Today Nexoris is hosting Xavier Loiseau, a consultant specialized in compliance, who will walk us through a topical issue.
Nexoris: Hello Xavier Loiseau, thank you for joining us and accepting our invitation. Before we dive into the topic, let's take 2 minutes to get to know each other better.
Xavier Loiseau: Glad to be here, and thank you to Nexoris for the opportunity to have this conversation. I've been working in control and compliance since 2014, after spending 9 years as a banker across various institutions. This year I had the chance to start my own consulting firm (LX Compliance Consulting), focused primarily on the financial sector.
Nexoris: What services do you offer your clients?
XL: LX Compliance Consulting's offering is built around three services: advisory (audits, organization, project management), interim management (for compliance or internal control leadership roles), and training (change management, regulatory updates...). All of this covers financial security, customer protection, investment services, personal data protection and anti-bribery and corruption.
Nexoris: Why did you choose to highlight the topic of "vulnerable clients"?
XL: I chose to discuss this topic with you because, unfortunately, it's a current issue. We regularly read in the news about cases of abuse of weakness, breach of trust or financial mistreatment involving people who are vulnerable. I'm convinced this is a real issue for the future, because given an aging population that holds significant wealth, it seems necessary to adapt our approach and account for the specifics of this growing client base.
Nexoris: Today, is there a clearly defined scope for vulnerable clients?
XL: There's no fixed definition today of what "vulnerable clients" means. One issue is that the various market participants can't rely on a legal definition of vulnerability to do their work. The Public Health Code doesn't define vulnerability either. Approaches are starting to emerge, but unfortunately nothing harmonized for now.
Nexoris: But there are protection regimes, aren't there?
XL: Yes, several legal frameworks are in place to protect vulnerable people - the best known being guardianship and curatorship. These are regimes set up based on a detailed medical opinion that confirms a deterioration of the person's faculties. The real challenge isn't there, because legal protection measures have existed for a long time and are written into the Civil Code. The real challenge is upstream, in what notaries, the AMF* and the ACPR* call the "grey zone". This is the moment when significant cognitive decline can be observed - with various possible causes - and before any protection measure is put in place. We can also detect a vulnerability that doesn't translate into cognitive decline, or that isn't caused by aging. That's where managing vulnerable clients gets really hard for financial institutions: until a client is placed under a protection measure, an adult is considered able to make decisions, enter into contracts and commit to a financial institution.
Nexoris: What are the needs of people in this grey zone?
XL: These needs ultimately come from each person's specific situation. They can vary, but there's a common core: more support, more guidance, more listening, sometimes adapted documentation. Take someone whose eyesight is failing or who is becoming hard of hearing. It may be necessary to adapt the commercial communication: a written document with a larger font, shorter meetings, or having a trusted relative present are all options to consider.
The goal is for these clients to always have access to the level of information they need to make an informed investment decision.
Nexoris: As an insurer, broker or banker, how can we protect them?
XL: To protect this specific client base, you need to adapt to their constraints or difficulties so you can be sure you understand their expectations and needs - and equally make sure they understand the conversations and what's at stake. You also need to apply extra vigilance when carrying out transactions.
Vulnerability can have different origins, whether linked to cognitive decline or to a life event. These vulnerabilities can become a risk for a financial institution, since vulnerability creates the conditions for abuse of weakness, which can be carried out by relatives or - in the worst case - by a representative of the institution itself.
To protect them, financial institutions therefore need to adapt their commercial practices, train their teams to detect vulnerability, and define markers that should raise a flag. These markers are signs that, at a given moment, can give rise to reasonable doubt in the mind of an institution's representative about a client's capacity to commit in an informed way.
Nexoris: How do financial institutions approach this issue?
XL: There are no harmonized practices among financial institutions today; awareness varies depending on the issues encountered. Some good practices are emerging, partly drawn from industry-wide work led by the joint ACPR-AMF unit. That said, with different client bases and services, the risk areas will inevitably be different - between a retail bank and a private bank, for example. From there, advisory and support may be needed to define compliance policies and the control mechanisms that help support these clients in the best possible conditions while also protecting them. Let's not forget that one of financial institutions' core missions is customer protection.
Nexoris: Speaking of financial institutions' missions, what is their role when dealing with vulnerable clients?
XL: Their role isn't different for these clients than for any other - what differs is the means used. The challenge can come from the fact that the materials usually used to meet their information obligation (which must be clear, accurate and not misleading) can be ill-suited. As soon as you're dealing with someone whose vulnerability may prevent them from understanding the operations being discussed, applying heightened vigilance makes sense.
Nexoris: How do you balance protecting these clients with protecting personal health data?
XL: You're putting your finger on a real issue, since most financial institutions build long-term relationships with their clients - especially in wealth management. As a result, they can more easily detect a change in behavior in clients they need to keep an up-to-date understanding of. That detection - which can happen during an unusual transaction or a meeting - may stem from a change in health condition. However, the General Data Protection Regulation (GDPR) prohibits the processing of health data, with limited exceptions. So you have to be especially careful not to store data about a client's health (in CRMs in particular), even when the goal is to protect them in light of a potential vulnerability.
In its summary of workshops led by the joint ACPR-AMF unit, the CNIL* issued a recommendation for GDPR compliance: minimize the data collected and ensure that no sensitive data is processed by financial institutions.
Despite this, you have to stay vigilant, since many financial institutions use a CRM tool to manage their client relationships, and these tools can include free-text fields that are the danger zone. A banker can easily fill in a free-text field with health data - something that should be avoided through controls, training and even specific developments in the tool.
Nexoris: What actions should financial institutions put in place to support their clients?
XL: The summary from the joint ACPR-AMF workshops was insightful, since it suggested good practices observed in France and abroad. The FCA*, the UK regulator overseeing financial institutions, also issued guidance last year for institutions on managing vulnerable clients. The FCA took a different angle from the ACPR-AMF, since the latter focused mainly on age, while the FCA sought to map every type of vulnerability.
Among the actions to put in place is training sales teams to detect vulnerability markers and to adopt the right reflexes as soon as a behavior change potentially linked to vulnerability is detected in a client. This training is essential to set up a vulnerable-client management framework. In parallel, some institutions have created an internal vulnerability lead. The idea is to support the sales force with experience and knowledge of vulnerability situations whenever a potential vulnerability is detected.
This detection comes from awareness based on markers that have been defined and shared internally. The vulnerability lead's role is to help the banker qualify the situation and feel secure in the relationship with the client. One of the risks for a financial institution is facing legal action from relatives following transactions made with a vulnerable person.
Some wealth management firms also discuss the future protection mandate with their clients upfront - a contract that lets a person be represented by an agent on the day they can no longer manage their own affairs.
Nexoris: So financial institutions clearly have every reason to take this topic seriously, don't they?
XL: Yes, there's a real benefit for financial institutions in taking this topic on. First, to avoid the risk of legal action from heirs or relatives of a client who could be considered vulnerable.
Beyond that, there can be a reputational risk - particularly for larger institutions - if questionable commercial practices were widespread among a vulnerable and/or elderly client base.
Finally, with an aging client base, being able to demonstrate a proactive approach to this topic is a real reassurance argument.
Today, every institution must define a target client base for the products and insurance policies it distributes. Among the criteria, some institutions have for example chosen to set an age limit on the policyholder for certain products, in order to limit the risk of misselling to a vulnerable client base.
Nexoris: In your view, Xavier, what are the three big actions a company should take to protect its vulnerable clients?
XL: Training sales and support teams remains a pillar of any vulnerable-client management framework. The goal is to be able to adapt practices and approach to this client base, to be alert to signs or transactions that could point to vulnerability, and so to remain vigilant against potential abuse of weakness to a client's detriment.
On top of that, appointing a vulnerability lead, whose experience helps protect both the sales teams and the institution itself in complex or unusual situations.
Finally, putting in place an enhanced due diligence process for these clients. Detecting an unusual transaction or behavior in this client base should trigger a strengthened control process.
Nexoris: Xavier Loiseau, thank you for sharing your informed view on this sensitive subject, which will likely become more and more central for financial institutions as life expectancy continues to rise.
XL: Thank you for the invitation, and thank you for the conversation!
ACPR: Autorité de Contrôle Prudentiel et de Résolution (French Prudential Supervision and Resolution Authority)
AMF: Autorité des Marchés Financiers (French Financial Markets Authority)
FCA: Financial Conduct Authority
CNIL: Commission Nationale de l'Informatique et des Libertés (French Data Protection Authority)

