Frequently asked questions (FAQ)

What is the Vulnerability Registration Service (VRS)?

VRS is a not-for-profit organisation who has developed a central database to notify companies that an individual may be vulnerable and their circumstances need to be taken into consideration.

How does the VRS does it work?

Quite simply, VRS is a database of vulnerable individuals. It allows people to alert companies to the fact that they are in vulnerable circumstances and allows business to identify that vulnerability and take it into account in their dealings with the person.

• A consumer, or an authorised third party, can register their details on the VRS database
• A list of high-level descriptions of vulnerability are provided should the individual wish to provide more detail about the type of vulnerability
• Members of the VRS service can search the VRS database when interacting with the individual – this may be during a lending, arrears or account management process or where any service provision is involved

Where does the information come from?

• The VRS obtains information from a number of sources. People are able to self-register or an individual or organisation is able to register on somebody else’s behalf where they have the authority to do so. There may be a Court of Protection Order, a Power of Attorney or an Appointeeship in place. Where consent is given, an organisation can register and individual on their behalf.
• Some of our information is provided by solicitors, estate management companies, local authorities and charities.
• VRS also holds insolvency data

How do people know to register on the VRS database?

We are always keen to raise awareness of the VRS database. We work with organisations from any sector who deal directly with vulnerable customers to highlight the work VRS does. We also use social media to signpost people to VRS.

Do I need consent to share someone’s data with VRS?

No, processing special category data is not limited to explicit consent.
Data can be processed under ‘substantial public interest’ under the Data Protection Act 2018. This section allows health data to be processed to preserve someone’s economic well-being. If obtaining consent is not possible, unreasonable or if by trying to obtain consent you would prejudice the assistance you are trying to provide, you can share data with us.

Does VRS validate whether an individual is actually vulnerable before adding them to the VRS database?

Businesses use their own verification methodology to determine how to treat an individual where vulnerability has been identified and, where appropriate, will seek further information.  We are highlighting vulnerability but the way somebody is managed will ultimately be down to the service provider and be influenced by the type of business and the sector in question.

Where we are advised of vulnerability as a result of a Power of Attorney, we validate that Power of Attorney.

Much of our data is sourced from third parties and consequently is already validated:
• We receive data from local authorities, solicitors and estate management companies and typically a validated Court of Protection Order will be in place whereby the individual lacks the mental capacity to manage their own financial affairs.
• Organisations with which we have a contractual relationship will provide data to us where there is a legal basis to do so and will only be provided where there is sufficient evidence to justify registration.

What are the VRS definitions of vulnerability?

Everybody’s circumstances are different so we do not present an absolute definition of why somebody is vulnerable. We signpost organisations to the fact that vulnerability exists and we provide sub-flags to people can use to give a little more detail about their situation.

What are the VRS sub-flags?

The sub-flags that people can use to give more information about their vulnerability are as follows and we provide examples of what these may include:

• Physical disability
• Mental health
• Physical health
• Cognitive disorder
• Lifecycle event
• Gambling addiction
• Financial difficulty
• Financial capacity
• Accessibility
• Coronavirus

VRS also holds details of Bankruptcy Orders, IVAs and Debt Relief Orders.

Different organisations and sectors have different definitions of vulnerability – how does the VRS work with them?

We are aware that different organisations and different sectors may have slightly different definitions of vulnerability and sometimes, what they need to know about people may differ. We deliberately use high level definitions of vulnerability – firstly, to simply highlight that someone is vulnerable but secondly to give people the opportunity to populate sub-flags which give a further level of detail. However, these are compatible with companies own customer databases and specific vulnerability definitions and our own definitions can easily be mapped to allow the optimum use of our database.

Will all vulnerability be held on the VRS database?

We only show where somebody is vulnerable when they have notified us themselves or if an authorised third party has notified us on their behalf.

How does using the VRS database help meeting our obligations?

The VRS enables companies to identify that an individual is vulnerable when they may
not have notified you directly. It also allows you to notify other companies where you have been informed but they may not have been.

Using the VRS will allow you to identify vulnerability when you may otherwise not have been able to. It will provide you the opportunity to treat the individual in a way that is appropriate to them and achieve the right outcomes. It is also a step to meeting the expectations of regulators.

How does the VRS help a firm comply with FCA requirements?

We have taken into consideration the FCA’s guidance on handling vulnerable customers and continue to do so. VRS help firms to identify vulnerable customers and it can be factored into processes and used by customer service teams. It is a tool to help meet the expectations of regulators.

Can we add our own customers to the VRS database?

Yes. Where there is a legal basis to register a vulnerable customer with VRS doing so will alert other companies that they deal with to their situation.

Will we be informed if one of our existing customers is added to the VRS database?

Yes. The VRS can alert you if an existing customer is added to the VRS database.

Will being recorded on the VRS database mean that a vulnerable customer could be declined credit?

Our Agreements with our users do not permit them to automatically decline registered consumers for credit unless those consumers, or those acting on their behalf, have specifically stated that applications in their name should be declined. We monitor and audit searches of the VRS database to ensure that its use is in compliance with the Agreements we have in place.

Does the VRS cover all of the UK?

The VRS database holds data across the UK. The data is held and managed in the UK.

Is the VRS database secure and GDPR compliant?

Compliance and security and integral to the management of VRS data. We focus on and invest heavily in ensuring that the data is secure and that we have the appropriate protocols, policies, procedure and training in place. The data we hold is only processed in accordance with data protection law and that there is always a legal basis for holding and sharing that information.

VRS is Cyber Essentials, ISO9001 and ISO27001 certified.

Is the VRS database vulnerable to a data breach or a cyber-attack?

We recognise that any database that holds personal details is vulnerable to illegal or unauthorised access. The data we hold is limited to what is essential to provide the VRS service and we deploy the appropriate security controls, monitoring and processes to ensure that we mitigate risk.

VRS is Cyber Essentials, ISO9001 and ISO27001 certified.

How does the VRS know that firms will not misuse the information about vulnerability?

We have robust rules about how and when VRS data can be used and companies are contractually obliged to comply. We also undertake checks and audits to ensure that the data is being used in the right way.

Why is this information not available through a credit reference agency?

VRS is a not-for-profit organisation, running an independent database and its sole purpose is to alert organisations to the fact that an individual is in a vulnerable situation. Wherever possible we work with partners to ensure that companies have access to VRS data in the most streamlined and efficient way possible.

How long is somebody held on the VRS for?

Registrations are kept on the VRS database for as long as there is a legal basis to do so. Consent can be withdrawn at any time and we regularly contact individuals to ensure that their details are still recorded with VRS. In some cases, vulnerability may be temporary, perhaps as a result of a life event. Sometimes, the vulnerability may be permanent.

We do not retain vulnerability registrations once an individual has asked to be removed from the database.

Will all organisations have access to the VRS database?

We would encourage any organisation which deal with vulnerable people to use the VRS. We only provide information where there is a legal basis to do so and where we have a contractual relationship with them. The number of organisations using the VRS directly, or via a third party platform provider, is constantly increasing. We believe running a vulnerability check is essential for organisations when providing service to their customers.

Who does the VRS work with?

Vulnerability is not limited to any one sector so we work with any organisation that may deal with vulnerable people. This includes financial service providers, insurers, utilities, local and central government, charities and housing associations. If somebody is vulnerable, this is likely to impact various or all aspects of their lives and that is why VRS sees the existence of a central database to be essential in supporting people and to help ensure that they don’t need to repeat their circumstances to multiple different organisations.

How does VRS work with our own vulnerability database?

VRS enables the sharing of information. It can alert you to the fact that one of your new or existing customers is vulnerable or potentially alert you to additional information about them. It also allows you to tell other companies that one of your customers is vulnerable if appropriate – it may be that they have alerted you but have not told other companies they have a relationship with. One of the major challenges facing people in vulnerable circumstances is the need to keep repeating their situation and using VRS reduce the need to do so.

Can I check my existing customer database against VRS?

Yes. We can batch run customer databases against the VRS database.

Will integrating with VRS involve lots of development work?

No. VRS uses simple API technology.