Outsourcing claim activities to private investigators

Understand the responsibilities of insurers for the actions of private investigators (PIs) who investigate claims.

When insurers use the services of a PI, either directly or through a third party such as a claims administrator or solicitor, they are outsourcing part of their regulated activities. The FCA Handbook defines outsourcing as ‘…the use of a person to provide customised services to a firm…’.

The FCA’s regulatory requirements 

We expect insurers to make sure that the work performed by PIs is consistent with their regulatory obligations under SYSC, PRIN and ICOBS, and they are able to provide evidence of this. Insurers need to be aware of the following sections of the Handbook and understand their impact:

ICOBS 8.1.1R

An insurer must handle claims promptly and fairly.

PRIN 2.1.1R

Principle 2 – Skill, care and diligence – A firm must conduct its business with due skill, care and diligence.

Principle 3 – Management and control – A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

Principle 6 - A firm must pay due regard to the interests of its customers and treat them fairly.

 

SYSC 3.2.3G

A firm’s governing body is likely to delegate many functions and tasks for the purpose of carrying out its business. When functions or tasks are delegated, either to employees or to appointed representatives or, where applicable, its tied agents, appropriate safeguards should be put in place;

When there is delegation, a firm should assess whether the recipient is suitable to carry out the delegated function or task, taking into account the degree of responsibility involved;

The extent and limits of any delegation should be made clear to those concerned.

There should be arrangements to supervise delegation, and to monitor the discharge of delegates functions or tasks; and

If cause for concern arises through supervision and monitoring or otherwise, there should be appropriate follow-up action at an appropriate level of seniority within the firm.

SYSC 3.2.4G

The guidance relevant to delegation within the firm is also relevant to external delegation (‘outsourcing’). A firm cannot contract out its regulatory obligations. For example under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor.

A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.

SYSC 13.9.1G

As SYSC 3.2.4G explains, a firm cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourced functions. This section provides additional guidance on managing outsourcing arrangements (and will be relevant, to some extent, to other forms of third party dependency) in relation to operational risk. Outsourcing may affect a firm’s exposure to operational risk through significant changes to, and reduced control over, people, processes and systems used in outsourced activities.

SYSC 13.9.4G

Before entering into, or significantly changing, an outsourcing arrangement, a firm should:

  • analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations
  • consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing
  • conduct appropriate due diligence of the service provider’s financial stability and expertise
  • consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
  • consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.

 

SYSC 13.9.5G

In negotiating its contract with a service provider, a firm should have regard to:

  • reporting or notification requirements it may wish to impose on the service provider
  • whether sufficient access will be available to its internal auditors, external auditors or actuaries (see section 341 of the FSMA 2000) and to the appropriate regulator (see SUP 2.3.5 R and SUP 2.3.7 R
  • information ownership rights, confidentiality agreements and Chinese walls to protect client and other information
  • the adequacy of any guarantees and indemnities
  • the extent to which the service provider must comply with the firm’s policies and procedures (covering, for example, information security)
  • the extent to which a service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed
  • the need for continued availability of software following difficulty at a third party supplier, and
  • the processes for making changes to the outsourcing arrangement and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:

(a) a change of ownership or control (including insolvency or receivership) of the service provider or firm

(b) significant change in the business operations (including sub-contracting) of the service provider or firm

(c) inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations