FCA review of outsourcing in the life insurance sector

Background and scope of the review

On 4^th March, the Financial Conduct Authority (FCA) published the findings of its desktop review of outsourcing in the life insurance sector.

The review forms part of the FCA’s broader consultation and proposals on operational resilience across the financial services sector and touches on a number of themes that, to put it mildly, have taken on a new level of significance over the past few weeks.

The FCA focussed on three areas that, where deficient, could pose a risk of material harm to customers.  These were exit planning, business continuity planning (BCP) and governance, systems and controls.

In this article, we will consider, with the benefit of some considerable hindsight:

• the FCA’s key findings;
• examples of good and poor practice and how these align with our experience in acting for both customers and suppliers in the life insurance sector; and
• some practical tips when entering into new contracts or undertaking reviews of existing arrangements.

Exit planning

The FCA found that most firms had exit plans alongside contracts that require the supplier to cooperate with the transition to a new provider. However, the FCA identified several concerns regarding exit planning, for example:

• ‘one-to-many’ models, whereby supplier delivery teams are spread across multiple insurers could add complexity to exit arrangements
• lack of detail on how complex IT architectures and data would be transitioned back in‑house or migrated to a replacement supplier
• a focus on foreseeable exits (e.g. on expiry) at the expense of unexpected events

The results here aren’t surprising. Most life insurers have well-developed procurement functions, along with sign-off procedures that prevent significant contracts being signed without some form of exit assistance obligation. However, these are often based on templates that anticipate a generic exit plan being updated in the run up to natural expiry or when a termination notice is given.

There are some useful approaches that can be taken to mitigate these risks:

1. Approach exit as a ‘reverse’ transition: Exit is often left to the end of negotiations, resulting in vague obligations on the supplier to deliver first draft exit plans at a later date.  Unfortunately, this often coincides with the busy initial transition period where the last thing on anyone’s mind is exit. However, asking the operations teams to consider exit alongside initial transition discussions can elicit key requirements to be captured in the contract and in the draft exit plans and ensure that exit is approach with a similar rigor to transition.
2. ‘Man-mark’ the target operating model: In other words, require the exit plan to reflect the activities, functions, dependencies and relationships with third parties (both customer and supplier) that will need to be unpicked as part of a partial or full exit.
3. Make specific provision for ‘emergency’ exits: It is very difficult (and in most cases would not be practical) to account for every type of emergency exit scenario.  However, it is possible to mitigate against the potential delays in mobilising the relevant parties. For example:
   1. maintaining a detailed understanding within the firm of how the services, including the wider supply chain, operates (something regulators have been stressing for years)
   2. ensuring access to service data, operations manuals, and other important documentation. Not just on request, but through a maintained repository (preferably hosted by the customer!)
   3. consider and define those additional governance and operational steps that will be mobilised on short notice in an emergency.

Business continuity planning

The FCA noted that, in most cases, suppliers use their own IT systems and not the systems of the customer firm. It follows that BCP testing tends to be carried out by the supplier who then provides feedback to the insurer.

The risk here is that firms end up relying on extracted ‘highlights’, which hare often carefully presented in the best possible light. This can lead to difficulties in assessing whether a supplier’s plans and testing are sufficiently robust.

As an example of good practice to mitigate these risks, the FCA highlighted the use of a third-party expert to evaluate a supplier’s business continuity plans, testing and systems.

In practice, suppliers are often reluctant to allow customers to conduct their own security and business continuity testing.  However in our experience agreement of an ‘independent’ third party along with appropriate terms of reference can prove an effective compromise.  

As the current crisis subsides, we expect to see increased emphasis on business continuity from both life insurers and suppliers (some of whom have experienced delays in instigating effective work from home strategies due to contractual security and data protection restrictions). 

However, setting aside recent events (which have left no doubt as to the need for robust BCP and testing), operational resiliency in its broadest sense was already a key focus for the regulators pre COVID-19. The FCA and Prudential Regulation Authority (PRA) are currently consulting on joint policy proposals on operational resilience (see the FCA’s Consultation Paper and the PRA’s Consultation Paper). The consultation period for each has been extended to 1^st October 2020 due to the current crisis, and the additional time period will no doubt enable firms across the financial services sector to reflect on the impacts of COVID-19 and future pandemics.

Governance, systems and controls

The FCA found that information provided to outsourcing governance committees focused on operational performance, rather than customer outcomes and that in some cases, the link between operational issues and impacts on customers was unclear.

The FCA highlighted a number of practices which can improve the link between operational performance and customer outcomes.  These included:

• clear governance structures, including joint customer-supplier forums with well-defined terms of reference
• clearly defined group policies which link to FCA and PRA guidance, creating “expectations for the business on the requirements to be undertaken to mitigate against the risk of customer harm”

In addition to ensuring that governance structures with outsourced providers create a clear link between service standards and customer outcomes, the FCA expects life insurers to be able to demonstrate how issues which are identified during the governance of its outsourcings are escalated and remediated.

Many outsourcing agreements will already include detailed governance and reporting schedules.  However, in line with the FCA’s expectations on customer outcomes, firms should review their existing arrangements to ensure that customer outcomes take centre stage.

In our experience, to make this happen, compliance and risk must take a more central role in the deal team.  Governance, reporting and service level regimes are often developed and negotiated in isolation of the wider business, resulting in vague obligations on suppliers to support the customer’s obligations to treat customers fairly. Good ‘outcome based’ governance will require input and review well beyond the immediate operations and contract management teams.

Key takeaways

The FCA is not proposing new guidelines or rules as a result of the review but firms are expected to review their existing arrangements in light of the review. There are some key takeaways for life insurers and other financial service firms:

Flexibility and partnership: Contracts that are overtly one-sided often lead to problems being stored up and behaviours that are detrimental to customer outcomes. When the unexpected happens, whether resulting in the invocation of business continuity or disaster recovery plans or an unplanned exit, it is crucial for both sides to act flexibly and in a non‑adversarial manner.  Contracts can and should anticipate flexibility and cooperation in these situations, for example:

• mechanisms to address peaks and troughs in work volumes and the application of any minimum commitments during the latter.
• procedures to address emergency change requests (such as changes to security and data protection obligations where working from home is required).   

Customer centricity: Bring customer impact to the forefront of their governance process for outsourcings. The FCA made it clear that it considers customer impact an integral part of governance as opposed to being separate or an afterthought.

Plan for the unplanned: Consider and plan for both anticipated and unplanned exits. Migrating to a new outsourced provider is usually a complex, time consuming and high risk event. Planning for the unexpected can significantly mitigate against these risks.

Test the tests: Ensure that both firm and supplier business continuity plans and systems are aligned and tested. Consider consulting a third party expert to ensure it gains unbiased actionable information from any tests and ensure that action is taken and documented where deficiencies are identified.

How Eversheds Sutherland can help

Our outsourcing and commercial teams have significant experience working with life insurers to assess and renegotiate both existing and new arrangements with outsourced suppliers.  Please contact your usual Eversheds Sutherland contact for more information.