We set out our findings from our review of outsourcing and third-party service providers. We identified governance over outsourcing as a priority area for supervision in the life insurers’ portfolio strategy.
Who this review is of interest to
- life insurers who outsource key business functions
- outsourced service providers (OSPs)
To ensure they meet the requirements in our existing rules and guidance, we encourage life insurers to consider whether the findings and examples set out in this paper are relevant to them, and to review their systems and controls where appropriate.
Why we conducted this review
Our Business Plan for 2019/20 highlighted outsourcing and third-party service providers as a priority area for the FCA. We stated that we would carry out work to:
- understand better the current outsourcing/third-party service provider environment
- address the risks of harm that could result from insufficient operational resilience in firms and inadequate controls over outsourcing
Outsourcing is a widespread practice in the life sector and there is a heavy reliance on a limited number of OSPs which creates a concentration risk. Some of the activities outsourced – such as annuities payroll administration, claims processing and resolving queries – directly impact customers and when they go wrong they can result in harm. There is potential for widespread harm if an OSP fails, with large numbers of customers affected.
Control over outsourcing is a key part of operational resilience. Putting in place a stronger regulatory framework to promote operational resilience of firms and financial market infrastructures (FMIs) is also a key priority for the FCA, the Bank of England and the Prudential Regulation Authority (PRA). We recently published joint policy proposals on operational resilience. Our Consultation Paper also contains a chapter on outsourcing. And the PRA published a Consultation Paper and draft Supervisory Statement on outsourcing and third-party risk management at the same time.
What we did
We looked at a sample of life insurers’ systems and controls for managing and governing outsourced activities, rather than the activities of outsourced service providers. We carried out a desk-based review of practices in three areas with a risk of material customer harm:
- Exit planning – We reviewed the adequacy of firm plans for exit from an outsourcing arrangement. This includes both planned and unplanned exits. An unplanned exit may occur if, for example, an OSP suddenly becomes insolvent.
- Business continuity planning (BCP) – We reviewed whether firms had adequate arrangements in place for system outages or disaster recovery in respect of outsourced activities.
- Governance, systems and controls – We reviewed the quality of governance and risk frameworks, including management information (MI), for OSP arrangements.
In carrying out this review we took into account the existing regulatory framework, including the Principles for Businesses, the rule in SYSC 3.1.1R and the guidance in SYSC 13 of the FCA Handbook.
We also considered FG16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services, which the FCA updated in September 2019.
What we found
Generally, life insurers have extensive governance, systems and controls over outsourced activities. However, some firms were not identifying and managing operational risks throughout the life span of outsourced arrangements from inception, through to business as usual operation and to exit from the arrangements.
We set out below examples of good and poor practices we observed. The good practice examples are illustrative and may or may not be relevant to the circumstances of each particular firm.
The examples of poor practices illustrate issues where we had cause for concern that good customer outcomes were potentially not being achieved. Firms should consider whether these examples are relevant to them, and how they set up their systems and controls.
Where we had concerns around potential non-compliance, we have raised those issues with the firm(s) concerned and asked the firm to take action. All firms should reflect on whether their outsourcing practices may be creating a similar risk of poor outcomes for customers.
FG16/5 Guidance for firms outsourcing to the cloud and other third-party IT services sets out our expectations in respect of exit plans.
Most life insurers have provisions in contracts to enable them to exit in the event of a serious breach of contract or the OSP’s financial failure. Insurers have contractual provisions that require the OSP to co-operate with the transition to a new provider. Most, but not all, life insurers had exit plans.
The level of detail contained in the exit plans varied. In some cases, a lack of detail gave insufficient confidence that the plan could be carried out in a way which would avoid customer harm.
The risk of such harm is also affected by the business model of the life insurer, and the services provided by the OSP.
Examples of issues we found are:
- Some life insurers had segregated teams at the OSP, providing services only to them. Where OSP teams are not segregated, this may make it more complex for the life insurer to transfer staff from the existing OSP to a new arrangement in an exit. In some cases, exit plans did not make clear how this risk would be managed.
- A firm and its OSP had complex IT architecture. The plan did not cover how such infrastructure, or the applicable data, would be moved in-house or to a new provider. Other firms’ plans did not clearly explain how data would be transferred from the OSPs’ systems to the systems used by a new arrangement.
- Some exit plans focused on planned exits and did not sufficiently consider the action necessary for an unexpected exit e.g. a sudden insolvency of an OSP.
- In some cases, it was not clear what alternative arrangements firms intended to employ in the event of exit. Some exit plans indicated firms would be unlikely to bring the work back in-house, but did not explain clearly how they would find an alternative OSP. If an OSP collapses unexpectedly and many firms are trying to exit at the same time it may be difficult to find other OSPs with enough capacity.
Exit plan - absence of one
The firm informed us that, if an OSP goes into administration, it would manage the situation in line with the insolvency process. The firm told us they had no formal exit plan setting out how they would do this. It was also unclear what action the firm would take if the OSP went into liquidation.
As a result, there is a risk of customer harm in the event of OSP insolvency. It was not clear who would carry out currently outsourced activities, what systems they would use, how information would be transferred from existing OSP systems or how long the transition would take.
Exit plan - lack of planning for a quick exit
The exit plan for a firm did not cater for circumstances in which exit may need to be made quickly (e.g. if the OSP went into liquidation). The firm considered that the likelihood of such an event occurring was low and so it had made an active decision not to plan for this. If it did occur, the firm had the option of invoking step-in-rights, but the plan did not explain how it would do this.
As a result, there is an increased risk of customer harm in the event of a sudden occurrence such as OSP insolvency that requires a rapid exit.
Business continuity planning
In most cases, OSPs use their own IT systems rather than systems operated by the life insurer. Where this applies, OSPs carry out business continuity testing rather than life insurers. For all life insurers in our sample, their OSPs carried out recent (at least annual) BCP testing, which they confirmed to the insurer.
Some firms discuss and obtain detailed information on the scope and scale of business continuity testing from the OSP. This information enables them to assess the results of that testing and the standard to which it has been carried out.
However, some firms obtain more limited information from OSPs. So they may not be able to satisfy themselves that the testing is robust or meets their needs.
Third-party review of OSP
A firm instructs a third-party consultancy to undertake annual security reviews of their OSPs, with a remit including BCP. For critical OSPs, the consultancy firm goes on-site to conduct the reviews. The reviews cover areas including BCP testing results, whether critical systems can continue and perform within SLAs, IT Recovery and mechanisms in place to alert the firm to potential issues.
As a result, the firm had independent assurance as to the effectiveness of OSP security systems and controls, including BCP arrangements.
Governance, systems and controls
Information provided to outsourcing governance committees tended to focus on operational performance, with less emphasis on customer outcomes.
Where outsourcing management information (MI) identified shortcomings, it was in some cases unclear what risk they posed to customers or whether timely and effective remediation action had been taken.
In response to our queries, most firms were able to provide customer-centric MI and reasonable explanations of what actions they had taken and why. However, in some cases firms did not provide this information as part of the outsourcing MI to their outsourcing governance committees. Some firms were unable to demonstrate that their outsourcing governance committees had sufficient focus on customer fairness in addition to operational issues.
There is a risk that ensuring customer fair treatment may be seen within some firms as a separate compliance-related issue, rather than being an integral part of oversight and control over outsourcing.
Clearly defined group policies
A firm had group-wide policies in place. The Group Sourcing and Supply Chain Management Policy created defined business standards and parameters for the Group to follow, making clear to the business the requirements in dealing with third-party providers. The Group outsourcing guidance is explicitly linked to FCA, PRA and other applicable requirements and creates expectations for the business on the requirements to be undertaken to mitigate against the risk of customer harm.
To support the second-line policies, first-line business procedures were in force reflecting key Group guidance, systems and controls on outsourcing. These procedures helped give employees clear instructions on required practice on outsourcing, against which the firm could monitor compliance.
The framework provided by Group policies helped establish effective systems and controls and governance at business unit level.
Clear governance structure
A firm has four sub-committees, which are joint forums between the firm and the OSP. The sub-committees report directly into the applicable governance committee and subsequently to the ExCo Steering Committee, which includes all OSP services across the group. If necessary, issues can then be escalated to the boards of the applicable entities. Responsibilities for each committee are well-defined in their terms of reference. Sub-Committee minutes indicate clear escalation of issues and action taken.
The clear governance structure ensures that issues, once identified, are dealt with promptly and effectively.
Failure to follow up on action to address issues identified
At one firm, MI was not clear and did not evidence where issues involving outsourced services had been escalated and appropriately actioned, despite some having potential for customer harm.
The MI did not give assurance that issues were followed up, even where there was potential for customers to have been underpaid or for regulatory breaches to have occurred. For example, MI identified that error reports in calculating amounts due to customers had not been actioned and remediation action had not been taken. In one case, investigation into an incident which occurred in 2017 was still ongoing.
The firm’s failure to take timely action in respect of identified issues creates a risk of continuing customer harm.
Conclusion and next steps
While we have not found evidence of widespread failure to manage the risks to customers arising from outsourcing, we can see areas for improvement.
We encourage firms to review their current systems and controls in light of our findings and good and poor practice examples, where relevant to their particular characteristics and the nature, scale and complexity of their activities. Where firms identify shortcomings, they should take prompt remediation action.
We are not proposing any new rules or guidance arising from the findings of this multi-firm review at this time.