We set out our findings from our review of outsourcing and third-party service providers. We identified governance over outsourcing as a priority area for supervision in the life insurers’ portfolio strategy.
Who this review is of interest to
- life insurers who outsource key business functions
- outsourced service providers (OSPs)
To ensure they meet the requirements in our existing rules and guidance, we encourage life insurers to consider whether the findings and examples set out in this paper are relevant to them, and to review their systems and controls where appropriate.
Why we conducted this review
Our Business Plan for 2019/20 highlighted outsourcing and third-party service providers as a priority area for the FCA. We stated that we would carry out work to:
- understand better the current outsourcing/third-party service provider environment
- address the risks of harm that could result from insufficient operational resilience in firms and inadequate controls over outsourcing
Outsourcing is a widespread practice in the life sector and there is a heavy reliance on a limited number of OSPs which creates a concentration risk. Some of the activities outsourced – such as annuities payroll administration, claims processing and resolving queries – directly impact customers and when they go wrong they can result in harm. There is potential for widespread harm if an OSP fails, with large numbers of customers affected.
Context
Control over outsourcing is a key part of operational resilience. Putting in place a stronger regulatory framework to promote operational resilience of firms and financial market infrastructures (FMIs) is also a key priority for the FCA, the Bank of England and the Prudential Regulation Authority (PRA). We recently published joint policy proposals on operational resilience. Our Consultation Paper also contains a chapter on outsourcing. And the PRA published a Consultation Paper and draft Supervisory Statement on outsourcing and third-party risk management at the same time.
What we did
We looked at a sample of life insurers’ systems and controls for managing and governing outsourced activities, rather than the activities of outsourced service providers. We carried out a desk-based review of practices in three areas with a risk of material customer harm:
- Exit planning – We reviewed the adequacy of firm plans for exit from an outsourcing arrangement. This includes both planned and unplanned exits. An unplanned exit may occur if, for example, an OSP suddenly becomes insolvent.
- Business continuity planning – We reviewed whether firms had adequate arrangements in place for system outages or disaster recovery in respect of outsourced activities.
- Governance, systems and controls – We reviewed the quality of governance and risk frameworks, including management information (MI), for OSP arrangements.
In carrying out this review we took into account the existing regulatory framework, including the Principles for Businesses, the rule in SYSC 3.1.1R and the guidance in SYSC 13 of the FCA Handbook.
We also considered FG16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services, which the FCA updated in September 2019.
What we found
Generally, life insurers have extensive governance, systems and controls over outsourced activities. However, some firms were not identifying and managing operational risks throughout the life span of outsourced arrangements from inception, through to business as usual operation and to exit from the arrangements.
We set out below examples of good and poor practices we observed. The good practice examples are illustrative and may or may not be relevant to the circumstances of each particular firm.
The examples of poor practices illustrate issues where we had cause for concern that good customer outcomes were potentially not being achieved. Firms should consider whether these examples are relevant to them, and how they set up their systems and controls.
Where we had concerns around potential non-compliance, we have raised those issues with the firm(s) concerned and asked the firm to take action. All firms should reflect on whether their outsourcing practices may be creating a similar risk of poor outcomes for customers.
Exit planning
FG16/5 Guidance for firms outsourcing to the cloud and other third-party IT services sets out our expectations in respect of exit plans.
Most life insurers have provisions in contracts to enable them to exit in the event of a serious breach of contract or the OSP’s financial failure. Insurers have contractual provisions that require the OSP to co-operate with the transition to a new provider. Most, but not all, life insurers had exit plans.
The level of detail contained in the exit plans varied. In some cases, lack of detail gave insufficient confidence that the plan could be carried out in a way which would avoid customer harm. The risk of such harm is also affected by the business model of the life insurer, and the services provided by the OSP.
Examples of issues we found are:
- Some life insurers had segregated teams at the OSP, providing services only to them. Where OSP teams are not segregated, this may make it more complex for the life insurer to transfer staff from the existing OSP to a new arrangement in an exit. In some cases, exit plans did not make clear how this risk would be managed.
- A firm and its OSP had complex IT architecture. The plan did not cover how such infrastructure, or the applicable data, would be moved in-house or to a new provider. Other firms’ plans did not clearly explain how data would be transferred from the OSPs’ systems to the systems used by a new arrangement.
- Some exit plans focused on planned exits and did not sufficiently consider the action necessary for an unexpected exit e.g. a sudden insolvency of an OSP.
- In some cases, it was not clear what alternative arrangements firms intended to employ in the event of exit. Some exit plans indicated firms would be unlikely to bring the work back in-house, but did not explain clearly how they would find an alternative OSP. If an OSP collapses unexpectedly and many firms are trying to exit at the same time it may be difficult to find other OSPs with enough capacity.
Poor practice
Exit plan – lack of planning for a quick exit
The exit plan for a firm did not cater for circumstances in which exit may need to be made quickly (e.g. if the OSP went into liquidation). The firm considered that the likelihood of such an event occurring was low and so it had made an active decision not to plan for this. If it did occur, the firm had the option of invoking step-in-rights, but the plan did not explain how it would do this.
As a result, there is an increased risk of customer harm in the event of a sudden occurrence such as OSP insolvency that requires a rapid exit.
Business continuity planning
In most cases, OSPs use their own IT systems rather than systems operated by the life insurer. Where this applies, OSPs carry out business continuity testing rather than life insurers. For all life insurers in our sample, their OSPs carried out recent (at least annual) BCP testing, which they confirmed to the insurer.
Some firms discuss and obtain detailed information on the scope and scale of business continuity testing from the OSP. This information enables them to assess the results of that testing and the standard to which it has been carried out. However, some firms obtain more limited information from OSPs. So they may not be able to satisfy themselves that the testing is robust or meets their needs.
Good practice
Third-party review of OSP
A firm instructs a third-party consultancy to undertake annual security reviews of their OSPs, with a remit including BCP. For critical OSPs, the consultancy firm goes on-site to conduct the reviews. The reviews cover areas including BCP testing results, whether critical systems can continue and perform within SLAs, IT Recovery and mechanisms in place to alert the firm to potential issues.
As a result, the firm had independent assurance as to the effectiveness of OSP security systems and controls, including BCP arrangements.
Governance, systems and controls
Information provided to outsourcing governance committees tended to focus on operational performance, with less emphasis on customer outcomes.
Where outsourcing management information (MI) identified shortcomings, it was in some cases unclear what risk they posed to customers or whether timely and effective remediation action had been taken.
In response to our queries, most firms were able to provide customer-centric MI and reasonable explanations of what actions they had taken and why. However, in some cases firms did not provide this information as part of the outsourcing MI to their outsourcing governance committees. Some firms were unable to demonstrate that their outsourcing governance committees had sufficient focus on customer fairness in addition to operational issues.
There is a risk that ensuring customer fair treatment may be seen within some firms as a separate compliance-related issue, rather than being an integral part of oversight and control over outsourcing.
Conclusion and next steps
While we have not found evidence of widespread failure to manage the risks to customers arising from outsourcing, we can see areas for improvement.
We encourage firms to review their current systems and controls in light of our findings and good and poor practice examples, where relevant to their particular characteristics and the nature, scale and complexity of their activities. Where firms identify shortcomings, they should take prompt remediation action.
We are not proposing any new rules or guidance arising from the findings of this multi-firm review at this time.