CII sets out vision for vulnerability data sharing
Publication date:
24 June 2025
Last updated:
24 June 2025
The Chartered Insurance Institute (CII) has outlined a vision for transforming how vulnerability data is shared across the insurance and personal finance distribution chain to meet the Financial Conduct Authority’s (FCA) requirements. In a new report summarising a recent roundtable held in May, 'Unlocking outcomes: data sharing across the distribution chain', the professional body calls for a shift from compliance-focused approaches to outcome-driven data sharing, recognising the need for ‘common standards and an ecosystem that promotes sharing data to create customer value’.
The approach represents a shift from penalties and incentives, demonstrating how firms can build stronger customer relationships and commercial value through providing a more personalised service, reducing the time and emotional distress associated with repeatedly disclosing vulnerable circumstances.
In its Managing Vulnerability in Insurance Roundtable Summary Report published in April, the CII identified a gap between the work currently being done on vulnerability within the sector, and tangible benefits to customers who are experiencing vulnerability. Data sharing was raised a key component in bridging this gap, and explored further at the roundtable, which consisted of participants from Allianz, Association of Financial Mutuals, AXA, Claims Guardians, MorganAsh, FWD, and RSA Group, amongst others.
Data sharing in practice
The report outlines a vision centred on creating a seamless experience where vulnerability data flows efficiently across the distribution chain in almost real time. Under the proposed model, customers would grant permission once for their vulnerability information to be shared appropriately, with subsequent firms receiving only the specific adjustments needed to provide tailored support, rather than sensitive characteristics of vulnerability.
Andrew Gething, Managing Director of MorganAsh and roundtable participant, illustrated the potential transformation: "If Amazon did vulnerability, they'd call it personalisation." He emphasised that customers already willingly share personal data with technology and utility companies, suggesting greater appetite for data sharing than the sector currently assumes, provided there’s a clear value exchange.
The report addresses widespread misconceptions about GDPR compliance, with many firms displaying excessive caution. The CII clarifies that explicit consent is not always required, and that 'legitimate interest' and 'substantial public interest' tests can apply to vulnerability data management aimed at improving customer outcomes.
Recognising its role in promoting best practices, the CII has committed to leading sector-wide change through several initiatives: convening a cross-sector working group (including consumers) to develop common vulnerability taxonomies; integrating vulnerability content into professional qualifications and CPD; publishing guidance on operationalising vulnerability management (including GDPR); and conducting research with individuals who have lived experience of vulnerability.
Matthew Hill, Chief Executive of the CII Group, said: “Sharing vulnerability data across firms has the potential to improve substantially the experience of customers in vulnerable circumstances. We're making this report available in an effort to drive the vulnerability conversation forward and implement action that meets regulatory requirements and customer needs.”