Raising the bar for retail outsourcing
8 August 2019
Tighter margins and evolving technology are driving insurers to outsource more and more processes to third parties. While there are benefits to outsourcing, such as lower barriers to entry, firms have a regulatory duty to adequately oversee all aspects of the life cycle of outsourcing arrangements and the regulators' expectations are high.
Insurers can boost their understanding of their outsourcing obligations by reviewing enforcement actions against financial service firms for outsourcing failings. We briefly consider some of the issues identified in Final Notices published over the last twelve months including the Final Notice in relation to Liberty Mutual.
- Understand your outsourcer's operating model – A firm must carry out a risk assessment of the service, which requires it to understand the provider's operating model. Having identified the risks, the firm can understand how to monitor and mitigate them and negotiate appropriate and justifiable contractual protections in the service agreement to help the firm meet its regulatory responsibilities.
- Prepare for oversight – A firm must adequately plan for ongoing monitoring before the outsourcing arrangement begins. It is an important part of a firm's oversight obligations to have sufficient in-house skills and resources to supervise the outsourced arrangements and, where practical, to take control if the function goes wrong. Planning for oversight starts with being clear about where responsibility and accountability lies as between the firm and the service provider. The recent FCA report on GI distribution chains, praised outsourcing contracts that set-out clear lines of responsibility and expectations regarding servicing and customer outcomes.
- Delegate with care – A firm retains full accountability for discharging its regulatory obligations. The SM&CR regime will assist with clear delegation of responsibilities within the firm, but the Board cannot absolve itself from performing a proper oversight role.
- Take responsibility for compliance with law and regulation – The industry is now subject to enhanced regulations covering product oversight, data protection and accountability, which are relevant to outsourcing. It is the insurer's responsibility to have systems and controls in place that ensure the processes of the service provider allow the insurer to comply with its relevant legal and regulatory requirements. A firm cannot simply rely on a contractual undertaking from the service provider to comply with all regulatory matters.
- Be proactive - Insurers need to proactively manage their key outsourcing relationships in order to identify issues and avoid adverse customer outcomes. A common outcome of poor claims handling outsourcing arrangements is the rejection of legitimate claims or claims not being dealt with in a timely manner. A good outsourcing agreement will provide the firm with appropriate management information to identify shortcomings and give the firm the power to take steps to rectify issues in a timely manner.
- Focus on operational resilience – There is broad focus by the PRA and FCA on preventing and responding to operational failings, including how this can be managed with providers that could pose concentration risk, such as cloud computing providers. Dual-regulated firms, like insurers, face the prospect of separate fines from the PRA and FCA for critical service operational failings.
Enforcement actions on outsourcing arrangements serve to remind firms that they cannot outsource their regulatory obligations to a service provider. There is a lot for insurers to think about when deciding to outsource a critical service and the burden is likely to increase with transformative technology, such as algorithms that decide who to insure, at what price and which claims to accept or reject, being designed by unregulated service providers. Insurers will need to upskill those responsible for diligence, governance and oversight of the service, otherwise they may fail to identify risks of adverse consumer outcomes resulting from technology exploiting behavioural biases. Firms that do not take a robust approach to outsourcing risk regulatory action and ultimately, damage to their reputation and brand.
This article first appeared in Insurance Day