Treating Customers Fairly – Vulnerable Customers Policy

1.1 Background

Paywiser Limited also referred to as (“Paywiser” or the “Company”) is a UK Private Limited company, authorised and regulated by the Financial Conduct Authority (FCA) as an Authorised Electronic Money Institution (“AEMI”), with FRN 901086. Headquartered in London, our company was established in 2017. Paywiser is established as an electronic money institution which is authorised to provide the following services:

• Issuance and redemption of electronic money,
• Ancillary services closely related to issuance of electronic money,
• Payment services set out in Annex 1 of the AML Directive (EU) 2015/2366:
  • Services enabling cash to be placed on a payment account as well as all the operations required for operating a payment account.
  • Services enabling cash withdrawals from a payment account as well as all the operations required for operating a payment account.
  • Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider
  • Execution of direct debits, including one-off direct debits,
  • Execution of payment transactions through a payment card or a similar device,
  • Execution of credit transfers, including standing orders,
  • Issuing of payment instruments and acquiring of payment transactions,
  • Money remittance services.

1.2 Scope

This Procedure applies to all staff (including permanent, fixed term, and temporary staff, any third- party representatives or sub-contractors, agency workers, volunteers, interns, including staff of our agents and distributors, and customers engaged with Paywiser in the UK or overseas) within the organisation. It also applies to all subsidiary firms, whether in the UK or overseas.

Any wilful, significant, or negligent non-observance of any internal policy arrangements or standards may result in internal disciplinary action being taken against the relevant individual(s).

1.3 Objectives

We acknowledge that in the FCA Handbook, under the section entitled High Level Standards Sourcebook, Principles for Business, there are several Principles that define the fundamental obligations of firms under the regulatory system. One of these Principles, Customers Interests (Principle 6), states the following:

“A firm must pay due regard to the interests of its customers and treat them fairly”.

The FCA outlined Six Core Consumer (Customer) Outcomes that it wishes to see as a result of the Treating Customers Fairly (TCF) initiative. These are:

• Outcome 1 - Consumers can be confident that they are dealing with firms where the fair treatment of customers is central to the corporate culture,
• Outcome 2 - Products and services marketed and sold in the retail market are designed to meet the needs of identified consumer groups and are targeted accordingly,
• Outcome 3 - Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale,
• Outcome 4 - Where consumers receive advice, the advice is suitable and takes account of their circumstances,
• Outcome 5 - Consumers are provided with products that perform as firms have led them to expect, and the associated service is of an acceptable standard and as they have been led to expect; and
• Outcome 6 - Consumers do not face unreasonable post-sale barriers imposed by firms to change product, switch provider, submit a claim or make a complaint.

1.4 Policy Statement

The FCA expects Paywiser to be able to demonstrate that it is consistently delivering fair outcomes to all their Customers, particularly through Senior Management’s acceptance of the objectives and embedding a “TCF” culture in the overall business. We are committed to conducting our business to the highest standards and will always act in the best interest of our Customers including Vulnerable customers.

The Compliance Officer will be responsible for monitoring, record keeping and staff training in ensuring full compliance with the TCF regime. Any queries concerning the scope and application of the TCF regime must be directed to the Money Laundering Reporting Officer (MLRO) and the Compliance Officer, or in their absence a member of the Senior Management team. The CEO and the AML Committee will be fully committed to offering Customer(s) the highest level of service satisfaction and ensuring fair treatment on a consistent basis. Complying with TCF does not mean that the customer must always be right, but it does require us to properly understand and communicate its ethos and approach on the subject to its staff, and to demonstrate and evidence how it measures and manages its performance against delivery of realistic TCF outcomes. TCF covers the whole product and customer life-cycle process from product design to initial marketing and contact, point-of-sale communication through to the end of the customer relationship.

1.5 Changes and Revision

Changes to this document are made by the MLRO. Small changes shall be reflected by incrementing the version number as 1.1, 1.2, 1.3, etc. Where significant changes to the document occur, this shall be reflected in a new version number, e.g., 1, 2, 3, etc.

The CEO of Paywiser must approve all changes before they are put into effect and the approved Policy document must be shared with all relevant staff.

This confidential document is the exclusive property of Paywiser and may not be copied, duplicated, or otherwise reproduced without prior written consent of the Company.

This Policy should be read in conjunction with the Complaint Handling Policy & Procedures and the Compliance Monitoring Programme (CMP). Also refer to Appendix 3 & 4 for references to Data protection and regulatory obligations. Information Commissioner’s Office (ICO) website https://ico.org.uk/ must be referred for queries relating to data protection.

We seek to utilise periodic self-certification to verify and affirm individual staff awareness and continued adherence with specific Policy standards and requirements issued or accessible. Please refer to Appendix 1 to confirm the receipt and acceptance of this document.

2.1 Measures for Better TCF Outcomes

Paywiser continues to develop and evolve specific measures and reporting to effectively inform and provide assurance on the proper delivery of its applicable TCF outcomes and standards as well as to assess continued risk and arrangements on an ongoing basis to ensure they remain proportionate and effective. The following recurring cycle is used to achieve better TCF outcomes:

Step 1: What does TCF mean?

• Ensure that Senior Management understand and is involved in TCF strategy and principles

Step 2: Gap Analysis

• Assess risks that could impair fair treatment of Customers
• Identify areas that do not meet TCF outcomes
• Identify potential harm to our Customers

Step 3: Action Planning

• Prioritise tasks and define measures
• Secure resources and accountabilities
• Develop and summarise outcomes in the periodical Management Information (MI)

Step 4: Implementing and Monitoring

• Track progress
• Make changes
• Monitor outcomes and delivery
• Identify remedial actions

Step 5: Lessons Learnt

• Review actions
• Communicate both internally within the firm and externally with the FCA, if needed.

All our staff (including agents and distributors) report in writing any significant events or concerns to the CEO or the Compliance Officer, which might indicate any potential failure, weaknesses, or other inefficiency in delivering TCF outcomes in a fair and transparent manner.

4.1 Definition

A Vulnerable Customer is “someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a Company is not acting with appropriate level of care”.

Regarding Vulnerable customers, this policy applies to the supply of products or services to retail customers who are natural persons, even if Paywiser does not have a direct client relationship with the customer. ‘Natural persons’ includes individuals but may also include some businesses or charities which are not incorporated. For example, individuals or groups of individuals who are un- incorporated business customers – e.g., sole traders and some partnerships. It does not apply where businesses or charities are incorporated because in that case, it is the corporate body, not any natural persons running it, that is Paywiser’s customer.

4.2 Purpose

The FCA issued guidance in February 2021 in its FCA’s Principles for Businesses (the Principles) on what firms must do to comply with their obligations under the Principles and ensure vulnerable Customers are treated fairly. We will aim to achieve good outcomes for vulnerable Customers, by doing the following:

• Understand the needs of their target market / Customer base,
• Ensure our staff have the right skills and capability to recognise and respond to the needs of vulnerable Customers,
• Respond to Customer needs throughout product design, flexible Customer service provision and communications,
• Monitor and assess whether staff are meeting and responding to the needs of Customers with characteristics of vulnerability and make improvements where necessary.

4.3 Harm or Disadvantage to Vulnerable Customers

Examples could be as follows:

• Heightened stress levels due to difficult, or different, personal circumstances,
• Increasing time pressures due to additional responsibilities,
• Increasing pre-occupation limiting their ability to manage,
• Processing power and ability decreasing due to competing pressures, like due to side effects, or emotional toll, of receiving medical treatment,
• Lack of perspective especially when experiencing something for the first time, not fully understanding the broader implications, being unable to make comparisons, or see the ‘bigger picture.’
• Changing attitudes towards taking risks, people often become more reckless and/orcareless when under stress.
• Financial Exclusion – Vulnerable Customers are more likely to be unbanked and less likely than average to hold any form of savings, insurance or protection, pension, or investments.
• Difficulty Accessing Services – A disability may make it difficult for a customer to access a branch in person or contact us by phone. Low digital capability may prevent Customers from accessing services online. Difficulties with access can lead to disengagement, exclusion, mistrust, or even risk of scams as Customer may instead rely on informal access methods.
• Disengagement with the market/partial exclusion - Customers may find it difficult to engage with markets and search for products and services effectively. As a result, vulnerable Customers are likely to pay a higher price than other Customers because they do not switch.
• Inability to manage a product or service – Customers may be less likely to be aware of their rights including their ability to get redress if things go wrong. People whose mental health has affected their social cognition can be out of fear that they will be misunderstood or say the wrong thing.
• Over-indebtedness – Being over-indebted can be linked to experiencing mental health conditions or addictions. Life events such as bereavement, relationship breakdown and ill health can contribute to temporary loss of income and greater risk of debt.
• Buying inappropriate products or service and exposure to mis-selling – Customers may mistakenly buy inappropriate product or service because they misunderstood the features or the terms and conditions.
• Scams and financial abuse – Customers are more likely to fall victim to scams, including misleading online financial promotions. They may be targeted through unsolicited approaches, more trusting or more likely to be persuaded to disclose personal financial details. Older Customers who may be lonely are more likely to be at risk of being scammed. Some Customers are less likely or able to check their bank account or statements regularly to spot unusual transactions.

4.4 Vulnerability Awareness Review

4.4.1 Understanding Customer’s Needs

We will take steps to understand the nature and scale of characteristics of vulnerability that exist in our target market and customer base. This will help in evaluating the impact of vulnerability on the needs of Customers in the target market and Customer base, by analysing the types of harm or disadvantage our Customers may be vulnerable to and how this might affect their Customer experience and outcomes.

All Customers are at risk of becoming vulnerable, particularly if they display one or more characteristics of vulnerability. They may become more or less vulnerable, and so have an increased or reduced risk of harm throughout their lives. A heightened period of vulnerability can be short, such as a hospital stay, or long term, such as long-term unemployment affecting financial resilience.

All Customers are at risk of becoming vulnerable and this risk is increased by characteristics of vulnerability related to 4 key drivers:

• Health – health conditions or illnesses that affect ability to carry out day-to-day tasks.
• Life Events – life events such as bereavement, job loss or relationship breakdown
• Resilience – low ability to withstand financial or emotional shocks.
• Capability – low knowledge of financial matters or low confidence in managing money (financial capability). Low capability in other relevant areas such as literacy, or digital skills.

Please refer to Appendix 2 for Table of characteristics associated with the 4 drivers of vulnerability.

4.4.2 Skills and Capability

We will embed the fair treatment of vulnerable Customers across the workforce. All relevant staff will need to understand how their role affects the fair treatment of vulnerable Customers. During the recruitment process Paywiser will hire relevant staff with necessary skills and capability to recognise and respond to a range of characteristics of vulnerability. We will always provide emotional and practical support required by the frontline staff when dealing with vulnerable Customers. Training provided to staff will allow them to spot signs of Mental health conditions and disabilities, domestic abuse, and other vulnerabilities.

Staff will be encouraged to make disclosures where they see clear indicators of vulnerability but are not expected to go further than this to proactively identify vulnerability. Staff will be expected to be aware of all relevant company Policies and Procedures to perform their role. They will also be trained to recognise when to seek additional support and escalate the case to the next level for advice and help from the Compliance Officer or the MLRO.

Staff will be capable of recognising and responding to the needs:

• Where the Customer has told us about a need.
• Where there are clear indicators of vulnerability or
• Where there is relevant information noted on the Customer’s file that indicates an additional need or vulnerability.

Signs and phrases to actively look out for when engaging with Customers:
Changes in payment behaviour:

• Payments stopping suddenly,
• Late or missed payments,
• Regular unarranged overdrafts and charges
• Unusual activity on an account

Phrases such as:

• I cannot pay,
• I am having trouble paying,
• Mention of breathing space/debt moratorium or contacting a debt advisor,
• I cannot read my bill,
• I cannot understand the letter you sent me,
• I cannot hold on, all day,
• I hate these press buttons.

Staff could also lookout for:

• Shortness of breath or signs of agitation
• Asking for repetition (a sign that the Customer is not retaining information)
• Signs that the Customer has not understood or signs of confusion,
• Mention of medication.

Record Keeping

Staff must make additional notes which are accessible and seen to relevant staff and the Management which will enable us to meet all Customer’s needs promptly, consistently, and fairly. These notes are valuable as they can help reduce stress, repeating same questions to the customer, understanding customer’s needs, and adapting to further communications and contact with the Customer. We will be open and transparent with our Customers about how any information disclosed will be used to meet their needs from a Data Protection, Storage and Consent point of view.

Offering practical and emotional support to frontline staff dealing with vulnerable Customers

Frontline staff may offer self-help information to vulnerable Customers when they come across challenging situations. We will offer practical and emotional support to staff where appropriate, like allowing them to take time out following a difficult or challenging phone call, staff will be allowed to share experiences in a face-to-face meeting or an online forum. Supporting and improving staff member’s mental and emotional resilience will help them deal with vulnerable Customers more sensitively.

4.4.3 Product and Service Design

We will always invest significant time and resources to understand positive and negative impacts of a product or a service on vulnerable Customers, ensuring there are no potential harmful impacts. Vulnerable Customers will be considered at all stages of the product and service design process, including idea generation, development, testing, launch and review, to ensure products and services meet their needs.

Over complex products and services can be hard for Customers to understand and make it difficult for them to buy the product best suited to their needs. Therefore, the Customer will be at the heart of the entire product lifecycle starting from idea generation, research, brainstorming customer’s needs, features, benefits and vulnerabilities in the product, ease of use, flexibility of product, fair and clear terms, practical sales process, product and service design process, product development, testing, launch and review, intermediaries involved in the sales process. This will ensure that any harm or vulnerabilities will be addressed, and the product or service will be flexible, fair, and clear for use from a vulnerable Customer’s point of view too. This will ensure we can define the scope of the product and service use accordingly.

From defining the features of the product to structuring the flexibility of a standard contract, exit terms, ensuring marketing materials use same terminology, flexibility to respond to needs of customers impacted by ill health or major life events must be considered up front. Some complex products could be sold on an advice basis or may require signposts for Customers who could be at a greater risk of harm to appropriate help or advice services. Paywiser will allocate additional time for decision making in case of a vulnerable customer.

Product development phase will consider scenarios where call back service could be arranged for Customers who struggle with phone menus or the option to notify us of a change in circumstance. This may also include face-to-face options for Customers who may be digitally excluded or have lost access to telephone services.

Testing phase will test any innovative features designed specifically to meet the needs of the vulnerable Customers and assess how flexible the product could be to changing needs. Product or Service could be adapted based on the results of the testing process to reduce the risk of harm and to ensure the product features work.

Product launch will ensure that the Customer fully understand and are aware the product and its features as well as who it might be most or least appropriate for. All products and services are testing and audited periodically by Paywiser to assess its performance, need for enhancements and changes to suit their target market and Customer base. When we alter or withdraw a product or service appropriate communications, and correspondence must be sent to the Customers in a timely, clear, and sensitive manner. Contact details and alternative communication solutions must be offered to the Customers.

Where intermediary Companies are used for sale of products and services of Paywiser, the treatment of Customers must still be fair, clear, and handled sensitively.

4.4.4 Customer Service

We will set up systems and processes in a way that will support and enable vulnerable Customers to disclose their needs. Also, we will be able to spot signs of vulnerability proactively.

Frontline staff must never use this label in their interactions with Customers. Instead, staff must focus on what harm or disadvantage Customer may be vulnerable to and how they can respond appropriately.

The Customer Service team members will be trained to respond flexibly to the needs of vulnerable Customers. All Customers will be made aware of the support available to them, including relevant options for third party representation and specialist support services. The systems used by Customer Service staff will allow them to note and retrieve information about a Customer’s needs.

We will set up systems and processes in ways that will support and enable vulnerable Customers to disclose their needs. Frontline staff will deliver appropriate customer service that responds flexibly to the needs of vulnerable Customers. We will put in place systems and processes that support the delivery of good customer service, including systems to note and retrieve information about a Customer’s needs.

Flexible Customer Service

Interactive websites can encourage vulnerable Customers to open up about their needs. Questions about needs and preferences across key points of the customer journey, such as when taking out a new product or service can help Customers choose the product that is best suited to their needs. Therefore, digital channels like website or mobile app could introduce tools such as text boxes or chatbots, to allow Customers to share information about their needs. Frequently asked questions could be expanded to cover potential information relevant to vulnerable Customers in the future.

Staff will be encouraged to take additional time and flexibility when dealing with a vulnerable Customer to resolve their issues. Pay and reward structures could be introduced to promote better quality customer service including dealing with vulnerable Customers sensitively.

We are aware of the duty under the Equality Act 2010, to make reasonable adjustments for people with disabilities. Where possible, we will make reasonable adjustments to accommodate needs of our vulnerable customers.

Where the Customer contacts to inform they could no longer afford monthly repayments due to illness or long-term sickness, consideration should be given to lower the monthly payment and account placed with a specialist for additional help and support to the Customer.

Support and Help for Customers

Our website, Customer contracts, terms, fees schedule, communications in the form of email, newsletters, phone calls will all be clear, fair, and concise. Help and support options available to the Customers will be proactively communicated with them. The help and support offered will be easy to access and use.

Additional help will be provided to Customers who have been victims of fraud or scams. These vulnerable Customers will be allowed to complain, and investigations will be conducted to meet their needs and get them redress where appropriate.

Third party representation

We will support Customers who do not make their own decisions to have a Power of Attorney (POA). Additional checks will be performed to ensure the legitimacy of the POA and the third- party access to the Customer’s account. Customer accounts may be frozen where there are concerns over fraudulent activity. If we have doubts about a Customer’s ability to understand a product or service, suspects they do not have capacity to make decisions or that they are acting as a result of fraud or coercion, the Customer may not be allowed to proceed.

4.4.5 Communications

We will ensure that all communications and information about products and services are understandable for Customers in our target market and Customer base. Communication will be amended by considering how to communicate with vulnerable Customers.

We will ensure communications throughout the life cycle of a product or service will be clear and provided to vulnerable Customers in a way that they can understand. This includes:

• Marketing
• Point of Sale,
• Post-Contractual Information
• Information about changes to the product or service
• Complaints processes

We may consider providing communications in different formats where it is proportionate to do so, especially for key documents. Different formats could include translated documents in various languages, use of diagrams and infographics, colour schemes friendly material for people with conditions such as dyslexia, large print, accessible website, audio options etc.

Paywiser will ensure that vulnerable customers are not rushed into making decisions and ensure that complex terms and concepts are communicated clearly.

Website will offer easy to read FAQs, pop ups that explain complex terms through the journey that can help Customers who may have more questions. We may choose to share sources of independent help and guidance where applicable. Customers will be allowed to communicate with Paywiser in writing (by post), secure email, phone, or video call. All Customers will be made aware of the available channels of communication.

4.4.6 Monitoring and Evaluation

Paywiser will implement appropriate processes as part of the Compliance Monitoring Plan, to evaluate where they have not met the needs of vulnerable Customers, so that improvements can be made. Regular management MI will also include information on the outcomes delivered for vulnerable customers. We will implement quality assurance processes throughout the whole customer journey to highlight areas where:

• We do not fully understand vulnerable Customer’s needs,
• The performance of staff has led to poor outcomes for vulnerable Customers,
• Products or services unintentionally cause harm to vulnerable Customers,
• Customer service and complaints handling processes are not meeting vulnerable Customer’s needs.

The following aspects will be considered when monitoring a Customer’s relationship with us:

• Decision making – whether the products/services are meeting the needs of Customers when providing information and support to making the right decision.
• Engagement throughout the Customer Journey – whether the Customer service and communications are meeting the needs of vulnerable Customer. If Customers are experiencing any issues in engaging with the firm throughout their customer journey.
• Disclosing changes in circumstance/needs - If vulnerable Customers are being supported and encouraged to share information about their circumstances or their needs.
• Suitable Products – If Customers can access the products or product features that are suitable and that it meets their changing needs.

We will look at Complaints data (in tandem with ensuring it is easy for vulnerable Customers to make complaints, and that complaints can be made through multiple channels. We may choose to engage with third party firms to understand Customer satisfaction rates. Paywiser allow all staff to send honest and open feedback when they think processes for vulnerable Customers could be improved. All company policies and procedures are updated at least once a year, approved by the CEO, and circulated to the relevant staff. Compliance Officer will assess the effectiveness of the fair treatment of vulnerable Customers as part of their Compliance Monitoring Plan (CMP).

4.4.7 Management Information (MI)

Paywiser will capture outcomes for identified vulnerable Customers, making sure it is discussed regularly at an appropriate level, and escalated and acted upon where necessary. Types of MI we will collect are:

• Business persistence: analysis of customer retention records – redress and account termination information. This may help analyse poor customer outcomes leading to high turnover of Customers.
• Distribution of legacy products/pricing and fees and charges: review if vulnerable Customers (where known) are more likely to incur fees and charges or are receiving rates not as good as other Customers.
• Behavioural Insights: Customer interactions and drop off rates, use of different communications channels including digital, Customer testing of financial promotions. This will flag where policies, processes and systems need to be improved.
• Additional Support: referrals to and feedback from specialist services (where applicable).
• Training and competence records: analysis of records of staff training, including remedial actions where staff knowledge or actions were found to be below expectations.
• File reviews: reviewing customer files and monitoring calls to check for errors and assess if Customers were treated fairly during sales processes for example.
• Customer feedback: using formal and informal feedback from Customers to identify trends and areas for improvement (like complaints and comments made to Paywiser but also comments and complaints on social media where applicable)
• Numbers of complaints: trends in numbers of complaints involving vulnerable Customers in comparison to other Customers.
• Complaint root cause analysis: investigating complaints fully to understand the cause of Customer complaints, not just dealing with the symptoms.
• Compliance reports: review Compliance reports to check if standards are being met in terms of treating Customers fairly.

Refer to Appendix 3 and 4 for further guidance on GDPR considerations and Regulatory obligations relevant to the treatment of vulnerable Customers.

Definition

Personal Data is information that relates to an identified or identifiable living individual, Full definition is set out in Article 4(1) GDPR.

Processing refers to any operation or set of operations which is performed on personal data or on sets of personal data, including collection, recording, and sharing. Full definition is set out in Article 4(2) GDPR.

Special Category Data is more sensitive personal data, for example about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. This does not include criminal offence data as separate rules apply.

A lawful basis is needed to process personal data. (Refer Article 6 of the GDPR). To process Special Category Data or Criminal Offence Data, additional conditions need to be identified under Articles 9 and 10, respectively.

Consent is a freely given, specific and informed statement or affirmative action, which indicates that an individual agrees to the processing of their personal data. Refer to the ICO’s Consent guide for further details. The guidance will include information about capacity to consent, how long does consent last and third-party consent.

Data Protection Principles

Article 5(1) of the GDPR sets out 6 key principles core to the GDPR, some of which have already been outlined. These include:

1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization.
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality

The ICO website provides a guide to the GDPR principles.

Basis on Which Firms Can Process Data

Under the GDPR, there must be specific grounds for processing and a lawful basis on which to process personal data. Article 6 of the GDPR details the 6 lawful bases on which firms can rely when processing personal data. We note that consent is not the only basis they can/should rely on and may not be appropriate to rely on in all cases. ICO provides information about when we can change the lawful basis.

• Basis (a) Consent: the individual has given clear consent for a firm to process their personal data for a specific purpose. Firms should consider the ICO guide on valid consent when seeking to understand what determines consent.
• Basis (b) Contract: the processing is necessary for a contract a firm has with the individual, or because they have asked the firm to take specific steps before entering a contract.
• Basis (f) Legitimate Interests: the processing is necessary for a firm’s legitimate interests, the legitimate interests of a third-party, or wider societal interests, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This may be most appropriate where firms use customer’s data in ways the customer would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

Special Category Data

It may not always be immediately obvious that information about a Customer is Special Category Data. For Example: information about changes made for a Customer due to change in their health may not specifically identify health issue but would be likely to constitute Special Category Data as their health issue could be inferred.

Explicit Consent

Firms may be able to obtain explicit consent from their Customers to process the Special Category Data, under condition (a) of Article 9. Explicit consent does not have to be written, and can also be oral, however, it is more difficult to prove explicit consent when it is not in writing. Explicit consent requires a very clear and specific statement of consent.

Data Sharing

Data protection legislation provides a framework to ensure fair, lawful, and proportionate data sharing, and should not be perceived as a barrier to appropriate information sharing. Sharing data with third party individuals or organisations may be important in achieving good outcomes for a vulnerable customer.

In order to comply with relevant data sharing obligations, we will consider whether we are a controller, joint controller, or processor of personal data. According to the ICO:

• The Controller ’determines the purposes and means of the processing of personal data’.
• The Processor ’processes personal data on behalf of the controller’.
• Joint Controllers are ’two or more controllers that jointly determine the purposes and means of processing’.

We understand that, where we are the controller, we are able to share data within the organisation provided that the data is processed for a purpose that is compatible with that for which it was originally collected under the original lawful basis under Article 6 and, where applicable, the relevant condition under Article 9.

As with wider sharing, we will assess whether we need to carry out a DPIA to share data with third party individuals or organisations. We also consider what information needs to be shared, why we are sharing this, the risks associated with sharing, and how to share this information.

We will identify a lawful basis for sharing personal data. If the firm is sharing Special Category Data, we will identify an additional condition under Article 9(2) and, if required, under Schedule 1 of the DPA 2018. We would also ensure they share information in compliance with the principles laid out in Article 5 of the GDPR.

The ICO recently published its Data sharing Code of Practice. It also provides other information through its Data Sharing Hub and suite of resources, including case studies. These provide practical advice to businesses and organisations on how to carry out responsible data sharing.

Additional Areas to Consider

We will consider all further requirements of the GDPR, including those relating to Individual Rights, and the Data Protection Principles including Accountability, and Governance. Relevant information is set out below.

Individual Rights

Firms should ensure that they have appropriate policies and procedures in place to provide individuals with the information they are entitled to under Article 13 and 14 of the GDPR (Right to be Informed), no matter what lawful basis or Article 9 condition they are relying on.

Firms should also ensure that they are able to meet individuals’ rights requests under the GDPR, for example the right of access (Article 15) and right to rectification (Article 16). Firms should also be aware that the lawful basis chosen may have an impact on the individual rights available to the data subject. The ICO provide further information on how rights may be affected depending on the lawful basis chosen.

Data Protection Impact Assessments (DPIA)

Prior to processing data on vulnerability, we will consider carrying out a DPIA to help identify and minimise data protection risks. A DPIA is a key tool for identifying and mitigating data protection risks and ensuring consideration of how the processing will comply with the principles contained in Article 5 of the GDPR. In certain circumstances under Article 35 of the GDPR, performing a DPIA is a requirement to comply with the regulations and we will refer to ICO guidance or seek our own legal advice on this if we are unsure as to whether we need to carry out a DPIA. The ICO provides further information on DPIAs.

Equality Act 2010

Equality Act 2010 seeks to protect people with certain personal characteristics, which are protected characteristics under the Act, from discrimination and harassment. In Northern Ireland, where the Equality Act is not enacted but other anti-discrimination legislation applies, firms should ensure that they comply with any applicable legislation and FCA rules and guidance. While we do not have the powers to act for breaches of firms’ obligations under the Equality Act, which is the role of the Equality and Human Rights Commission (EHRC), it is likely that a breach of the Equality Act will be a breach of our rules, including our Principles.

There is an overlap between certain protected characteristics under the Equality Act, and characteristics of vulnerability. In particular, one driver of vulnerability, health, largely overlaps with the protected characteristic ‘disability’ under the Equality Act. In this respect, whilst this Guidance is broader, it also seeks similar outcomes to the anticipatory duty under the Equality Act that requires reasonable adjustments for disabled people.

Other Obligations

Other examples of requirements beyond the Principles that we may need to consider in their treatment of vulnerable Customers.

• FCA’s FG21/1 Guidance for firms on the fair treatment of vulnerable customers
• FCA training and competence regime (set out in the Training and Competence sourcebook (TC)) which requires that the financial services workforce be appropriately qualified. This includes the high-level competent employees’ rule in SYSC 5.1.1.
• The Product Intervention and Product Governance sourcebook (PROD) and the FCA regulatory guide, the Responsibilities of Providers and Distributors for the Fair Treatment of Customers. These are also relevant to the design of products and services.
• The rules and guidance for financial promotions and communications with consumers that are in the FCA Handbook, such as those in COBS. Any different or additional communications provided for vulnerable consumers must always be in line with existing regulation. Firms may want to refer to the FCA Discussion Paper 15/5, Smarter Consumer Communications, and subsequent publications, for a wider discussion on how firms can communicate effectively.
• The Dispute Resolution: Complaints (DISP) rules that require firms to ensure that they effectively apply lessons learned from the Financial Ombudsman Service’s decisions in future complaint handling. Also, that Ombudsman decisions on similar complaints to the firm may be relevant factors in the fair, consistent and prompt assessment of other complaints.
• The requirements for fairness and transparency under Part 2 of the Consumer Rights Act 2015 and the Unfair Terms in Consumer Contracts Regulations 1999 (for contracts entered before 1 October 2015). Firms may want to refer to the FCA website for further information about unfair contract terms and our powers.
• The requirements of other consumer protection law, including the Consumer Protection from Unfair Trading Regulations 2008. These prohibit engaging in unfair commercial practices and makes specific reference to commercial practices aimed at vulnerable consumers.
• Data protection requirements – FCA have engaged the ICO when developing this Guidance. Appendix 3 highlights some of the relevant areas of data protection requirements that firms should consider. Firms must also consider other relevant requirements, such as those concerning direct marketing under the Privacy and Electronic Communications (EC Directive) Regulations 2003. For guidance on data protection requirements please refer to the ICO website.
• Where applicable, obligations under the Mental Capacity Act 2005 and the Adults with Incapacity (Scotland) Act 2000. These set out legal frameworks concerning mental capacity, including information on indications of mental capacity limitations and how to help people with making decisions; and other relevant guidance relating to mental capacity.