FCA Conducts Review of Third-Party Service Providers for Life Insurers

In carrying out this review, FCA took into account the existing regulatory framework, including the Principles for Businesses in FCA Handbook. FCA also considered the guidance for firms outsourcing to the cloud and other third-party IT services. Generally, life insurers have extensive governance, systems, and controls over outsourced activities. However, some firms were not identifying and managing operational risks throughout the life span of outsourced arrangements from inception to business-as-usual operation and to exit from the arrangements. The following are the key highlights of the review: 

• Exit planning. FCA reviewed the adequacy of firm plans for exit from an outsourcing arrangement including planned and unplanned exits. The level of detail contained in the exit plans varied. In some cases, a lack of detail gave insufficient confidence that the plan could be carried out in a way which would avoid customer harm. The risk of such harm is also affected by the business model of the life insurer and the services provided by the outsourced service providers.
• Business continuity planning. FCA reviewed whether firms had adequate arrangements in place for system outages or disaster recovery in respect of outsourced activities. In most cases, the outsourced service providers use their own IT systems rather than systems operated by the life insurer. Where this applies, outsourced service providers carry out business continuity testing rather than life insurers. For all life insurers in the FCA sample, their service carried out recent (at least annual) business continuity planning testing, which they confirmed to the insurer. Some firms discuss and obtain detailed information on the scope and scale of business continuity testing from the outsourced service provider. This information enables them to assess the results of that testing and the standard to which it has been carried out. However, some firms obtain more limited information from outsourced service providers. So they may not be able to satisfy themselves that the testing is robust or meets their needs.
• Governance, systems, and controls. FCA reviewed the quality of governance and risk frameworks, including management information, for outsourced service providers arrangements. Information provided to outsourcing governance committees tended to focus on operational performance, with less emphasis on customer outcomes. Where outsourcing management information identified shortcomings, it was in some cases unclear what risk they posed to customers or whether timely and effective remediation action had been taken. In response to the queries of FCA, most firms were able to provide customer-centric management information and reasonable explanations of what actions they had taken and why. However, in some cases, firms did not provide this information as part of the outsourcing management information to their outsourcing governance committees. Some firms were unable to demonstrate that their outsourcing governance committees had sufficient focus on customer fairness, in addition to operational issues. There is a risk that ensuring customer fair treatment may be seen within some firms as a separate compliance-related issue, rather than being an integral part of oversight and control over outsourcing.

Related Link: FCA Review

Keywords: Europe, UK, Insurance, Life Insurance, Outsourced Service Providers, Operational Risk, Outsourcing Arrangements, FCA