Features

Vulnerability routing

Consumer Duty triggers send the right cases to the right humans — and prove they did.

Some customers need extra care: bereavement, recent diagnosis, low financial resilience, low confidence with digital tools, English as a second language. The FCA expects firms to identify these customers and treat them differently. Vulnerability routing is how Bedrock turns that expectation into something operational.

How it works

When you submit a job, you can pass a vulnerabilityFlags array. Each flag is one of the four FCA FG21/1 drivers: health, life_event, capability, or resilience. Any non-empty value automatically sets requiresSeniorSignOff: true on the job, and the routing engine restricts assignment to reviewers marked as FG21/1 specialists (or to lead reviewers / firm admins) — flagged cases are never auto-routed to a generalist queue.

json
{
  "documentType": "SUITABILITY_REPORT",
  "documentKey": "uploads/...",
  "documentReference": "DOC-2026-001",
  "clientReference": "CLIENT-0100",
  "factFindSummary": { "riskProfile": "Cautious", "...": "..." },
  "vulnerabilityFlags": ["health", "life_event"]
}

Error codes

If a reviewer attempts to pick up a flagged job without the specialist credential, the assignment endpoint returns VULNERABILITY_SPECIALIST_REQUIRED (403). A non-senior attempting to complete a sign-off-required job is rejected with SENIOR_SIGN_OFF_REQUIRED (403). See the error codes reference.
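The routing and sign-off rules above, written out as a server-side authorization check. This is an added example, not Bedrock's own code: the `Reviewer` fields, the role names, the function names and the rejection of unknown drivers are assumptions made for illustration.

```python
from dataclasses import dataclass

# The four FG21/1 drivers named on this page.
DRIVERS = frozenset({"health", "life_event", "capability", "resilience"})
# Role names are assumed; the page only says "lead reviewers / firm admins".
ELEVATED_ROLES = frozenset({"lead_reviewer", "firm_admin"})


@dataclass(frozen=True)
class Reviewer:
    role: str                      # assumed values: "reviewer", "lead_reviewer", "firm_admin"
    fg21_specialist: bool = False  # the FG21/1 specialist credential
    senior: bool = False           # assumption: seniority is a per-reviewer attribute


def normalise_job(payload: dict) -> dict:
    """Validate vulnerabilityFlags and derive requiresSeniorSignOff server-side."""
    flags = payload.get("vulnerabilityFlags") or []
    if not isinstance(flags, list) or any(not isinstance(f, str) for f in flags):
        raise ValueError("vulnerabilityFlags must be an array of strings")
    unknown = sorted(set(flags) - DRIVERS)
    if unknown:  # assumption: unknown drivers are rejected, not silently dropped
        raise ValueError(f"unknown vulnerability driver(s): {unknown}")
    job = dict(payload, vulnerabilityFlags=sorted(set(flags)))
    # Flags can only raise the requirement: a client-supplied
    # requiresSeniorSignOff=false never overrides a flagged job.
    job["requiresSeniorSignOff"] = bool(job.get("requiresSeniorSignOff")) or bool(flags)
    return job


def check_assignment(job: dict, reviewer: Reviewer):
    """Return None if the reviewer may pick up the job, else (status, code)."""
    if job["vulnerabilityFlags"] and not (
        reviewer.fg21_specialist or reviewer.role in ELEVATED_ROLES
    ):
        return 403, "VULNERABILITY_SPECIALIST_REQUIRED"
    return None


def check_completion(job: dict, reviewer: Reviewer):
    """Return None if the reviewer may complete the job, else (status, code)."""
    if job["requiresSeniorSignOff"] and not reviewer.senior:
        return 403, "SENIOR_SIGN_OFF_REQUIRED"
    return None
```

Both checks are separate on purpose: holding the specialist credential allows pickup of a flagged job but does not by itself satisfy the senior sign-off requirement at completion.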

Evidence produced

  • vulnerabilityFlags persisted on the ReviewJob row and returned on every subsequent GET
  • Reviewer credential snapshot at decision time, embedded in the certificate
  • /v1/firm/me/vulnerability board report (PDF + JSON) summarising outcomes per driver, specialist coverage, and recent flagged cases

FCA mapping

  • FG21/1 — Guidance for firms on the fair treatment of vulnerable customers
  • PRIN 2A.5 — Consumer support outcome
  • PRIN 2A.6 — Cross-cutting obligations

See also