Customer remediation: Making it right (and better)

In our Compliance Priorities for 2022 in the Financial Services Industry, we emphasised the interconnectivity among the risks we identified, including how the pandemic, the global focus on environmental, social and governance (ESG) issues, and continued regulatory emphasis on culture and conduct were combining to shine a bright light on how financial institutions (used broadly herein to refer to any organisation that provides financial services to consumers) treat their customers, particularly those who are considered financially vulnerable.

According to the Consumer Financial Protection Bureau’s (CFPB) definition, 40% of U.S. consumers are considered financially vulnerable.[1] The Financial Conduct Authority (FCA) estimates that 53% of the British adult population is vulnerable.[2]

While financially vulnerable customers may receive more of regulators’ attention, it is not just vulnerable customers who may be treated unfairly. Financially sophisticated customers may also be impacted. In the last several years, we have witnessed examples across the globe of financial institutions causing harm to their customers — some resulting in prominent headlines, but many more remaining private discussions between financial institutions and their regulators.

The reasons for these institutional failures vary and include poor processes, incorrect data, misconfigured technology, insufficient and/or inadequately trained personnel, insufficient risk management oversight, and, more recently, the inability to pivot from on-site to remote work during the pandemic. Often, these failures are inadvertent, with no intention to cause harm. Occasionally, they are willful, with profit supplanting customers as the priority. Sometimes, they fall in between — there is no explicit intent to cause harm to customers, but the institution knows there are weaknesses in its control environment and opts not to make the necessary investments to fix the problems. In the case of some financial institutions, repeated lapses across business lines, products and geographies have sorely tested customer loyalty and regulators’ patience.

According to Australian Securities and Investments Commission (ASIC) Deputy Chair Karen Chester, “Recent experience has shown that poor conduct has significant financial implications for companies, their investors and, ultimately, their customers. This is demonstrated by the costly lag and drag of remediation and reputational damage.”[3]

Customer harm may be detected by customers, self-identified by a financial institution, discovered by regulators or identified by third parties. In the U.K., for example, claims management companies (U.K.-regulated companies that offer advice or other services connected to claims for payment) have been very effective at pursuing institutions with significant volumes of customer complaints, leading some to close up shop rather than face the consequences of remediation.

While a willful, or recalcitrant, offender may find that regulators are very prescriptive about the steps it needs to take to redress harmed customers, other financial institutions will have more flexibility in designing customer remediation programmes, which they should view as the first step in regaining the trust of their regulators and their customers. They should also look at the customer remediation programme as a learning experience — a means to not only prevent recurrence but also enhance the customer experience.

Guiding principles for customer remediation

Customer remediation programmes should be based on certain guiding principles, including the following:

  • Effectiveness: A financial institution needs to understand the scope and depth of the customer harm and develop a well-thought-out remediation programme to avoid unnecessary course corrections.
  • Transparency: Affected customers deserve an explanation of what happened and how the harm will be addressed. They may also deserve an apology, which could prove an important step in restoring trust. The institution’s regulator(s) deserve, and will likely demand, to understand and perhaps approve the remediation programme and to be kept informed of progress, including any amendments or obstacles.
  • Fairness: All harmed customers should be treated equitably, and in a consistent manner.
  • Efficiency: Remediation programmes should be repeatable and should utilise experienced personnel to institutionalise knowledge and streamline the process. Further, remediation programmes should optimise the use of technology and data. Relying on manual methods increases the chances of human error and slows down a process that is already detracting from business as usual. But accuracy is more important than speed.
  • Customer-centricity: In an effort not to make a bad situation worse, the remediation process needs to be as easy on customers as possible, avoiding complexity wherever possible.

These principles should be used to develop the programme and challenge it throughout its execution.

Eight components of a customer remediation programme

Customer remediation programmes include four risk management elements (inner circle) and four operational phases (outer circle).

1. Establish programme governance: Among other programme protocols, determine who the primary programme sponsor will be (a board committee, a senior executive, etc.), which individuals and departments need to be consulted and informed about the programme, how programme decisions will be vetted and approved, what escalation procedures apply, and who will be the designated interface to the regulators. Regulators are especially interested in the stakeholder responsible and accountable for successful delivery of the remediation programme and making sure that sufficient budget is made available to complete the programme and provide financial and nonfinancial compensation to customers as applicable.

2. Determine resourcing needs: Assess internal capabilities to determine capacity to support the remediation efforts. Gaps in either the quantity or capabilities of available internal resources may necessitate engaging the assistance of a third party. A qualified third party can provide resourcing as well as the experience and methodology to expedite the buildout of the programme and execute it more efficiently than less experienced internal resources. But engaging a third party comes with the caveat that outsourcing the execution of the programme does not absolve the board and management of the financial institution of their responsibility to ensure that the programme is sound and executed as planned.

3. Identify and assess: Ensure that you understand the problem — not only what happened but also why it happened. Identify the affected customers and the likely impact on these customers (i.e., financial and/or nonfinancial). This exercise should be conducted not only through the lens of applicable legal and regulatory requirements but also from the perspective of the customer. Consider whether there is merit in stratifying the population into subcategories that may be treated differently, but make sure such decisions are evidence-based and the rationale is clearly documented. You will continue to validate and refine the list of affected customers and the impact as the programme unfolds.

4. Develop plan and approach: Develop a detailed plan (with clear accountability, timelines, performance metrics and documentation standards) for remediating all adversely affected customers. One very important consideration is whether to use an automated or manual approach. An automated approach is more efficient and likely less costly to execute but requires complete and accurate data, which are not always available.

In addition to other tactical steps, the plan should provide comprehensive communication plans that include, but are not limited to, how the programme will be communicated to customers, what to do if customers are nonresponsive or disgruntled, how inquiries from the media or other third parties (e.g., claims management companies or customer and community groups) will be handled, and what to do about negative social media. Subject the plan to internal challenge: Will it accomplish the remediation goals? How will it be viewed by customers? Review the programme with counsel. As appropriate, vet the proposed plan with the regulator(s).

5. Execute plan: Reconfirm the affected population and the exact redress to be provided. Depending on the size and complexity of the effort, consider a pilot launch to validate the approach and/or allow for course corrections before a full launch. Conduct quality assurance checks at key milestones, such as when the population of affected customers is determined, when the adverse impact for the customer population is established and when redress is communicated to affected clients.

6. Monitoring and oversight: Maintain project sponsor involvement and oversight — and effective challenge — throughout the remediation effort. Encourage direct interaction between the project sponsor and key responsible stakeholders in addition to regular reporting to ensure that issues and challenges are surfaced and addressed in a timely manner.

7. Tracking and reporting: Perform continual tracking of the progress and effectiveness of the remediation programme against the metrics established when a plan and an approach are developed (phase 4). The metrics may vary from remediation to remediation but should be quantitative (e.g., number of customers remediated as a percentage of the total affected population, number of customer calls or complaints, number of tasks past due) and qualitative (e.g., customer sentiment). This information should be leveraged to support periodic internal reporting as well as reporting to the regulator(s), as appropriate.

8. Validate and close: Confirm that the customer remediation programme was carried out in accordance with the approved plan and with the desired outcomes. This validation should be performed by an independent party (e.g., the financial institution’s internal audit department).

Challenges can occur in any phase of the project. Realising that they are part of the process is important to setting expectations for internal stakeholders, regulators and, most important, customers.

Common challenges in customer remediation programmes

  • Failure to perform adequate root cause analyses
  • Underestimating the level of effort required and overcommitting to regulators
  • Identifying the population of customers adversely impacted and measuring the various impacts
  • Determining the parameters of automated and human support
  • Unanticipated issues when interrogating data or evaluating documentation manually that may warrant revisions to the remediation strategy and approach
  • Resource limitations and competing priorities that can impact approved timelines
  • Lack of credible challenge
  • Failing to make timely course corrections when necessary
  • Poor customer communication

Learning from the mistakes

One obvious lesson from conducting a remediation programme is that you learn how to improve the next remediation programme. That ability may have benefit, but since becoming an expert in remediation is not the goal, the most important lessons are those that help you improve processes, including the customer experience going forward. Those lessons come from reflecting — best done after some time has passed since the completion of the programme — on answers to questions such as the following:

  • Were there early indicators of the problem that we should have identified? If so, why did we miss them? If we did identify the warning signs, what should we have done differently to address them?
  • Is the product governance and approval process working effectively, or could closer monitoring of early sales of new products and services, or unusual sales patterns, have highlighted the need for review sooner?
  • Could what happened in this instance happen in another business line or with another product? If so, what changes do we need to make today?
  • Was culture (e.g., as manifested in performance targets, incentive compensation programmes or a cavalier attitude toward compliance) a root cause of the problem? If so, how do we begin to change the culture?
  • Was a lack of resources — people or technology — a root cause of the problem? If so, what investments need to be made?
  • Do we adequately consider customer impact in our decision-making? Do we understand that customer experience is either the growth engine of our brand or what will cause our customers to seek alternative providers?

In the end, there are two measures of success of any customer remediation programme: making it right with the customer, and leveraging the lessons learned to do better in the future.

The title of this newsletter is based on the ASIC publication ‘Making It Right: How to Run a Consumer-Centred Remediation.’

1. “Banks Should Focus More on Vulnerable Customers,” Bank Administration Institute, January 27, 2022.

2. “Guidance for Firms on the Fair Treatment of Vulnerable Customers,” Financial Conduct Authority, July 19, 2021.

3. “ASIC Consults on Consumer Remediation Draft Guidance,” Australian Securities and Investments Commission, November 17, 2021.