
Vulnerable Customer Data And Secure Email

Posted by Sam Kendall

When a customer tells a firm about illness, bereavement, financial difficulty, accessibility needs, or another vulnerable circumstance, that information changes the communication risk.

The firm may need to act on it, record it, share it appropriately, and protect the customer from unnecessary exposure.

Vulnerability-related data can appear in very ordinary customer communications. It might be in an email to an adviser, a document attached to a complaint, a reply about missed payments, or a note from someone acting on behalf of a family member.

For regulated firms, that creates a practical challenge. Teams need enough information to support the customer properly, but they also need to control who can access it, how it is shared, how replies are protected, and what evidence exists afterwards.

The joint FCA and ICO statement on vulnerability-related data, published in March 2026, addresses this tension directly. It explains that UK data protection law does not stop firms delivering good Consumer Duty outcomes, while making clear that firms still need to comply with data protection requirements.

That has a direct impact on communication design. If a message contains sensitive customer information, firms need to consider who can open it, how the recipient is checked, how replies are handled, and whether the interaction can be reviewed later, as well as how the content itself is protected.

This article explains where secure email fits for firms that need to keep customer communication simple while adding stronger controls around access, replies, and records.

Why Vulnerability-Related Data Changes The Email Conversation

The FCA’s guidance on the fair treatment of vulnerable customers describes a vulnerable customer as someone who, due to personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.

In practice, vulnerability-related data can include information about health, bereavement, mental health, financial difficulty, disability, accessibility requirements, power of attorney, domestic circumstances, or another support need.

This information may be necessary. A lender may need it to adapt a collections process. An adviser may need it to take extra care with instructions. An insurer may need it to understand how a customer wants to receive documents. A pension provider may need it to support someone acting on behalf of another person.

The same information that helps a firm support the customer can also expose them if it is handled poorly. An open email can be easy to send, forward, misaddress, or leave visible in the wrong inbox.

That does not make email unsuitable by default. It means the safeguards around email should match the sensitivity of the message, the recipient’s circumstances, and the firm’s need to keep a clear record.

"When a customer shares vulnerable circumstances with a firm, the communication route becomes part of the duty of care. The message needs to be protected, but the process also needs to feel understandable and proportionate for the person receiving it."

Paul Holland, Founder and CEO, Mailock / Beyond Encryption

What The FCA And ICO Have Clarified

The FCA and ICO statement is useful because it addresses a concern many firms have in practice: how to support customers in vulnerable circumstances without mishandling personal data.

The statement says the FCA requires regulated firms to act to deliver good outcomes for all consumers, including those in vulnerable circumstances. In practice, this can involve processing personal information and, where appropriate, sharing vulnerability-related data.

It also says UK data protection laws, including UK GDPR, the Data Protection Act 2018, and PECR, do not stop firms delivering good consumer outcomes under the Consumer Duty. Firms still need to comply with data protection requirements.

What The FCA And ICO Say

Data protection law does not prevent firms from supporting vulnerable customers. It does mean firms need a lawful, fair, and responsible way to collect, use, share, protect, and review that information.

The statement focuses on three areas: supporting consumers in vulnerable circumstances, sharing vulnerability-related data appropriately across the distribution chain, and monitoring outcomes for those consumers.

That gives firms a useful way to review communication workflows. They need to understand where vulnerability-related information appears, who needs to see it, how it moves between teams or organisations, and how the customer’s privacy is protected during that process.

The Communication Risks Firms Should Review

A secure communication review should start with the customer interaction, not the tool. The useful question is where sensitive information appears and what could go wrong if the message is misdirected, exposed, delayed, or difficult to reconstruct later.

Wrong Recipient Or Shared Inbox

A customer’s email address may be out of date, entered incorrectly, shared with a partner, monitored by a family member, or accessible on a compromised device. For a low-risk update, that may not create much concern. For a message about ill health, debt, bereavement, identity documents, or financial support, the risk is higher.

Recipient authentication helps firms check that the person opening the message is the intended recipient. The control sits at the point of access, where the customer opens the protected message.

Unprotected Replies

Customers often disclose the most sensitive information in the reply, not the original message. They may attach evidence, explain personal circumstances, name another person, or provide financial details.

If the original message is protected but the reply comes back as open email, the firm has only secured part of the interaction. Secure replies keep the conversation protected both ways.

Evidence Gaps

When a customer later complains, asks what happened, or challenges whether information was received, teams need more than a sent item. They may need to know when the message was sent, who it was sent to, whether it was opened, whether access was revoked, and how the customer responded.

Mailock’s Message Tracker helps senders see message activity. Broader audit trails can support a wider review of account-level activity, including message logs, company admin actions, user activity, and other relevant records.

Excessive Friction

Protection should not create avoidable barriers. A customer in distress, poor health, bereavement, financial difficulty, or low digital confidence may struggle if the only route is a portal account, a forgotten password reset, or a process that is hard to explain.

The FCA’s Consumer Duty focus areas include customer journey design and the way firms apply friction at key points. That is relevant here because a process can be secure on paper and still fail if customers cannot use it when they need support.

Checks Before Sending Vulnerability-Related Data

  • Is the message going to the right person, and is access controlled?
  • Can the customer reply without exposing more sensitive information?
  • Can the firm show what happened if the interaction is later reviewed?

What Good Secure Email Controls Look Like

Good secure email controls are proportionate. They recognise that different messages carry different levels of risk, and that different customers may need different levels of support.

For vulnerability-related data, firms should review the whole communication loop: sending, opening, replying, forwarding, revoking, tracking, and recording. The message is only one part of the customer interaction.

Useful controls can include encryption for message content, recipient authentication before access, secure replies, message revocation, expiry options, message tracking, and clear records for support or compliance review.

Recipient experience also matters. If a customer receives a protected email, they should understand why it is protected, what they need to do, and how to get help if they cannot complete the step.

For many firms, the right balance is to keep email as the familiar delivery route while adding protection around the sensitive parts of the interaction. That can be more practical than moving every customer into a portal or sending important documents by post.

Where Mailock Fits

Mailock is designed for organisations that need to send sensitive information securely by email. It helps firms protect message content with AES-256 encryption, add recipient authentication, support secure replies, revoke access where needed, and track message activity through Message Tracker.

For teams handling vulnerability-related information, that means email can remain the delivery route while adding controls around access, response, and evidence.

| Communication route | Where it can work | Risk to review |
| --- | --- | --- |
| Open email | Low-sensitivity updates and general administration. | No protected access, secure reply route, or post-send control. |
| Password-protected attachment | Simple one-off file protection in lower-risk contexts. | Password sharing, weak recipient assurance, and exposed replies. |
| Portal | Frequent account access where customers already use the portal. | Set-up friction, forgotten passwords, and support demand. |
| Secure email | Sensitive documents, protected access, and two-way secure customer replies. | Authentication should be proportionate, clear, and suitable for the recipient. |

This is especially relevant where a firm needs to send personal documents, policy information, pension communications, mortgage packs, complaint correspondence, identity evidence requests, or sensitive support information.

The existing Mailock guide to secure email for financial services explains how protected email delivery can support regulated communication workflows. The secure email business case also shows how risk, cost-to-serve, and customer trust can be reviewed together when firms are deciding whether to change communication routes.

Designing For The Customer, Not Only The Control

Customers in vulnerable circumstances may need more flexibility, not more complexity. A secure process should protect them without making them repeat sensitive details or navigate unnecessary steps.

That means firms should think about the wording around protected messages as well as the technical controls. A customer should know why the message is protected, what verification means, and how to reply safely.

It also means firms should avoid treating every customer in the same way. Proportionate authentication is a design decision. A routine update may need a lighter challenge. A message containing medical evidence, identity documents, or financial hardship details may need a stronger one.

For advisers and customer support teams, secure email should help the interaction feel calmer. The customer can receive the document in their inbox, open it with the right check, and reply through a protected route.

"For regulated firms, the practical question is often simple: can we send the document quickly, control who opens it, let the customer reply safely, and keep a clear record of the interaction?"

Adam Byford, COO, Mailock / Beyond Encryption

Questions To Ask Internally

Vulnerability-related data often appears before a firm has formally labelled it as such. That is why communication reviews should look at real interactions, not only policies.

Useful questions include:

  • Which customer communications could contain vulnerability-related data?
  • Are those messages currently sent by open email, portal, post, or secure email?
  • Can the intended recipient be authenticated before access?
  • Can the customer reply securely with documents, context, or evidence?
  • Can the sender see whether the message has been accessed?
  • Can access be revoked if the wrong information is sent?
  • Can compliance, support, or complaints teams reconstruct the interaction if needed?
  • Does the authentication method match the sensitivity of the message?

The answer will not be identical for every firm or every customer. But the process should give teams a clear way to match the communication route to the sensitivity of the information and the customer’s needs.

How To Treat Secure Email As Part Of A Wider Customer Process

Secure email should not sit in isolation. It works best when it is part of a wider customer communication process, with clear guidance for senders, support teams, compliance teams, and customers.

That process might include rules for when messages must be protected, which authentication challenge to use, how to explain the protected email to the recipient, how to handle assisted support, and how records should be reviewed later.

It should also recognise that vulnerability-related data may need to move between teams or firms in a distribution chain. If that happens, the firm needs to think about who genuinely needs the information, how it is shared, and how the customer’s privacy is protected.

The FCA’s 2025 review of firms’ treatment of customers in vulnerable circumstances found positive actions across sectors, as well as areas for improvement. The FCA also said consumers in vulnerable circumstances may still not consistently receive outcomes as good as other consumers, especially where they have multiple characteristics of vulnerability.

That is why communication controls should be practical enough to use every day. A policy that works only in exceptional cases will not protect the ordinary messages where vulnerability-related data often appears.


FAQs

Can Firms Email Vulnerable Customer Data?

Yes, email may be used where the firm has considered the sensitivity of the information, the customer’s needs, and the safeguards around access, replies, and records. The right approach depends on the message, recipient, workflow, and risk.

Does Consumer Duty Require Secure Email?

No. The Consumer Duty does not prescribe one communication tool. It does, however, increase the need for firms to consider customer outcomes, communication effectiveness, support needs, and evidence.

Is Encryption Enough For Vulnerability-Related Data?

Encryption helps protect message content, but firms should also consider recipient authentication, secure replies, access control, message tracking, and broader audit trails where relevant.

Should Customers In Vulnerable Circumstances Be Asked To Authenticate?

Authentication can be appropriate, particularly where the message contains sensitive information. The process should be proportionate, clearly explained, and supported for customers who need help.

What Records Should Firms Keep?

Firms may need records showing what was sent, who it was sent to, when it was sent, how access was controlled, whether the message was opened, and how the customer responded.


References

Joint FCA and ICO Statement on Regulatory Expectations Regarding Firms’ Approaches to Vulnerability-Related Data, Financial Conduct Authority, 2026

Consumer Duty, Financial Conduct Authority, 2026

FG21/1 Guidance for Firms on the Fair Treatment of Vulnerable Customers, Financial Conduct Authority, 2021

Firms’ Treatment of Customers in Vulnerable Circumstances - Review, Financial Conduct Authority, 2025

Our Consumer Duty Focus Areas, Financial Conduct Authority, 2025

Reviewed by

Sam Kendall, 01.06.26

This content is for general information only and is not legal advice.


04 06 26

Sam Kendall is a marketing strategist with over a decade of experience working on how organisations communicate with people through digital channels. At Beyond Encryption, he leads digital marketing, collaborating closely with product and sales on secure, trustworthy customer communications. His work is grounded in research, buying behaviour, and practical experience, with a focus on clarity, consistency, and long-term effectiveness rather than short-term tactics.