FCA conducted a review of outsourcing and third-party service providers for life insurers. FCA identified governance over outsourcing as a priority area for supervision in the life insurers’ portfolio strategy. While the review did not find evidence of a widespread failure to manage the risks to customers arising from outsourcing, improvement is needed. The FCA review covered exit planning, business continuity planning, and governance, systems, and controls. FCA also highlighted the good and poor practices of the firms it observed.
In carrying out this review, FCA took into account the existing regulatory framework, including the Principles for Businesses in FCA Handbook. FCA also considered the guidance for firms outsourcing to the cloud and other third-party IT services. Generally, life insurers have extensive governance, systems, and controls over outsourced activities. However, some firms were not identifying and managing operational risks throughout the life span of outsourced arrangements from inception to business-as-usual operation and to exit from the arrangements. The following are the key highlights of the review:
- Exit planning. FCA reviewed the adequacy of firm plans for exit from an outsourcing arrangement including planned and unplanned exits. The level of detail contained in the exit plans varied. In some cases, a lack of detail gave insufficient confidence that the plan could be carried out in a way which would avoid customer harm. The risk of such harm is also affected by the business model of the life insurer and the services provided by the outsourced service providers.
- Business continuity planning. FCA reviewed whether firms had adequate arrangements in place for system outages or disaster recovery in respect of outsourced activities. In most cases, the outsourced service providers use their own IT systems rather than systems operated by the life insurer. Where this applies, outsourced service providers carry out business continuity testing rather than life insurers. For all life insurers in the FCA sample, their service carried out recent (at least annual) business continuity planning testing, which they confirmed to the insurer. Some firms discuss and obtain detailed information on the scope and scale of business continuity testing from the outsourced service provider. This information enables them to assess the results of that testing and the standard to which it has been carried out. However, some firms obtain more limited information from outsourced service providers. So they may not be able to satisfy themselves that the testing is robust or meets their needs.
- Governance, systems, and controls. FCA reviewed the quality of governance and risk frameworks, including management information, for outsourced service providers arrangements. Information provided to outsourcing governance committees tended to focus on operational performance, with less emphasis on customer outcomes. Where outsourcing management information identified shortcomings, it was in some cases unclear what risk they posed to customers or whether timely and effective remediation action had been taken. In response to the queries of FCA, most firms were able to provide customer-centric management information and reasonable explanations of what actions they had taken and why. However, in some cases, firms did not provide this information as part of the outsourcing management information to their outsourcing governance committees. Some firms were unable to demonstrate that their outsourcing governance committees had sufficient focus on customer fairness, in addition to operational issues. There is a risk that ensuring customer fair treatment may be seen within some firms as a separate compliance-related issue, rather than being an integral part of oversight and control over outsourcing.
Related Link: FCA Review
Keywords: Europe, UK, Insurance, Life Insurance, Outsourced Service Providers, Operational Risk, Outsourcing Arrangements, FCA
Previous ArticleEC Proposes Climate Law, Sets Climate Neutrality Target for 2050
EU published Directive 2021/338, which amends the Markets in Financial Instruments Directive (MiFID) II and the Capital Requirements Directives (CRD 4 and 5) to facilitate recovery from the COVID-19 crisis.
The Standing Committee of the European Free Trade Association (EFTA) recommended that a systemic risk buffer level of 4.5% for domestic exposures can be considered appropriate for addressing the identified systemic risks to the stability of the financial system in Norway.
In a recent statement, PRA clarified its approach to the application of certain EU regulatory technical standards and EBA guidelines on standardized and internal ratings-based approaches to credit risk, following the end of the Brexit transition.
In a recently published letter addressed to the G20 finance ministers and central bank governors, the FSB Chair Randal K. Quarles has set out the key FSB priorities for 2021.
EU published, in the Official Journal of the European Union, a corrigendum to the revised Capital Requirements Regulation (CRR2 or Regulation 2019/876).
ESAs published a joint supervisory statement on the effective and consistent application and on national supervision of the regulation on sustainability-related disclosures in the financial services sector (SFDR).
EC published a public consultation on the review of crisis management and deposit insurance frameworks in EU.
HKMA announced that enhancements will be made to the Special 100% Loan Guarantee of the SME Financing Guarantee Scheme (SFGS) and the application period will be extended to December 31, 2021.
EBA launched consultations on the regulatory and implementing technical standards on cooperation and information exchange between competent authorities involved in prudential supervision of investment firms.
BoE issued a letter to the CEOs of eight major UK banks that are in scope of the first Resolvability Assessment Framework (RAF) reporting and disclosure cycle.