UK regulator shines positive light on life insurance outsourcing

But some firms with potential non-compliance have been asked to ‘take action’

The Financial Conduct Authority (FCA) said it has not found evidence of widespread failure to manage risks to customers in its review of outsourcing in the UK life insurance sector.

But the watchdog can “see areas for improvement”.

The review covered life insurers that outsource key business functions to outsourced service providers (OSPs).

The intention was to “understand better the current outsourcing/third-party service provider environment” and “address the risks of harm that could result from insufficient operational resilience in firms and inadequate controls over outsourcing”.

The financial regulator assessed three areas:

  • Exit planning – The FCA reviewed the adequacy of firm plans for exit from an outsourcing arrangement. This includes both planned and unplanned exits. An unplanned exit may occur if, for example, an OSP suddenly becomes insolvent;
  • Business continuity planning (BCP) – It reviewed whether firms had adequate arrangements in place for system outages or disaster recovery in respect of outsourced activities; and
  • Governance, systems and controls – Lastly, the FCA reviewed the quality of governance and risk frameworks, including management information (MI), for OSP arrangements.

Findings

The FCA said: “Generally, life insurers have extensive governance, systems and controls over outsourced activities.

“However, some firms were not identifying and managing operational risks throughout the life span of outsourced arrangements from inception, through to business as usual operation and to exit from the arrangements.

“Where we had concerns around potential non-compliance, we have raised those issues with the firm(s) concerned and asked [them] to take action.

“We encourage firms to review their current systems and controls in light of our findings and good and poor practice examples, where relevant to their particular characteristics and the nature, scale and complexity of their activities.”

Exit planning

The review said that most life insurers have provisions in contracts to enable them to exit in the event of a serious breach of contract or the OSP’s financial failure.

But the level of detail contained in the exit plans varied.

In some cases, a lack of detail gave insufficient confidence that the plan could be carried out in a way which would avoid customer harm.

Examples of issues the FCA found are:

  • Some life insurers had segregated teams at the OSP, providing services only to them. Where OSP teams are not segregated, this may make it more complex for the life insurer to transfer staff from the existing OSP to a new arrangement in an exit. In some cases, exit plans did not make clear how this risk would be managed;
  • A firm and its OSP had complex IT architecture. The plan did not cover how the applicable data would be moved in-house or to a new provider. Other firms’ plans did not clearly explain how data would be transferred from the OSPs’ systems to the systems used by a new arrangement;
  • Some exit plans focused on planned exits and did not sufficiently consider the action necessary for an unexpected exit; and,
  • In some cases, it was not clear what alternative arrangements firms intended to employ in the event of exit. Some exit plans indicated firms would be unlikely to bring the work back in-house but did not explain clearly how they would find an alternative OSP.

Business continuity planning

The FCA said that, in most cases, OSPs use their own IT systems rather than those operated by the life insurer.

Only some firms discussed detailed information on the business continuity testing from the OSP in case of system outages or disaster recovery.

However, some firms had more limited information from OSPs, so they may be unable to tell whether the testing is “robust or meets their needs”.

Governance, systems and controls

Lastly, the FCA found that most firms were able to provide customer-centric outsourcing management information (MI) and reasonable explanations of what actions they had taken and why.

However, in some cases firms did not provide this information as part of the MI to their outsourcing governance committees.

Some firms were unable to prove that their outsourcing governance committees had “sufficient focus” on customer fairness in addition to operational issues.
