The FCA has just issued the details of the outcome of its review on outsourcing in the Life Insurance Sector. The report, a brief summary on their website rather than a detailed report and based on a desktop review of practices at the Life insurers, makes a very clear and pointed reference to the Consultation Papers on Operational Resilience and the work of the FCA, PRA and Bank of England, and to the importance of ensuring proper oversight to mitigate poor customer outcomes if something goes wrong.
We are highlighting this limited FCA activity because it is clear that the FCA are going to be spending more time on this issue despite the limited scope and outcomes of this report. Hence our reference to the report being no more than a first shot across the bows of the market.
The points made for the life market are very apposite for the general market and should be heeded as a warning of what is to come. As with all FCA reviews there was a comment that specific areas of poor practice identified for firms have been raised individually with those firms.
The areas reviewed included Exit Planning, Business Continuity Planning and as always Governance, Systems and Controls.
In what seems to be a cultural step change, and a very positive one too (and certainly in line with suggestions the writer made to the FSA a number of years ago), the FCA have outlined the poor practices as well as the good practices. Added to the recent increase in issuance of Guidance for firms, if this approach continues it will help firms to better identify the FCA’s expectations and adopt or adapt practices accordingly. Equally, it will make it more difficult for a firm to say that it was not aware of expectations.
The key finding is that in general the life sector has extensive controls over outsourced activities. Given the PRA and FCA requirements have been in existence in one form or another since the FSA was first formed this should not be surprising.
1. Exit Planning
The level of detail in firms' exit plans varied, with good and poor practice in evidence. Where there was a lack of detail, the FCA took the view that they could not gain sufficient confidence that the plan could be carried out in a way which would avoid customer harm. The key features here appeared to revolve around access to data and migration in-house or to a new service provider to maintain continuity of service, particularly where the Outsourced Service Provider (OSP) had complex IT architecture. Another area identified was the complexity of unbundling the service provided to the insurer by the OSP when there had been no segregation of staff at the OSP between one insurer and another which had outsourced the same service to the same OSP.
While no recommendations were made, the choice would likely be for full segregation and a detailed plan of how data migration might take place, or some requirement for a back-up to be available, particularly for the worst-case scenario where the OSP went into Administration or Liquidation.
Planning and the contractual arrangements need to take account of these issues.
2. Business Continuity Planning
The FCA concluded that the OSPs were undertaking their own annual BCP testing but the practice among the regulated firms on assessing the results varied. The FCA Good Practice is for regulated firms to require the OSP to carry out annual BCP testing and for the regulated firm to be in a position to qualitatively assess the effectiveness of that as well as the effectiveness of the IT security in place at the OSP.
3. Governance, Systems and Controls
Here the FCA starts with a statement that goes to the absolute heart of what Operational Resilience is about:
Information provided to outsourcing governance committees tended to focus on operational performance, with less emphasis on customer outcomes.
Operational Resilience is about the continuity of service to ensure customer outcomes. Anyone who is in any doubt about this (even without reading all of the Consultation Papers) will now understand the position being adopted by the FCA, PRA and the Bank of England. Firms can no longer treat the “back office” as an afterthought and not invest appropriately. To the extent that functions such as IT, Ops and Binder Management may impact the service to customers, they are as important as the underwriting and distribution, and in many cases possibly more important, as it is these functions which most commonly collate and provide the management information used to identify whether customers are benefiting from appropriate outcomes. Investment in systems and people will be required.
So, what else did the FCA say? Not surprisingly the good practices they identified and expect are clearly defined policies and underlying practices and procedures where everyone understood the roles they had and the design of the frameworks ensured effective systems and controls to mitigate the risk of poor outcomes through outsourcing.
The poor practice highlighted by the FCA, and one we often see on a wider range of issues than just outsourcing and which is often accepted as evidence of a poor culture, was the failure to follow up on identified issues. Once an issue has been identified, it must be recorded, reviewed and, if necessary, repaired in good time, with some form of validation to confirm the matter has been resolved.
Conclusion and Next Steps
On this occasion the FCA found no widespread failings but encouraged firms to review their current systems and controls.
This is and should be a call to all firms, life and general insurers and distributors, that Operational Resilience is on the agenda and is here to stay. It is also a heads-up that many of the regulatory tools, in this case the FCA requirements on Outsourcing, already exist for those firms failing to ensure that customers are not impacted by a firm’s failure to ensure Operational Resilience.