitive strain

→Extended pauses and hesitation patterns beyond normal processing time

→Vocal tremor or emotional distress signals in prosody

→Language simplification under cognitive load — reduction in sentence complexity

→Contradiction between spoken content and vocal emotional signal

💬

Language signals

→Confusion indicators — repeated questions, contradictory statements, topic drift

→Distress language beneath surface composure — text-emotion divergence in written communications

→Financial vulnerability keywords embedded in otherwise routine queries

→Coherence breakdown — responses that lose logical thread mid-interaction

→Avoidance patterns — topic deflection when sensitive subjects arise

📊

Interaction patterns

→Escalating agitation or distress trajectory across the interaction

→Decision avoidance — inability to make straightforward choices

→Uncharacteristic repeat contact on the same issue without resolution

→Discrepancy between stated understanding and actual comprehension signals

→Emotional state change at specific trigger points — debt discussion, product complexity

See the solution

Request a free analysis of a customer interaction — receive a vulnerability signal report within 5 working days.

Request free analysis →

What happens when a vulnerability signal is detected

EchoDepth does not make decisions. It generates a timestamped vulnerability flag for the interaction, identifies the specific signal type detected, and assigns a risk level (Elevated, High, Urgent). The flag is routed to the appropriate response pathway — a trained colleague review, an escalation to a specialist team, or a follow-up protocol depending on the risk level.

The human remains in the loop. The AI identifies the signal; the trained colleague responds. This is both ethically correct and operationally pragmatic — vulnerability is complex, contextual and requires human judgment to respond to appropriately.

Timestamped flag attached to the interaction record

Signal evidence documented — which specific indicators triggered the flag

Risk level assigned (Elevated / High / Urgent)

Response pathway initiated — colleague review or escalation

Outcome recorded — action taken and result

What this produces as FCA evidence

The FCA expects firms to be able to demonstrate on request that vulnerable customer identification occurred, what process was used, and what outcome resulted. EchoDepth generates four evidence artefacts per covered interaction period:

Coverage evidence

Percentage of interactions assessed for vulnerability signals — demonstrating proactive, systematic identification across the customer base.

Detection record

Timestamped flag log for each interaction where vulnerability signals were identified — with signal type and risk level documented.

Outcomes data

What action was taken for each flagged interaction — enabling the FCA's outcomes monitoring requirement to be met.

Process documentation

Complete audit trail of the vulnerability assessment methodology — satisfying the FCA's expectation of documented processes.

GDPR and data protection

Vulnerability detection analysis is conducted under legitimate interests (Article 6(1)(f)) — the lawful basis being the obligation to comply with FCA Consumer Duty and prevent harm to customers. Analysis occurs at the interaction level. No persistent biometric profile of the customer is built. Vulnerability flags are attached to the interaction record with defined retention limits.

A Data Protection Impact Assessment (DPIA) is conducted for each deployment. EchoDepth is ICO registered (ZB915623). All clients operate under signed Data Processing Agreements. For FCA-regulated firms subject to Consumer Duty, EchoDepth supports the production of all required DPIA and DPA documentation.

Regulation

FCA Consumer Duty: what firms must evidence

Platform

Vulnerable client detection platform

Satisfy FCA Consumer Duty with auditable evidence

Submit a sample of customer interactions. Receive a vulnerability signal report and evidence documentation within 5 working days.

Request Free Analysis →See the Platform →