A few weeks ago I provided ICSR’s fourth market briefing on Operational Resilience covering on this occasion, the background to and requirements for mapping.

At the end of that briefing I was asked some questions about mapping claims and at what point does the requirement for mapping cease: when the payment is made by an insurer to a customer’s broker or only once payment reaches the customer/end-user. My answer at the time was that I considered the mapping only needed to get to activities relating to payment to the broker if that is where payment is made by the insurer.

I have spent time since cogitating over this position, considering the alternatives and any complexities and have come to the conclusion that broadly this response was correct, although there is a potential variation where the broker is receiving and holding funds under risk transfer.

The purpose of this paper is to explain why and to give examples.


The service is the service. By that I mean that the service an insurer provides to a customer is generally determined by how the customer chooses to access the insurer and what they agree the service should be either by way of a Client Terms of Business or by market practice. Most commonly a customer/policyholder will use one of the following: they can go direct by telephone or web portal, they can buy the insurance online through an aggregator or they can ask a broker to help them. In some cases that broker may actually be an MGA who is the agent of the insurer.

That approach by the customer and the terms and nature of the insurance product they are buying leads to a determination of the nature of the service the policyholder is paying for. In each case determination of how the service is provided is dependent on these factors and so is the extent of the mapping required.

Where the claim is satisfied by a payment by the insurer to an agent of the policyholder such as their insurance broker or a lawyer representing them in the claim, the law provides that the payment to that agent is satisfaction of that obligation to pay. In other words, the service ends at that point because the insurer’s obligation has been satisfied.

But the issue does not stop at that point. The same principle applies to payments and services made direct to policyholders. They way that the policyholder interacts with the insurer remains relevant to the mapping exercise as we shall see from the examples provided below.

Any alternative would mean that the PRA and FCA obligations under Operational Resilience amount to a requirement that insurers (and those brokers subject to the Operational Resilience requirements) are expected to change the nature of and processes by which they are providing their services to policyholders. There is nothing we have read in any of the Consultation Papers, and/or any material issued commenting on the proposals, which suggests that the PRA and/or FCA are requiring that the actual services being provided to policyholders must change. What they are simply requiring is that the services which are provided, however the arrangements are put in place for their provision, must be resilient. If not, there must be alternatives or work arounds to ensure that the basic service can continue in the event of disruption.



Unusually, I am going to start with an example from the world of banking. ICSR uses accounting software called Zero for all its accounting needs. Zero is a cloud-based accounting system which is provided to ICSR through its firm of accountants. We pay them to provide us with Zero. The accountants in turn pay the software company and we are provided with licenses to use the software.

Zero allows ICSR to make payments and has live feeds to our bank accounts. If we want to pay our employees or a supplier, we log in to Zero and make the payment, which the bank then puts into effect and the payment is then appropriately recorded in our management accounts. The service our bank provides to us and which it is no doubt currently busily mapping is the payment from ICSR’s account on ICSR’s instructions. The payment service provided by our bank is clearly delivered in the manner in which we have arranged for it to be delivered through our accountants and through Zero.

The service that the bank provides starts on provision of the interface with Zero and on the instruction that their IT systems receive when requested to make a payment from ICSR’s accounts. It would be impractical, if not impossible, for our bank to map those elements of the service they provide through the arrangements we have made. We have chosen to use a third party and an IT platform as our method for interaction with our bank. It would be even more impossible, if that is in fact not an oxymoron, for our bank to have to ensure that the processes we have chosen are resilient. They must map their service provision to the level of interface with ICSR through Zero to the level that their portal communicated with Zero and not beyond.


Let’s look at an SME product such as simple property damage where the policyholder buys the product through a broker.

Broker Direct:

In the first example, the broker is the agent of the insured for placing the insurance policy direct with the insurer. If the insured has a flood in their premises and makes a claim, the arrangements are that the broker supports the policyholder during the claim. After the negotiation of the claim the insurer may pay the claim direct to the policyholder. In this case the claim is settled and satisfied. The insurer will have to map and ensure resilience of its payment systems to the policyholder. Alternatively, the payment may be made to the broker. Here there are two possibilities.

a. No Risk Transfer:

If there is no risk transfer between the insurer and the broker for premiums and claims funds, the broker has received the funds as the agent for the policyholder and the insurers’ liability to the policyholder for that claim is satisfied. The insurer must map the process as far as payment to the broker.

b. Risk Transfer

The complication, however, arises where the broker representing the policyholder, also has risk transfer for client monies. That means, that the broker is the agent of the insurer for the receipt and payment of premiums and claims funds. In this case, payment to the broker may not be payment to insured because under risk transfer the broker is receiving and holding all insurance premiums and claims monies for and on behalf of and as the agent of the insurer. (Note also that risk transfer can also therefore impact mapping and resilience requirements for premium payment, but this is not covered by this article).

What is to be done? In many cases brokers will be the subject of the requirements of Operational Resilience but equally, the vast majority of brokers in number will not be. Insurers may have to decide for these brokers how they deal with Operational Resilience and the mapping requirements and continuity/resilience of service issues.

There are several obvious but not necessarily easy solutions. The first would be to remove Risk Transfer for claim payments (though that does not resolve the issue of premium payments) for all brokers which the insurer deals with. The second and perhaps from an industry point of view, easier solution, may simply be to move to the position where all claims payments are made direct to the insured. This option is, of course, easier said than done in the Lloyd’s environment due of the nature of the accounting and payment arrangements resulting in payments to policyholders generally being through brokers. Perhaps Blueprint 2 will change this but that is a few years away yet.

A further solution may be for all payment by insurers to brokers with risk transfer being delayed until such time as the policyholder has acknowledged in a settlement agreement that payment to their broker is payment in settlement of the claim and thereby the service being provided by the insurer notwithstanding the Risk Transfer arrangements in place. This is likely to slow down payments for smaller claims such as the SME example we are using and therefore may not to the policyholder or insurers’ benefit. For larger claims it may be easier to incorporate into the process.

There is one further thought. It is that while brokers may hold claims monies (as well as premiums) under Risk Transfer for insurers, the market practice is that insurers do not generally exercise any rights over those monies or oversee how and when they are distributed. The broker is responsible for those activities and is left to it subject to annual auditing of their CASS Accounts in accordance with FCA requirements. The insurer’s rights in those monies are a legal fiction created to protect policyholders in the event of a broker failing.

There may therefore be an argument that market practice treats the payment of the claims money by an insurer to a broker for onward transmission to the brokers client and/or the policyholder as completion of the service provided by the insurer to the policyholder. It is potentially not the legal position but insurers may be able take the view that in all other respects the service they provide to the policyholder in respect of a claim is complete once the broker has been paid.

Insurers will need to take a view as to which approach is acceptable to them and then adopt that approach in a consistent manner across their operations or justify any outliers.

c. Payments and Third Parties

What is the situation when payment needs to be made to a third party, say in our example, a builder or plumber who has resolved the claim by carrying out the work at the policyholders’ premises?

In this case, payment to the builder is satisfaction of the claim. The insurer need not map or establish resilience beyond their claim assessment and payment processes as they would for a payment direct to the policyholder.

Similarly, moving to a different example of say a travel policy,  a claim may be satisfied by an insurer paying an overseas hospital direct where the policyholder has incurred the medical expenses or the policyholder may first pay the hospital and the insurer will reimburse the policyholder. In these cases, it is clear the payment by the insurer to these third parties is in satisfaction of the claim and the mapping and resilience requirements need not go beyond the insurers’ internal processes for assessment and payment of the claim.

Alternatively, in cases of dire emergency the insurer may make arrangements for the repatriation of a policyholder. If the insurer is responsible under the terms of the policy for the arrangements for repatriation utilising a third-party service provider, the insurer will be responsible for ensuring that there is resilience in the availability of that service.

We move to a different responsibility once we consider the insurer’s involvement in the use of third parties to satisfy their responsibilities to policyholders by outsourcing services. Here Consultation Paper 29/19 on Outsourcing and Third-Party Risk Management applies.

ICSR will be covering CP29/19 in a later Market Briefing. However, in essence, CP 29/19 requires the insurer to ensure that the third parties it engages to provide services to its customers are able to offer a resilient service.

Other examples, where this may be relevant include claims involving third party liability products where the liability of the policyholder is to a third party for example from a motor vehicle accident or from an injury occurring to an individual while on the property of the policyholder in the case of physical damage and liability or it may be a liability arising from professional negligence. Here, the claim against the policyholder is managed by the insurer and third parties on its behalf such as loss adjusters and lawyers who will be responsible for negotiating the claims and ultimately may be involved in its settlement. That is the service the insurer is providing and the internal processes of the insurer related to that service will require mapping and resilience. The external aspects involving those acting on behalf of the insurer in dealing with the claim, like the example immediately above, will be the subject of Consultation Paper 29/19.

Once the claim against the policyholder has been negotiated with the third party, the insurer is likely to make a payment to either the claimants’ lawyers or other representatives. At this point we return to the internal processes within the insurer for making such payments. These will be subject to the requirements of Operational Resilience.

It is also worth remembering that insurers will generally need the services of their banks to make payments. However, we do not consider that they need to map the processes of their banks to the point at which the payment is transferred. Banks are subject to the regulatory requirements for Operational Resilience and an insurer should assume that the payment processes of its banks are resilient. If, however, the insurer uses a new payment service, and that payment service provider is not subject to Operational Resilience the insurer will need to consider the implications under Consultation Paper 29/19.

MGA Arrangements

MGAs are an agent of one or more insurers appointed under a binding authority agreement. In a number of cases the MGA may be subject to the regulatory requirements of Operational Resilience, but smaller MGAs will not be.

The binding authority agreements between the insurer and MGA almost always provide for the MGA to receive premiums and claims monies in circumstances where they are the agent of the insurer and accordingly payment of claims monies to an MGA will not be satisfaction of any claim. Payment by the MGA to the placing broker representing the policyholder will be subject to the analysis set out above as will any payments made by the MGA direct to the Policyholder. Accordingly, whether that payment satisfies the claim (and thus sets the point to which the insurer must map and remain resilient) is dependent on whether the broker has been granted risk transfer by the insurer and/or the MGA on behalf of the insurer.

The insurer will however have to consider how it treats the MGA under Consultation Paper 29/19 as an outsourcing arrangement.


In principle, payment to a policyholder or to a broker representing a policyholder will only require the insurer to map its internal processes and be resilient to the level required to ensure the claim has been properly adjusted and the payment is capable of being made with an appropriate instruction issued to its bank.

The first exception to this may be where the broker representing the policyholder also has risk transfer so that payment to the broker may not be considered payment to the policyholder. Solutions are available but can be complex.
The second exception is where payments are made to third parties and/or include an MGA. In these circumstances Consultation Paper 29/19 may apply as the alternative to the operational resilience requirements.

If you would like discuss any aspect of your work on mapping important business services as part of your Operational Resilience activities, please contact us.

Kenneth Underhill, Director

Kenneth Underhill

Implement Compliance Solutions & Resources

Our series of webinars are all available to watch on our YouTube channel. The direct links are below.

Operational Resilience: An Introduction

Kenneth Underhill

Technology & Operational Resilience

Justin Ward

Operational Resilience: Service & Activity Mapping

Kenneth Underhill


ICSR is supporting the Insurance Community initiative 'Computers4Schools'. Find out more about the way you and your organisation can support this by watching this video narrated by Huw Evans, Director General of the ABI.

Advisory | Resourcing | Training