Are We Doing Enough for Vulnerable Customers?
By Martin Schofield, Director at MSA (Training & Consultancy) Ltd
Aspects of doing the right thing for our customers have, one way or another, been around for many years. Agreed, the source and perspective have been different: for example, there has been the Disability Discrimination Act 1995 (latterly codified into the Equality Act 2010), formalised complaint handling and reporting procedures, the JMLSG requirement to prevent unnecessary social and financial exclusion (dating back to at least 2006), outcome testing, conduct risk and various other regulatory drives and initiatives to encourage us to think of our customer first and foremost.
In the main, it is probably true to say that these initiatives have been implemented, and for the most part successfully, but has the impetus behind the application of these initiatives in firms been a sheep in wolf’s clothing? Has there been a genuine pricking of the financial services sector’s moral compass, or have firms complied where they need to through fear of regulatory retribution or where they have seen an opportunity to make money?
There is of course nothing wrong in making money; that is, after all, what companies are in business for. But should that money be made at the expense of others, or at least where the benefit of the consumer could and should have been achieved no matter whether it generated a cost for the company or not?
Back in May 2010, in his first speech as Prime Minister David Cameron said that we need a society “where we don’t ask what am I just owed, but more what can I give” and that a guide for society should be “those that can should, and those who can’t we will always help”. I wonder how many of us are actively encouraged by our companies to go the extra mile, to always help if we can, rather than being measured by what we have achieved and in what timescale. Is productivity truly measured by firms in quality as well as quantity?
So, winding on to February 2015, the FCA published Occasional Paper 8, Consumer Vulnerability. This paper detailed some of the areas of vulnerability that firms should be focussing on, such as one in seven adults having the literacy skills of a child aged 11 or under (this is still an issue today, as mentioned most recently in the televised race for the UK’s next Prime Minister) and at the time of OP8’s publication, statistics from 2012 showed that 7.1m adults in the UK had never used a computer. Figures released from the Office of National Statistics for 2016 are encouraging and show that this figure has fallen to 5.3m adults. However, the 2016 statistics show that 25% of disabled adults had never used the internet. So clearly, in today’s digitalised world, there is still a significant chunk of society that is being left behind or excluded.
OP8 also gave the FCA the opportunity to provide its definition of what a vulnerable customer is – “A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to detriment, particularly when a firm is not acting with appropriate levels of care.” The FCA also advised that vulnerability can affect any of us at any time, and that it can be temporary or permanent, it is fluid and can change from day to day, week to week, month to month or year to year. In other words, vulnerability can affect us all, and it can be as unique as us all.
BUT WHERE DOES VULNERABILITY SIT IN A FIRM? – This is the most regularly asked question: who should own this, and what policy should it form part of? That at least shows a willingness on the part of firms to do it, if only someone can tell them where in their firm it sits. Should it be owned by Compliance, Ethics or HR, for example? Not every firm has a Customer Experience or Customer Satisfaction Department, and even if they did, are these the right departments to own this vitally important topic? Arguably not: a customer’s vulnerability does not necessarily have anything to do with their “customer journey” or how satisfied they are with how their product performs, although these two areas should be assessed for how well they manage customer vulnerability.
The answer is, there is no real answer, other than vulnerability, due to its potential vastness and lifespan, is something that is the sum of all of these business areas, not just something that can be squeezed into one of them to fit as best it can.
I don’t think there is a real right or wrong answer as to where customer vulnerability management should sit within a firm, provided there are some accepted fundamental points:
1. Vulnerability can link to so many other topics and areas of regulatory and legislative interest, in fact, arguably it is intrinsically linked to them. For example, an elderly or infirm customer is taken into their bank each week by a rogue builder, carer or family member and manipulated into withdrawing money. At some point the scam is unmasked and a bank teller says to a colleague “I always thought there was something shifty about that builder/carer/family member”.
a. If the teller always thought this, why did they not report it?
b. Failure to report this would surely be a breach of the firm’s fraud policy.
c. If money was withdrawn fraudulently, then the matter should have been reported to the MLRO as well, as the presence of the proceeds of crime engages the money laundering offences.
2. If a firm is expected to know who its vulnerable customers are, does that imply the presence of some form of list or computer system that can identify who is vulnerable? If so, such a list would prove a valuable commodity to the criminal fraternity, exposing any employee with access to that list to the risk of bribery. In addition, if a bribe occurred, then that too would represent the proceeds of crime and engage not only the firm’s anti-bribery policy, but also the money laundering offences.
3. If someone in a firm did release this list, that would constitute a significant data protection breach and under GDPR attract a fine of up to 4% of the firm’s annual global turnover.
What can be seen from this very quick analysis, is that Vulnerable Customer Management has touch points within data protection, fraud, bribery and money laundering, and there is more.
Within each firm is an element of Treating Customers Fairly (TCF), Conduct Risk, Conduct Rules and the Senior Management and Certification Regime (SMCR), each of which would require input, governance and control over Vulnerable Customer Management.
Taking all of the above into account, the one thing that stands out is that Vulnerable Customers need to be managed from the top down; there are too many vitally important factors and touchpoints associated with Vulnerable Customer Management for this not to be directed and controlled from the top.
WHAT ACTION HAVE WE SEEN SO FAR? – There have been a number of enforcement actions over the last couple of years, but interestingly, all within the gaming sector, where allegations of failing to effectively manage vulnerable customers have led to fines in excess of £15m being imposed in 2018 alone!
One of these cases also cited the firm as not having efficient AML checks as well, as detailed in the case below:
32Red was fined £2m for handing VIP status to a problem gambler, and in so doing, instead of providing help and advice to someone who clearly had a problem with their levels of gambling and sought to lie and deceive the gaming house to facilitate such, actually offered the customer free bonuses to encourage further play.
Whilst this in and of itself seems poor practice, and certainly not in line with the expectations around managing those members of society who are vulnerable, it does, if we take the reported circumstances at face value, also demonstrate poor AML and fraud prevention controls.
To examine that a little further, it is reported that:
The customer was able to deposit an average of £45,000 per month despite having a net salary of just £2,150. The customer gave 32Red evidence claiming £13,000 per month income which the regulator said was “not credible”.
This is a clear indication that absent or ineffective due diligence was conducted on this customer. Even if the higher rate figures were to be believed, how can someone with a monthly income of £13,000 afford to deposit £45,000 a month at a gaming house? What about their mortgage, rent or household bills etc? What checks were conducted against the customer’s occupation to see if it is commensurate with that type of salary? What questions were asked of the customer as to how he was making up the balance from £13,000 to £45,000 and still managing to live?
The answer, I suspect, is that very few questions were asked, if any at all, and even if they were, either little or no attention was actually paid to the responses provided, or the person examining those responses was ill-equipped or ill-trained to see the obvious: that the responses did not make sense and were obviously wrong.
However, given what we know about this case (and we all know that there are two sides to a story), I cannot see how 32Red can be held totally liable for the situation in its entirety. For example, where was the customer’s bank in all of this? How did the bank allow their customer to pay £45,000 a month to a gaming house, when they must surely have seen that he had a monthly net income of just £2,150? How did the bank justify these large payments which appear to be incommensurate with the customer’s financial standing? Did the bank not think to question this, after all, a customer’s financial transactions which are not commensurate with their known CDD profile is one of the biggest reasons that SARs are made to the NCA. Why had the bank not identified the customer as vulnerable and restricted his account access to prevent him from making all of these large payments to a gaming house?
Maybe I am doing the bank an injustice, maybe it did identify the activity as unusual and suspicious, after all, where was the customer getting his large volumes of money from if it wasn’t through his earned income? Maybe the bank did make a referral to the NCA, however, in the absence of criminal activity, the NCA would not have taken any action. So, the bank allowed the customer to keep paying and the gaming house kept accepting the money, maybe even under the false illusion that if the bank were allowing the payments to be made, then it must all be OK, despite whatever “evidence” the customer had provided them in relation to his income.
But the fact remains, that in this instance, it must be questioned whether 32Red are the only ones to blame, or whether a number of organisations should share the blame for the position that this customer found himself in?
Lots of ifs, buts and maybes exist without statements from all of the parties that I have mentioned here, but it seems to me that 32Red are guilty yes, but should they carry that guilt alone? I suspect not – it seems that we have a vulnerable customer who was allowed to worsen his financial position, not just by 32Red, but by a number of organisations that failed to take the appropriate action to protect him, and it is a shame, that in such situations the sanctions for the failures are not applied and shared equally across the board for every party that, through one means or another, was culpable for the errors.
Firms are expected to apply a multi-disciplinary approach to their risk management programmes, maybe it is time for the regulators and law enforcers to apply a multi-disciplinary approach to fines and enforcement action as well? Maybe this is something that we will see the recently formed National Economic Crime Centre (NECC) drive forward?
SO, WHAT DO FIRMS NEED TO DO MORE? – This list could be endless, so, as a capture all, more systems and controls! If we take the FCA’s definition of vulnerability and accept that vulnerability is fluid, we must conclude that our policies, procedures, products and services have to be just as fluid, as does the manner by which we apply governance to vulnerability. However, I would like to address a few points directly:
Fluidity and flexibility in our approach to handling vulnerability is key – we need to be agile to move with our customer and their changing needs, not remain rigid and insurmountable. An example of this is where firms refuse to take any proactive action to assist a vulnerable customer, as their policies and procedures require it. For example, where someone is notifying a bank that their relative is in hospital and unable to manage their affairs and the bank refuse to even note this without a Power of Attorney, or cite being unable to assist due to data protection, despite the fact that the relative is not asking for any information at all. Another example is where someone knows they are being made redundant and that the chances of finding alternative employment soon are remote, yet upon advising their mortgage company of this so that they can implement a payment plan to avoid them falling into arrears and attracting a bad credit history, the mortgage company will not take any action until the customer can actually not afford the mortgage any longer and has fallen into arrears, thus creating the very situation that the customer was seeking to avoid.
Training and Awareness – Rigidity in policies and procedures is only ever made worse by ignorance. Employees not being aware of vulnerability and how it is (or should be) managed in their organisation only serves to compound what will already be an extremely frustrating, emotional and difficult time for the customer.
Employees need to be aware that someone phoning them, for example to notify them of a pending divorce, terminal illness, redundancy or death, is making what is possibly the hardest telephone call of their lives, and to be greeted at the other end of the phone by someone who, through lack of training and awareness, does not have the skillset to handle such a call with due skill, care and dignity just makes the matter even worse for the customer. I acknowledge that some people simply do not have the life experiences to handle such customer contact, and rightly so; not everyone has suffered life changing experiences personally, and this should not preclude them from dealing with customers that have and/or are going through such. However, as with anything in life or work where experience is absent, we look to training to fill the gap, and training our staff in managing vulnerability is essential.
Staff Wellbeing – The last area that I want to pay specific regard to is how we manage our staff that we deploy to manage customer vulnerability. In a number of firms that have implemented dedicated teams to deal with their vulnerable customers, the staff do nothing all day but deal with what could be argued are the worst ailments, conditions and situations of life. This has got to have a domino effect onto the staff, and ultimately how they interact with their colleagues, friends and family. However, what is lacking is some dedicated support resource for these staff members. Something aligned to onsite or offsite access to counselling, peer group discussions or even compulsory “buddy 121s” after dealing with a particularly harrowing situation.
It is of course, all well and good appointing staff members to deal with vulnerable customers, but how long will those staff members be able to continue in such roles unsupported, before they become vulnerable employees, and vulnerable customers for their product and service suppliers?
Proportionality – The last topic I want to draw attention to. Ultimately, it is just a word of warning not to get so engulfed and be all consumed by managing vulnerable customers that ordinary senses of best practice are sidelined. For example, writing off customer debts in the name of Vulnerable Customer Management, whilst becoming blissfully ignorant to the number of times the same customer(s) request such write-offs.
It is, as with everything else in the regulated sector, entirely feasible, no, inevitable that the criminal fraternity will use knowledge of our regulatory practices against us, and once they identify that firms are willing to write off debt, or apply more lenient controls to the vulnerable, they will find ways to abuse the good work that we are trying to deliver for our vulnerable customers.
So, efforts in this space need to be measured and proportionate and remain within the realms of realistic testing, control and standard suspicious activity reporting mechanisms.
Martin Schofield has undertaken financial crime prevention roles for the last 19 years, and is a well-known and established figure in the financial crime prevention sector. Martin is regarded as a highly competent consultant/adviser as well as an outstanding trainer, and a true expert in the field of financial crime prevention. Over the last 19 years Martin has been engaged on numerous projects, both global and domestic for major financial services firms, involving the delivery of staff training in all aspects of financial crime prevention, including (but not limited to) fraud and money laundering prevention, as well as policy authoring, reviews, audits and pre and post regulatory visit reviews. Martin has also acted as lead investigator in countless internal and external investigations, involving mortgage fraud, application fraud, identity fraud and money laundering. Other areas of speciality include data protection, anti bribery and corruption, market abuse, senior management responsibility, conduct risk and vulnerable customer management.