Following a thematic review into delegated authority in the general insurance market, the FCA has found that shortcomings in the oversight of insurers’ outsourcing arrangements pose risks to the quality of the services delivered to customers, whether retail or small and medium sized enterprises (SMEs). Various forms of outsourcing are used across the general insurance market, with wide variance as to the extent to which functions are provided by parties other than the insurer or intermediary.
‘Delegated authority’ is a widely applied term which concerns the outsourcing of functions to insurance intermediaries and other third parties. The outsourcing of functions can cover underwriting, claims handling, and other aspects of the product life cycle. The FCA thematic review has found that in some cases insurers have failed to recognise that such delegated authority fell within the regulatory meaning of outsourcing and therefore firms were failing to retain responsibility and oversight for their regulatory obligations to customers. The failure to provide sufficient oversight of outsourced functions demonstrates a lack of appropriate systems and controls and a failure to recognise a responsibility to treat customers fairly.
Specific findings for insurers’ outsourcing
- In some cases, insurers did not have, or were unable to demonstrate, arrangements for the assessment of conduct risks posed by delegated authority.
- Not all due diligence of third parties took into account conduct risks. Too often assessments of third-parties only took prudential suitability and financial performance into account.
- Insurers underwriting products – especially where they were not the product ‘manufacturer’ – did not always review whether the product delivered fair outcomes to customers.
- There was a disproportionate reliance upon third party audits rather than insurers applying their own internal controls over outsourced functions. Such audits could produce ‘false positives’ where the scope or quality of the audit was insufficient, particularly in relation to conduct issues. Furthermore, audits fail to prevent customer harm but operate as a third line of defence after problems have already occurred.
It ain’t what they do, it’s the way that they do it
The review has found that the complexity of outsourcing arrangements in many cases does not improve the treatment of customers. Conduct risks tended to be overlooked or excluded from any analysis of the performance of outsourced functions or the due diligence on potential providers. Conduct risks must be monitored as part of the oversight of outsourcing and management information should not just show financial performance but should capture how well products and services are performing in terms of treating customers fairly.
Who is responsible for what?
In addition to looking at insurers’ responsibilities under both the Principles for Businesses (PRIN) and Senior Management Arrangements, Systems and Controls (SYSC), firms had failed to clearly allocate responsibility for outsourced functions as required under the Responsibilities of Providers and Distributors for the Fair Treatment of Customers (RPPD). In particular, some intermediaries designing products did not recognise their responsibilities as the product manufacturer and failed to demonstrate sufficient appreciation of customer needs when designing products. Both insurers and intermediaries often failed to provide sufficient oversight of products in terms of customer outcome, often attributable to a failure in the provision of suitable management information that might assist either insurers or intermediaries in identifying when and how products were not performing as intended.
Can’t see the wood for the trees
The review found that the complexity of the distribution chain and the carving up of responsibility for different functions (such as claims handling and complaints) poses significant challenges for the successful oversight of how well a product performs for the customer. The review found examples where complaints information was not suitable to enable firms to undertake root cause analysis on the design and delivery of products.
Delegated authority agreements should be tailor-made
The evident failure to clearly allocate responsibility between insurers and those to whom functions are outsourced is often down to the use of badly drafted or generic agreements. Delegated authority or outsourced claims handling agreements need to take into account the clear division of responsibilities between the parties and ensure that there are sufficient means through which oversight and control of the quality of services can be maintained. Accordingly, firms should pay greater attention to ensuring that contractual agreements clearly set out the nature of the specific outsourcing arrangement and the regulatory responsibility of each of the parties.
The FCA expects firms to have appropriate risk-based controls in place to monitor and mitigate conduct risks. These controls should extend to ensuring that management information captures conduct risks and that the identification of such risks is acted-upon. Firms should consider the extent to which they act as product providers and should review their responsibilities for the design and monitoring of their products. Distribution channels should be reviewed to ensure that firms are able to monitor the performance of other parties in the distribution chain and check that third-parties remain suitable to perform the roles they have been given.
The FCA review has found that existing delegated authority arrangements are too frequently not taking into account the impact of the arrangement in terms of how customers are treated. The complexity of some arrangements has resulted in a situation where it is almost impossible for any one party to have a view of the product as experienced by the customer. Firms need to take the FCA’s focus on conduct regulation seriously and do more to try to put themselves in the shoes of their customers and work back from this point of view when designing products and distribution strategies. Without sufficient mechanisms in place to assess conduct risk, firms are likely to come under increasing pressure to from the regulators to explain how they meet FCA threshold conditions.
View TR15/7: Delegated authority: Outsourcing in the general insurance market, 2 June 2015